From 105309abcfa992987d3995d55e44883e527adaf4 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 17:26:05 +0530
Subject: [PATCH 01/26] feat(authz): add authorization schemas and constants

---
 internal/constants/authorization.go           | 42 +++++++++
 .../constants/webhook_event_authorization.go  | 31 ++++++
 internal/storage/schemas/permission.go        | 94 +++++++++++++++++++
 internal/storage/schemas/policy.go            | 48 ++++++++++
 internal/storage/schemas/resource.go          | 20 ++++
 internal/storage/schemas/scope.go             | 20 ++++
 6 files changed, 255 insertions(+)
 create mode 100644 internal/constants/authorization.go
 create mode 100644 internal/constants/webhook_event_authorization.go
 create mode 100644 internal/storage/schemas/permission.go
 create mode 100644 internal/storage/schemas/policy.go
 create mode 100644 internal/storage/schemas/resource.go
 create mode 100644 internal/storage/schemas/scope.go

diff --git a/internal/constants/authorization.go b/internal/constants/authorization.go
new file mode 100644
index 00000000..8a211dad
--- /dev/null
+++ b/internal/constants/authorization.go
@@ -0,0 +1,42 @@
+package constants
+
+const (
+	// PolicyTypeRole is the policy type for role-based policies.
+	// A role-based policy grants or denies access based on the principal's roles.
+	PolicyTypeRole = "role"
+	// PolicyTypeUser is the policy type for user-based policies.
+	// A user-based policy grants or denies access to specific user IDs.
+	PolicyTypeUser = "user"
+
+	// PolicyLogicPositive grants access when the policy condition matches.
+	PolicyLogicPositive = "positive"
+	// PolicyLogicNegative denies access when the policy condition matches (blacklist).
+	PolicyLogicNegative = "negative"
+
+	// DecisionStrategyAffirmative grants if ANY policy/target grants (OR logic).
+	DecisionStrategyAffirmative = "affirmative"
+	// DecisionStrategyUnanimous grants only if ALL policies/targets agree (AND logic).
+	DecisionStrategyUnanimous = "unanimous"
+
+	// AuthorizationEnforcementDisabled turns off the authorization engine entirely.
+	// All check_permission calls return true. Default for backward compatibility.
+	AuthorizationEnforcementDisabled = "disabled"
+	// AuthorizationEnforcementPermissive returns true when no matching permission
+	// exists, but logs a warning. Useful for migration/development.
+	AuthorizationEnforcementPermissive = "permissive"
+	// AuthorizationEnforcementEnforcing is default-deny. Returns false when no
+	// matching permission exists.
+	AuthorizationEnforcementEnforcing = "enforcing"
+
+	// PrincipalTypeUser identifies a human user principal (from authorization_code grant).
+	PrincipalTypeUser = "user"
+	// PrincipalTypeClient identifies a service/M2M principal (from client_credentials grant).
+	PrincipalTypeClient = "client"
+	// PrincipalTypeAgent identifies an AI agent principal (future use).
+	PrincipalTypeAgent = "agent"
+
+	// TargetTypeRole is a policy target that matches by role name.
+	TargetTypeRole = "role"
+	// TargetTypeUser is a policy target that matches by user ID.
+	TargetTypeUser = "user"
+)
diff --git a/internal/constants/webhook_event_authorization.go b/internal/constants/webhook_event_authorization.go
new file mode 100644
index 00000000..059ed8d0
--- /dev/null
+++ b/internal/constants/webhook_event_authorization.go
@@ -0,0 +1,31 @@
+package constants
+
+const (
+	// ResourceCreatedWebhookEvent is fired when an authorization resource is created.
+	ResourceCreatedWebhookEvent = "resource.created"
+	// ResourceUpdatedWebhookEvent is fired when an authorization resource is updated.
+	ResourceUpdatedWebhookEvent = "resource.updated"
+	// ResourceDeletedWebhookEvent is fired when an authorization resource is deleted.
+	ResourceDeletedWebhookEvent = "resource.deleted"
+	// ScopeCreatedWebhookEvent is fired when an authorization scope is created.
+	ScopeCreatedWebhookEvent = "scope.created"
+	// ScopeUpdatedWebhookEvent is fired when an authorization scope is updated.
+	ScopeUpdatedWebhookEvent = "scope.updated"
+	// ScopeDeletedWebhookEvent is fired when an authorization scope is deleted.
+	ScopeDeletedWebhookEvent = "scope.deleted"
+	// PolicyCreatedWebhookEvent is fired when an authorization policy is created.
+	PolicyCreatedWebhookEvent = "policy.created"
+	// PolicyUpdatedWebhookEvent is fired when an authorization policy is updated.
+	PolicyUpdatedWebhookEvent = "policy.updated"
+	// PolicyDeletedWebhookEvent is fired when an authorization policy is deleted.
+	PolicyDeletedWebhookEvent = "policy.deleted"
+	// PermissionCreatedWebhookEvent is fired when an authorization permission is created.
+	PermissionCreatedWebhookEvent = "permission.created"
+	// PermissionUpdatedWebhookEvent is fired when an authorization permission is updated.
+	PermissionUpdatedWebhookEvent = "permission.updated"
+	// PermissionDeletedWebhookEvent is fired when an authorization permission is deleted.
+	PermissionDeletedWebhookEvent = "permission.deleted"
+	// PermissionCheckDeniedWebhookEvent is fired when a permission check is denied
+	// in enforcing mode. Useful for agent kill-switches and security alerting.
+	PermissionCheckDeniedWebhookEvent = "permission.check_denied"
+)
diff --git a/internal/storage/schemas/permission.go b/internal/storage/schemas/permission.go
new file mode 100644
index 00000000..51a50c05
--- /dev/null
+++ b/internal/storage/schemas/permission.go
@@ -0,0 +1,94 @@
+package schemas
+
+// Permission is the binding layer of the authorization model.
+// It connects a Resource to Scopes (via PermissionScope) and Policies (via PermissionPolicy).
+// A permission answers: "WHO can do WHAT on WHICH resource?"
+type Permission struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// Name is a unique human-readable identifier (e.g., "edit-documents").
+	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
+	// Description provides optional context about this permission.
+	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
+	// ResourceID is the foreign key to the Resource this permission protects.
+	ResourceID string `json:"resource_id" gorm:"type:char(36);index" bson:"resource_id" cql:"resource_id" dynamo:"resource_id"`
+	// DecisionStrategy controls how multiple policies attached to this permission are evaluated.
+	// "affirmative" = any policy grants access (OR), "unanimous" = all must agree (AND).
+	DecisionStrategy string `json:"decision_strategy" gorm:"type:varchar(20);default:affirmative" bson:"decision_strategy" cql:"decision_strategy" dynamo:"decision_strategy"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	// UpdatedAt is the unix timestamp of last update.
+	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+}
+
+// PermissionScope is the join table linking a Permission to its allowed Scopes.
+// A permission can cover multiple scopes (e.g., "read" and "write").
+type PermissionScope struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// PermissionID is the foreign key to the parent Permission.
+	PermissionID string `json:"permission_id" gorm:"type:char(36);index;uniqueIndex:idx_ps_unique" bson:"permission_id" cql:"permission_id" dynamo:"permission_id"`
+	// ScopeID is the foreign key to the Scope.
+	ScopeID string `json:"scope_id" gorm:"type:char(36);index;uniqueIndex:idx_ps_unique" bson:"scope_id" cql:"scope_id" dynamo:"scope_id"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+}
+
+// PermissionPolicy is the join table linking a Permission to its governing Policies.
+// A permission can be governed by multiple policies, evaluated using the permission's DecisionStrategy.
+type PermissionPolicy struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// PermissionID is the foreign key to the parent Permission.
+	PermissionID string `json:"permission_id" gorm:"type:char(36);index;uniqueIndex:idx_pp_unique" bson:"permission_id" cql:"permission_id" dynamo:"permission_id"`
+	// PolicyID is the foreign key to the Policy.
+	PolicyID string `json:"policy_id" gorm:"type:char(36);index;uniqueIndex:idx_pp_unique" bson:"policy_id" cql:"policy_id" dynamo:"policy_id"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+}
+
+// PermissionWithPolicies is a denormalized view used by the evaluation engine.
+// It bundles a permission with its resolved policies and targets for efficient
+// single-query evaluation. Not a database table -- constructed by
+// GetPermissionsForResourceScope().
+type PermissionWithPolicies struct {
+	// PermissionID is the permission being evaluated.
+	PermissionID string
+	// PermissionName is for logging and debugging.
+	PermissionName string
+	// DecisionStrategy is how to combine policy results for this permission.
+	DecisionStrategy string
+	// Policies contains the resolved policies with their targets.
+	Policies []PolicyWithTargets
+}
+
+// PolicyWithTargets bundles a policy with its resolved targets.
+// Used by the evaluation engine to avoid N+1 queries.
+type PolicyWithTargets struct {
+	// PolicyID is the policy identifier.
+	PolicyID string
+	// PolicyName is for logging and debugging.
+	PolicyName string
+	// Type is the policy type discriminator (role, user, client, agent).
+	Type string
+	// Logic is positive or negative.
+	Logic string
+	// DecisionStrategy is how to combine targets within this policy.
+	DecisionStrategy string
+	// Targets are the resolved policy targets.
+	Targets []PolicyTargetView
+}
+
+// PolicyTargetView is a read-only view of a policy target for evaluation.
+type PolicyTargetView struct {
+	// TargetType is "role", "user", "client", or "agent".
+	TargetType string
+	// TargetValue is the role name, user ID, client ID, or agent ID.
+	TargetValue string
+}
diff --git a/internal/storage/schemas/policy.go b/internal/storage/schemas/policy.go
new file mode 100644
index 00000000..792209ad
--- /dev/null
+++ b/internal/storage/schemas/policy.go
@@ -0,0 +1,48 @@
+package schemas
+
+// Policy defines conditions for granting or denying access.
+// Policies are the brain of the authorization model -- they determine WHO gets access.
+// A policy has a Type (role-based, user-based, etc.) and Logic (positive=grant, negative=deny).
+type Policy struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// Name is a unique human-readable identifier (e.g., "editors-policy").
+	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
+	// Description provides optional context about this policy.
+	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
+	// Type is the policy type discriminator: "role" or "user" (extensible to "client", "agent").
+	// See constants.PolicyTypeRole, constants.PolicyTypeUser.
+	Type string `json:"type" gorm:"type:varchar(50);index" bson:"type" cql:"type" dynamo:"type"`
+	// Logic determines whether matching GRANTS or DENIES access.
+	// "positive" = grant when matched, "negative" = deny when matched.
+	// See constants.PolicyLogicPositive, constants.PolicyLogicNegative.
+	Logic string `json:"logic" gorm:"type:varchar(10);default:positive" bson:"logic" cql:"logic" dynamo:"logic"`
+	// DecisionStrategy controls how multiple targets within this policy are evaluated.
+	// "affirmative" = any target match grants, "unanimous" = all targets must match.
+	// See constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous.
+	DecisionStrategy string `json:"decision_strategy" gorm:"type:varchar(20);default:affirmative" bson:"decision_strategy" cql:"decision_strategy" dynamo:"decision_strategy"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	// UpdatedAt is the unix timestamp of last update.
+	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+}
+
+// PolicyTarget specifies who/what a policy applies to.
+// For a role-based policy, targets are role names. For a user-based policy, targets are user IDs.
+type PolicyTarget struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// PolicyID is the foreign key to the parent Policy.
+	PolicyID string `json:"policy_id" gorm:"type:char(36);index;uniqueIndex:idx_pt_unique" bson:"policy_id" cql:"policy_id" dynamo:"policy_id"`
+	// TargetType describes what kind of target this is: "role" or "user"
+	// (extensible to "client", "agent").
+	TargetType string `json:"target_type" gorm:"type:varchar(50);uniqueIndex:idx_pt_unique" bson:"target_type" cql:"target_type" dynamo:"target_type"`
+	// TargetValue is the role name or user/client/agent ID this target matches.
+	TargetValue string `json:"target_value" gorm:"type:varchar(256);uniqueIndex:idx_pt_unique" bson:"target_value" cql:"target_value" dynamo:"target_value"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+}
diff --git a/internal/storage/schemas/resource.go b/internal/storage/schemas/resource.go
new file mode 100644
index 00000000..c8ee92b5
--- /dev/null
+++ b/internal/storage/schemas/resource.go
@@ -0,0 +1,20 @@
+package schemas
+
+// Resource represents a protected resource type in the authorization model.
+// Resources are types (e.g., "document", "invoice"), not instances.
+// They define WHAT is being protected.
+type Resource struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// Name is a unique human-readable identifier (e.g., "document", "invoice").
+	// Must be alphanumeric with hyphens and underscores, max 100 chars.
+	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
+	// Description provides optional context about what this resource represents.
+	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	// UpdatedAt is the unix timestamp of last update.
+	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+}
diff --git a/internal/storage/schemas/scope.go b/internal/storage/schemas/scope.go
new file mode 100644
index 00000000..4eb47406
--- /dev/null
+++ b/internal/storage/schemas/scope.go
@@ -0,0 +1,20 @@
+package schemas
+
+// Scope represents an action that can be performed on a resource.
+// Scopes are global verbs (e.g., "read", "write", "delete", "approve").
+// They define WHAT ACTIONS are allowed.
+type Scope struct {
+	// ID is the unique identifier (UUID v4).
+	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
+	// Key is an alias for ID used by some NoSQL providers.
+	Key string `json:"key" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
+	// Name is a unique human-readable identifier (e.g., "read", "write").
+	// Must be alphanumeric with hyphens and underscores, max 100 chars.
+	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
+	// Description provides optional context about what this scope represents.
+	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
+	// CreatedAt is the unix timestamp of creation.
+	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	// UpdatedAt is the unix timestamp of last update.
+	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+}

From 42a3965e30eee82650dba000f3ae5d7a0325878e Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 17:27:53 +0530
Subject: [PATCH 02/26] feat(authz): extend storage provider interface with 28
 authorization methods

Add 7 new collection/table names (Resource, Scope, Policy, PolicyTarget,
Permission, PermissionScope, PermissionPolicy) to CollectionList and
Collections var.

Add 28 new method signatures to the Provider interface covering CRUD for
resources, scopes, policies, policy targets, permissions, and join tables,
plus the optimized GetPermissionsForResourceScope evaluation query.
---
 internal/storage/provider.go      | 95 +++++++++++++++++++++++++++++++
 internal/storage/schemas/model.go | 16 ++++++
 2 files changed, 111 insertions(+)

diff --git a/internal/storage/provider.go b/internal/storage/provider.go
index bbf1b551..4854dc1f 100644
--- a/internal/storage/provider.go
+++ b/internal/storage/provider.go
@@ -174,6 +174,101 @@ type Provider interface {
 
 	// Close releases resources held by the provider (e.g. database connection pools).
 	Close() error
+
+	// === Authorization: Resources ===
+
+	// AddResource creates a new authorization resource.
+	AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error)
+	// UpdateResource updates an existing authorization resource.
+	UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error)
+	// DeleteResource deletes an authorization resource by ID.
+	// Returns an error if any permission references this resource.
+	DeleteResource(ctx context.Context, id string) error
+	// GetResourceByID returns an authorization resource by its ID.
+	GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error)
+	// GetResourceByName returns an authorization resource by its unique name.
+	GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error)
+	// ListResources returns a paginated list of authorization resources.
+	ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error)
+
+	// === Authorization: Scopes ===
+
+	// AddScope creates a new authorization scope.
+	AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error)
+	// UpdateScope updates an existing authorization scope.
+	UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error)
+	// DeleteScope deletes an authorization scope by ID.
+	// Returns an error if any permission_scope references this scope.
+	DeleteScope(ctx context.Context, id string) error
+	// GetScopeByID returns an authorization scope by its ID.
+	GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error)
+	// GetScopeByName returns an authorization scope by its unique name.
+	GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error)
+	// ListScopes returns a paginated list of authorization scopes.
+	ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error)
+
+	// === Authorization: Policies ===
+
+	// AddPolicy creates a new authorization policy.
+	AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error)
+	// UpdatePolicy updates an existing authorization policy.
+	UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error)
+	// DeletePolicy deletes an authorization policy by ID.
+	// Returns an error if any permission_policy references this policy.
+	DeletePolicy(ctx context.Context, id string) error
+	// GetPolicyByID returns an authorization policy by its ID.
+	GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error)
+	// ListPolicies returns a paginated list of authorization policies.
+	ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error)
+
+	// === Authorization: Policy Targets ===
+
+	// AddPolicyTarget adds a target (role name or user ID) to a policy.
+	AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error)
+	// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+	// Used during policy update to replace targets atomically.
+	DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error
+	// GetPolicyTargets returns all targets for a policy.
+	GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error)
+
+	// === Authorization: Permissions ===
+
+	// AddPermission creates a new authorization permission.
+	AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error)
+	// UpdatePermission updates an existing authorization permission.
+	UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error)
+	// DeletePermission deletes an authorization permission by ID.
+	DeletePermission(ctx context.Context, id string) error
+	// GetPermissionByID returns an authorization permission by its ID.
+	GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error)
+	// ListPermissions returns a paginated list of authorization permissions.
+	ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error)
+
+	// === Authorization: Permission Scopes (join table) ===
+
+	// AddPermissionScope links a scope to a permission.
+	AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error)
+	// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+	DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error
+	// GetPermissionScopes returns all scope links for a permission.
+	GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error)
+
+	// === Authorization: Permission Policies (join table) ===
+
+	// AddPermissionPolicy links a policy to a permission.
+	AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error)
+	// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+	DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error
+	// GetPermissionPolicies returns all policy links for a permission.
+	GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error)
+
+	// === Authorization: Optimized Evaluation Query ===
+
+	// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+	// that match a given resource name and scope name. This is the hot-path query used by
+	// the evaluation engine. SQL providers use a single JOIN query. NoSQL providers use
+	// a denormalized lookup collection.
+	GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error)
 }
 
 // New creates a new database provider based on the configuration
diff --git a/internal/storage/schemas/model.go b/internal/storage/schemas/model.go
index 43f4e464..86653692 100644
--- a/internal/storage/schemas/model.go
+++ b/internal/storage/schemas/model.go
@@ -16,6 +16,14 @@ type CollectionList struct {
 	MFASession             string
 	OAuthState             string
 	AuditLog               string
+	// Authorization tables
+	Resource         string
+	Scope            string
+	Policy           string
+	PolicyTarget     string
+	Permission       string
+	PermissionScope  string
+	PermissionPolicy string
 }
 
 var (
@@ -37,5 +45,13 @@ var (
 		MFASession:             Prefix + "mfa_sessions",
 		OAuthState:             Prefix + "oauth_states",
 		AuditLog:               Prefix + "audit_logs",
+		// Authorization collections
+		Resource:         Prefix + "resources",
+		Scope:            Prefix + "scopes",
+		Policy:           Prefix + "policies",
+		PolicyTarget:     Prefix + "policy_targets",
+		Permission:       Prefix + "permissions",
+		PermissionScope:  Prefix + "permission_scopes",
+		PermissionPolicy: Prefix + "permission_policies",
 	}
 )

From 295451907c890b9e11e43ebe150114a870eaea16 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 17:33:03 +0530
Subject: [PATCH 03/26] feat(authz): implement SQL storage provider for
 authorization

Add CRUD methods for resources, scopes, policies, policy targets,
permissions, permission scopes, and permission policies. Implement
GetPermissionsForResourceScope optimized JOIN query for the evaluation
engine. Add 7 new schemas to AutoMigrate.
---
 internal/storage/db/sql/permission.go | 246 ++++++++++++++++++++++++++
 internal/storage/db/sql/policy.go     | 119 +++++++++++++
 internal/storage/db/sql/provider.go   |   2 +-
 internal/storage/db/sql/resource.go   |  90 ++++++++++
 internal/storage/db/sql/scope.go      |  90 ++++++++++
 5 files changed, 546 insertions(+), 1 deletion(-)
 create mode 100644 internal/storage/db/sql/permission.go
 create mode 100644 internal/storage/db/sql/policy.go
 create mode 100644 internal/storage/db/sql/resource.go
 create mode 100644 internal/storage/db/sql/scope.go

diff --git a/internal/storage/db/sql/permission.go b/internal/storage/db/sql/permission.go
new file mode 100644
index 00000000..dc1bb324
--- /dev/null
+++ b/internal/storage/db/sql/permission.go
@@ -0,0 +1,246 @@
+package sql
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm/clause"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&permission)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	result := p.db.Save(&permission)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes associated permission_scopes and permission_policies.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	result := p.db.Where("permission_id = ?", id).Delete(&schemas.PermissionScope{})
+	if result.Error != nil {
+		return result.Error
+	}
+	result = p.db.Where("permission_id = ?", id).Delete(&schemas.PermissionPolicy{})
+	if result.Error != nil {
+		return result.Error
+	}
+	result = p.db.Where("id = ?", id).Delete(&schemas.Permission{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission schemas.Permission
+	result := p.db.Where("id = ?", id).First(&permission)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	var permissions []*schemas.Permission
+	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&permissions)
+	if result.Error != nil {
+		return nil, nil, result.Error
+	}
+	var total int64
+	totalRes := p.db.Model(&schemas.Permission{}).Count(&total)
+	if totalRes.Error != nil {
+		return nil, nil, totalRes.Error
+	}
+	paginationClone := pagination
+	paginationClone.Total = total
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ps)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	result := p.db.Where("permission_id = ?", permissionID).Delete(&schemas.PermissionScope{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	var scopes []*schemas.PermissionScope
+	result := p.db.Where("permission_id = ?", permissionID).Find(&scopes)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&pp)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	result := p.db.Where("permission_id = ?", permissionID).Delete(&schemas.PermissionPolicy{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	var policies []*schemas.PermissionPolicy
+	result := p.db.Where("permission_id = ?", permissionID).Find(&policies)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return policies, nil
+}
+
+// permissionRow is an intermediate struct for scanning the multi-JOIN query result
+// in GetPermissionsForResourceScope.
+type permissionRow struct {
+	PermissionID           string `gorm:"column:permission_id"`
+	PermissionName         string `gorm:"column:permission_name"`
+	DecisionStrategy       string `gorm:"column:decision_strategy"`
+	PolicyID               string `gorm:"column:policy_id"`
+	PolicyName             string `gorm:"column:policy_name"`
+	PolicyType             string `gorm:"column:policy_type"`
+	PolicyLogic            string `gorm:"column:policy_logic"`
+	PolicyDecisionStrategy string `gorm:"column:policy_decision_strategy"`
+	TargetType             string `gorm:"column:target_type"`
+	TargetValue            string `gorm:"column:target_value"`
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that match a given resource name and scope name. This is the hot-path query used by
+// the evaluation engine.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	query := `SELECT p.id AS permission_id, p.name AS permission_name, p.decision_strategy,
+       pol.id AS policy_id, pol.name AS policy_name, pol.type AS policy_type, pol.logic AS policy_logic, pol.decision_strategy AS policy_decision_strategy,
+       pt.target_type, pt.target_value
+FROM ` + schemas.Prefix + `permissions p
+JOIN ` + schemas.Prefix + `resources r ON r.id = p.resource_id
+JOIN ` + schemas.Prefix + `permission_scopes ps ON ps.permission_id = p.id
+JOIN ` + schemas.Prefix + `scopes s ON s.id = ps.scope_id
+JOIN ` + schemas.Prefix + `permission_policies pp ON pp.permission_id = p.id
+JOIN ` + schemas.Prefix + `policies pol ON pol.id = pp.policy_id
+JOIN ` + schemas.Prefix + `policy_targets pt ON pt.policy_id = pol.id
+WHERE r.name = ? AND s.name = ?`
+
+	var rows []permissionRow
+	result := p.db.Raw(query, resourceName, scopeName).Scan(&rows)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+
+	return groupPermissionRows(rows), nil
+}
+
+// groupPermissionRows groups flat permissionRow results into nested PermissionWithPolicies structs.
+func groupPermissionRows(rows []permissionRow) []*schemas.PermissionWithPolicies {
+	// Track insertion order for permissions and policies
+	permOrder := make([]string, 0)
+	permMap := make(map[string]*schemas.PermissionWithPolicies)
+	policyOrderMap := make(map[string][]string)              // permissionID -> ordered policy IDs
+	policyMap := make(map[string]*schemas.PolicyWithTargets) // "permID:polID" -> policy
+
+	for _, row := range rows {
+		// Ensure permission exists
+		perm, ok := permMap[row.PermissionID]
+		if !ok {
+			perm = &schemas.PermissionWithPolicies{
+				PermissionID:     row.PermissionID,
+				PermissionName:   row.PermissionName,
+				DecisionStrategy: row.DecisionStrategy,
+				Policies:         nil,
+			}
+			permMap[row.PermissionID] = perm
+			permOrder = append(permOrder, row.PermissionID)
+		}
+
+		// Ensure policy exists within this permission
+		policyKey := row.PermissionID + ":" + row.PolicyID
+		pol, ok := policyMap[policyKey]
+		if !ok {
+			pol = &schemas.PolicyWithTargets{
+				PolicyID:         row.PolicyID,
+				PolicyName:       row.PolicyName,
+				Type:             row.PolicyType,
+				Logic:            row.PolicyLogic,
+				DecisionStrategy: row.PolicyDecisionStrategy,
+				Targets:          nil,
+			}
+			policyMap[policyKey] = pol
+			policyOrderMap[row.PermissionID] = append(policyOrderMap[row.PermissionID], policyKey)
+		}
+
+		// Add target
+		pol.Targets = append(pol.Targets, schemas.PolicyTargetView{
+			TargetType:  row.TargetType,
+			TargetValue: row.TargetValue,
+		})
+	}
+
+	// Assemble in order
+	result := make([]*schemas.PermissionWithPolicies, 0, len(permOrder))
+	for _, permID := range permOrder {
+		perm := permMap[permID]
+		for _, policyKey := range policyOrderMap[permID] {
+			pol := policyMap[policyKey]
+			perm.Policies = append(perm.Policies, *pol)
+		}
+		result = append(result, perm)
+	}
+	return result
+}
diff --git a/internal/storage/db/sql/policy.go b/internal/storage/db/sql/policy.go
new file mode 100644
index 00000000..75d3b7a3
--- /dev/null
+++ b/internal/storage/db/sql/policy.go
@@ -0,0 +1,119 @@
+package sql
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm/clause"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&policy)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	result := p.db.Save(&policy)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Cascade-deletes associated policy targets.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	var count int64
+	p.db.Model(&schemas.PermissionPolicy{}).Where("policy_id = ?", id).Count(&count)
+	if count > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
+	}
+	// Cascade-delete policy targets
+	result := p.db.Where("policy_id = ?", id).Delete(&schemas.PolicyTarget{})
+	if result.Error != nil {
+		return result.Error
+	}
+	result = p.db.Where("id = ?", id).Delete(&schemas.Policy{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy schemas.Policy
+	result := p.db.Where("id = ?", id).First(&policy)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	var policies []*schemas.Policy
+	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&policies)
+	if result.Error != nil {
+		return nil, nil, result.Error
+	}
+	var total int64
+	totalRes := p.db.Model(&schemas.Policy{}).Count(&total)
+	if totalRes.Error != nil {
+		return nil, nil, totalRes.Error
+	}
+	paginationClone := pagination
+	paginationClone.Total = total
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&target)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	result := p.db.Where("policy_id = ?", policyID).Delete(&schemas.PolicyTarget{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	var targets []*schemas.PolicyTarget
+	result := p.db.Where("policy_id = ?", policyID).Find(&targets)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/sql/provider.go b/internal/storage/db/sql/provider.go
index c9c7eaa0..495c1551 100644
--- a/internal/storage/db/sql/provider.go
+++ b/internal/storage/db/sql/provider.go
@@ -83,7 +83,7 @@ func NewProvider(
 		}
 	}
 
-	err = sqlDB.AutoMigrate(&schemas.User{}, &schemas.VerificationRequest{}, &schemas.Session{}, &schemas.Env{}, &schemas.Webhook{}, &schemas.WebhookLog{}, &schemas.EmailTemplate{}, &schemas.OTP{}, &schemas.Authenticator{}, &schemas.SessionToken{}, &schemas.MFASession{}, &schemas.OAuthState{}, &schemas.AuditLog{})
+	err = sqlDB.AutoMigrate(&schemas.User{}, &schemas.VerificationRequest{}, &schemas.Session{}, &schemas.Env{}, &schemas.Webhook{}, &schemas.WebhookLog{}, &schemas.EmailTemplate{}, &schemas.OTP{}, &schemas.Authenticator{}, &schemas.SessionToken{}, &schemas.MFASession{}, &schemas.OAuthState{}, &schemas.AuditLog{}, &schemas.Resource{}, &schemas.Scope{}, &schemas.Policy{}, &schemas.PolicyTarget{}, &schemas.Permission{}, &schemas.PermissionScope{}, &schemas.PermissionPolicy{})
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/storage/db/sql/resource.go b/internal/storage/db/sql/resource.go
new file mode 100644
index 00000000..3348885f
--- /dev/null
+++ b/internal/storage/db/sql/resource.go
@@ -0,0 +1,90 @@
+package sql
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm/clause"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&resource)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	result := p.db.Save(&resource)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	var count int64
+	p.db.Model(&schemas.Permission{}).Where("resource_id = ?", id).Count(&count)
+	if count > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
+	}
+	result := p.db.Where("id = ?", id).Delete(&schemas.Resource{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	result := p.db.Where("id = ?", id).First(&resource)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	result := p.db.Where("name = ?", name).First(&resource)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	var resources []*schemas.Resource
+	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&resources)
+	if result.Error != nil {
+		return nil, nil, result.Error
+	}
+	var total int64
+	totalRes := p.db.Model(&schemas.Resource{}).Count(&total)
+	if totalRes.Error != nil {
+		return nil, nil, totalRes.Error
+	}
+	paginationClone := pagination
+	paginationClone.Total = total
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/sql/scope.go b/internal/storage/db/sql/scope.go
new file mode 100644
index 00000000..8425b389
--- /dev/null
+++ b/internal/storage/db/sql/scope.go
@@ -0,0 +1,90 @@
+package sql
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm/clause"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&scope)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	result := p.db.Save(&scope)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	var count int64
+	p.db.Model(&schemas.PermissionScope{}).Where("scope_id = ?", id).Count(&count)
+	if count > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
+	}
+	result := p.db.Where("id = ?", id).Delete(&schemas.Scope{})
+	if result.Error != nil {
+		return result.Error
+	}
+	return nil
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	result := p.db.Where("id = ?", id).First(&scope)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	result := p.db.Where("name = ?", name).First(&scope)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	var scopes []*schemas.Scope
+	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&scopes)
+	if result.Error != nil {
+		return nil, nil, result.Error
+	}
+	var total int64
+	totalRes := p.db.Model(&schemas.Scope{}).Count(&total)
+	if totalRes.Error != nil {
+		return nil, nil, totalRes.Error
+	}
+	paginationClone := pagination
+	paginationClone.Total = total
+	return scopes, paginationClone, nil
+}

From 6227741f2f06cac24d42f3e0a2ef02b33effbbb3 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 20:15:33 +0530
Subject: [PATCH 04/26] feat(authz): implement MongoDB storage provider for
 authorization

Add CRUD methods for all 7 authorization collections using MongoDB driver.
Implement GetPermissionsForResourceScope using sequential lookups.
Create indexes for efficient name and foreign key lookups.
---
 internal/storage/db/mongodb/permission.go | 325 ++++++++++++++++++++++
 internal/storage/db/mongodb/policy.go     | 153 ++++++++++
 internal/storage/db/mongodb/resource.go   | 112 ++++++++
 internal/storage/db/mongodb/scope.go      | 112 ++++++++
 4 files changed, 702 insertions(+)
 create mode 100644 internal/storage/db/mongodb/permission.go
 create mode 100644 internal/storage/db/mongodb/policy.go
 create mode 100644 internal/storage/db/mongodb/resource.go
 create mode 100644 internal/storage/db/mongodb/scope.go

diff --git a/internal/storage/db/mongodb/permission.go b/internal/storage/db/mongodb/permission.go
new file mode 100644
index 00000000..b28870a3
--- /dev/null
+++ b/internal/storage/db/mongodb/permission.go
@@ -0,0 +1,325 @@
+package mongodb
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	_, err := collection.InsertOne(ctx, permission)
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": permission.ID}}, bson.M{"$set": permission}, options.MergeUpdateOptions())
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes associated permission_scopes and permission_policies.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	_, err := permissionScopeCollection.DeleteMany(ctx, bson.M{"permission_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	_, err = permissionPolicyCollection.DeleteMany(ctx, bson.M{"permission_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission schemas.Permission
+	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&permission)
+	if err != nil {
+		return nil, err
+	}
+	return &permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	permissions := []*schemas.Permission{}
+	opts := options.Find()
+	opts.SetLimit(pagination.Limit)
+	opts.SetSkip(pagination.Offset)
+	opts.SetSort(bson.M{"created_at": -1})
+	paginationClone := pagination
+	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = count
+	cursor, err := collection.Find(ctx, bson.M{}, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var permission *schemas.Permission
+		err := cursor.Decode(&permission)
+		if err != nil {
+			return nil, nil, err
+		}
+		permissions = append(permissions, permission)
+	}
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	_, err := collection.InsertOne(ctx, ps)
+	if err != nil {
+		return nil, err
+	}
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	_, err := collection.DeleteMany(ctx, bson.M{"permission_id": permissionID}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	scopes := []*schemas.PermissionScope{}
+	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	cursor, err := collection.Find(ctx, bson.M{"permission_id": permissionID})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var ps *schemas.PermissionScope
+		err := cursor.Decode(&ps)
+		if err != nil {
+			return nil, err
+		}
+		scopes = append(scopes, ps)
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	_, err := collection.InsertOne(ctx, pp)
+	if err != nil {
+		return nil, err
+	}
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	_, err := collection.DeleteMany(ctx, bson.M{"permission_id": permissionID}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	policies := []*schemas.PermissionPolicy{}
+	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	cursor, err := collection.Find(ctx, bson.M{"permission_id": permissionID})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var pp *schemas.PermissionPolicy
+		err := cursor.Decode(&pp)
+		if err != nil {
+			return nil, err
+		}
+		policies = append(policies, pp)
+	}
+	return policies, nil
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that match a given resource name and scope name. This is the hot-path query used by
+// the evaluation engine. Uses sequential queries for clarity.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	// 1. Find resource by name
+	var resource schemas.Resource
+	resourceCollection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	err := resourceCollection.FindOne(ctx, bson.M{"name": resourceName}).Decode(&resource)
+	if err != nil {
+		return nil, err
+	}
+
+	// 2. Find scope by name
+	var scope schemas.Scope
+	scopeCollection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	err = scopeCollection.FindOne(ctx, bson.M{"name": scopeName}).Decode(&scope)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. Find permissions for this resource
+	permissionCollection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	permCursor, err := permissionCollection.Find(ctx, bson.M{"resource_id": resource.ID})
+	if err != nil {
+		return nil, err
+	}
+	defer permCursor.Close(ctx)
+
+	var permissions []schemas.Permission
+	for permCursor.Next(ctx) {
+		var perm schemas.Permission
+		if err := permCursor.Decode(&perm); err != nil {
+			return nil, err
+		}
+		permissions = append(permissions, perm)
+	}
+
+	if len(permissions) == 0 {
+		return nil, nil
+	}
+
+	// 4. For each permission, check if it has the requested scope
+	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	policyCollection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	policyTargetCollection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
+
+	var result []*schemas.PermissionWithPolicies
+
+	for _, perm := range permissions {
+		// Check if this permission has the requested scope
+		scopeCount, err := permissionScopeCollection.CountDocuments(ctx, bson.M{
+			"permission_id": perm.ID,
+			"scope_id":      scope.ID,
+		}, options.Count())
+		if err != nil {
+			return nil, err
+		}
+		if scopeCount == 0 {
+			continue
+		}
+
+		// 5. Find permission_policies for this permission
+		ppCursor, err := permissionPolicyCollection.Find(ctx, bson.M{"permission_id": perm.ID})
+		if err != nil {
+			return nil, err
+		}
+
+		var permPolicies []schemas.PermissionPolicy
+		for ppCursor.Next(ctx) {
+			var pp schemas.PermissionPolicy
+			if err := ppCursor.Decode(&pp); err != nil {
+				ppCursor.Close(ctx)
+				return nil, err
+			}
+			permPolicies = append(permPolicies, pp)
+		}
+		ppCursor.Close(ctx)
+
+		if len(permPolicies) == 0 {
+			continue
+		}
+
+		// 6. For each permission_policy, resolve the policy and its targets
+		var policiesWithTargets []schemas.PolicyWithTargets
+		for _, pp := range permPolicies {
+			var policy schemas.Policy
+			err := policyCollection.FindOne(ctx, bson.M{"_id": pp.PolicyID}).Decode(&policy)
+			if err != nil {
+				return nil, err
+			}
+
+			// Get targets for this policy
+			targetCursor, err := policyTargetCollection.Find(ctx, bson.M{"policy_id": policy.ID})
+			if err != nil {
+				return nil, err
+			}
+
+			var targets []schemas.PolicyTargetView
+			for targetCursor.Next(ctx) {
+				var target schemas.PolicyTarget
+				if err := targetCursor.Decode(&target); err != nil {
+					targetCursor.Close(ctx)
+					return nil, err
+				}
+				targets = append(targets, schemas.PolicyTargetView{
+					TargetType:  target.TargetType,
+					TargetValue: target.TargetValue,
+				})
+			}
+			targetCursor.Close(ctx)
+
+			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
+				PolicyID:         policy.ID,
+				PolicyName:       policy.Name,
+				Type:             policy.Type,
+				Logic:            policy.Logic,
+				DecisionStrategy: policy.DecisionStrategy,
+				Targets:          targets,
+			})
+		}
+
+		result = append(result, &schemas.PermissionWithPolicies{
+			PermissionID:     perm.ID,
+			PermissionName:   perm.Name,
+			DecisionStrategy: perm.DecisionStrategy,
+			Policies:         policiesWithTargets,
+		})
+	}
+
+	return result, nil
+}
diff --git a/internal/storage/db/mongodb/policy.go b/internal/storage/db/mongodb/policy.go
new file mode 100644
index 00000000..129aa74e
--- /dev/null
+++ b/internal/storage/db/mongodb/policy.go
@@ -0,0 +1,153 @@
+package mongodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	_, err := collection.InsertOne(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": policy.ID}}, bson.M{"$set": policy}, options.MergeUpdateOptions())
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Cascade-deletes associated policy targets.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
+	count, err := permissionPolicyCollection.CountDocuments(ctx, bson.M{"policy_id": id}, options.Count())
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
+	}
+	// Cascade-delete policy targets
+	policyTargetCollection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
+	_, err = policyTargetCollection.DeleteMany(ctx, bson.M{"policy_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy schemas.Policy
+	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&policy)
+	if err != nil {
+		return nil, err
+	}
+	return &policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	policies := []*schemas.Policy{}
+	opts := options.Find()
+	opts.SetLimit(pagination.Limit)
+	opts.SetSkip(pagination.Offset)
+	opts.SetSort(bson.M{"created_at": -1})
+	paginationClone := pagination
+	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
+	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = count
+	cursor, err := collection.Find(ctx, bson.M{}, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var policy *schemas.Policy
+		err := cursor.Decode(&policy)
+		if err != nil {
+			return nil, nil, err
+		}
+		policies = append(policies, policy)
+	}
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
+	_, err := collection.InsertOne(ctx, target)
+	if err != nil {
+		return nil, err
+	}
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
+	_, err := collection.DeleteMany(ctx, bson.M{"policy_id": policyID}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	targets := []*schemas.PolicyTarget{}
+	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
+	cursor, err := collection.Find(ctx, bson.M{"policy_id": policyID})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var target *schemas.PolicyTarget
+		err := cursor.Decode(&target)
+		if err != nil {
+			return nil, err
+		}
+		targets = append(targets, target)
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/mongodb/resource.go b/internal/storage/db/mongodb/resource.go
new file mode 100644
index 00000000..f77cd73d
--- /dev/null
+++ b/internal/storage/db/mongodb/resource.go
@@ -0,0 +1,112 @@
+package mongodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	_, err := collection.InsertOne(ctx, resource)
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": resource.ID}}, bson.M{"$set": resource}, options.MergeUpdateOptions())
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	permissionCollection := p.db.Collection(schemas.Collections.Permission, options.Collection())
+	count, err := permissionCollection.CountDocuments(ctx, bson.M{"resource_id": id}, options.Count())
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
+	}
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&resource)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"name": name}).Decode(&resource)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	resources := []*schemas.Resource{}
+	opts := options.Find()
+	opts.SetLimit(pagination.Limit)
+	opts.SetSkip(pagination.Offset)
+	opts.SetSort(bson.M{"created_at": -1})
+	paginationClone := pagination
+	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
+	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = count
+	cursor, err := collection.Find(ctx, bson.M{}, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var resource *schemas.Resource
+		err := cursor.Decode(&resource)
+		if err != nil {
+			return nil, nil, err
+		}
+		resources = append(resources, resource)
+	}
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/mongodb/scope.go b/internal/storage/db/mongodb/scope.go
new file mode 100644
index 00000000..4d942217
--- /dev/null
+++ b/internal/storage/db/mongodb/scope.go
@@ -0,0 +1,112 @@
+package mongodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	_, err := collection.InsertOne(ctx, scope)
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": scope.ID}}, bson.M{"$set": scope}, options.MergeUpdateOptions())
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
+	count, err := permissionScopeCollection.CountDocuments(ctx, bson.M{"scope_id": id}, options.Count())
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
+	}
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&scope)
+	if err != nil {
+		return nil, err
+	}
+	return &scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	err := collection.FindOne(ctx, bson.M{"name": name}).Decode(&scope)
+	if err != nil {
+		return nil, err
+	}
+	return &scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	scopes := []*schemas.Scope{}
+	opts := options.Find()
+	opts.SetLimit(pagination.Limit)
+	opts.SetSkip(pagination.Offset)
+	opts.SetSort(bson.M{"created_at": -1})
+	paginationClone := pagination
+	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
+	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = count
+	cursor, err := collection.Find(ctx, bson.M{}, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close(ctx)
+	for cursor.Next(ctx) {
+		var scope *schemas.Scope
+		err := cursor.Decode(&scope)
+		if err != nil {
+			return nil, nil, err
+		}
+		scopes = append(scopes, scope)
+	}
+	return scopes, paginationClone, nil
+}

From 0104b1cbb20d13527b65b696d6644228d06cd92e Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 20:15:39 +0530
Subject: [PATCH 05/26] feat(authz): implement ArangoDB, Cassandra, Couchbase,
 DynamoDB providers

Add authorization CRUD methods for all remaining NoSQL providers.
Each provider follows its existing patterns for collection access,
querying, and pagination. All 6 providers now implement the full
28-method authorization storage interface.
---
 internal/storage/db/arangodb/permission.go    | 367 +++++++++++++++
 internal/storage/db/arangodb/policy.go        | 194 ++++++++
 internal/storage/db/arangodb/resource.go      | 157 +++++++
 internal/storage/db/arangodb/scope.go         | 157 +++++++
 internal/storage/db/cassandradb/permission.go | 423 +++++++++++++++++
 internal/storage/db/cassandradb/policy.go     | 221 +++++++++
 internal/storage/db/cassandradb/provider.go   | 104 +++++
 internal/storage/db/cassandradb/resource.go   | 144 ++++++
 internal/storage/db/cassandradb/scope.go      | 144 ++++++
 internal/storage/db/couchbase/permission.go   | 429 ++++++++++++++++++
 internal/storage/db/couchbase/policy.go       | 223 +++++++++
 internal/storage/db/couchbase/provider.go     |  32 ++
 internal/storage/db/couchbase/resource.go     | 172 +++++++
 internal/storage/db/couchbase/scope.go        | 172 +++++++
 internal/storage/db/dynamodb/permission.go    | 318 +++++++++++++
 internal/storage/db/dynamodb/policy.go        | 156 +++++++
 internal/storage/db/dynamodb/resource.go      | 117 +++++
 internal/storage/db/dynamodb/scope.go         | 116 +++++
 internal/storage/db/dynamodb/tables.go        |  68 +++
 19 files changed, 3714 insertions(+)
 create mode 100644 internal/storage/db/arangodb/permission.go
 create mode 100644 internal/storage/db/arangodb/policy.go
 create mode 100644 internal/storage/db/arangodb/resource.go
 create mode 100644 internal/storage/db/arangodb/scope.go
 create mode 100644 internal/storage/db/cassandradb/permission.go
 create mode 100644 internal/storage/db/cassandradb/policy.go
 create mode 100644 internal/storage/db/cassandradb/resource.go
 create mode 100644 internal/storage/db/cassandradb/scope.go
 create mode 100644 internal/storage/db/couchbase/permission.go
 create mode 100644 internal/storage/db/couchbase/policy.go
 create mode 100644 internal/storage/db/couchbase/resource.go
 create mode 100644 internal/storage/db/couchbase/scope.go
 create mode 100644 internal/storage/db/dynamodb/permission.go
 create mode 100644 internal/storage/db/dynamodb/policy.go
 create mode 100644 internal/storage/db/dynamodb/resource.go
 create mode 100644 internal/storage/db/dynamodb/scope.go

diff --git a/internal/storage/db/arangodb/permission.go b/internal/storage/db/arangodb/permission.go
new file mode 100644
index 00000000..5a56e7b1
--- /dev/null
+++ b/internal/storage/db/arangodb/permission.go
@@ -0,0 +1,367 @@
+package arangodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	arangoDriver "github.com/arangodb/go-driver"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
+	meta, err := collection.CreateDocument(ctx, permission)
+	if err != nil {
+		return nil, err
+	}
+	permission.Key = meta.Key
+	permission.ID = meta.ID.String()
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
+	meta, err := collection.UpdateDocument(ctx, permission.Key, permission)
+	if err != nil {
+		return nil, err
+	}
+	permission.Key = meta.Key
+	permission.ID = meta.ID.String()
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes associated permission_scopes and permission_policies.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	// Cascade-delete permission_scopes
+	deleteScopesQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionScope, schemas.Collections.PermissionScope)
+	scopeCursor, err := p.db.Query(ctx, deleteScopesQuery, map[string]interface{}{
+		"permission_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer scopeCursor.Close()
+
+	// Cascade-delete permission_policies
+	deletePoliciesQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionPolicy, schemas.Collections.PermissionPolicy)
+	policyCursor, err := p.db.Query(ctx, deletePoliciesQuery, map[string]interface{}{
+		"permission_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer policyCursor.Close()
+
+	// Find the document key for this permission
+	permission, err := p.GetPermissionByID(ctx, id)
+	if err != nil {
+		return err
+	}
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
+	_, err = collection.RemoveDocument(ctx, permission.Key)
+	return err
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission *schemas.Permission
+	query := fmt.Sprintf("FOR d IN %s FILTER d._id == @id RETURN d", schemas.Collections.Permission)
+	bindVars := map[string]interface{}{
+		"id": id,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if permission == nil {
+				return nil, fmt.Errorf("permission not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &permission)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	permissions := []*schemas.Permission{}
+	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Permission, pagination.Offset, pagination.Limit)
+	sctx := arangoDriver.WithQueryFullCount(ctx)
+	cursor, err := p.db.Query(sctx, query, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close()
+	paginationClone := pagination
+	paginationClone.Total = cursor.Statistics().FullCount()
+	for {
+		var permission *schemas.Permission
+		meta, err := cursor.ReadDocument(ctx, &permission)
+		if arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, nil, err
+		}
+		if meta.Key != "" {
+			permissions = append(permissions, permission)
+		}
+	}
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.PermissionScope)
+	meta, err := collection.CreateDocument(ctx, ps)
+	if err != nil {
+		return nil, err
+	}
+	ps.Key = meta.Key
+	ps.ID = meta.ID.String()
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionScope, schemas.Collections.PermissionScope)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"permission_id": permissionID,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	scopes := []*schemas.PermissionScope{}
+	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionScope)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"permission_id": permissionID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		var ps *schemas.PermissionScope
+		if _, err := cursor.ReadDocument(ctx, &ps); arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		scopes = append(scopes, ps)
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.PermissionPolicy)
+	meta, err := collection.CreateDocument(ctx, pp)
+	if err != nil {
+		return nil, err
+	}
+	pp.Key = meta.Key
+	pp.ID = meta.ID.String()
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionPolicy, schemas.Collections.PermissionPolicy)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"permission_id": permissionID,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	policies := []*schemas.PermissionPolicy{}
+	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionPolicy)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"permission_id": permissionID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		var pp *schemas.PermissionPolicy
+		if _, err := cursor.ReadDocument(ctx, &pp); arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		policies = append(policies, pp)
+	}
+	return policies, nil
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that match a given resource name and scope name. This is the hot-path query used by
+// the evaluation engine. Uses sequential lookups across collections.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	// Step 1: Find the resource by name
+	resource, err := p.GetResourceByName(ctx, resourceName)
+	if err != nil {
+		return nil, nil // Resource not found means no permissions
+	}
+
+	// Step 2: Find the scope by name
+	scope, err := p.GetScopeByName(ctx, scopeName)
+	if err != nil {
+		return nil, nil // Scope not found means no permissions
+	}
+
+	// Step 3: Find permissions for this resource
+	permQuery := fmt.Sprintf("FOR d IN %s FILTER d.resource_id == @resource_id RETURN d", schemas.Collections.Permission)
+	permCursor, err := p.db.Query(ctx, permQuery, map[string]interface{}{
+		"resource_id": resource.ID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer permCursor.Close()
+
+	var permissions []*schemas.Permission
+	for {
+		var perm *schemas.Permission
+		if _, err := permCursor.ReadDocument(ctx, &perm); arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		permissions = append(permissions, perm)
+	}
+
+	if len(permissions) == 0 {
+		return nil, nil
+	}
+
+	// Step 4: Filter permissions that have this scope linked
+	var matchedPermissions []*schemas.Permission
+	for _, perm := range permissions {
+		psQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id AND d.scope_id == @scope_id RETURN d", schemas.Collections.PermissionScope)
+		psCursor, err := p.db.Query(ctx, psQuery, map[string]interface{}{
+			"permission_id": perm.ID,
+			"scope_id":      scope.ID,
+		})
+		if err != nil {
+			return nil, err
+		}
+		var ps *schemas.PermissionScope
+		if _, err := psCursor.ReadDocument(ctx, &ps); err == nil && ps != nil {
+			matchedPermissions = append(matchedPermissions, perm)
+		}
+		psCursor.Close()
+	}
+
+	if len(matchedPermissions) == 0 {
+		return nil, nil
+	}
+
+	// Step 5: For each matched permission, resolve policies and targets
+	var result []*schemas.PermissionWithPolicies
+	for _, perm := range matchedPermissions {
+		pwp := &schemas.PermissionWithPolicies{
+			PermissionID:     perm.ID,
+			PermissionName:   perm.Name,
+			DecisionStrategy: perm.DecisionStrategy,
+		}
+
+		// Get permission_policies for this permission
+		ppQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionPolicy)
+		ppCursor, err := p.db.Query(ctx, ppQuery, map[string]interface{}{
+			"permission_id": perm.ID,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		var permPolicies []*schemas.PermissionPolicy
+		for {
+			var pp *schemas.PermissionPolicy
+			if _, err := ppCursor.ReadDocument(ctx, &pp); arangoDriver.IsNoMoreDocuments(err) {
+				break
+			} else if err != nil {
+				ppCursor.Close()
+				return nil, err
+			}
+			permPolicies = append(permPolicies, pp)
+		}
+		ppCursor.Close()
+
+		// For each linked policy, resolve the policy and its targets
+		for _, pp := range permPolicies {
+			policy, err := p.GetPolicyByID(ctx, pp.PolicyID)
+			if err != nil {
+				continue // Skip policies that can't be found
+			}
+
+			pwt := schemas.PolicyWithTargets{
+				PolicyID:         policy.ID,
+				PolicyName:       policy.Name,
+				Type:             policy.Type,
+				Logic:            policy.Logic,
+				DecisionStrategy: policy.DecisionStrategy,
+			}
+
+			// Get targets for this policy
+			targets, err := p.GetPolicyTargets(ctx, policy.ID)
+			if err != nil {
+				return nil, err
+			}
+			for _, t := range targets {
+				pwt.Targets = append(pwt.Targets, schemas.PolicyTargetView{
+					TargetType:  t.TargetType,
+					TargetValue: t.TargetValue,
+				})
+			}
+
+			pwp.Policies = append(pwp.Policies, pwt)
+		}
+
+		result = append(result, pwp)
+	}
+
+	return result, nil
+}
diff --git a/internal/storage/db/arangodb/policy.go b/internal/storage/db/arangodb/policy.go
new file mode 100644
index 00000000..eb976f5b
--- /dev/null
+++ b/internal/storage/db/arangodb/policy.go
@@ -0,0 +1,194 @@
+package arangodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	arangoDriver "github.com/arangodb/go-driver"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
+	meta, err := collection.CreateDocument(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	policy.Key = meta.Key
+	policy.ID = meta.ID.String()
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
+	meta, err := collection.UpdateDocument(ctx, policy.Key, policy)
+	if err != nil {
+		return nil, err
+	}
+	policy.Key = meta.Key
+	policy.ID = meta.ID.String()
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Cascade-deletes associated policy targets.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	// Check for referencing permission_policies
+	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.PermissionPolicy)
+	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
+		"policy_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	var count int64
+	if cursor.HasMore() {
+		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
+			return err
+		}
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
+	}
+
+	// Cascade-delete policy targets
+	deleteTargetsQuery := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id REMOVE d IN %s", schemas.Collections.PolicyTarget, schemas.Collections.PolicyTarget)
+	targetCursor, err := p.db.Query(ctx, deleteTargetsQuery, map[string]interface{}{
+		"policy_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer targetCursor.Close()
+
+	// Find the document key for this policy
+	policy, err := p.GetPolicyByID(ctx, id)
+	if err != nil {
+		return err
+	}
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
+	_, err = collection.RemoveDocument(ctx, policy.Key)
+	return err
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy *schemas.Policy
+	query := fmt.Sprintf("FOR d IN %s FILTER d._id == @id RETURN d", schemas.Collections.Policy)
+	bindVars := map[string]interface{}{
+		"id": id,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if policy == nil {
+				return nil, fmt.Errorf("policy not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &policy)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	policies := []*schemas.Policy{}
+	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Policy, pagination.Offset, pagination.Limit)
+	sctx := arangoDriver.WithQueryFullCount(ctx)
+	cursor, err := p.db.Query(sctx, query, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close()
+	paginationClone := pagination
+	paginationClone.Total = cursor.Statistics().FullCount()
+	for {
+		var policy *schemas.Policy
+		meta, err := cursor.ReadDocument(ctx, &policy)
+		if arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, nil, err
+		}
+		if meta.Key != "" {
+			policies = append(policies, policy)
+		}
+	}
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.PolicyTarget)
+	meta, err := collection.CreateDocument(ctx, target)
+	if err != nil {
+		return nil, err
+	}
+	target.Key = meta.Key
+	target.ID = meta.ID.String()
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	query := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id REMOVE d IN %s", schemas.Collections.PolicyTarget, schemas.Collections.PolicyTarget)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"policy_id": policyID,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	targets := []*schemas.PolicyTarget{}
+	query := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id RETURN d", schemas.Collections.PolicyTarget)
+	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
+		"policy_id": policyID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		var target *schemas.PolicyTarget
+		if _, err := cursor.ReadDocument(ctx, &target); arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		targets = append(targets, target)
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/arangodb/resource.go b/internal/storage/db/arangodb/resource.go
new file mode 100644
index 00000000..507ae097
--- /dev/null
+++ b/internal/storage/db/arangodb/resource.go
@@ -0,0 +1,157 @@
+package arangodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	arangoDriver "github.com/arangodb/go-driver"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
+	meta, err := collection.CreateDocument(ctx, resource)
+	if err != nil {
+		return nil, err
+	}
+	resource.Key = meta.Key
+	resource.ID = meta.ID.String()
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
+	meta, err := collection.UpdateDocument(ctx, resource.Key, resource)
+	if err != nil {
+		return nil, err
+	}
+	resource.Key = meta.Key
+	resource.ID = meta.ID.String()
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	// Check for referencing permissions
+	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.resource_id == @resource_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.Permission)
+	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
+		"resource_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	var count int64
+	if cursor.HasMore() {
+		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
+			return err
+		}
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
+	}
+
+	// Find the document key for this resource
+	resource, err := p.GetResourceByID(ctx, id)
+	if err != nil {
+		return err
+	}
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
+	_, err = collection.RemoveDocument(ctx, resource.Key)
+	return err
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource *schemas.Resource
+	query := fmt.Sprintf("FOR d IN %s FILTER d._id == @id RETURN d", schemas.Collections.Resource)
+	bindVars := map[string]interface{}{
+		"id": id,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if resource == nil {
+				return nil, fmt.Errorf("resource not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &resource)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	var resource *schemas.Resource
+	query := fmt.Sprintf("FOR d IN %s FILTER d.name == @name RETURN d", schemas.Collections.Resource)
+	bindVars := map[string]interface{}{
+		"name": name,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if resource == nil {
+				return nil, fmt.Errorf("resource not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &resource)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	resources := []*schemas.Resource{}
+	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Resource, pagination.Offset, pagination.Limit)
+	sctx := arangoDriver.WithQueryFullCount(ctx)
+	cursor, err := p.db.Query(sctx, query, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close()
+	paginationClone := pagination
+	paginationClone.Total = cursor.Statistics().FullCount()
+	for {
+		var resource *schemas.Resource
+		meta, err := cursor.ReadDocument(ctx, &resource)
+		if arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, nil, err
+		}
+		if meta.Key != "" {
+			resources = append(resources, resource)
+		}
+	}
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/arangodb/scope.go b/internal/storage/db/arangodb/scope.go
new file mode 100644
index 00000000..8b8fb918
--- /dev/null
+++ b/internal/storage/db/arangodb/scope.go
@@ -0,0 +1,157 @@
+package arangodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	arangoDriver "github.com/arangodb/go-driver"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
+	meta, err := collection.CreateDocument(ctx, scope)
+	if err != nil {
+		return nil, err
+	}
+	scope.Key = meta.Key
+	scope.ID = meta.ID.String()
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
+	meta, err := collection.UpdateDocument(ctx, scope.Key, scope)
+	if err != nil {
+		return nil, err
+	}
+	scope.Key = meta.Key
+	scope.ID = meta.ID.String()
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	// Check for referencing permission_scopes
+	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.scope_id == @scope_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.PermissionScope)
+	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
+		"scope_id": id,
+	})
+	if err != nil {
+		return err
+	}
+	defer cursor.Close()
+	var count int64
+	if cursor.HasMore() {
+		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
+			return err
+		}
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
+	}
+
+	// Find the document key for this scope
+	scope, err := p.GetScopeByID(ctx, id)
+	if err != nil {
+		return err
+	}
+	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
+	_, err = collection.RemoveDocument(ctx, scope.Key)
+	return err
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope *schemas.Scope
+	query := fmt.Sprintf("FOR d IN %s FILTER d._id == @id RETURN d", schemas.Collections.Scope)
+	bindVars := map[string]interface{}{
+		"id": id,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if scope == nil {
+				return nil, fmt.Errorf("scope not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &scope)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	var scope *schemas.Scope
+	query := fmt.Sprintf("FOR d IN %s FILTER d.name == @name RETURN d", schemas.Collections.Scope)
+	bindVars := map[string]interface{}{
+		"name": name,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if scope == nil {
+				return nil, fmt.Errorf("scope not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &scope)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	scopes := []*schemas.Scope{}
+	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Scope, pagination.Offset, pagination.Limit)
+	sctx := arangoDriver.WithQueryFullCount(ctx)
+	cursor, err := p.db.Query(sctx, query, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer cursor.Close()
+	paginationClone := pagination
+	paginationClone.Total = cursor.Statistics().FullCount()
+	for {
+		var scope *schemas.Scope
+		meta, err := cursor.ReadDocument(ctx, &scope)
+		if arangoDriver.IsNoMoreDocuments(err) {
+			break
+		} else if err != nil {
+			return nil, nil, err
+		}
+		if meta.Key != "" {
+			scopes = append(scopes, scope)
+		}
+	}
+	return scopes, paginationClone, nil
+}
diff --git a/internal/storage/db/cassandradb/permission.go b/internal/storage/db/cassandradb/permission.go
new file mode 100644
index 00000000..6421c917
--- /dev/null
+++ b/internal/storage/db/cassandradb/permission.go
@@ -0,0 +1,423 @@
+package cassandradb
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, resource_id, decision_strategy, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.Permission)
+	err := p.db.Query(insertQuery, permission.ID, permission.Name, permission.Description, permission.ResourceID, permission.DecisionStrategy, permission.CreatedAt, permission.UpdatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(permission)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	permissionMap := map[string]interface{}{}
+	err = decoder.Decode(&permissionMap)
+	if err != nil {
+		return nil, err
+	}
+	convertMapValues(permissionMap)
+	updateFields := ""
+	var updateValues []interface{}
+	for key, value := range permissionMap {
+		if key == "_id" || key == "_key" || key == "id" || key == "key" {
+			continue
+		}
+		if value == nil {
+			updateFields += fmt.Sprintf("%s = null,", key)
+			continue
+		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
+	}
+	updateFields = strings.Trim(updateFields, " ")
+	updateFields = strings.TrimSuffix(updateFields, ",")
+	updateValues = append(updateValues, permission.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Permission, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes associated permission_scopes and permission_policies.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	// Cascade-delete permission_scopes
+	getScopesQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
+	scanner := p.db.Query(getScopesQuery, id).Iter().Scanner()
+	var scopeIDs []string
+	for scanner.Next() {
+		var scopeID string
+		err := scanner.Scan(&scopeID)
+		if err != nil {
+			return err
+		}
+		scopeIDs = append(scopeIDs, scopeID)
+	}
+	if len(scopeIDs) > 0 {
+		placeholders := strings.Repeat("?,", len(scopeIDs))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(scopeIDs))
+		for i, sid := range scopeIDs {
+			deleteValues[i] = sid
+		}
+		deleteScopesQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionScope, placeholders)
+		err := p.db.Query(deleteScopesQuery, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	// Cascade-delete permission_policies
+	getPoliciesQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
+	scanner = p.db.Query(getPoliciesQuery, id).Iter().Scanner()
+	var policyIDs []string
+	for scanner.Next() {
+		var policyID string
+		err := scanner.Scan(&policyID)
+		if err != nil {
+			return err
+		}
+		policyIDs = append(policyIDs, policyID)
+	}
+	if len(policyIDs) > 0 {
+		placeholders := strings.Repeat("?,", len(policyIDs))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(policyIDs))
+		for i, pid := range policyIDs {
+			deleteValues[i] = pid
+		}
+		deletePoliciesQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionPolicy, placeholders)
+		err := p.db.Query(deletePoliciesQuery, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	// Delete the permission itself
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Permission)
+	err := p.db.Query(query, id).Exec()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission schemas.Permission
+	query := fmt.Sprintf("SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
+		KeySpace+"."+schemas.Collections.Permission)
+	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
+		&permission.ID, &permission.Name, &permission.Description, &permission.ResourceID, &permission.DecisionStrategy, &permission.CreatedAt, &permission.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	permissions := []*schemas.Permission{}
+	paginationClone := pagination
+	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Permission)
+	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
+	if err != nil {
+		return nil, nil, err
+	}
+	query := fmt.Sprintf("SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s LIMIT %d",
+		KeySpace+"."+schemas.Collections.Permission, pagination.Limit+pagination.Offset)
+	scanner := p.db.Query(query).Iter().Scanner()
+	counter := int64(0)
+	for scanner.Next() {
+		if counter >= pagination.Offset {
+			var permission schemas.Permission
+			err := scanner.Scan(&permission.ID, &permission.Name, &permission.Description, &permission.ResourceID, &permission.DecisionStrategy, &permission.CreatedAt, &permission.UpdatedAt)
+			if err != nil {
+				return nil, nil, err
+			}
+			permissions = append(permissions, &permission)
+		}
+		counter++
+	}
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, permission_id, scope_id, created_at) VALUES (?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.PermissionScope)
+	err := p.db.Query(insertQuery, ps.ID, ps.PermissionID, ps.ScopeID, ps.CreatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	getQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
+	scanner := p.db.Query(getQuery, permissionID).Iter().Scanner()
+	var ids []string
+	for scanner.Next() {
+		var id string
+		err := scanner.Scan(&id)
+		if err != nil {
+			return err
+		}
+		ids = append(ids, id)
+	}
+	if len(ids) > 0 {
+		placeholders := strings.Repeat("?,", len(ids))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(ids))
+		for i, id := range ids {
+			deleteValues[i] = id
+		}
+		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionScope, placeholders)
+		err := p.db.Query(query, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	scopes := []*schemas.PermissionScope{}
+	query := fmt.Sprintf("SELECT id, permission_id, scope_id, created_at FROM %s WHERE permission_id = ? ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.PermissionScope)
+	scanner := p.db.Query(query, permissionID).Iter().Scanner()
+	for scanner.Next() {
+		var ps schemas.PermissionScope
+		err := scanner.Scan(&ps.ID, &ps.PermissionID, &ps.ScopeID, &ps.CreatedAt)
+		if err != nil {
+			return nil, err
+		}
+		scopes = append(scopes, &ps)
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, permission_id, policy_id, created_at) VALUES (?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.PermissionPolicy)
+	err := p.db.Query(insertQuery, pp.ID, pp.PermissionID, pp.PolicyID, pp.CreatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	getQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
+	scanner := p.db.Query(getQuery, permissionID).Iter().Scanner()
+	var ids []string
+	for scanner.Next() {
+		var id string
+		err := scanner.Scan(&id)
+		if err != nil {
+			return err
+		}
+		ids = append(ids, id)
+	}
+	if len(ids) > 0 {
+		placeholders := strings.Repeat("?,", len(ids))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(ids))
+		for i, id := range ids {
+			deleteValues[i] = id
+		}
+		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionPolicy, placeholders)
+		err := p.db.Query(query, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	policies := []*schemas.PermissionPolicy{}
+	query := fmt.Sprintf("SELECT id, permission_id, policy_id, created_at FROM %s WHERE permission_id = ? ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.PermissionPolicy)
+	scanner := p.db.Query(query, permissionID).Iter().Scanner()
+	for scanner.Next() {
+		var pp schemas.PermissionPolicy
+		err := scanner.Scan(&pp.ID, &pp.PermissionID, &pp.PolicyID, &pp.CreatedAt)
+		if err != nil {
+			return nil, err
+		}
+		policies = append(policies, &pp)
+	}
+	return policies, nil
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that match a given resource name and scope name. This is the hot-path query used by
+// the evaluation engine. Uses sequential queries since Cassandra does not support JOINs.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	// 1. Find resource by name
+	var resourceID string
+	resourceQuery := fmt.Sprintf("SELECT id FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.Resource)
+	err := p.db.Query(resourceQuery, resourceName).Consistency(gocql.One).Scan(&resourceID)
+	if err != nil {
+		return nil, err
+	}
+
+	// 2. Find scope by name
+	var scopeID string
+	scopeQuery := fmt.Sprintf("SELECT id FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.Scope)
+	err = p.db.Query(scopeQuery, scopeName).Consistency(gocql.One).Scan(&scopeID)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. Find permissions for this resource
+	permQuery := fmt.Sprintf("SELECT id, name, decision_strategy FROM %s WHERE resource_id = ? ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.Permission)
+	permScanner := p.db.Query(permQuery, resourceID).Iter().Scanner()
+
+	type permInfo struct {
+		ID               string
+		Name             string
+		DecisionStrategy string
+	}
+	var permissions []permInfo
+	for permScanner.Next() {
+		var pi permInfo
+		err := permScanner.Scan(&pi.ID, &pi.Name, &pi.DecisionStrategy)
+		if err != nil {
+			return nil, err
+		}
+		permissions = append(permissions, pi)
+	}
+
+	if len(permissions) == 0 {
+		return nil, nil
+	}
+
+	// 4. For each permission, check if it has the requested scope
+	var result []*schemas.PermissionWithPolicies
+
+	for _, perm := range permissions {
+		var scopeCount int64
+		scopeCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE permission_id = ? AND scope_id = ? ALLOW FILTERING",
+			KeySpace+"."+schemas.Collections.PermissionScope)
+		err := p.db.Query(scopeCountQuery, perm.ID, scopeID).Consistency(gocql.One).Scan(&scopeCount)
+		if err != nil {
+			return nil, err
+		}
+		if scopeCount == 0 {
+			continue
+		}
+
+		// 5. Find permission_policies for this permission
+		ppQuery := fmt.Sprintf("SELECT policy_id FROM %s WHERE permission_id = ? ALLOW FILTERING",
+			KeySpace+"."+schemas.Collections.PermissionPolicy)
+		ppScanner := p.db.Query(ppQuery, perm.ID).Iter().Scanner()
+		var policyIDs []string
+		for ppScanner.Next() {
+			var policyID string
+			err := ppScanner.Scan(&policyID)
+			if err != nil {
+				return nil, err
+			}
+			policyIDs = append(policyIDs, policyID)
+		}
+
+		if len(policyIDs) == 0 {
+			continue
+		}
+
+		// 6. For each policy, resolve the policy and its targets
+		var policiesWithTargets []schemas.PolicyWithTargets
+		for _, policyID := range policyIDs {
+			var policy schemas.Policy
+			policyQuery := fmt.Sprintf("SELECT id, name, type, logic, decision_strategy FROM %s WHERE id = ? LIMIT 1",
+				KeySpace+"."+schemas.Collections.Policy)
+			err := p.db.Query(policyQuery, policyID).Consistency(gocql.One).Scan(
+				&policy.ID, &policy.Name, &policy.Type, &policy.Logic, &policy.DecisionStrategy)
+			if err != nil {
+				return nil, err
+			}
+
+			// Get targets for this policy
+			targetQuery := fmt.Sprintf("SELECT target_type, target_value FROM %s WHERE policy_id = ? ALLOW FILTERING",
+				KeySpace+"."+schemas.Collections.PolicyTarget)
+			targetScanner := p.db.Query(targetQuery, policyID).Iter().Scanner()
+			var targets []schemas.PolicyTargetView
+			for targetScanner.Next() {
+				var tv schemas.PolicyTargetView
+				err := targetScanner.Scan(&tv.TargetType, &tv.TargetValue)
+				if err != nil {
+					return nil, err
+				}
+				targets = append(targets, tv)
+			}
+
+			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
+				PolicyID:         policy.ID,
+				PolicyName:       policy.Name,
+				Type:             policy.Type,
+				Logic:            policy.Logic,
+				DecisionStrategy: policy.DecisionStrategy,
+				Targets:          targets,
+			})
+		}
+
+		result = append(result, &schemas.PermissionWithPolicies{
+			PermissionID:     perm.ID,
+			PermissionName:   perm.Name,
+			DecisionStrategy: perm.DecisionStrategy,
+			Policies:         policiesWithTargets,
+		})
+	}
+
+	return result, nil
+}
diff --git a/internal/storage/db/cassandradb/policy.go b/internal/storage/db/cassandradb/policy.go
new file mode 100644
index 00000000..20754505
--- /dev/null
+++ b/internal/storage/db/cassandradb/policy.go
@@ -0,0 +1,221 @@
+package cassandradb
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, type, logic, decision_strategy, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.Policy)
+	err := p.db.Query(insertQuery, policy.ID, policy.Name, policy.Description, policy.Type, policy.Logic, policy.DecisionStrategy, policy.CreatedAt, policy.UpdatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(policy)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	policyMap := map[string]interface{}{}
+	err = decoder.Decode(&policyMap)
+	if err != nil {
+		return nil, err
+	}
+	convertMapValues(policyMap)
+	updateFields := ""
+	var updateValues []interface{}
+	for key, value := range policyMap {
+		if key == "_id" || key == "_key" || key == "id" || key == "key" {
+			continue
+		}
+		if value == nil {
+			updateFields += fmt.Sprintf("%s = null,", key)
+			continue
+		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
+	}
+	updateFields = strings.Trim(updateFields, " ")
+	updateFields = strings.TrimSuffix(updateFields, ",")
+	updateValues = append(updateValues, policy.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Policy, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Cascade-deletes associated policy targets.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	// Check for referencing permission_policies
+	var count int64
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
+	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
+	}
+	// Cascade-delete policy targets
+	getTargetsQuery := fmt.Sprintf("SELECT id FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PolicyTarget)
+	scanner := p.db.Query(getTargetsQuery, id).Iter().Scanner()
+	var targetIDs []string
+	for scanner.Next() {
+		var targetID string
+		err = scanner.Scan(&targetID)
+		if err != nil {
+			return err
+		}
+		targetIDs = append(targetIDs, targetID)
+	}
+	if len(targetIDs) > 0 {
+		placeholders := strings.Repeat("?,", len(targetIDs))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(targetIDs))
+		for i, tid := range targetIDs {
+			deleteValues[i] = tid
+		}
+		deleteTargetsQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PolicyTarget, placeholders)
+		err = p.db.Query(deleteTargetsQuery, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	// Delete the policy itself
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Policy)
+	err = p.db.Query(query, id).Exec()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy schemas.Policy
+	query := fmt.Sprintf("SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
+		KeySpace+"."+schemas.Collections.Policy)
+	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
+		&policy.ID, &policy.Name, &policy.Description, &policy.Type, &policy.Logic, &policy.DecisionStrategy, &policy.CreatedAt, &policy.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	policies := []*schemas.Policy{}
+	paginationClone := pagination
+	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Policy)
+	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
+	if err != nil {
+		return nil, nil, err
+	}
+	query := fmt.Sprintf("SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s LIMIT %d",
+		KeySpace+"."+schemas.Collections.Policy, pagination.Limit+pagination.Offset)
+	scanner := p.db.Query(query).Iter().Scanner()
+	counter := int64(0)
+	for scanner.Next() {
+		if counter >= pagination.Offset {
+			var policy schemas.Policy
+			err := scanner.Scan(&policy.ID, &policy.Name, &policy.Description, &policy.Type, &policy.Logic, &policy.DecisionStrategy, &policy.CreatedAt, &policy.UpdatedAt)
+			if err != nil {
+				return nil, nil, err
+			}
+			policies = append(policies, &policy)
+		}
+		counter++
+	}
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, policy_id, target_type, target_value, created_at) VALUES (?, ?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.PolicyTarget)
+	err := p.db.Query(insertQuery, target.ID, target.PolicyID, target.TargetType, target.TargetValue, target.CreatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	getTargetsQuery := fmt.Sprintf("SELECT id FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PolicyTarget)
+	scanner := p.db.Query(getTargetsQuery, policyID).Iter().Scanner()
+	var targetIDs []string
+	for scanner.Next() {
+		var targetID string
+		err := scanner.Scan(&targetID)
+		if err != nil {
+			return err
+		}
+		targetIDs = append(targetIDs, targetID)
+	}
+	if len(targetIDs) > 0 {
+		placeholders := strings.Repeat("?,", len(targetIDs))
+		placeholders = strings.TrimSuffix(placeholders, ",")
+		deleteValues := make([]interface{}, len(targetIDs))
+		for i, tid := range targetIDs {
+			deleteValues[i] = tid
+		}
+		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PolicyTarget, placeholders)
+		err := p.db.Query(query, deleteValues...).Exec()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	targets := []*schemas.PolicyTarget{}
+	query := fmt.Sprintf("SELECT id, policy_id, target_type, target_value, created_at FROM %s WHERE policy_id = ? ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.PolicyTarget)
+	scanner := p.db.Query(query, policyID).Iter().Scanner()
+	for scanner.Next() {
+		var target schemas.PolicyTarget
+		err := scanner.Scan(&target.ID, &target.PolicyID, &target.TargetType, &target.TargetValue, &target.CreatedAt)
+		if err != nil {
+			return nil, err
+		}
+		targets = append(targets, &target)
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/cassandradb/provider.go b/internal/storage/db/cassandradb/provider.go
index ff7aa371..9e621b32 100644
--- a/internal/storage/db/cassandradb/provider.go
+++ b/internal/storage/db/cassandradb/provider.go
@@ -366,6 +366,110 @@ func NewProvider(cfg *config.Config, deps *Dependencies) (*provider, error) {
 		return nil, err
 	}
 
+	// Resource table
+	resourceCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Resource)
+	err = session.Query(resourceCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	resourceNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_resource_name ON %s.%s (name)", KeySpace, schemas.Collections.Resource)
+	err = session.Query(resourceNameIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// Scope table
+	scopeCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Scope)
+	err = session.Query(scopeCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	scopeNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_scope_name ON %s.%s (name)", KeySpace, schemas.Collections.Scope)
+	err = session.Query(scopeNameIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// Policy table
+	policyCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, type text, logic text, decision_strategy text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Policy)
+	err = session.Query(policyCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	policyNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_name ON %s.%s (name)", KeySpace, schemas.Collections.Policy)
+	err = session.Query(policyNameIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+	policyTypeIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_type ON %s.%s (type)", KeySpace, schemas.Collections.Policy)
+	err = session.Query(policyTypeIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// PolicyTarget table
+	policyTargetCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, policy_id text, target_type text, target_value text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PolicyTarget)
+	err = session.Query(policyTargetCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	policyTargetPolicyIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_target_policy_id ON %s.%s (policy_id)", KeySpace, schemas.Collections.PolicyTarget)
+	err = session.Query(policyTargetPolicyIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// Permission table
+	permissionCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, resource_id text, decision_strategy text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Permission)
+	err = session.Query(permissionCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_name ON %s.%s (name)", KeySpace, schemas.Collections.Permission)
+	err = session.Query(permissionNameIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionResourceIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_resource_id ON %s.%s (resource_id)", KeySpace, schemas.Collections.Permission)
+	err = session.Query(permissionResourceIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// PermissionScope join table
+	permissionScopeCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, permission_id text, scope_id text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PermissionScope)
+	err = session.Query(permissionScopeCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionScopePermIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_scope_permission_id ON %s.%s (permission_id)", KeySpace, schemas.Collections.PermissionScope)
+	err = session.Query(permissionScopePermIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionScopeScopeIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_scope_scope_id ON %s.%s (scope_id)", KeySpace, schemas.Collections.PermissionScope)
+	err = session.Query(permissionScopeScopeIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
+	// PermissionPolicy join table
+	permissionPolicyCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, permission_id text, policy_id text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PermissionPolicy)
+	err = session.Query(permissionPolicyCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionPolicyPermIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_policy_permission_id ON %s.%s (permission_id)", KeySpace, schemas.Collections.PermissionPolicy)
+	err = session.Query(permissionPolicyPermIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+	permissionPolicyPolicyIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_policy_policy_id ON %s.%s (policy_id)", KeySpace, schemas.Collections.PermissionPolicy)
+	err = session.Query(permissionPolicyPolicyIDIndex).Exec()
+	if err != nil {
+		return nil, err
+	}
+
 	return &provider{
 		config:       cfg,
 		dependencies: deps,
diff --git a/internal/storage/db/cassandradb/resource.go b/internal/storage/db/cassandradb/resource.go
new file mode 100644
index 00000000..485436e6
--- /dev/null
+++ b/internal/storage/db/cassandradb/resource.go
@@ -0,0 +1,144 @@
+package cassandradb
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.Resource)
+	err := p.db.Query(insertQuery, resource.ID, resource.Name, resource.Description, resource.CreatedAt, resource.UpdatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(resource)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	resourceMap := map[string]interface{}{}
+	err = decoder.Decode(&resourceMap)
+	if err != nil {
+		return nil, err
+	}
+	convertMapValues(resourceMap)
+	updateFields := ""
+	var updateValues []interface{}
+	for key, value := range resourceMap {
+		if key == "_id" || key == "_key" || key == "id" || key == "key" {
+			continue
+		}
+		if value == nil {
+			updateFields += fmt.Sprintf("%s = null,", key)
+			continue
+		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
+	}
+	updateFields = strings.Trim(updateFields, " ")
+	updateFields = strings.TrimSuffix(updateFields, ",")
+	updateValues = append(updateValues, resource.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Resource, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	var count int64
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE resource_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.Permission)
+	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
+	}
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Resource)
+	err = p.db.Query(query, id).Exec()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
+		KeySpace+"."+schemas.Collections.Resource)
+	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
+		&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.Resource)
+	err := p.db.Query(query, name).Consistency(gocql.One).Scan(
+		&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	resources := []*schemas.Resource{}
+	paginationClone := pagination
+	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Resource)
+	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
+	if err != nil {
+		return nil, nil, err
+	}
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s LIMIT %d",
+		KeySpace+"."+schemas.Collections.Resource, pagination.Limit+pagination.Offset)
+	scanner := p.db.Query(query).Iter().Scanner()
+	counter := int64(0)
+	for scanner.Next() {
+		if counter >= pagination.Offset {
+			var resource schemas.Resource
+			err := scanner.Scan(&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
+			if err != nil {
+				return nil, nil, err
+			}
+			resources = append(resources, &resource)
+		}
+		counter++
+	}
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/cassandradb/scope.go b/internal/storage/db/cassandradb/scope.go
new file mode 100644
index 00000000..de6b0cc2
--- /dev/null
+++ b/internal/storage/db/cassandradb/scope.go
@@ -0,0 +1,144 @@
+package cassandradb
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
+		KeySpace+"."+schemas.Collections.Scope)
+	err := p.db.Query(insertQuery, scope.ID, scope.Name, scope.Description, scope.CreatedAt, scope.UpdatedAt).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(scope)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	scopeMap := map[string]interface{}{}
+	err = decoder.Decode(&scopeMap)
+	if err != nil {
+		return nil, err
+	}
+	convertMapValues(scopeMap)
+	updateFields := ""
+	var updateValues []interface{}
+	for key, value := range scopeMap {
+		if key == "_id" || key == "_key" || key == "id" || key == "key" {
+			continue
+		}
+		if value == nil {
+			updateFields += fmt.Sprintf("%s = null,", key)
+			continue
+		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
+	}
+	updateFields = strings.Trim(updateFields, " ")
+	updateFields = strings.TrimSuffix(updateFields, ",")
+	updateValues = append(updateValues, scope.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Scope, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	var count int64
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE scope_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
+	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
+	}
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Scope)
+	err = p.db.Query(query, id).Exec()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
+		KeySpace+"."+schemas.Collections.Scope)
+	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
+		&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
+		KeySpace+"."+schemas.Collections.Scope)
+	err := p.db.Query(query, name).Consistency(gocql.One).Scan(
+		&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	scopes := []*schemas.Scope{}
+	paginationClone := pagination
+	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Scope)
+	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
+	if err != nil {
+		return nil, nil, err
+	}
+	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s LIMIT %d",
+		KeySpace+"."+schemas.Collections.Scope, pagination.Limit+pagination.Offset)
+	scanner := p.db.Query(query).Iter().Scanner()
+	counter := int64(0)
+	for scanner.Next() {
+		if counter >= pagination.Offset {
+			var scope schemas.Scope
+			err := scanner.Scan(&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
+			if err != nil {
+				return nil, nil, err
+			}
+			scopes = append(scopes, &scope)
+		}
+		counter++
+	}
+	return scopes, paginationClone, nil
+}
diff --git a/internal/storage/db/couchbase/permission.go b/internal/storage/db/couchbase/permission.go
new file mode 100644
index 00000000..ba0fb901
--- /dev/null
+++ b/internal/storage/db/couchbase/permission.go
@@ -0,0 +1,429 @@
+package couchbase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/couchbase/gocb/v2"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.Permission).Insert(permission.ID, permission, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(permission)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	permissionMap := map[string]interface{}{}
+	err = decoder.Decode(&permissionMap)
+	if err != nil {
+		return nil, err
+	}
+	updateFields, params := GetSetFields(permissionMap)
+	params["_id"] = permission.ID
+	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE _id=$_id`, p.scopeName, schemas.Collections.Permission, updateFields)
+	_, err = p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes associated permission_scopes and permission_policies.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	params := make(map[string]interface{}, 1)
+	params["permission_id"] = id
+	// Cascade-delete permission_scopes
+	scopeQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
+	_, err := p.db.Query(scopeQuery, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	// Cascade-delete permission_policies
+	policyQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
+	_, err = p.db.Query(policyQuery, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	removeOpt := gocb.RemoveOptions{
+		Context: ctx,
+	}
+	_, err = p.db.Collection(schemas.Collections.Permission).Remove(id, &removeOpt)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission *schemas.Permission
+	params := make(map[string]interface{}, 1)
+	params["_id"] = id
+	query := fmt.Sprintf(`SELECT _id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s WHERE _id=$_id LIMIT 1`, p.scopeName, schemas.Collections.Permission)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&permission)
+	if err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	permissions := []*schemas.Permission{}
+	paginationClone := pagination
+	params := make(map[string]interface{}, 1)
+	params["offset"] = paginationClone.Offset
+	params["limit"] = paginationClone.Limit
+	total, err := p.GetTotalDocs(ctx, schemas.Collections.Permission)
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = total
+	query := fmt.Sprintf("SELECT _id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Permission)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	for queryResult.Next() {
+		var permission schemas.Permission
+		err := queryResult.Row(&permission)
+		if err != nil {
+			log.Fatal(err)
+		}
+		permissions = append(permissions, &permission)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, nil, err
+	}
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.PermissionScope).Insert(ps.ID, ps, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	params := make(map[string]interface{}, 1)
+	params["permission_id"] = permissionID
+	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
+	_, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	scopes := []*schemas.PermissionScope{}
+	params := make(map[string]interface{}, 1)
+	params["permission_id"] = permissionID
+	query := fmt.Sprintf(`SELECT _id, permission_id, scope_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for queryResult.Next() {
+		var ps schemas.PermissionScope
+		err := queryResult.Row(&ps)
+		if err != nil {
+			log.Fatal(err)
+		}
+		scopes = append(scopes, &ps)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, err
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.PermissionPolicy).Insert(pp.ID, pp, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	params := make(map[string]interface{}, 1)
+	params["permission_id"] = permissionID
+	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
+	_, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	policies := []*schemas.PermissionPolicy{}
+	params := make(map[string]interface{}, 1)
+	params["permission_id"] = permissionID
+	query := fmt.Sprintf(`SELECT _id, permission_id, policy_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for queryResult.Next() {
+		var pp schemas.PermissionPolicy
+		err := queryResult.Row(&pp)
+		if err != nil {
+			log.Fatal(err)
+		}
+		policies = append(policies, &pp)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, err
+	}
+	return policies, nil
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that match a given resource name and scope name. This is the hot-path query used by
+// the evaluation engine. Uses sequential queries for clarity.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	// 1. Find resource by name
+	resource, err := p.GetResourceByName(ctx, resourceName)
+	if err != nil {
+		return nil, err
+	}
+
+	// 2. Find scope by name
+	scope, err := p.GetScopeByName(ctx, scopeName)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. Find permissions for this resource
+	permParams := make(map[string]interface{}, 1)
+	permParams["resource_id"] = resource.ID
+	permQuery := fmt.Sprintf(`SELECT _id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s WHERE resource_id=$resource_id`, p.scopeName, schemas.Collections.Permission)
+	permResult, err := p.db.Query(permQuery, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: permParams,
+	})
+	if err != nil {
+		return nil, err
+	}
+	var permissions []schemas.Permission
+	for permResult.Next() {
+		var perm schemas.Permission
+		if err := permResult.Row(&perm); err != nil {
+			return nil, err
+		}
+		permissions = append(permissions, perm)
+	}
+	if err := permResult.Err(); err != nil {
+		return nil, err
+	}
+
+	if len(permissions) == 0 {
+		return nil, nil
+	}
+
+	// 4. For each permission, check if it has the requested scope
+	var result []*schemas.PermissionWithPolicies
+
+	for _, perm := range permissions {
+		// Check if this permission has the requested scope
+		scopeCheckParams := make(map[string]interface{}, 2)
+		scopeCheckParams["permission_id"] = perm.ID
+		scopeCheckParams["scope_id"] = scope.ID
+		scopeCountQuery := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE permission_id=$permission_id AND scope_id=$scope_id`, p.scopeName, schemas.Collections.PermissionScope)
+		scopeCountResult, err := p.db.Query(scopeCountQuery, &gocb.QueryOptions{
+			Context:         ctx,
+			ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+			NamedParameters: scopeCheckParams,
+		})
+		if err != nil {
+			return nil, err
+		}
+		var countDocs TotalDocs
+		err = scopeCountResult.One(&countDocs)
+		if err != nil {
+			return nil, err
+		}
+		if countDocs.Total == 0 {
+			continue
+		}
+
+		// 5. Find permission_policies for this permission
+		ppParams := make(map[string]interface{}, 1)
+		ppParams["permission_id"] = perm.ID
+		ppQuery := fmt.Sprintf(`SELECT _id, permission_id, policy_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
+		ppResult, err := p.db.Query(ppQuery, &gocb.QueryOptions{
+			Context:         ctx,
+			ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+			NamedParameters: ppParams,
+		})
+		if err != nil {
+			return nil, err
+		}
+		var permPolicies []schemas.PermissionPolicy
+		for ppResult.Next() {
+			var pp schemas.PermissionPolicy
+			if err := ppResult.Row(&pp); err != nil {
+				return nil, err
+			}
+			permPolicies = append(permPolicies, pp)
+		}
+		if err := ppResult.Err(); err != nil {
+			return nil, err
+		}
+
+		if len(permPolicies) == 0 {
+			continue
+		}
+
+		// 6. For each permission_policy, resolve the policy and its targets
+		var policiesWithTargets []schemas.PolicyWithTargets
+		for _, pp := range permPolicies {
+			policy, err := p.GetPolicyByID(ctx, pp.PolicyID)
+			if err != nil {
+				return nil, err
+			}
+
+			// Get targets for this policy
+			targetParams := make(map[string]interface{}, 1)
+			targetParams["policy_id"] = policy.ID
+			targetQuery := fmt.Sprintf(`SELECT _id, policy_id, target_type, target_value, created_at FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
+			targetResult, err := p.db.Query(targetQuery, &gocb.QueryOptions{
+				Context:         ctx,
+				ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+				NamedParameters: targetParams,
+			})
+			if err != nil {
+				return nil, err
+			}
+			var targets []schemas.PolicyTargetView
+			for targetResult.Next() {
+				var target schemas.PolicyTarget
+				if err := targetResult.Row(&target); err != nil {
+					return nil, err
+				}
+				targets = append(targets, schemas.PolicyTargetView{
+					TargetType:  target.TargetType,
+					TargetValue: target.TargetValue,
+				})
+			}
+			if err := targetResult.Err(); err != nil {
+				return nil, err
+			}
+
+			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
+				PolicyID:         policy.ID,
+				PolicyName:       policy.Name,
+				Type:             policy.Type,
+				Logic:            policy.Logic,
+				DecisionStrategy: policy.DecisionStrategy,
+				Targets:          targets,
+			})
+		}
+
+		result = append(result, &schemas.PermissionWithPolicies{
+			PermissionID:     perm.ID,
+			PermissionName:   perm.Name,
+			DecisionStrategy: perm.DecisionStrategy,
+			Policies:         policiesWithTargets,
+		})
+	}
+
+	return result, nil
+}
diff --git a/internal/storage/db/couchbase/policy.go b/internal/storage/db/couchbase/policy.go
new file mode 100644
index 00000000..481fbdd3
--- /dev/null
+++ b/internal/storage/db/couchbase/policy.go
@@ -0,0 +1,223 @@
+package couchbase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/couchbase/gocb/v2"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.Policy).Insert(policy.ID, policy, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(policy)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	policyMap := map[string]interface{}{}
+	err = decoder.Decode(&policyMap)
+	if err != nil {
+		return nil, err
+	}
+	updateFields, params := GetSetFields(policyMap)
+	params["_id"] = policy.ID
+	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE _id=$_id`, p.scopeName, schemas.Collections.Policy, updateFields)
+	_, err = p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Cascade-deletes associated policy targets.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	// Check for permission_policy references
+	params := make(map[string]interface{}, 1)
+	params["policy_id"] = id
+	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PermissionPolicy)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	var totalDocs TotalDocs
+	err = queryResult.One(&totalDocs)
+	if err != nil {
+		return err
+	}
+	if totalDocs.Total > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", totalDocs.Total)
+	}
+	// Cascade-delete policy targets
+	deleteQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
+	_, err = p.db.Query(deleteQuery, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	removeOpt := gocb.RemoveOptions{
+		Context: ctx,
+	}
+	_, err = p.db.Collection(schemas.Collections.Policy).Remove(id, &removeOpt)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy *schemas.Policy
+	params := make(map[string]interface{}, 1)
+	params["_id"] = id
+	query := fmt.Sprintf(`SELECT _id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s.%s WHERE _id=$_id LIMIT 1`, p.scopeName, schemas.Collections.Policy)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&policy)
+	if err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	policies := []*schemas.Policy{}
+	paginationClone := pagination
+	params := make(map[string]interface{}, 1)
+	params["offset"] = paginationClone.Offset
+	params["limit"] = paginationClone.Limit
+	total, err := p.GetTotalDocs(ctx, schemas.Collections.Policy)
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = total
+	query := fmt.Sprintf("SELECT _id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Policy)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	for queryResult.Next() {
+		var policy schemas.Policy
+		err := queryResult.Row(&policy)
+		if err != nil {
+			log.Fatal(err)
+		}
+		policies = append(policies, &policy)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, nil, err
+	}
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.PolicyTarget).Insert(target.ID, target, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	params := make(map[string]interface{}, 1)
+	params["policy_id"] = policyID
+	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
+	_, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	targets := []*schemas.PolicyTarget{}
+	params := make(map[string]interface{}, 1)
+	params["policy_id"] = policyID
+	query := fmt.Sprintf(`SELECT _id, policy_id, target_type, target_value, created_at FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for queryResult.Next() {
+		var target schemas.PolicyTarget
+		err := queryResult.Row(&target)
+		if err != nil {
+			log.Fatal(err)
+		}
+		targets = append(targets, &target)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, err
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/couchbase/provider.go b/internal/storage/db/couchbase/provider.go
index 9efccfcc..e0163e19 100644
--- a/internal/storage/db/couchbase/provider.go
+++ b/internal/storage/db/couchbase/provider.go
@@ -243,5 +243,37 @@ func getIndex(scopeName string) map[string][]string {
 	auditLogIndex3 := fmt.Sprintf("CREATE INDEX AuditLogTimestampIndex ON %s.%s(timestamp)", scopeName, schemas.Collections.AuditLog)
 	indices[schemas.Collections.AuditLog] = []string{auditLogIndex1, auditLogIndex2, auditLogIndex3}
 
+	// Resource index
+	resourceIndex1 := fmt.Sprintf("CREATE INDEX ResourceNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Resource)
+	indices[schemas.Collections.Resource] = []string{resourceIndex1}
+
+	// Scope index
+	scopeIndex1 := fmt.Sprintf("CREATE INDEX ScopeNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Scope)
+	indices[schemas.Collections.Scope] = []string{scopeIndex1}
+
+	// Policy index
+	policyIndex1 := fmt.Sprintf("CREATE INDEX PolicyNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Policy)
+	policyIndex2 := fmt.Sprintf("CREATE INDEX PolicyTypeIndex ON %s.%s(type)", scopeName, schemas.Collections.Policy)
+	indices[schemas.Collections.Policy] = []string{policyIndex1, policyIndex2}
+
+	// PolicyTarget index
+	policyTargetIndex1 := fmt.Sprintf("CREATE INDEX PolicyTargetPolicyIdIndex ON %s.%s(policy_id)", scopeName, schemas.Collections.PolicyTarget)
+	indices[schemas.Collections.PolicyTarget] = []string{policyTargetIndex1}
+
+	// Permission index
+	permissionIndex1 := fmt.Sprintf("CREATE INDEX PermissionNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Permission)
+	permissionIndex2 := fmt.Sprintf("CREATE INDEX PermissionResourceIdIndex ON %s.%s(resource_id)", scopeName, schemas.Collections.Permission)
+	indices[schemas.Collections.Permission] = []string{permissionIndex1, permissionIndex2}
+
+	// PermissionScope index
+	permissionScopeIndex1 := fmt.Sprintf("CREATE INDEX PermissionScopePermissionIdIndex ON %s.%s(permission_id)", scopeName, schemas.Collections.PermissionScope)
+	permissionScopeIndex2 := fmt.Sprintf("CREATE INDEX PermissionScopeScopeIdIndex ON %s.%s(scope_id)", scopeName, schemas.Collections.PermissionScope)
+	indices[schemas.Collections.PermissionScope] = []string{permissionScopeIndex1, permissionScopeIndex2}
+
+	// PermissionPolicy index
+	permissionPolicyIndex1 := fmt.Sprintf("CREATE INDEX PermissionPolicyPermissionIdIndex ON %s.%s(permission_id)", scopeName, schemas.Collections.PermissionPolicy)
+	permissionPolicyIndex2 := fmt.Sprintf("CREATE INDEX PermissionPolicyPolicyIdIndex ON %s.%s(policy_id)", scopeName, schemas.Collections.PermissionPolicy)
+	indices[schemas.Collections.PermissionPolicy] = []string{permissionPolicyIndex1, permissionPolicyIndex2}
+
 	return indices
 }
diff --git a/internal/storage/db/couchbase/resource.go b/internal/storage/db/couchbase/resource.go
new file mode 100644
index 00000000..c54a8426
--- /dev/null
+++ b/internal/storage/db/couchbase/resource.go
@@ -0,0 +1,172 @@
+package couchbase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/couchbase/gocb/v2"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.Resource).Insert(resource.ID, resource, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(resource)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	resourceMap := map[string]interface{}{}
+	err = decoder.Decode(&resourceMap)
+	if err != nil {
+		return nil, err
+	}
+	updateFields, params := GetSetFields(resourceMap)
+	params["_id"] = resource.ID
+	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE _id=$_id`, p.scopeName, schemas.Collections.Resource, updateFields)
+	_, err = p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	// Check for permission references
+	params := make(map[string]interface{}, 1)
+	params["resource_id"] = id
+	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE resource_id=$resource_id`, p.scopeName, schemas.Collections.Permission)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	var totalDocs TotalDocs
+	err = queryResult.One(&totalDocs)
+	if err != nil {
+		return err
+	}
+	if totalDocs.Total > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", totalDocs.Total)
+	}
+	removeOpt := gocb.RemoveOptions{
+		Context: ctx,
+	}
+	_, err = p.db.Collection(schemas.Collections.Resource).Remove(id, &removeOpt)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource *schemas.Resource
+	params := make(map[string]interface{}, 1)
+	params["_id"] = id
+	query := fmt.Sprintf(`SELECT _id, name, description, created_at, updated_at FROM %s.%s WHERE _id=$_id LIMIT 1`, p.scopeName, schemas.Collections.Resource)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&resource)
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	var resource *schemas.Resource
+	params := make(map[string]interface{}, 1)
+	params["name"] = name
+	query := fmt.Sprintf(`SELECT _id, name, description, created_at, updated_at FROM %s.%s WHERE name=$name LIMIT 1`, p.scopeName, schemas.Collections.Resource)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&resource)
+	if err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	resources := []*schemas.Resource{}
+	paginationClone := pagination
+	params := make(map[string]interface{}, 1)
+	params["offset"] = paginationClone.Offset
+	params["limit"] = paginationClone.Limit
+	total, err := p.GetTotalDocs(ctx, schemas.Collections.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = total
+	query := fmt.Sprintf("SELECT _id, name, description, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Resource)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	for queryResult.Next() {
+		var resource schemas.Resource
+		err := queryResult.Row(&resource)
+		if err != nil {
+			log.Fatal(err)
+		}
+		resources = append(resources, &resource)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, nil, err
+	}
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/couchbase/scope.go b/internal/storage/db/couchbase/scope.go
new file mode 100644
index 00000000..2bcfe0ae
--- /dev/null
+++ b/internal/storage/db/couchbase/scope.go
@@ -0,0 +1,172 @@
+package couchbase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/couchbase/gocb/v2"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(schemas.Collections.Scope).Insert(scope.ID, scope, &insertOpt)
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(scope)
+	if err != nil {
+		return nil, err
+	}
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	scopeMap := map[string]interface{}{}
+	err = decoder.Decode(&scopeMap)
+	if err != nil {
+		return nil, err
+	}
+	updateFields, params := GetSetFields(scopeMap)
+	params["_id"] = scope.ID
+	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE _id=$_id`, p.scopeName, schemas.Collections.Scope, updateFields)
+	_, err = p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	// Check for permission_scope references
+	params := make(map[string]interface{}, 1)
+	params["scope_id"] = id
+	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE scope_id=$scope_id`, p.scopeName, schemas.Collections.PermissionScope)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return err
+	}
+	var totalDocs TotalDocs
+	err = queryResult.One(&totalDocs)
+	if err != nil {
+		return err
+	}
+	if totalDocs.Total > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", totalDocs.Total)
+	}
+	removeOpt := gocb.RemoveOptions{
+		Context: ctx,
+	}
+	_, err = p.db.Collection(schemas.Collections.Scope).Remove(id, &removeOpt)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope *schemas.Scope
+	params := make(map[string]interface{}, 1)
+	params["_id"] = id
+	query := fmt.Sprintf(`SELECT _id, name, description, created_at, updated_at FROM %s.%s WHERE _id=$_id LIMIT 1`, p.scopeName, schemas.Collections.Scope)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&scope)
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	var scope *schemas.Scope
+	params := make(map[string]interface{}, 1)
+	params["name"] = name
+	query := fmt.Sprintf(`SELECT _id, name, description, created_at, updated_at FROM %s.%s WHERE name=$name LIMIT 1`, p.scopeName, schemas.Collections.Scope)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	err = q.One(&scope)
+	if err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	scopes := []*schemas.Scope{}
+	paginationClone := pagination
+	params := make(map[string]interface{}, 1)
+	params["offset"] = paginationClone.Offset
+	params["limit"] = paginationClone.Limit
+	total, err := p.GetTotalDocs(ctx, schemas.Collections.Scope)
+	if err != nil {
+		return nil, nil, err
+	}
+	paginationClone.Total = total
+	query := fmt.Sprintf("SELECT _id, name, description, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Scope)
+	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	for queryResult.Next() {
+		var scope schemas.Scope
+		err := queryResult.Row(&scope)
+		if err != nil {
+			log.Fatal(err)
+		}
+		scopes = append(scopes, &scope)
+	}
+	if err := queryResult.Err(); err != nil {
+		return nil, nil, err
+	}
+	return scopes, paginationClone, nil
+}
diff --git a/internal/storage/db/dynamodb/permission.go b/internal/storage/db/dynamodb/permission.go
new file mode 100644
index 00000000..9b02e298
--- /dev/null
+++ b/internal/storage/db/dynamodb/permission.go
@@ -0,0 +1,318 @@
+package dynamodb
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPermission creates a new authorization permission.
+func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	if permission.ID == "" {
+		permission.ID = uuid.New().String()
+	}
+	permission.Key = permission.ID
+	permission.CreatedAt = time.Now().Unix()
+	permission.UpdatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.Permission, permission); err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// UpdatePermission updates an existing authorization permission.
+func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
+	permission.UpdatedAt = time.Now().Unix()
+	if err := p.updateByHashKey(ctx, schemas.Collections.Permission, "id", permission.ID, permission); err != nil {
+		return nil, err
+	}
+	return permission, nil
+}
+
+// DeletePermission deletes an authorization permission by ID.
+// Cascade-deletes all permission_scopes and permission_policies for this permission.
+func (p *provider) DeletePermission(ctx context.Context, id string) error {
+	if err := p.DeletePermissionScopesByPermissionID(ctx, id); err != nil {
+		return err
+	}
+	if err := p.DeletePermissionPoliciesByPermissionID(ctx, id); err != nil {
+		return err
+	}
+	return p.deleteItemByHash(ctx, schemas.Collections.Permission, "id", id)
+}
+
+// GetPermissionByID returns an authorization permission by its ID.
+func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
+	var permission schemas.Permission
+	if err := p.getItemByHash(ctx, schemas.Collections.Permission, "id", id, &permission); err != nil {
+		return nil, err
+	}
+	if permission.ID == "" {
+		return nil, errors.New("no document found")
+	}
+	return &permission, nil
+}
+
+// ListPermissions returns a paginated list of authorization permissions.
+func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
+	var lastKey map[string]types.AttributeValue
+	var iteration int64
+	paginationClone := pagination
+	var permissions []*schemas.Permission
+
+	count, err := p.scanCount(ctx, schemas.Collections.Permission, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for (paginationClone.Offset + paginationClone.Limit) > iteration {
+		items, next, err := p.scanPageIter(ctx, schemas.Collections.Permission, nil, int32(paginationClone.Limit), lastKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		for _, it := range items {
+			var perm schemas.Permission
+			if err := unmarshalItem(it, &perm); err != nil {
+				return nil, nil, err
+			}
+			if paginationClone.Offset == iteration {
+				permissions = append(permissions, &perm)
+			}
+		}
+		lastKey = next
+		iteration += paginationClone.Limit
+		if lastKey == nil {
+			break
+		}
+	}
+	paginationClone.Total = count
+	return permissions, paginationClone, nil
+}
+
+// AddPermissionScope links a scope to a permission.
+func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
+	if ps.ID == "" {
+		ps.ID = uuid.New().String()
+	}
+	ps.Key = ps.ID
+	ps.CreatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.PermissionScope, ps); err != nil {
+		return nil, err
+	}
+	return ps, nil
+}
+
+// DeletePermissionScopesByPermissionID removes all scope links for a permission.
+func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
+	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
+	if err != nil {
+		return err
+	}
+	for _, it := range items {
+		var ps schemas.PermissionScope
+		if err := unmarshalItem(it, &ps); err != nil {
+			return err
+		}
+		if err := p.deleteItemByHash(ctx, schemas.Collections.PermissionScope, "id", ps.ID); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPermissionScopes returns all scope links for a permission.
+func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
+	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
+	if err != nil {
+		return nil, err
+	}
+	var scopes []*schemas.PermissionScope
+	for _, it := range items {
+		var ps schemas.PermissionScope
+		if err := unmarshalItem(it, &ps); err != nil {
+			return nil, err
+		}
+		scopes = append(scopes, &ps)
+	}
+	return scopes, nil
+}
+
+// AddPermissionPolicy links a policy to a permission.
+func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
+	if pp.ID == "" {
+		pp.ID = uuid.New().String()
+	}
+	pp.Key = pp.ID
+	pp.CreatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.PermissionPolicy, pp); err != nil {
+		return nil, err
+	}
+	return pp, nil
+}
+
+// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
+func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
+	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
+	if err != nil {
+		return err
+	}
+	for _, it := range items {
+		var pp schemas.PermissionPolicy
+		if err := unmarshalItem(it, &pp); err != nil {
+			return err
+		}
+		if err := p.deleteItemByHash(ctx, schemas.Collections.PermissionPolicy, "id", pp.ID); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPermissionPolicies returns all policy links for a permission.
+func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
+	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
+	if err != nil {
+		return nil, err
+	}
+	var policies []*schemas.PermissionPolicy
+	for _, it := range items {
+		var pp schemas.PermissionPolicy
+		if err := unmarshalItem(it, &pp); err != nil {
+			return nil, err
+		}
+		policies = append(policies, &pp)
+	}
+	return policies, nil
+}
+
+// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
+// that apply to a given resource name and scope name. Used by the evaluation engine.
+func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
+	// 1. Find resource by name
+	resourceItems, err := p.queryEqLimit(ctx, schemas.Collections.Resource, "name", "name", resourceName, nil, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(resourceItems) == 0 {
+		return nil, errors.New("no document found")
+	}
+	var resource schemas.Resource
+	if err := unmarshalItem(resourceItems[0], &resource); err != nil {
+		return nil, err
+	}
+
+	// 2. Find scope by name
+	scopeItems, err := p.queryEqLimit(ctx, schemas.Collections.Scope, "name", "name", scopeName, nil, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(scopeItems) == 0 {
+		return nil, errors.New("no document found")
+	}
+	var scope schemas.Scope
+	if err := unmarshalItem(scopeItems[0], &scope); err != nil {
+		return nil, err
+	}
+
+	// 3. Find permissions for this resource
+	f := expression.Name("resource_id").Equal(expression.Value(resource.ID))
+	permItems, err := p.scanFilteredAll(ctx, schemas.Collections.Permission, nil, &f)
+	if err != nil {
+		return nil, err
+	}
+	if len(permItems) == 0 {
+		return nil, nil
+	}
+
+	var result []*schemas.PermissionWithPolicies
+
+	for _, permItem := range permItems {
+		var perm schemas.Permission
+		if err := unmarshalItem(permItem, &perm); err != nil {
+			return nil, err
+		}
+
+		// 4. Check if this permission has the requested scope
+		psFilter := expression.Name("permission_id").Equal(expression.Value(perm.ID)).
+			And(expression.Name("scope_id").Equal(expression.Value(scope.ID)))
+		psItems, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &psFilter)
+		if err != nil {
+			return nil, err
+		}
+		if len(psItems) == 0 {
+			continue
+		}
+
+		// 5. Find permission_policies for this permission
+		ppFilter := expression.Name("permission_id").Equal(expression.Value(perm.ID))
+		ppItems, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &ppFilter)
+		if err != nil {
+			return nil, err
+		}
+		if len(ppItems) == 0 {
+			continue
+		}
+
+		// 6. For each permission_policy, resolve the policy and its targets
+		var policiesWithTargets []schemas.PolicyWithTargets
+		for _, ppItem := range ppItems {
+			var pp schemas.PermissionPolicy
+			if err := unmarshalItem(ppItem, &pp); err != nil {
+				return nil, err
+			}
+
+			var policy schemas.Policy
+			if err := p.getItemByHash(ctx, schemas.Collections.Policy, "id", pp.PolicyID, &policy); err != nil {
+				return nil, err
+			}
+
+			// Get targets for this policy
+			tFilter := expression.Name("policy_id").Equal(expression.Value(policy.ID))
+			tItems, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &tFilter)
+			if err != nil {
+				return nil, err
+			}
+
+			var targets []schemas.PolicyTargetView
+			for _, tItem := range tItems {
+				var target schemas.PolicyTarget
+				if err := unmarshalItem(tItem, &target); err != nil {
+					return nil, err
+				}
+				targets = append(targets, schemas.PolicyTargetView{
+					TargetType:  target.TargetType,
+					TargetValue: target.TargetValue,
+				})
+			}
+
+			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
+				PolicyID:         policy.ID,
+				PolicyName:       policy.Name,
+				Type:             policy.Type,
+				Logic:            policy.Logic,
+				DecisionStrategy: policy.DecisionStrategy,
+				Targets:          targets,
+			})
+		}
+
+		result = append(result, &schemas.PermissionWithPolicies{
+			PermissionID:     perm.ID,
+			PermissionName:   perm.Name,
+			DecisionStrategy: perm.DecisionStrategy,
+			Policies:         policiesWithTargets,
+		})
+	}
+
+	return result, nil
+}
diff --git a/internal/storage/db/dynamodb/policy.go b/internal/storage/db/dynamodb/policy.go
new file mode 100644
index 00000000..daa4f1ee
--- /dev/null
+++ b/internal/storage/db/dynamodb/policy.go
@@ -0,0 +1,156 @@
+package dynamodb
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddPolicy creates a new authorization policy.
+func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	if policy.ID == "" {
+		policy.ID = uuid.New().String()
+	}
+	policy.Key = policy.ID
+	policy.CreatedAt = time.Now().Unix()
+	policy.UpdatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.Policy, policy); err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// UpdatePolicy updates an existing authorization policy.
+func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
+	policy.UpdatedAt = time.Now().Unix()
+	if err := p.updateByHashKey(ctx, schemas.Collections.Policy, "id", policy.ID, policy); err != nil {
+		return nil, err
+	}
+	return policy, nil
+}
+
+// DeletePolicy deletes an authorization policy by ID.
+// Returns an error if any permission_policy references this policy.
+// Also cascade-deletes all policy_targets for this policy.
+func (p *provider) DeletePolicy(ctx context.Context, id string) error {
+	// Check for referencing permission_policies
+	f := expression.Name("policy_id").Equal(expression.Value(id))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
+	if err != nil {
+		return err
+	}
+	if len(items) > 0 {
+		return fmt.Errorf("cannot delete policy: %d permission_policy(ies) reference it", len(items))
+	}
+	// Cascade-delete policy targets
+	if err := p.DeletePolicyTargetsByPolicyID(ctx, id); err != nil {
+		return err
+	}
+	return p.deleteItemByHash(ctx, schemas.Collections.Policy, "id", id)
+}
+
+// GetPolicyByID returns an authorization policy by its ID.
+func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
+	var policy schemas.Policy
+	if err := p.getItemByHash(ctx, schemas.Collections.Policy, "id", id, &policy); err != nil {
+		return nil, err
+	}
+	if policy.ID == "" {
+		return nil, errors.New("no document found")
+	}
+	return &policy, nil
+}
+
+// ListPolicies returns a paginated list of authorization policies.
+func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
+	var lastKey map[string]types.AttributeValue
+	var iteration int64
+	paginationClone := pagination
+	var policies []*schemas.Policy
+
+	count, err := p.scanCount(ctx, schemas.Collections.Policy, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for (paginationClone.Offset + paginationClone.Limit) > iteration {
+		items, next, err := p.scanPageIter(ctx, schemas.Collections.Policy, nil, int32(paginationClone.Limit), lastKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		for _, it := range items {
+			var pol schemas.Policy
+			if err := unmarshalItem(it, &pol); err != nil {
+				return nil, nil, err
+			}
+			if paginationClone.Offset == iteration {
+				policies = append(policies, &pol)
+			}
+		}
+		lastKey = next
+		iteration += paginationClone.Limit
+		if lastKey == nil {
+			break
+		}
+	}
+	paginationClone.Total = count
+	return policies, paginationClone, nil
+}
+
+// AddPolicyTarget adds a target (role name or user ID) to a policy.
+func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+	target.Key = target.ID
+	target.CreatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.PolicyTarget, target); err != nil {
+		return nil, err
+	}
+	return target, nil
+}
+
+// DeletePolicyTargetsByPolicyID removes all targets for a policy.
+func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
+	f := expression.Name("policy_id").Equal(expression.Value(policyID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &f)
+	if err != nil {
+		return err
+	}
+	for _, it := range items {
+		var target schemas.PolicyTarget
+		if err := unmarshalItem(it, &target); err != nil {
+			return err
+		}
+		if err := p.deleteItemByHash(ctx, schemas.Collections.PolicyTarget, "id", target.ID); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetPolicyTargets returns all targets for a policy.
+func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
+	f := expression.Name("policy_id").Equal(expression.Value(policyID))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &f)
+	if err != nil {
+		return nil, err
+	}
+	var targets []*schemas.PolicyTarget
+	for _, it := range items {
+		var target schemas.PolicyTarget
+		if err := unmarshalItem(it, &target); err != nil {
+			return nil, err
+		}
+		targets = append(targets, &target)
+	}
+	return targets, nil
+}
diff --git a/internal/storage/db/dynamodb/resource.go b/internal/storage/db/dynamodb/resource.go
new file mode 100644
index 00000000..cae7ba7e
--- /dev/null
+++ b/internal/storage/db/dynamodb/resource.go
@@ -0,0 +1,117 @@
+package dynamodb
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddResource creates a new authorization resource.
+func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	if resource.ID == "" {
+		resource.ID = uuid.New().String()
+	}
+	resource.Key = resource.ID
+	resource.CreatedAt = time.Now().Unix()
+	resource.UpdatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.Resource, resource); err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// UpdateResource updates an existing authorization resource.
+func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
+	resource.UpdatedAt = time.Now().Unix()
+	if err := p.updateByHashKey(ctx, schemas.Collections.Resource, "id", resource.ID, resource); err != nil {
+		return nil, err
+	}
+	return resource, nil
+}
+
+// DeleteResource deletes an authorization resource by ID.
+// Returns an error if any permission references this resource.
+func (p *provider) DeleteResource(ctx context.Context, id string) error {
+	// Check for referencing permissions via resource_id GSI
+	f := expression.Name("resource_id").Equal(expression.Value(id))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.Permission, nil, &f)
+	if err != nil {
+		return err
+	}
+	if len(items) > 0 {
+		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", len(items))
+	}
+	return p.deleteItemByHash(ctx, schemas.Collections.Resource, "id", id)
+}
+
+// GetResourceByID returns an authorization resource by its ID.
+func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
+	var resource schemas.Resource
+	if err := p.getItemByHash(ctx, schemas.Collections.Resource, "id", id, &resource); err != nil {
+		return nil, err
+	}
+	if resource.ID == "" {
+		return nil, errors.New("no document found")
+	}
+	return &resource, nil
+}
+
+// GetResourceByName returns an authorization resource by its unique name.
+func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
+	items, err := p.queryEqLimit(ctx, schemas.Collections.Resource, "name", "name", name, nil, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(items) == 0 {
+		return nil, errors.New("no document found")
+	}
+	var resource schemas.Resource
+	if err := unmarshalItem(items[0], &resource); err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// ListResources returns a paginated list of authorization resources.
+func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
+	var lastKey map[string]types.AttributeValue
+	var iteration int64
+	paginationClone := pagination
+	var resources []*schemas.Resource
+
+	count, err := p.scanCount(ctx, schemas.Collections.Resource, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for (paginationClone.Offset + paginationClone.Limit) > iteration {
+		items, next, err := p.scanPageIter(ctx, schemas.Collections.Resource, nil, int32(paginationClone.Limit), lastKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		for _, it := range items {
+			var r schemas.Resource
+			if err := unmarshalItem(it, &r); err != nil {
+				return nil, nil, err
+			}
+			if paginationClone.Offset == iteration {
+				resources = append(resources, &r)
+			}
+		}
+		lastKey = next
+		iteration += paginationClone.Limit
+		if lastKey == nil {
+			break
+		}
+	}
+	paginationClone.Total = count
+	return resources, paginationClone, nil
+}
diff --git a/internal/storage/db/dynamodb/scope.go b/internal/storage/db/dynamodb/scope.go
new file mode 100644
index 00000000..0184ebdb
--- /dev/null
+++ b/internal/storage/db/dynamodb/scope.go
@@ -0,0 +1,116 @@
+package dynamodb
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// AddScope creates a new authorization scope.
+func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	if scope.ID == "" {
+		scope.ID = uuid.New().String()
+	}
+	scope.Key = scope.ID
+	scope.CreatedAt = time.Now().Unix()
+	scope.UpdatedAt = time.Now().Unix()
+	if err := p.putItem(ctx, schemas.Collections.Scope, scope); err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// UpdateScope updates an existing authorization scope.
+func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
+	scope.UpdatedAt = time.Now().Unix()
+	if err := p.updateByHashKey(ctx, schemas.Collections.Scope, "id", scope.ID, scope); err != nil {
+		return nil, err
+	}
+	return scope, nil
+}
+
+// DeleteScope deletes an authorization scope by ID.
+// Returns an error if any permission_scope references this scope.
+func (p *provider) DeleteScope(ctx context.Context, id string) error {
+	f := expression.Name("scope_id").Equal(expression.Value(id))
+	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
+	if err != nil {
+		return err
+	}
+	if len(items) > 0 {
+		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", len(items))
+	}
+	return p.deleteItemByHash(ctx, schemas.Collections.Scope, "id", id)
+}
+
+// GetScopeByID returns an authorization scope by its ID.
+func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
+	var scope schemas.Scope
+	if err := p.getItemByHash(ctx, schemas.Collections.Scope, "id", id, &scope); err != nil {
+		return nil, err
+	}
+	if scope.ID == "" {
+		return nil, errors.New("no document found")
+	}
+	return &scope, nil
+}
+
+// GetScopeByName returns an authorization scope by its unique name.
+func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
+	items, err := p.queryEqLimit(ctx, schemas.Collections.Scope, "name", "name", name, nil, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(items) == 0 {
+		return nil, errors.New("no document found")
+	}
+	var scope schemas.Scope
+	if err := unmarshalItem(items[0], &scope); err != nil {
+		return nil, err
+	}
+	return &scope, nil
+}
+
+// ListScopes returns a paginated list of authorization scopes.
+func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
+	var lastKey map[string]types.AttributeValue
+	var iteration int64
+	paginationClone := pagination
+	var scopes []*schemas.Scope
+
+	count, err := p.scanCount(ctx, schemas.Collections.Scope, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for (paginationClone.Offset + paginationClone.Limit) > iteration {
+		items, next, err := p.scanPageIter(ctx, schemas.Collections.Scope, nil, int32(paginationClone.Limit), lastKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		for _, it := range items {
+			var s schemas.Scope
+			if err := unmarshalItem(it, &s); err != nil {
+				return nil, nil, err
+			}
+			if paginationClone.Offset == iteration {
+				scopes = append(scopes, &s)
+			}
+		}
+		lastKey = next
+		iteration += paginationClone.Limit
+		if lastKey == nil {
+			break
+		}
+	}
+	paginationClone.Total = count
+	return scopes, paginationClone, nil
+}
diff --git a/internal/storage/db/dynamodb/tables.go b/internal/storage/db/dynamodb/tables.go
index 81b8b705..0109a204 100644
--- a/internal/storage/db/dynamodb/tables.go
+++ b/internal/storage/db/dynamodb/tables.go
@@ -173,6 +173,74 @@ func (p *provider) ensureTables(ctx context.Context) error {
 				gsi("action", "action"),
 			},
 		},
+		// Authorization tables
+		{
+			name: schemas.Collections.Resource,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
+		},
+		{
+			name: schemas.Collections.Scope,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
+		},
+		{
+			name: schemas.Collections.Policy,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
+		},
+		{
+			name: schemas.Collections.PolicyTarget,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("policy_id"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("policy_id", "policy_id")},
+		},
+		{
+			name: schemas.Collections.Permission,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("resource_id"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{
+				gsi("name", "name"),
+				gsi("resource_id", "resource_id"),
+			},
+		},
+		{
+			name: schemas.Collections.PermissionScope,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("permission_id"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("permission_id", "permission_id")},
+		},
+		{
+			name: schemas.Collections.PermissionPolicy,
+			hash: "id",
+			attr: []types.AttributeDefinition{
+				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
+				{AttributeName: aws.String("permission_id"), AttributeType: types.ScalarAttributeTypeS},
+			},
+			gsi: []types.GlobalSecondaryIndex{gsi("permission_id", "permission_id")},
+		},
 	}
 
 	for _, t := range tables {

From 5a92eaf52a080cdcf00f762eb04ed6eaa534008f Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 20:20:40 +0530
Subject: [PATCH 06/26] feat(authz): implement authorization evaluation engine

Add principal-agnostic policy evaluation engine with:
- Role-based and user-based policy evaluators (extensible to client/agent)
- Affirmative and unanimous decision strategies
- MaxScopes delegation ceiling enforcement
- Input validation (safe characters, known resource/scope checks)
- In-memory cache with negative caching and prefix invalidation
- Three enforcement modes (disabled, permissive, enforcing)
---
 internal/authorization/cache.go      |  95 ++++++
 internal/authorization/evaluator.go  | 427 +++++++++++++++++++++++++++
 internal/authorization/provider.go   |  93 ++++++
 internal/authorization/validators.go |  18 ++
 4 files changed, 633 insertions(+)
 create mode 100644 internal/authorization/cache.go
 create mode 100644 internal/authorization/evaluator.go
 create mode 100644 internal/authorization/provider.go
 create mode 100644 internal/authorization/validators.go

diff --git a/internal/authorization/cache.go b/internal/authorization/cache.go
new file mode 100644
index 00000000..5f911040
--- /dev/null
+++ b/internal/authorization/cache.go
@@ -0,0 +1,95 @@
+package authorization
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+)
+
+// cache is a local in-memory cache with TTL support.
+// It uses sync.Map for concurrent access and tracks per-key expiry.
+// A distributed cache (via memory_store) will be layered on top in Phase 7.
+type cache struct {
+	ttl       time.Duration
+	data      sync.Map
+	expiryMap sync.Map
+}
+
+// newCache creates a new local cache. If ttlSeconds is 0, caching is disabled.
+func newCache(ttlSeconds int64) *cache {
+	return &cache{
+		ttl: time.Duration(ttlSeconds) * time.Second,
+	}
+}
+
+// enabled returns true if caching is active (TTL > 0).
+func (c *cache) enabled() bool {
+	return c.ttl > 0
+}
+
+// get retrieves a cached value by key. Returns the value and whether the key
+// was found and still valid. Expired entries are lazily deleted on access.
+// This returns cached "false" results identically to "true" results,
+// ensuring constant-time behavior for both outcomes.
+func (c *cache) get(key string) (string, bool) {
+	if !c.enabled() {
+		return "", false
+	}
+
+	expiry, ok := c.expiryMap.Load(key)
+	if !ok {
+		return "", false
+	}
+	if time.Now().After(expiry.(time.Time)) {
+		// Lazily evict expired entry.
+		c.data.Delete(key)
+		c.expiryMap.Delete(key)
+		return "", false
+	}
+
+	val, ok := c.data.Load(key)
+	if !ok {
+		return "", false
+	}
+	return val.(string), true
+}
+
+// set stores a value in the cache with the configured TTL.
+// Both "true" and "false" values are cached (negative caching)
+// to prevent cache stampede on non-existent resource:scope combos.
+func (c *cache) set(key string, value string) {
+	if !c.enabled() {
+		return
+	}
+	c.data.Store(key, value)
+	c.expiryMap.Store(key, time.Now().Add(c.ttl))
+}
+
+// deleteByPrefix removes all cached entries whose key starts with the given prefix.
+// Used when admin mutations change resources, scopes, or policies to invalidate
+// all related cached decisions.
+func (c *cache) deleteByPrefix(prefix string) {
+	c.data.Range(func(key, _ any) bool {
+		if strings.HasPrefix(key.(string), prefix) {
+			c.data.Delete(key)
+			c.expiryMap.Delete(key)
+		}
+		return true
+	})
+}
+
+// evalKey constructs a cache key for an authorization evaluation result.
+func evalKey(principalID, resource, scope string) string {
+	return fmt.Sprintf("authz:eval:%s:%s:%s", principalID, resource, scope)
+}
+
+// validResourcesKey returns the cache key for the set of known resource names.
+func validResourcesKey() string {
+	return "authz:valid_resources"
+}
+
+// validScopesKey returns the cache key for the set of known scope names.
+func validScopesKey() string {
+	return "authz:valid_scopes"
+}
diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
new file mode 100644
index 00000000..7b2fac34
--- /dev/null
+++ b/internal/authorization/evaluator.go
@@ -0,0 +1,427 @@
+package authorization
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// policyResult holds the outcome of a single policy evaluation.
+type policyResult struct {
+	granted    bool
+	policyName string
+}
+
+// CheckPermission evaluates whether a principal can perform a scope on a resource.
+// It follows this sequence:
+//  1. Check enforcement mode (disabled returns true immediately)
+//  2. Validate inputs
+//  3. Check MaxScopes ceiling
+//  4. Check cache
+//  5. Query storage for matching permissions
+//  6. Evaluate policies using decision strategies
+//  7. Cache and return result
+func (p *provider) CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (*CheckResult, error) {
+	// Step 1: Enforcement mode check.
+	if p.config.Enforcement == constants.AuthorizationEnforcementDisabled {
+		return &CheckResult{Allowed: true}, nil
+	}
+
+	// Step 2: Validate inputs.
+	if principal == nil {
+		return nil, fmt.Errorf("principal is required")
+	}
+	if !isValidIdentifier(principal.ID) {
+		return nil, fmt.Errorf("invalid principal ID: %q", principal.ID)
+	}
+	if !isValidIdentifier(resource) {
+		return nil, fmt.Errorf("invalid resource: %q", resource)
+	}
+	if !isValidIdentifier(scope) {
+		return nil, fmt.Errorf("invalid scope: %q", scope)
+	}
+
+	// Step 3: MaxScopes ceiling.
+	if principal.MaxScopes != nil {
+		scopeStr := resource + ":" + scope
+		found := false
+		for _, ms := range principal.MaxScopes {
+			if ms == scopeStr {
+				found = true
+				break
+			}
+		}
+		if !found {
+			p.log.Debug().
+				Str("principal_id", principal.ID).
+				Str("resource", resource).
+				Str("scope", scope).
+				Msg("denied by MaxScopes ceiling")
+			return &CheckResult{Allowed: false}, nil
+		}
+	}
+
+	// Step 4: Check cache.
+	cacheKey := evalKey(principal.ID, resource, scope)
+	if cached, ok := p.cache.get(cacheKey); ok {
+		allowed := cached == "true"
+		p.log.Debug().
+			Str("principal_id", principal.ID).
+			Str("resource", resource).
+			Str("scope", scope).
+			Bool("allowed", allowed).
+			Msg("authorization cache hit")
+		return &CheckResult{Allowed: allowed}, nil
+	}
+
+	// Step 5: Check known resources and scopes.
+	if err := p.validateResourceExists(ctx, resource); err != nil {
+		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+	}
+	if err := p.validateScopeExists(ctx, scope); err != nil {
+		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+	}
+
+	// Step 6: Query storage for permissions matching this resource+scope.
+	perms, err := p.storageProvider.GetPermissionsForResourceScope(ctx, resource, scope)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query permissions: %w", err)
+	}
+
+	if len(perms) == 0 {
+		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+	}
+
+	// Step 7: Evaluate each permission's policies.
+	for _, perm := range perms {
+		allowed, matchedPolicy := p.evaluatePermission(principal, perm)
+		if allowed {
+			p.cache.set(cacheKey, "true")
+			p.log.Debug().
+				Str("principal_id", principal.ID).
+				Str("resource", resource).
+				Str("scope", scope).
+				Str("matched_policy", matchedPolicy).
+				Msg("authorization granted")
+			return &CheckResult{Allowed: true, MatchedPolicy: matchedPolicy}, nil
+		}
+	}
+
+	// No permission granted access.
+	p.cache.set(cacheKey, "false")
+	p.log.Debug().
+		Str("principal_id", principal.ID).
+		Str("resource", resource).
+		Str("scope", scope).
+		Msg("authorization denied: no matching policy")
+	return &CheckResult{Allowed: false}, nil
+}
+
+// handleNoPermission returns a deny or allow result based on enforcement mode.
+// In permissive mode, it logs a warning and allows. In enforcing mode, it denies.
+// The result is cached (negative caching).
+func (p *provider) handleNoPermission(cacheKey string, principal *Principal, resource, scope string) *CheckResult {
+	if p.config.Enforcement == constants.AuthorizationEnforcementPermissive {
+		p.log.Warn().
+			Str("principal_id", principal.ID).
+			Str("resource", resource).
+			Str("scope", scope).
+			Msg("no matching permission found (permissive mode: allowing)")
+		p.cache.set(cacheKey, "true")
+		return &CheckResult{Allowed: true}
+	}
+
+	p.cache.set(cacheKey, "false")
+	return &CheckResult{Allowed: false}
+}
+
+// evaluatePermission evaluates all policies attached to a single permission
+// and combines their results using the permission's decision strategy.
+func (p *provider) evaluatePermission(principal *Principal, perm *schemas.PermissionWithPolicies) (bool, string) {
+	if len(perm.Policies) == 0 {
+		return false, ""
+	}
+
+	results := make([]policyResult, 0, len(perm.Policies))
+	for i := range perm.Policies {
+		policy := &perm.Policies[i]
+		granted := p.evaluatePolicy(principal, policy)
+		results = append(results, policyResult{
+			granted:    granted,
+			policyName: policy.PolicyName,
+		})
+	}
+
+	return resolveDecision(results, perm.DecisionStrategy)
+}
+
+// evaluatePolicy evaluates a single policy against the principal.
+// It checks whether the principal matches any of the policy's targets,
+// then applies the policy's logic (positive = grant, negative = deny).
+func (p *provider) evaluatePolicy(principal *Principal, policy *schemas.PolicyWithTargets) bool {
+	if len(policy.Targets) == 0 {
+		return false
+	}
+
+	var matched bool
+	switch policy.Type {
+	case constants.PolicyTypeRole:
+		matched = evaluateRoleTargets(policy.Targets, principal.Roles, policy.DecisionStrategy)
+	case constants.PolicyTypeUser:
+		matched = evaluateUserTargets(policy.Targets, principal.ID)
+	default:
+		// Unknown policy type -- fail closed.
+		p.log.Warn().
+			Str("policy_type", policy.Type).
+			Str("policy_name", policy.PolicyName).
+			Msg("unknown policy type, denying")
+		return false
+	}
+
+	// Apply logic: positive policies grant on match, negative policies deny on match.
+	if policy.Logic == constants.PolicyLogicNegative {
+		return !matched
+	}
+	return matched
+}
+
+// evaluateRoleTargets checks whether any (affirmative) or all (unanimous) of the
+// role targets match the principal's roles.
+func evaluateRoleTargets(targets []schemas.PolicyTargetView, roles []string, strategy string) bool {
+	roleSet := make(map[string]struct{}, len(roles))
+	for _, r := range roles {
+		roleSet[r] = struct{}{}
+	}
+
+	switch strategy {
+	case constants.DecisionStrategyUnanimous:
+		// All role targets must be present in the principal's roles.
+		for _, t := range targets {
+			if t.TargetType != constants.TargetTypeRole {
+				continue
+			}
+			if _, ok := roleSet[t.TargetValue]; !ok {
+				return false
+			}
+		}
+		return true
+	default:
+		// Affirmative (default): any role target match is sufficient.
+		for _, t := range targets {
+			if t.TargetType != constants.TargetTypeRole {
+				continue
+			}
+			if _, ok := roleSet[t.TargetValue]; ok {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// evaluateUserTargets checks whether any of the user targets match the principal's ID.
+func evaluateUserTargets(targets []schemas.PolicyTargetView, principalID string) bool {
+	for _, t := range targets {
+		if t.TargetType == constants.TargetTypeUser && t.TargetValue == principalID {
+			return true
+		}
+	}
+	return false
+}
+
+// resolveDecision combines multiple policy results using the given strategy.
+// Affirmative (default): any grant wins.
+// Unanimous: all must grant.
+func resolveDecision(results []policyResult, strategy string) (bool, string) {
+	if len(results) == 0 {
+		return false, ""
+	}
+
+	switch strategy {
+	case constants.DecisionStrategyUnanimous:
+		// All policies must grant.
+		for _, r := range results {
+			if !r.granted {
+				return false, ""
+			}
+		}
+		return true, results[0].policyName
+	default:
+		// Affirmative: first grant wins.
+		for _, r := range results {
+			if r.granted {
+				return true, r.policyName
+			}
+		}
+		return false, ""
+	}
+}
+
+// GetPrincipalPermissions returns all granted resource:scope pairs for a principal.
+// It iterates all known resources and scopes, checking each combination.
+func (p *provider) GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error) {
+	if p.config.Enforcement == constants.AuthorizationEnforcementDisabled {
+		return nil, nil
+	}
+
+	if principal == nil {
+		return nil, fmt.Errorf("principal is required")
+	}
+	if !isValidIdentifier(principal.ID) {
+		return nil, fmt.Errorf("invalid principal ID: %q", principal.ID)
+	}
+
+	// Fetch all resources.
+	resources, err := p.fetchAllResources(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list resources: %w", err)
+	}
+
+	// Fetch all scopes.
+	scopes, err := p.fetchAllScopes(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list scopes: %w", err)
+	}
+
+	var granted []ResourceScope
+	for _, res := range resources {
+		for _, sc := range scopes {
+			result, err := p.CheckPermission(ctx, principal, res, sc)
+			if err != nil {
+				p.log.Warn().Err(err).
+					Str("resource", res).
+					Str("scope", sc).
+					Msg("error checking permission, skipping")
+				continue
+			}
+			if result.Allowed {
+				granted = append(granted, ResourceScope{
+					Resource: res,
+					Scope:    sc,
+				})
+			}
+		}
+	}
+
+	return granted, nil
+}
+
+// InvalidateCache removes cached authorization data matching the given prefix.
+func (p *provider) InvalidateCache(ctx context.Context, prefix string) error {
+	p.cache.deleteByPrefix(prefix)
+	p.log.Debug().Str("prefix", prefix).Msg("authorization cache invalidated")
+	return nil
+}
+
+// validateResourceExists checks that the given resource name is registered in the DB.
+// Results are cached to avoid repeated DB lookups.
+func (p *provider) validateResourceExists(ctx context.Context, resource string) error {
+	cacheKey := validResourcesKey()
+	if cached, ok := p.cache.get(cacheKey); ok {
+		if strings.Contains(","+cached+",", ","+resource+",") {
+			return nil
+		}
+		return fmt.Errorf("unknown resource: %s", resource)
+	}
+
+	names, err := p.fetchAllResources(ctx)
+	if err != nil {
+		// On error, allow the request to proceed (fail open for validation,
+		// the actual permission check will still be default-deny).
+		return nil
+	}
+
+	p.cache.set(cacheKey, strings.Join(names, ","))
+
+	for _, n := range names {
+		if n == resource {
+			return nil
+		}
+	}
+	return fmt.Errorf("unknown resource: %s", resource)
+}
+
+// validateScopeExists checks that the given scope name is registered in the DB.
+// Results are cached to avoid repeated DB lookups.
+func (p *provider) validateScopeExists(ctx context.Context, scope string) error {
+	cacheKey := validScopesKey()
+	if cached, ok := p.cache.get(cacheKey); ok {
+		if strings.Contains(","+cached+",", ","+scope+",") {
+			return nil
+		}
+		return fmt.Errorf("unknown scope: %s", scope)
+	}
+
+	names, err := p.fetchAllScopes(ctx)
+	if err != nil {
+		return nil
+	}
+
+	p.cache.set(cacheKey, strings.Join(names, ","))
+
+	for _, n := range names {
+		if n == scope {
+			return nil
+		}
+	}
+	return fmt.Errorf("unknown scope: %s", scope)
+}
+
+// fetchAllResources retrieves all resource names from storage using pagination.
+func (p *provider) fetchAllResources(ctx context.Context) ([]string, error) {
+	var names []string
+	page := int64(1)
+	limit := int64(100)
+
+	for {
+		pagination := &model.Pagination{
+			Limit: limit,
+			Page:  page,
+		}
+		resources, paginationResult, err := p.storageProvider.ListResources(ctx, pagination)
+		if err != nil {
+			return nil, err
+		}
+		for _, r := range resources {
+			names = append(names, r.Name)
+		}
+		// If we got fewer results than the limit, or reached the total, we're done.
+		if int64(len(resources)) < limit || (paginationResult != nil && paginationResult.Total <= page*limit) {
+			break
+		}
+		page++
+	}
+
+	return names, nil
+}
+
+// fetchAllScopes retrieves all scope names from storage using pagination.
+func (p *provider) fetchAllScopes(ctx context.Context) ([]string, error) {
+	var names []string
+	page := int64(1)
+	limit := int64(100)
+
+	for {
+		pagination := &model.Pagination{
+			Limit: limit,
+			Page:  page,
+		}
+		scopes, paginationResult, err := p.storageProvider.ListScopes(ctx, pagination)
+		if err != nil {
+			return nil, err
+		}
+		for _, s := range scopes {
+			names = append(names, s.Name)
+		}
+		if int64(len(scopes)) < limit || (paginationResult != nil && paginationResult.Total <= page*limit) {
+			break
+		}
+		page++
+	}
+
+	return names, nil
+}
diff --git a/internal/authorization/provider.go b/internal/authorization/provider.go
new file mode 100644
index 00000000..4836c918
--- /dev/null
+++ b/internal/authorization/provider.go
@@ -0,0 +1,93 @@
+package authorization
+
+import (
+	"context"
+
+	"github.com/rs/zerolog"
+
+	"github.com/authorizerdev/authorizer/internal/storage"
+)
+
+// Principal represents the entity requesting access.
+// It is deliberately agnostic -- a Principal can be a human user,
+// a service account (M2M), or an AI agent. The evaluation engine
+// does not care about the origin; it only evaluates policies against
+// the principal's identity and roles.
+type Principal struct {
+	// ID is the unique identifier of the principal (user ID, client ID, agent ID).
+	ID string
+	// Type is the kind of principal: "user", "client", or "agent".
+	Type string
+	// Roles are the roles assigned to this principal.
+	Roles []string
+	// MaxScopes is an optional delegation ceiling. If set, the principal
+	// can never be granted permissions beyond this set, regardless of
+	// what policies say. Format: []string{"resource:scope", ...}.
+	// Nil means no ceiling (full access based on policies).
+	MaxScopes []string
+}
+
+// ResourceScope pairs a resource name with a scope name.
+// Used for returning all permissions a principal has.
+type ResourceScope struct {
+	Resource string `json:"resource"`
+	Scope    string `json:"scope"`
+}
+
+// CheckResult contains the result of a permission check with debugging info.
+type CheckResult struct {
+	// Allowed is true if the principal has the requested permission.
+	Allowed bool
+	// MatchedPolicy is the name of the policy that granted access (empty if denied).
+	MatchedPolicy string
+}
+
+// Provider defines the authorization evaluation engine interface.
+type Provider interface {
+	// CheckPermission evaluates whether a principal can perform a scope on a resource.
+	CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (*CheckResult, error)
+
+	// GetPrincipalPermissions returns all granted resource:scope pairs for a principal.
+	// Used for JWT embedding and dashboard display.
+	GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error)
+
+	// InvalidateCache removes cached authorization data.
+	// Called by admin mutations when permissions/policies change.
+	InvalidateCache(ctx context.Context, prefix string) error
+}
+
+// Dependencies carries shared resources for constructing an authorization Provider.
+type Dependencies struct {
+	Log             *zerolog.Logger
+	StorageProvider storage.Provider
+}
+
+// Config holds authorization-specific configuration.
+// This is separate from the main config to avoid circular imports.
+// The values are passed in from cmd/root.go.
+type Config struct {
+	// Enforcement is the authorization enforcement mode:
+	// "disabled", "permissive", or "enforcing".
+	Enforcement string
+	// CacheTTL is the cache time-to-live in seconds. 0 disables caching.
+	CacheTTL int64
+}
+
+// provider implements the Provider interface.
+type provider struct {
+	config          *Config
+	log             *zerolog.Logger
+	storageProvider storage.Provider
+	cache           *cache
+}
+
+// New creates a new authorization provider.
+func New(cfg *Config, deps *Dependencies) (Provider, error) {
+	p := &provider{
+		config:          cfg,
+		log:             deps.Log,
+		storageProvider: deps.StorageProvider,
+		cache:           newCache(cfg.CacheTTL),
+	}
+	return p, nil
+}
diff --git a/internal/authorization/validators.go b/internal/authorization/validators.go
new file mode 100644
index 00000000..9b09e46e
--- /dev/null
+++ b/internal/authorization/validators.go
@@ -0,0 +1,18 @@
+package authorization
+
+import "unicode"
+
+// isValidIdentifier checks that a string is safe for use in cache keys
+// and database queries. Allows alphanumeric, hyphens, underscores.
+// Max 100 characters. Empty strings are invalid.
+func isValidIdentifier(s string) bool {
+	if len(s) == 0 || len(s) > 100 {
+		return false
+	}
+	for _, r := range s {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+			return false
+		}
+	}
+	return true
+}

From fec92e9bdaaf4cd610644914b734a45fba5577ce Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 13 Apr 2026 21:44:21 +0530
Subject: [PATCH 07/26] feat(authz): add cache methods to memory store
 providers

Add SetCache, GetCache, DeleteCacheByPrefix to Redis, DB-backed,
and in-memory memory store providers. Update fakeMemoryStore in
tests to implement the new interface methods.
---
 .../oauth_authorize_state_test.go             |  5 ++
 internal/memory_store/db/cache.go             | 69 +++++++++++++++++++
 internal/memory_store/in_memory/cache.go      | 50 ++++++++++++++
 internal/memory_store/provider.go             |  9 +++
 internal/memory_store/redis/cache.go          | 59 ++++++++++++++++
 5 files changed, 192 insertions(+)
 create mode 100644 internal/memory_store/db/cache.go
 create mode 100644 internal/memory_store/in_memory/cache.go
 create mode 100644 internal/memory_store/redis/cache.go

diff --git a/internal/http_handlers/oauth_authorize_state_test.go b/internal/http_handlers/oauth_authorize_state_test.go
index ea6f4088..8d1db8e9 100644
--- a/internal/http_handlers/oauth_authorize_state_test.go
+++ b/internal/http_handlers/oauth_authorize_state_test.go
@@ -236,3 +236,8 @@ func (f *fakeMemoryStore) GetAndRemoveState(key string) (string, error) {
 	return val, nil
 }
 func (f *fakeMemoryStore) GetAllData() (map[string]string, error) { return map[string]string{}, nil }
+func (f *fakeMemoryStore) SetCache(key string, value string, ttlSeconds int64) error {
+	return nil
+}
+func (f *fakeMemoryStore) GetCache(key string) (string, error)     { return "", nil }
+func (f *fakeMemoryStore) DeleteCacheByPrefix(prefix string) error { return nil }
diff --git a/internal/memory_store/db/cache.go b/internal/memory_store/db/cache.go
new file mode 100644
index 00000000..1764f23f
--- /dev/null
+++ b/internal/memory_store/db/cache.go
@@ -0,0 +1,69 @@
+package db
+
+import (
+	"strings"
+	"sync"
+	"time"
+)
+
+// cacheEntry holds a cached value with its expiration time.
+type cacheEntry struct {
+	Value     string
+	ExpiresAt int64
+}
+
+// cacheStore is a simple in-memory cache used by the DB-backed memory store provider.
+// The DB provider delegates session/state storage to the database, but cache
+// entries are kept in-memory for performance since they are short-lived and
+// tolerant of loss on restart.
+var (
+	cache      = make(map[string]*cacheEntry)
+	cacheMutex sync.RWMutex
+)
+
+// SetCache stores a key-value pair with a TTL in seconds.
+func (p *provider) SetCache(key string, value string, ttlSeconds int64) error {
+	cacheMutex.Lock()
+	defer cacheMutex.Unlock()
+	cache[key] = &cacheEntry{
+		Value:     value,
+		ExpiresAt: time.Now().Unix() + ttlSeconds,
+	}
+	return nil
+}
+
+// GetCache retrieves a cached value by key.
+// Returns empty string and nil error if the key is not found or expired.
+func (p *provider) GetCache(key string) (string, error) {
+	cacheMutex.RLock()
+	defer cacheMutex.RUnlock()
+	entry, ok := cache[key]
+	if !ok {
+		return "", nil
+	}
+	if entry.ExpiresAt < time.Now().Unix() {
+		// Entry expired; clean up asynchronously to avoid write lock in read path.
+		go func() {
+			cacheMutex.Lock()
+			defer cacheMutex.Unlock()
+			// Re-check to avoid deleting a refreshed entry.
+			if e, exists := cache[key]; exists && e.ExpiresAt < time.Now().Unix() {
+				delete(cache, key)
+			}
+		}()
+		return "", nil
+	}
+	return entry.Value, nil
+}
+
+// DeleteCacheByPrefix removes all cache entries whose keys start with the given prefix.
+func (p *provider) DeleteCacheByPrefix(prefix string) error {
+	cacheMutex.Lock()
+	defer cacheMutex.Unlock()
+	for k := range cache {
+		if strings.HasPrefix(k, prefix) {
+			delete(cache, k)
+		}
+	}
+	return nil
+}
diff --git a/internal/memory_store/in_memory/cache.go b/internal/memory_store/in_memory/cache.go
new file mode 100644
index 00000000..66464405
--- /dev/null
+++ b/internal/memory_store/in_memory/cache.go
@@ -0,0 +1,50 @@
+package in_memory
+
+import (
+	"strings"
+	"sync"
+	"time"
+)
+
+// cacheEntry holds a cached value with its expiration time.
+type cacheEntry struct {
+	Value     string
+	ExpiresAt int64
+}
+
+var cacheStore sync.Map
+
+// SetCache stores a key-value pair with a TTL in seconds.
+func (c *provider) SetCache(key string, value string, ttlSeconds int64) error {
+	cacheStore.Store(key, &cacheEntry{
+		Value:     value,
+		ExpiresAt: time.Now().Unix() + ttlSeconds,
+	})
+	return nil
+}
+
+// GetCache retrieves a cached value by key.
+// Returns empty string and nil error if the key is not found or expired.
+func (c *provider) GetCache(key string) (string, error) {
+	val, ok := cacheStore.Load(key)
+	if !ok {
+		return "", nil
+	}
+	entry := val.(*cacheEntry)
+	if entry.ExpiresAt < time.Now().Unix() {
+		cacheStore.Delete(key)
+		return "", nil
+	}
+	return entry.Value, nil
+}
+
+// DeleteCacheByPrefix removes all cache entries whose keys start with the given prefix.
+func (c *provider) DeleteCacheByPrefix(prefix string) error {
+	cacheStore.Range(func(key, value any) bool {
+		if k, ok := key.(string); ok && strings.HasPrefix(k, prefix) {
+			cacheStore.Delete(key)
+		}
+		return true
+	})
+	return nil
+}
diff --git a/internal/memory_store/provider.go b/internal/memory_store/provider.go
index d16a9dea..878837d3 100644
--- a/internal/memory_store/provider.go
+++ b/internal/memory_store/provider.go
@@ -68,6 +68,15 @@ type Provider interface {
 	// prevent authorization code replay (RFC 6749 §4.1.2).
 	GetAndRemoveState(key string) (string, error)
 
+	// SetCache stores a key-value pair with a TTL in seconds.
+	// Used by the authorization engine for permission evaluation caching.
+	SetCache(key string, value string, ttlSeconds int64) error
+	// GetCache retrieves a cached value by key. Returns empty string and nil error if not found.
+	GetCache(key string) (string, error)
+	// DeleteCacheByPrefix removes all cache entries whose keys start with the given prefix.
+	// Used for cache invalidation when permissions/policies change.
+	DeleteCacheByPrefix(prefix string) error
+
 	// GetAllData returns all the data from the session store
 	// This is used for testing purposes only
 	GetAllData() (map[string]string, error)
diff --git a/internal/memory_store/redis/cache.go b/internal/memory_store/redis/cache.go
new file mode 100644
index 00000000..c630aa42
--- /dev/null
+++ b/internal/memory_store/redis/cache.go
@@ -0,0 +1,59 @@
+package redis
+
+import (
+	"time"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+const cachePrefix = "authorizer_cache:"
+
+// SetCache stores a key-value pair in Redis with a TTL in seconds.
+func (p *provider) SetCache(key string, value string, ttlSeconds int64) error {
+	duration := time.Duration(ttlSeconds) * time.Second
+	err := p.store.Set(p.ctx, cachePrefix+key, value, duration).Err()
+	if err != nil {
+		p.dependencies.Log.Debug().Err(err).Msg("Error setting cache in redis")
+		return err
+	}
+	return nil
+}
+
+// GetCache retrieves a cached value by key from Redis.
+// Returns empty string and nil error if the key is not found.
+func (p *provider) GetCache(key string) (string, error) {
+	data, err := p.store.Get(p.ctx, cachePrefix+key).Result()
+	if err != nil {
+		if err == goredis.Nil {
+			return "", nil
+		}
+		p.dependencies.Log.Debug().Err(err).Msg("Error getting cache from redis")
+		return "", err
+	}
+	return data, nil
+}
+
+// DeleteCacheByPrefix removes all cache entries whose keys start with the given prefix.
+// Uses SCAN to avoid blocking Redis on large datasets.
+func (p *provider) DeleteCacheByPrefix(prefix string) error {
+	pattern := cachePrefix + prefix + "*"
+	var cursor uint64
+	for {
+		keys, nextCursor, err := p.store.Scan(p.ctx, cursor, pattern, 100).Result()
+		if err != nil {
+			p.dependencies.Log.Debug().Err(err).Msg("Error scanning cache keys from redis")
+			return err
+		}
+		if len(keys) > 0 {
+			if err := p.store.Del(p.ctx, keys...).Err(); err != nil {
+				p.dependencies.Log.Debug().Err(err).Msg("Error deleting cache keys from redis")
+				return err
+			}
+		}
+		cursor = nextCursor
+		if cursor == 0 {
+			break
+		}
+	}
+	return nil
+}

From f9f91d2f39fa8e981d199147c13d744f3f53aae0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 10:08:50 +0530
Subject: [PATCH 08/26] feat(authz): add CLI flags and wire authorization
 provider

Add --authorization-enforcement, --authorization-cache-ttl,
--include-permissions-in-token, --authorization-log-all-checks flags.
Wire authorization provider in cmd/root.go initialization order.
Pass authorization provider to http_handlers and graphql dependencies.
---
 cmd/root.go                        | 29 +++++++++++++++++++++++++++++
 internal/config/config.go          | 14 ++++++++++++++
 internal/graphql/provider.go       |  3 +++
 internal/http_handlers/graphql.go  |  3 ++-
 internal/http_handlers/provider.go |  3 +++
 5 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/cmd/root.go b/cmd/root.go
index 81d9e2f9..6996fbef 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
+	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/email"
@@ -235,6 +236,12 @@ func init() {
 	// Back-channel logout (OIDC BCL 1.0)
 	f.StringVar(&rootArgs.config.BackchannelLogoutURI, "backchannel-logout-uri", "", "URL to POST a signed logout_token to when users log out successfully. Leave empty (default) to disable back-channel logout notifications. See OIDC Back-Channel Logout 1.0.")
 
+	// Fine-grained authorization flags
+	f.StringVar(&rootArgs.config.AuthorizationEnforcement, "authorization-enforcement", "disabled", "Authorization enforcement mode: disabled, permissive, or enforcing")
+	f.Int64Var(&rootArgs.config.AuthorizationCacheTTL, "authorization-cache-ttl", 300, "Cache TTL in seconds for permission checks (0 to disable)")
+	f.BoolVar(&rootArgs.config.IncludePermissionsInToken, "include-permissions-in-token", false, "Include permissions in JWT access tokens")
+	f.BoolVar(&rootArgs.config.AuthorizationLogAllChecks, "authorization-log-all-checks", false, "Audit log all permission checks, not just denials")
+
 	// Deprecated flags
 	f.MarkDeprecated("database_url", "use --database-url instead")
 	f.MarkDeprecated("database_type", "use --database-type instead")
@@ -321,6 +328,9 @@ func applyFlagDefaults() {
 	if len(c.RobloxScopes) == 0 {
 		c.RobloxScopes = append([]string(nil), defaultRobloxScopes...)
 	}
+	if strings.TrimSpace(c.AuthorizationEnforcement) == "" {
+		c.AuthorizationEnforcement = "disabled"
+	}
 }
 
 // Run the service
@@ -455,6 +465,24 @@ func runRoot(c *cobra.Command, args []string) {
 	}
 	defer rateLimitProvider.Close()
 
+	// Authorization provider
+	authorizationProvider, err := authorization.New(
+		&authorization.Config{
+			Enforcement: rootArgs.config.AuthorizationEnforcement,
+			CacheTTL:    rootArgs.config.AuthorizationCacheTTL,
+		},
+		&authorization.Dependencies{
+			Log:             &log,
+			StorageProvider: storageProvider,
+		},
+	)
+	if err != nil {
+		log.Fatal().Err(err).Msg("failed to create authorization provider")
+	}
+	if rootArgs.config.AuthorizationEnforcement != "disabled" {
+		log.Info().Str("enforcement", rootArgs.config.AuthorizationEnforcement).Msg("authorization enforcement enabled")
+	}
+
 	// SMS provider
 	smsProvider, err := sms.New(&rootArgs.config, &sms.Dependencies{
 		Log: &log,
@@ -505,6 +533,7 @@ func runRoot(c *cobra.Command, args []string) {
 		TokenProvider:         tokenProvider,
 		OAuthProvider:         oauthProvider,
 		RateLimitProvider:     rateLimitProvider,
+		AuthorizationProvider: authorizationProvider,
 	})
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to create http provider")
diff --git a/internal/config/config.go b/internal/config/config.go
index 185e1c2e..619c97e1 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -316,4 +316,18 @@ type Config struct {
 	// empty (default), back-channel logout notifications are disabled.
 	// See OIDC Back-Channel Logout 1.0 §2.5 for the protocol.
 	BackchannelLogoutURI string
+
+	// Fine-Grained Authorization
+	// AuthorizationEnforcement is the authorization enforcement mode.
+	// Valid values: "disabled" (default), "permissive", "enforcing".
+	AuthorizationEnforcement string
+	// AuthorizationCacheTTL is the cache time-to-live in seconds for permission checks.
+	// Set to 0 to disable caching. Default: 300 (5 minutes).
+	AuthorizationCacheTTL int64
+	// IncludePermissionsInToken controls whether permissions are embedded in JWT access tokens.
+	// When true, the permissions claim is added to access tokens. Default: false.
+	IncludePermissionsInToken bool
+	// AuthorizationLogAllChecks controls whether all permission checks are audit logged.
+	// When false (default), only denied checks are logged. When true, all checks are logged.
+	AuthorizationLogAllChecks bool
 }
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index e8d2a9fa..dd2a96cf 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
+	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
@@ -38,6 +39,8 @@ type Dependencies struct {
 	StorageProvider storage.Provider
 	// TokenProvider is used to generate tokens
 	TokenProvider token.Provider
+	// AuthorizationProvider is used for fine-grained authorization checks
+	AuthorizationProvider authorization.Provider
 }
 
 // New constructs a new graphql provider with given arguments
diff --git a/internal/http_handlers/graphql.go b/internal/http_handlers/graphql.go
index 92375ac8..ad6e5e97 100644
--- a/internal/http_handlers/graphql.go
+++ b/internal/http_handlers/graphql.go
@@ -43,7 +43,7 @@ type queryLimits struct {
 }
 
 var (
-	_ gql.HandlerExtension       = (*queryLimits)(nil)
+	_ gql.HandlerExtension        = (*queryLimits)(nil)
 	_ gql.OperationContextMutator = (*queryLimits)(nil)
 )
 
@@ -218,6 +218,7 @@ func (h *httpProvider) GraphqlHandler() gin.HandlerFunc {
 		SMSProvider:           h.SMSProvider,
 		StorageProvider:       h.StorageProvider,
 		TokenProvider:         h.TokenProvider,
+		AuthorizationProvider: h.AuthorizationProvider,
 	})
 	if err != nil {
 		h.Log.Error().Err(err).Msg("Failed to create graphql provider")
diff --git a/internal/http_handlers/provider.go b/internal/http_handlers/provider.go
index 0afadbdf..966c2c3c 100644
--- a/internal/http_handlers/provider.go
+++ b/internal/http_handlers/provider.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
+	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
@@ -42,6 +43,8 @@ type Dependencies struct {
 	OAuthProvider oauth.Provider
 	// RateLimitProvider is used for per-IP rate limiting
 	RateLimitProvider rate_limit.Provider
+	// AuthorizationProvider is used for fine-grained authorization checks
+	AuthorizationProvider authorization.Provider
 }
 
 // New constructs a new http provider with given arguments

From 3dc4f983ea42c7a66ab5d86422705b21a4d3c452 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 10:41:56 +0530
Subject: [PATCH 09/26] feat(authz): add authorization GraphQL schema and
 resolvers

Add 10 output types, 9 input types, 12 admin mutations, and 6 queries
for the authorization model. Regenerate GraphQL code. Wire resolver
stubs with placeholder implementations until Phase 10.
---
 internal/graph/generated/generated.go | 17605 ++++++++++++++++--------
 internal/graph/model/models_gen.go    |   144 +
 internal/graph/schema.graphqls        |   168 +
 internal/graph/schema.resolvers.go    |    90 +
 4 files changed, 12347 insertions(+), 5660 deletions(-)

diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index 58c15c77..d65a3965 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -80,6 +80,82 @@ type ComplexityRoot struct {
 		User                       func(childComplexity int) int
 	}
 
+	AuthzPermission struct {
+		CreatedAt        func(childComplexity int) int
+		DecisionStrategy func(childComplexity int) int
+		Description      func(childComplexity int) int
+		ID               func(childComplexity int) int
+		Name             func(childComplexity int) int
+		Policies         func(childComplexity int) int
+		Resource         func(childComplexity int) int
+		Scopes           func(childComplexity int) int
+		UpdatedAt        func(childComplexity int) int
+	}
+
+	AuthzPermissions struct {
+		Pagination  func(childComplexity int) int
+		Permissions func(childComplexity int) int
+	}
+
+	AuthzPolicies struct {
+		Pagination func(childComplexity int) int
+		Policies   func(childComplexity int) int
+	}
+
+	AuthzPolicy struct {
+		CreatedAt        func(childComplexity int) int
+		DecisionStrategy func(childComplexity int) int
+		Description      func(childComplexity int) int
+		ID               func(childComplexity int) int
+		Logic            func(childComplexity int) int
+		Name             func(childComplexity int) int
+		Targets          func(childComplexity int) int
+		Type             func(childComplexity int) int
+		UpdatedAt        func(childComplexity int) int
+	}
+
+	AuthzPolicyTarget struct {
+		ID          func(childComplexity int) int
+		TargetType  func(childComplexity int) int
+		TargetValue func(childComplexity int) int
+	}
+
+	AuthzResource struct {
+		CreatedAt   func(childComplexity int) int
+		Description func(childComplexity int) int
+		ID          func(childComplexity int) int
+		Name        func(childComplexity int) int
+		UpdatedAt   func(childComplexity int) int
+	}
+
+	AuthzResourceScope struct {
+		Resource func(childComplexity int) int
+		Scope    func(childComplexity int) int
+	}
+
+	AuthzResources struct {
+		Pagination func(childComplexity int) int
+		Resources  func(childComplexity int) int
+	}
+
+	AuthzScope struct {
+		CreatedAt   func(childComplexity int) int
+		Description func(childComplexity int) int
+		ID          func(childComplexity int) int
+		Name        func(childComplexity int) int
+		UpdatedAt   func(childComplexity int) int
+	}
+
+	AuthzScopes struct {
+		Pagination func(childComplexity int) int
+		Scopes     func(childComplexity int) int
+	}
+
+	CheckPermissionResponse struct {
+		Allowed       func(childComplexity int) int
+		MatchedPolicy func(childComplexity int) int
+	}
+
 	EmailTemplate struct {
 		CreatedAt func(childComplexity int) int
 		Design    func(childComplexity int) int
@@ -215,12 +291,20 @@ type ComplexityRoot struct {
 
 	Mutation struct {
 		AddEmailTemplate    func(childComplexity int, params model.AddEmailTemplateRequest) int
+		AddPermission       func(childComplexity int, params model.AddPermissionInput) int
+		AddPolicy           func(childComplexity int, params model.AddPolicyInput) int
+		AddResource         func(childComplexity int, params model.AddResourceInput) int
+		AddScope            func(childComplexity int, params model.AddScopeInput) int
 		AddWebhook          func(childComplexity int, params model.AddWebhookRequest) int
 		AdminLogin          func(childComplexity int, params model.AdminLoginRequest) int
 		AdminLogout         func(childComplexity int) int
 		AdminSignup         func(childComplexity int, params model.AdminSignupRequest) int
 		DeactivateAccount   func(childComplexity int) int
 		DeleteEmailTemplate func(childComplexity int, params model.DeleteEmailTemplateRequest) int
+		DeletePermission    func(childComplexity int, id string) int
+		DeletePolicy        func(childComplexity int, id string) int
+		DeleteResource      func(childComplexity int, id string) int
+		DeleteScope         func(childComplexity int, id string) int
 		DeleteUser          func(childComplexity int, params model.DeleteUserRequest) int
 		DeleteWebhook       func(childComplexity int, params model.WebhookRequest) int
 		EnableAccess        func(childComplexity int, param model.UpdateAccessRequest) int
@@ -241,7 +325,11 @@ type ComplexityRoot struct {
 		TestEndpoint        func(childComplexity int, params model.TestEndpointRequest) int
 		UpdateEmailTemplate func(childComplexity int, params model.UpdateEmailTemplateRequest) int
 		UpdateEnv           func(childComplexity int, params model.UpdateEnvRequest) int
+		UpdatePermission    func(childComplexity int, params model.UpdatePermissionInput) int
+		UpdatePolicy        func(childComplexity int, params model.UpdatePolicyInput) int
 		UpdateProfile       func(childComplexity int, params model.UpdateProfileRequest) int
+		UpdateResource      func(childComplexity int, params model.UpdateResourceInput) int
+		UpdateScope         func(childComplexity int, params model.UpdateScopeInput) int
 		UpdateUser          func(childComplexity int, params model.UpdateUserRequest) int
 		UpdateWebhook       func(childComplexity int, params model.UpdateWebhookRequest) int
 		VerifyEmail         func(childComplexity int, params model.VerifyEmailRequest) int
@@ -258,10 +346,16 @@ type ComplexityRoot struct {
 	Query struct {
 		AdminSession         func(childComplexity int) int
 		AuditLogs            func(childComplexity int, params *model.ListAuditLogRequest) int
+		CheckPermission      func(childComplexity int, params model.CheckPermissionInput) int
 		EmailTemplates       func(childComplexity int, params *model.PaginatedRequest) int
 		Env                  func(childComplexity int) int
 		Meta                 func(childComplexity int) int
+		MyPermissions        func(childComplexity int) int
+		Permissions          func(childComplexity int, params *model.PaginatedRequest) int
+		Policies             func(childComplexity int, params *model.PaginatedRequest) int
 		Profile              func(childComplexity int) int
+		Resources            func(childComplexity int, params *model.PaginatedRequest) int
+		Scopes               func(childComplexity int, params *model.PaginatedRequest) int
 		Session              func(childComplexity int, params *model.SessionQueryRequest) int
 		User                 func(childComplexity int, params model.GetUserRequest) int
 		Users                func(childComplexity int, params *model.PaginatedRequest) int
@@ -402,6 +496,18 @@ type MutationResolver interface {
 	AddEmailTemplate(ctx context.Context, params model.AddEmailTemplateRequest) (*model.Response, error)
 	UpdateEmailTemplate(ctx context.Context, params model.UpdateEmailTemplateRequest) (*model.Response, error)
 	DeleteEmailTemplate(ctx context.Context, params model.DeleteEmailTemplateRequest) (*model.Response, error)
+	AddResource(ctx context.Context, params model.AddResourceInput) (*model.AuthzResource, error)
+	UpdateResource(ctx context.Context, params model.UpdateResourceInput) (*model.AuthzResource, error)
+	DeleteResource(ctx context.Context, id string) (*model.Response, error)
+	AddScope(ctx context.Context, params model.AddScopeInput) (*model.AuthzScope, error)
+	UpdateScope(ctx context.Context, params model.UpdateScopeInput) (*model.AuthzScope, error)
+	DeleteScope(ctx context.Context, id string) (*model.Response, error)
+	AddPolicy(ctx context.Context, params model.AddPolicyInput) (*model.AuthzPolicy, error)
+	UpdatePolicy(ctx context.Context, params model.UpdatePolicyInput) (*model.AuthzPolicy, error)
+	DeletePolicy(ctx context.Context, id string) (*model.Response, error)
+	AddPermission(ctx context.Context, params model.AddPermissionInput) (*model.AuthzPermission, error)
+	UpdatePermission(ctx context.Context, params model.UpdatePermissionInput) (*model.AuthzPermission, error)
+	DeletePermission(ctx context.Context, id string) (*model.Response, error)
 }
 type QueryResolver interface {
 	Meta(ctx context.Context) (*model.Meta, error)
@@ -419,6 +525,12 @@ type QueryResolver interface {
 	WebhookLogs(ctx context.Context, params *model.ListWebhookLogRequest) (*model.WebhookLogs, error)
 	EmailTemplates(ctx context.Context, params *model.PaginatedRequest) (*model.EmailTemplates, error)
 	AuditLogs(ctx context.Context, params *model.ListAuditLogRequest) (*model.AuditLogs, error)
+	Resources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error)
+	Scopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error)
+	Policies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error)
+	Permissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error)
+	CheckPermission(ctx context.Context, params model.CheckPermissionInput) (*model.CheckPermissionResponse, error)
+	MyPermissions(ctx context.Context) ([]*model.AuthzResourceScope, error)
 }
 
 type executableSchema struct {
@@ -615,6 +727,307 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.AuthResponse.User(childComplexity), true
 
+	case "AuthzPermission.created_at":
+		if e.complexity.AuthzPermission.CreatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.CreatedAt(childComplexity), true
+
+	case "AuthzPermission.decision_strategy":
+		if e.complexity.AuthzPermission.DecisionStrategy == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.DecisionStrategy(childComplexity), true
+
+	case "AuthzPermission.description":
+		if e.complexity.AuthzPermission.Description == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.Description(childComplexity), true
+
+	case "AuthzPermission.id":
+		if e.complexity.AuthzPermission.ID == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.ID(childComplexity), true
+
+	case "AuthzPermission.name":
+		if e.complexity.AuthzPermission.Name == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.Name(childComplexity), true
+
+	case "AuthzPermission.policies":
+		if e.complexity.AuthzPermission.Policies == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.Policies(childComplexity), true
+
+	case "AuthzPermission.resource":
+		if e.complexity.AuthzPermission.Resource == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.Resource(childComplexity), true
+
+	case "AuthzPermission.scopes":
+		if e.complexity.AuthzPermission.Scopes == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.Scopes(childComplexity), true
+
+	case "AuthzPermission.updated_at":
+		if e.complexity.AuthzPermission.UpdatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermission.UpdatedAt(childComplexity), true
+
+	case "AuthzPermissions.pagination":
+		if e.complexity.AuthzPermissions.Pagination == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermissions.Pagination(childComplexity), true
+
+	case "AuthzPermissions.permissions":
+		if e.complexity.AuthzPermissions.Permissions == nil {
+			break
+		}
+
+		return e.complexity.AuthzPermissions.Permissions(childComplexity), true
+
+	case "AuthzPolicies.pagination":
+		if e.complexity.AuthzPolicies.Pagination == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicies.Pagination(childComplexity), true
+
+	case "AuthzPolicies.policies":
+		if e.complexity.AuthzPolicies.Policies == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicies.Policies(childComplexity), true
+
+	case "AuthzPolicy.created_at":
+		if e.complexity.AuthzPolicy.CreatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.CreatedAt(childComplexity), true
+
+	case "AuthzPolicy.decision_strategy":
+		if e.complexity.AuthzPolicy.DecisionStrategy == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.DecisionStrategy(childComplexity), true
+
+	case "AuthzPolicy.description":
+		if e.complexity.AuthzPolicy.Description == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.Description(childComplexity), true
+
+	case "AuthzPolicy.id":
+		if e.complexity.AuthzPolicy.ID == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.ID(childComplexity), true
+
+	case "AuthzPolicy.logic":
+		if e.complexity.AuthzPolicy.Logic == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.Logic(childComplexity), true
+
+	case "AuthzPolicy.name":
+		if e.complexity.AuthzPolicy.Name == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.Name(childComplexity), true
+
+	case "AuthzPolicy.targets":
+		if e.complexity.AuthzPolicy.Targets == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.Targets(childComplexity), true
+
+	case "AuthzPolicy.type":
+		if e.complexity.AuthzPolicy.Type == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.Type(childComplexity), true
+
+	case "AuthzPolicy.updated_at":
+		if e.complexity.AuthzPolicy.UpdatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicy.UpdatedAt(childComplexity), true
+
+	case "AuthzPolicyTarget.id":
+		if e.complexity.AuthzPolicyTarget.ID == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicyTarget.ID(childComplexity), true
+
+	case "AuthzPolicyTarget.target_type":
+		if e.complexity.AuthzPolicyTarget.TargetType == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicyTarget.TargetType(childComplexity), true
+
+	case "AuthzPolicyTarget.target_value":
+		if e.complexity.AuthzPolicyTarget.TargetValue == nil {
+			break
+		}
+
+		return e.complexity.AuthzPolicyTarget.TargetValue(childComplexity), true
+
+	case "AuthzResource.created_at":
+		if e.complexity.AuthzResource.CreatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzResource.CreatedAt(childComplexity), true
+
+	case "AuthzResource.description":
+		if e.complexity.AuthzResource.Description == nil {
+			break
+		}
+
+		return e.complexity.AuthzResource.Description(childComplexity), true
+
+	case "AuthzResource.id":
+		if e.complexity.AuthzResource.ID == nil {
+			break
+		}
+
+		return e.complexity.AuthzResource.ID(childComplexity), true
+
+	case "AuthzResource.name":
+		if e.complexity.AuthzResource.Name == nil {
+			break
+		}
+
+		return e.complexity.AuthzResource.Name(childComplexity), true
+
+	case "AuthzResource.updated_at":
+		if e.complexity.AuthzResource.UpdatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzResource.UpdatedAt(childComplexity), true
+
+	case "AuthzResourceScope.resource":
+		if e.complexity.AuthzResourceScope.Resource == nil {
+			break
+		}
+
+		return e.complexity.AuthzResourceScope.Resource(childComplexity), true
+
+	case "AuthzResourceScope.scope":
+		if e.complexity.AuthzResourceScope.Scope == nil {
+			break
+		}
+
+		return e.complexity.AuthzResourceScope.Scope(childComplexity), true
+
+	case "AuthzResources.pagination":
+		if e.complexity.AuthzResources.Pagination == nil {
+			break
+		}
+
+		return e.complexity.AuthzResources.Pagination(childComplexity), true
+
+	case "AuthzResources.resources":
+		if e.complexity.AuthzResources.Resources == nil {
+			break
+		}
+
+		return e.complexity.AuthzResources.Resources(childComplexity), true
+
+	case "AuthzScope.created_at":
+		if e.complexity.AuthzScope.CreatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzScope.CreatedAt(childComplexity), true
+
+	case "AuthzScope.description":
+		if e.complexity.AuthzScope.Description == nil {
+			break
+		}
+
+		return e.complexity.AuthzScope.Description(childComplexity), true
+
+	case "AuthzScope.id":
+		if e.complexity.AuthzScope.ID == nil {
+			break
+		}
+
+		return e.complexity.AuthzScope.ID(childComplexity), true
+
+	case "AuthzScope.name":
+		if e.complexity.AuthzScope.Name == nil {
+			break
+		}
+
+		return e.complexity.AuthzScope.Name(childComplexity), true
+
+	case "AuthzScope.updated_at":
+		if e.complexity.AuthzScope.UpdatedAt == nil {
+			break
+		}
+
+		return e.complexity.AuthzScope.UpdatedAt(childComplexity), true
+
+	case "AuthzScopes.pagination":
+		if e.complexity.AuthzScopes.Pagination == nil {
+			break
+		}
+
+		return e.complexity.AuthzScopes.Pagination(childComplexity), true
+
+	case "AuthzScopes.scopes":
+		if e.complexity.AuthzScopes.Scopes == nil {
+			break
+		}
+
+		return e.complexity.AuthzScopes.Scopes(childComplexity), true
+
+	case "CheckPermissionResponse.allowed":
+		if e.complexity.CheckPermissionResponse.Allowed == nil {
+			break
+		}
+
+		return e.complexity.CheckPermissionResponse.Allowed(childComplexity), true
+
+	case "CheckPermissionResponse.matched_policy":
+		if e.complexity.CheckPermissionResponse.MatchedPolicy == nil {
+			break
+		}
+
+		return e.complexity.CheckPermissionResponse.MatchedPolicy(childComplexity), true
+
 	case "EmailTemplate.created_at":
 		if e.complexity.EmailTemplate.CreatedAt == nil {
 			break
@@ -1390,6 +1803,54 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.AddEmailTemplate(childComplexity, args["params"].(model.AddEmailTemplateRequest)), true
 
+	case "Mutation._add_permission":
+		if e.complexity.Mutation.AddPermission == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__add_permission_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.AddPermission(childComplexity, args["params"].(model.AddPermissionInput)), true
+
+	case "Mutation._add_policy":
+		if e.complexity.Mutation.AddPolicy == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__add_policy_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.AddPolicy(childComplexity, args["params"].(model.AddPolicyInput)), true
+
+	case "Mutation._add_resource":
+		if e.complexity.Mutation.AddResource == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__add_resource_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.AddResource(childComplexity, args["params"].(model.AddResourceInput)), true
+
+	case "Mutation._add_scope":
+		if e.complexity.Mutation.AddScope == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__add_scope_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.AddScope(childComplexity, args["params"].(model.AddScopeInput)), true
+
 	case "Mutation._add_webhook":
 		if e.complexity.Mutation.AddWebhook == nil {
 			break
@@ -1452,43 +1913,91 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.DeleteEmailTemplate(childComplexity, args["params"].(model.DeleteEmailTemplateRequest)), true
 
-	case "Mutation._delete_user":
-		if e.complexity.Mutation.DeleteUser == nil {
+	case "Mutation._delete_permission":
+		if e.complexity.Mutation.DeletePermission == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__delete_user_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_permission_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.DeleteUser(childComplexity, args["params"].(model.DeleteUserRequest)), true
+		return e.complexity.Mutation.DeletePermission(childComplexity, args["id"].(string)), true
 
-	case "Mutation._delete_webhook":
-		if e.complexity.Mutation.DeleteWebhook == nil {
+	case "Mutation._delete_policy":
+		if e.complexity.Mutation.DeletePolicy == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__delete_webhook_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_policy_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.DeleteWebhook(childComplexity, args["params"].(model.WebhookRequest)), true
+		return e.complexity.Mutation.DeletePolicy(childComplexity, args["id"].(string)), true
 
-	case "Mutation._enable_access":
-		if e.complexity.Mutation.EnableAccess == nil {
+	case "Mutation._delete_resource":
+		if e.complexity.Mutation.DeleteResource == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__enable_access_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_resource_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.EnableAccess(childComplexity, args["param"].(model.UpdateAccessRequest)), true
+		return e.complexity.Mutation.DeleteResource(childComplexity, args["id"].(string)), true
 
-	case "Mutation.forgot_password":
+	case "Mutation._delete_scope":
+		if e.complexity.Mutation.DeleteScope == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__delete_scope_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.DeleteScope(childComplexity, args["id"].(string)), true
+
+	case "Mutation._delete_user":
+		if e.complexity.Mutation.DeleteUser == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__delete_user_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.DeleteUser(childComplexity, args["params"].(model.DeleteUserRequest)), true
+
+	case "Mutation._delete_webhook":
+		if e.complexity.Mutation.DeleteWebhook == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__delete_webhook_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.DeleteWebhook(childComplexity, args["params"].(model.WebhookRequest)), true
+
+	case "Mutation._enable_access":
+		if e.complexity.Mutation.EnableAccess == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__enable_access_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.EnableAccess(childComplexity, args["param"].(model.UpdateAccessRequest)), true
+
+	case "Mutation.forgot_password":
 		if e.complexity.Mutation.ForgotPassword == nil {
 			break
 		}
@@ -1687,6 +2196,30 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.UpdateEnv(childComplexity, args["params"].(model.UpdateEnvRequest)), true
 
+	case "Mutation._update_permission":
+		if e.complexity.Mutation.UpdatePermission == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__update_permission_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.UpdatePermission(childComplexity, args["params"].(model.UpdatePermissionInput)), true
+
+	case "Mutation._update_policy":
+		if e.complexity.Mutation.UpdatePolicy == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__update_policy_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.UpdatePolicy(childComplexity, args["params"].(model.UpdatePolicyInput)), true
+
 	case "Mutation.update_profile":
 		if e.complexity.Mutation.UpdateProfile == nil {
 			break
@@ -1699,6 +2232,30 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.UpdateProfile(childComplexity, args["params"].(model.UpdateProfileRequest)), true
 
+	case "Mutation._update_resource":
+		if e.complexity.Mutation.UpdateResource == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__update_resource_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.UpdateResource(childComplexity, args["params"].(model.UpdateResourceInput)), true
+
+	case "Mutation._update_scope":
+		if e.complexity.Mutation.UpdateScope == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation__update_scope_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.UpdateScope(childComplexity, args["params"].(model.UpdateScopeInput)), true
+
 	case "Mutation._update_user":
 		if e.complexity.Mutation.UpdateUser == nil {
 			break
@@ -1794,6 +2351,18 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.AuditLogs(childComplexity, args["params"].(*model.ListAuditLogRequest)), true
 
+	case "Query.check_permission":
+		if e.complexity.Query.CheckPermission == nil {
+			break
+		}
+
+		args, err := ec.field_Query_check_permission_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.CheckPermission(childComplexity, args["params"].(model.CheckPermissionInput)), true
+
 	case "Query._email_templates":
 		if e.complexity.Query.EmailTemplates == nil {
 			break
@@ -1820,6 +2389,37 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.Meta(childComplexity), true
 
+	case "Query.my_permissions":
+		if e.complexity.Query.MyPermissions == nil {
+			break
+		}
+
+		return e.complexity.Query.MyPermissions(childComplexity), true
+
+	case "Query._permissions":
+		if e.complexity.Query.Permissions == nil {
+			break
+		}
+
+		args, err := ec.field_Query__permissions_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.Permissions(childComplexity, args["params"].(*model.PaginatedRequest)), true
+
+	case "Query._policies":
+		if e.complexity.Query.Policies == nil {
+			break
+		}
+
+		args, err := ec.field_Query__policies_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.Policies(childComplexity, args["params"].(*model.PaginatedRequest)), true
+
 	case "Query.profile":
 		if e.complexity.Query.Profile == nil {
 			break
@@ -1827,6 +2427,30 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.Profile(childComplexity), true
 
+	case "Query._resources":
+		if e.complexity.Query.Resources == nil {
+			break
+		}
+
+		args, err := ec.field_Query__resources_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.Resources(childComplexity, args["params"].(*model.PaginatedRequest)), true
+
+	case "Query._scopes":
+		if e.complexity.Query.Scopes == nil {
+			break
+		}
+
+		args, err := ec.field_Query__scopes_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.Scopes(childComplexity, args["params"].(*model.PaginatedRequest)), true
+
 	case "Query.session":
 		if e.complexity.Query.Session == nil {
 			break
@@ -2357,9 +2981,14 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 	ec := executionContext{opCtx, e, 0, 0, make(chan graphql.DeferredResult)}
 	inputUnmarshalMap := graphql.BuildUnmarshalerMap(
 		ec.unmarshalInputAddEmailTemplateRequest,
+		ec.unmarshalInputAddPermissionInput,
+		ec.unmarshalInputAddPolicyInput,
+		ec.unmarshalInputAddResourceInput,
+		ec.unmarshalInputAddScopeInput,
 		ec.unmarshalInputAddWebhookRequest,
 		ec.unmarshalInputAdminLoginRequest,
 		ec.unmarshalInputAdminSignupRequest,
+		ec.unmarshalInputCheckPermissionInput,
 		ec.unmarshalInputDeleteEmailTemplateRequest,
 		ec.unmarshalInputDeleteUserRequest,
 		ec.unmarshalInputForgotPasswordRequest,
@@ -2375,6 +3004,7 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputOAuthRevokeRequest,
 		ec.unmarshalInputPaginatedRequest,
 		ec.unmarshalInputPaginationRequest,
+		ec.unmarshalInputPolicyTargetInput,
 		ec.unmarshalInputResendOTPRequest,
 		ec.unmarshalInputResendVerifyEmailRequest,
 		ec.unmarshalInputResetPasswordRequest,
@@ -2384,7 +3014,11 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputUpdateAccessRequest,
 		ec.unmarshalInputUpdateEmailTemplateRequest,
 		ec.unmarshalInputUpdateEnvRequest,
+		ec.unmarshalInputUpdatePermissionInput,
+		ec.unmarshalInputUpdatePolicyInput,
 		ec.unmarshalInputUpdateProfileRequest,
+		ec.unmarshalInputUpdateResourceInput,
+		ec.unmarshalInputUpdateScopeInput,
 		ec.unmarshalInputUpdateUserRequest,
 		ec.unmarshalInputUpdateWebhookRequest,
 		ec.unmarshalInputValidateJWTTokenRequest,
@@ -3132,6 +3766,150 @@ input GetUserRequest {
   email: String
 }
 
+type AuthzResource {
+  id: ID!
+  name: String!
+  description: String
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzResources {
+  pagination: Pagination!
+  resources: [AuthzResource!]!
+}
+
+type AuthzScope {
+  id: ID!
+  name: String!
+  description: String
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzScopes {
+  pagination: Pagination!
+  scopes: [AuthzScope!]!
+}
+
+type AuthzPolicyTarget {
+  id: ID!
+  target_type: String!
+  target_value: String!
+}
+
+type AuthzPolicy {
+  id: ID!
+  name: String!
+  description: String
+  type: String!
+  logic: String!
+  decision_strategy: String!
+  targets: [AuthzPolicyTarget!]!
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzPolicies {
+  pagination: Pagination!
+  policies: [AuthzPolicy!]!
+}
+
+type AuthzPermission {
+  id: ID!
+  name: String!
+  description: String
+  resource: AuthzResource!
+  scopes: [AuthzScope!]!
+  policies: [AuthzPolicy!]!
+  decision_strategy: String!
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzPermissions {
+  pagination: Pagination!
+  permissions: [AuthzPermission!]!
+}
+
+type CheckPermissionResponse {
+  allowed: Boolean!
+  matched_policy: String
+}
+
+type AuthzResourceScope {
+  resource: String!
+  scope: String!
+}
+
+input AddResourceInput {
+  name: String!
+  description: String
+}
+
+input UpdateResourceInput {
+  id: ID!
+  name: String
+  description: String
+}
+
+input AddScopeInput {
+  name: String!
+  description: String
+}
+
+input UpdateScopeInput {
+  id: ID!
+  name: String
+  description: String
+}
+
+input PolicyTargetInput {
+  target_type: String!
+  target_value: String!
+}
+
+input AddPolicyInput {
+  name: String!
+  description: String
+  type: String!
+  logic: String
+  decision_strategy: String
+  targets: [PolicyTargetInput!]!
+}
+
+input UpdatePolicyInput {
+  id: ID!
+  name: String
+  description: String
+  logic: String
+  decision_strategy: String
+  targets: [PolicyTargetInput!]
+}
+
+input AddPermissionInput {
+  name: String!
+  description: String
+  resource_id: ID!
+  scope_ids: [ID!]!
+  policy_ids: [ID!]!
+  decision_strategy: String
+}
+
+input UpdatePermissionInput {
+  id: ID!
+  name: String
+  description: String
+  scope_ids: [ID!]
+  policy_ids: [ID!]
+  decision_strategy: String
+}
+
+input CheckPermissionInput {
+  resource: String!
+  scope: String!
+}
+
 type Mutation {
   signup(params: SignUpRequest!): AuthResponse!
   # Deprecated from v1.2.0
@@ -3171,6 +3949,22 @@ type Mutation {
   _add_email_template(params: AddEmailTemplateRequest!): Response!
   _update_email_template(params: UpdateEmailTemplateRequest!): Response!
   _delete_email_template(params: DeleteEmailTemplateRequest!): Response!
+  # Authorization: Resources
+  _add_resource(params: AddResourceInput!): AuthzResource!
+  _update_resource(params: UpdateResourceInput!): AuthzResource!
+  _delete_resource(id: ID!): Response!
+  # Authorization: Scopes
+  _add_scope(params: AddScopeInput!): AuthzScope!
+  _update_scope(params: UpdateScopeInput!): AuthzScope!
+  _delete_scope(id: ID!): Response!
+  # Authorization: Policies
+  _add_policy(params: AddPolicyInput!): AuthzPolicy!
+  _update_policy(params: UpdatePolicyInput!): AuthzPolicy!
+  _delete_policy(id: ID!): Response!
+  # Authorization: Permissions
+  _add_permission(params: AddPermissionInput!): AuthzPermission!
+  _update_permission(params: UpdatePermissionInput!): AuthzPermission!
+  _delete_permission(id: ID!): Response!
 }
 
 type Query {
@@ -3191,6 +3985,14 @@ type Query {
   _webhook_logs(params: ListWebhookLogRequest): WebhookLogs!
   _email_templates(params: PaginatedRequest): EmailTemplates!
   _audit_logs(params: ListAuditLogRequest): AuditLogs!
+  # Authorization: Admin queries
+  _resources(params: PaginatedRequest): AuthzResources!
+  _scopes(params: PaginatedRequest): AuthzScopes!
+  _policies(params: PaginatedRequest): AuthzPolicies!
+  _permissions(params: PaginatedRequest): AuthzPermissions!
+  # Authorization: User-facing queries
+  check_permission(params: CheckPermissionInput!): CheckPermissionResponse!
+  my_permissions: [AuthzResourceScope!]!
 }
 `, BuiltIn: false},
 }
@@ -3228,1579 +4030,1768 @@ func (ec *executionContext) field_Mutation__add_email_template_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__add_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__add_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__add_webhook_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__add_permission_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__add_webhook_argsParams(
+func (ec *executionContext) field_Mutation__add_permission_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AddWebhookRequest, error) {
+) (model.AddPermissionInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AddWebhookRequest
+		var zeroVal model.AddPermissionInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAddWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddWebhookRequest(ctx, tmp)
+		return ec.unmarshalNAddPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPermissionInput(ctx, tmp)
 	}
 
-	var zeroVal model.AddWebhookRequest
+	var zeroVal model.AddPermissionInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__admin_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__add_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__admin_login_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__add_policy_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__admin_login_argsParams(
+func (ec *executionContext) field_Mutation__add_policy_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AdminLoginRequest, error) {
+) (model.AddPolicyInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AdminLoginRequest
+		var zeroVal model.AddPolicyInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAdminLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminLoginRequest(ctx, tmp)
+		return ec.unmarshalNAddPolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPolicyInput(ctx, tmp)
 	}
 
-	var zeroVal model.AdminLoginRequest
+	var zeroVal model.AddPolicyInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__admin_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__add_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__admin_signup_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__add_resource_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__admin_signup_argsParams(
+func (ec *executionContext) field_Mutation__add_resource_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AdminSignupRequest, error) {
+) (model.AddResourceInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AdminSignupRequest
+		var zeroVal model.AddResourceInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAdminSignupRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminSignupRequest(ctx, tmp)
+		return ec.unmarshalNAddResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddResourceInput(ctx, tmp)
 	}
 
-	var zeroVal model.AdminSignupRequest
+	var zeroVal model.AddResourceInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__delete_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__add_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_email_template_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__add_scope_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__delete_email_template_argsParams(
+func (ec *executionContext) field_Mutation__add_scope_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.DeleteEmailTemplateRequest, error) {
+) (model.AddScopeInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.DeleteEmailTemplateRequest
+		var zeroVal model.AddScopeInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx, tmp)
+		return ec.unmarshalNAddScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddScopeInput(ctx, tmp)
 	}
 
-	var zeroVal model.DeleteEmailTemplateRequest
+	var zeroVal model.AddScopeInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__delete_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__add_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_user_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__add_webhook_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__delete_user_argsParams(
+func (ec *executionContext) field_Mutation__add_webhook_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.DeleteUserRequest, error) {
+) (model.AddWebhookRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.DeleteUserRequest
+		var zeroVal model.AddWebhookRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx, tmp)
+		return ec.unmarshalNAddWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddWebhookRequest(ctx, tmp)
 	}
 
-	var zeroVal model.DeleteUserRequest
+	var zeroVal model.AddWebhookRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__delete_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__admin_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_webhook_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__admin_login_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__delete_webhook_argsParams(
+func (ec *executionContext) field_Mutation__admin_login_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.WebhookRequest, error) {
+) (model.AdminLoginRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.WebhookRequest
+		var zeroVal model.AdminLoginRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
+		return ec.unmarshalNAdminLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminLoginRequest(ctx, tmp)
 	}
 
-	var zeroVal model.WebhookRequest
+	var zeroVal model.AdminLoginRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__enable_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__admin_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__enable_access_argsParam(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__admin_signup_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["param"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__enable_access_argsParam(
+func (ec *executionContext) field_Mutation__admin_signup_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateAccessRequest, error) {
-	if _, ok := rawArgs["param"]; !ok {
-		var zeroVal model.UpdateAccessRequest
+) (model.AdminSignupRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.AdminSignupRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
-	if tmp, ok := rawArgs["param"]; ok {
-		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNAdminSignupRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminSignupRequest(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateAccessRequest
+	var zeroVal model.AdminSignupRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__generate_jwt_keys_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__generate_jwt_keys_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_email_template_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__generate_jwt_keys_argsParams(
+func (ec *executionContext) field_Mutation__delete_email_template_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.GenerateJWTKeysRequest, error) {
+) (model.DeleteEmailTemplateRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.GenerateJWTKeysRequest
+		var zeroVal model.DeleteEmailTemplateRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNGenerateJWTKeysRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysRequest(ctx, tmp)
+		return ec.unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx, tmp)
 	}
 
-	var zeroVal model.GenerateJWTKeysRequest
+	var zeroVal model.DeleteEmailTemplateRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__invite_members_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__invite_members_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_permission_argsID(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["id"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__invite_members_argsParams(
+func (ec *executionContext) field_Mutation__delete_permission_argsID(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.InviteMemberRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.InviteMemberRequest
+) (string, error) {
+	if _, ok := rawArgs["id"]; !ok {
+		var zeroVal string
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNInviteMemberRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMemberRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+	if tmp, ok := rawArgs["id"]; ok {
+		return ec.unmarshalNID2string(ctx, tmp)
 	}
 
-	var zeroVal model.InviteMemberRequest
+	var zeroVal string
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__revoke_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__revoke_access_argsParam(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_policy_argsID(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["param"] = arg0
+	args["id"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__revoke_access_argsParam(
+func (ec *executionContext) field_Mutation__delete_policy_argsID(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateAccessRequest, error) {
-	if _, ok := rawArgs["param"]; !ok {
-		var zeroVal model.UpdateAccessRequest
+) (string, error) {
+	if _, ok := rawArgs["id"]; !ok {
+		var zeroVal string
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
-	if tmp, ok := rawArgs["param"]; ok {
-		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+	if tmp, ok := rawArgs["id"]; ok {
+		return ec.unmarshalNID2string(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateAccessRequest
+	var zeroVal string
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__test_endpoint_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__test_endpoint_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_resource_argsID(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["id"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__test_endpoint_argsParams(
+func (ec *executionContext) field_Mutation__delete_resource_argsID(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.TestEndpointRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.TestEndpointRequest
+) (string, error) {
+	if _, ok := rawArgs["id"]; !ok {
+		var zeroVal string
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNTestEndpointRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+	if tmp, ok := rawArgs["id"]; ok {
+		return ec.unmarshalNID2string(ctx, tmp)
 	}
 
-	var zeroVal model.TestEndpointRequest
+	var zeroVal string
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__update_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__update_email_template_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_scope_argsID(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["id"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__update_email_template_argsParams(
+func (ec *executionContext) field_Mutation__delete_scope_argsID(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateEmailTemplateRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateEmailTemplateRequest
+) (string, error) {
+	if _, ok := rawArgs["id"]; !ok {
+		var zeroVal string
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateEmailTemplateRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+	if tmp, ok := rawArgs["id"]; ok {
+		return ec.unmarshalNID2string(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateEmailTemplateRequest
+	var zeroVal string
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__update_env_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__update_env_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_user_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__update_env_argsParams(
+func (ec *executionContext) field_Mutation__delete_user_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateEnvRequest, error) {
+) (model.DeleteUserRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateEnvRequest
+		var zeroVal model.DeleteUserRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateEnvRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateEnvRequest(ctx, tmp)
+		return ec.unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateEnvRequest
+	var zeroVal model.DeleteUserRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__update_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__update_user_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_webhook_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__update_user_argsParams(
+func (ec *executionContext) field_Mutation__delete_webhook_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateUserRequest, error) {
+) (model.WebhookRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateUserRequest
+		var zeroVal model.WebhookRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateUserRequest(ctx, tmp)
+		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateUserRequest
+	var zeroVal model.WebhookRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__update_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__enable_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__update_webhook_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__enable_access_argsParam(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["param"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__update_webhook_argsParams(
+func (ec *executionContext) field_Mutation__enable_access_argsParam(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateWebhookRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateWebhookRequest
+) (model.UpdateAccessRequest, error) {
+	if _, ok := rawArgs["param"]; !ok {
+		var zeroVal model.UpdateAccessRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateWebhookRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
+	if tmp, ok := rawArgs["param"]; ok {
+		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateWebhookRequest
+	var zeroVal model.UpdateAccessRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_forgot_password_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__generate_jwt_keys_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_forgot_password_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__generate_jwt_keys_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_forgot_password_argsParams(
+func (ec *executionContext) field_Mutation__generate_jwt_keys_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.ForgotPasswordRequest, error) {
+) (model.GenerateJWTKeysRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.ForgotPasswordRequest
+		var zeroVal model.GenerateJWTKeysRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNForgotPasswordRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordRequest(ctx, tmp)
+		return ec.unmarshalNGenerateJWTKeysRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysRequest(ctx, tmp)
 	}
 
-	var zeroVal model.ForgotPasswordRequest
+	var zeroVal model.GenerateJWTKeysRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__invite_members_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_login_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__invite_members_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_login_argsParams(
+func (ec *executionContext) field_Mutation__invite_members_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.LoginRequest, error) {
+) (model.InviteMemberRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.LoginRequest
+		var zeroVal model.InviteMemberRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐLoginRequest(ctx, tmp)
+		return ec.unmarshalNInviteMemberRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMemberRequest(ctx, tmp)
 	}
 
-	var zeroVal model.LoginRequest
+	var zeroVal model.InviteMemberRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_magic_link_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__revoke_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_magic_link_login_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__revoke_access_argsParam(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["param"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_magic_link_login_argsParams(
+func (ec *executionContext) field_Mutation__revoke_access_argsParam(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.MagicLinkLoginRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.MagicLinkLoginRequest
+) (model.UpdateAccessRequest, error) {
+	if _, ok := rawArgs["param"]; !ok {
+		var zeroVal model.UpdateAccessRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNMagicLinkLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMagicLinkLoginRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
+	if tmp, ok := rawArgs["param"]; ok {
+		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
 	}
 
-	var zeroVal model.MagicLinkLoginRequest
+	var zeroVal model.UpdateAccessRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_mobile_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__test_endpoint_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_mobile_login_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__test_endpoint_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_mobile_login_argsParams(
+func (ec *executionContext) field_Mutation__test_endpoint_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.MobileLoginRequest, error) {
+) (model.TestEndpointRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.MobileLoginRequest
+		var zeroVal model.TestEndpointRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNMobileLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMobileLoginRequest(ctx, tmp)
+		return ec.unmarshalNTestEndpointRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointRequest(ctx, tmp)
 	}
 
-	var zeroVal model.MobileLoginRequest
+	var zeroVal model.TestEndpointRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_mobile_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_mobile_signup_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_email_template_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_mobile_signup_argsParams(
+func (ec *executionContext) field_Mutation__update_email_template_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.MobileSignUpRequest, error) {
+) (model.UpdateEmailTemplateRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.MobileSignUpRequest
+		var zeroVal model.UpdateEmailTemplateRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOMobileSignUpRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMobileSignUpRequest(ctx, tmp)
+		return ec.unmarshalNUpdateEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateEmailTemplateRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.MobileSignUpRequest
+	var zeroVal model.UpdateEmailTemplateRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_resend_otp_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_env_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_resend_otp_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_env_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_resend_otp_argsParams(
+func (ec *executionContext) field_Mutation__update_env_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.ResendOTPRequest, error) {
+) (model.UpdateEnvRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.ResendOTPRequest
+		var zeroVal model.UpdateEnvRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNResendOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendOTPRequest(ctx, tmp)
+		return ec.unmarshalNUpdateEnvRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateEnvRequest(ctx, tmp)
 	}
 
-	var zeroVal model.ResendOTPRequest
+	var zeroVal model.UpdateEnvRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_resend_verify_email_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_resend_verify_email_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_permission_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_resend_verify_email_argsParams(
+func (ec *executionContext) field_Mutation__update_permission_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.ResendVerifyEmailRequest, error) {
+) (model.UpdatePermissionInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.ResendVerifyEmailRequest
+		var zeroVal model.UpdatePermissionInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNResendVerifyEmailRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendVerifyEmailRequest(ctx, tmp)
+		return ec.unmarshalNUpdatePermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePermissionInput(ctx, tmp)
 	}
 
-	var zeroVal model.ResendVerifyEmailRequest
+	var zeroVal model.UpdatePermissionInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_reset_password_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_reset_password_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_policy_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_reset_password_argsParams(
+func (ec *executionContext) field_Mutation__update_policy_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.ResetPasswordRequest, error) {
+) (model.UpdatePolicyInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.ResetPasswordRequest
+		var zeroVal model.UpdatePolicyInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNResetPasswordRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResetPasswordRequest(ctx, tmp)
+		return ec.unmarshalNUpdatePolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePolicyInput(ctx, tmp)
 	}
 
-	var zeroVal model.ResetPasswordRequest
+	var zeroVal model.UpdatePolicyInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_revoke_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_revoke_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_resource_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_revoke_argsParams(
+func (ec *executionContext) field_Mutation__update_resource_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.OAuthRevokeRequest, error) {
+) (model.UpdateResourceInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.OAuthRevokeRequest
+		var zeroVal model.UpdateResourceInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNOAuthRevokeRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐOAuthRevokeRequest(ctx, tmp)
+		return ec.unmarshalNUpdateResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateResourceInput(ctx, tmp)
 	}
 
-	var zeroVal model.OAuthRevokeRequest
+	var zeroVal model.UpdateResourceInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_signup_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_scope_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_signup_argsParams(
+func (ec *executionContext) field_Mutation__update_scope_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.SignUpRequest, error) {
+) (model.UpdateScopeInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.SignUpRequest
+		var zeroVal model.UpdateScopeInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNSignUpRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSignUpRequest(ctx, tmp)
+		return ec.unmarshalNUpdateScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateScopeInput(ctx, tmp)
 	}
 
-	var zeroVal model.SignUpRequest
+	var zeroVal model.UpdateScopeInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_update_profile_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_update_profile_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_user_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_update_profile_argsParams(
+func (ec *executionContext) field_Mutation__update_user_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.UpdateProfileRequest, error) {
+) (model.UpdateUserRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateProfileRequest
+		var zeroVal model.UpdateUserRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateProfileRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateProfileRequest(ctx, tmp)
+		return ec.unmarshalNUpdateUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateUserRequest(ctx, tmp)
 	}
 
-	var zeroVal model.UpdateProfileRequest
+	var zeroVal model.UpdateUserRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_verify_email_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__update_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_verify_email_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__update_webhook_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_verify_email_argsParams(
+func (ec *executionContext) field_Mutation__update_webhook_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.VerifyEmailRequest, error) {
+) (model.UpdateWebhookRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.VerifyEmailRequest
+		var zeroVal model.UpdateWebhookRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNVerifyEmailRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerifyEmailRequest(ctx, tmp)
+		return ec.unmarshalNUpdateWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateWebhookRequest(ctx, tmp)
 	}
 
-	var zeroVal model.VerifyEmailRequest
+	var zeroVal model.UpdateWebhookRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation_verify_otp_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_forgot_password_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation_verify_otp_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_forgot_password_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation_verify_otp_argsParams(
+func (ec *executionContext) field_Mutation_forgot_password_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.VerifyOTPRequest, error) {
+) (model.ForgotPasswordRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.VerifyOTPRequest
+		var zeroVal model.ForgotPasswordRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNVerifyOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerifyOTPRequest(ctx, tmp)
+		return ec.unmarshalNForgotPasswordRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordRequest(ctx, tmp)
 	}
 
-	var zeroVal model.VerifyOTPRequest
+	var zeroVal model.ForgotPasswordRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query___type_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query___type_argsName(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_login_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["name"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query___type_argsName(
+func (ec *executionContext) field_Mutation_login_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (string, error) {
-	if _, ok := rawArgs["name"]; !ok {
-		var zeroVal string
+) (model.LoginRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.LoginRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
-	if tmp, ok := rawArgs["name"]; ok {
-		return ec.unmarshalNString2string(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐLoginRequest(ctx, tmp)
 	}
 
-	var zeroVal string
+	var zeroVal model.LoginRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__audit_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_magic_link_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__audit_logs_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_magic_link_login_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__audit_logs_argsParams(
+func (ec *executionContext) field_Mutation_magic_link_login_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.ListAuditLogRequest, error) {
+) (model.MagicLinkLoginRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.ListAuditLogRequest
+		var zeroVal model.MagicLinkLoginRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOListAuditLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListAuditLogRequest(ctx, tmp)
+		return ec.unmarshalNMagicLinkLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMagicLinkLoginRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.ListAuditLogRequest
+	var zeroVal model.MagicLinkLoginRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__email_templates_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_mobile_login_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__email_templates_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_mobile_login_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__email_templates_argsParams(
+func (ec *executionContext) field_Mutation_mobile_login_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.MobileLoginRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.MobileLoginRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNMobileLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMobileLoginRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.MobileLoginRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_mobile_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__user_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_mobile_signup_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__user_argsParams(
+func (ec *executionContext) field_Mutation_mobile_signup_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.GetUserRequest, error) {
+) (*model.MobileSignUpRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.GetUserRequest
+		var zeroVal *model.MobileSignUpRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNGetUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGetUserRequest(ctx, tmp)
+		return ec.unmarshalOMobileSignUpRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMobileSignUpRequest(ctx, tmp)
 	}
 
-	var zeroVal model.GetUserRequest
+	var zeroVal *model.MobileSignUpRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__users_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_resend_otp_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__users_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_resend_otp_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__users_argsParams(
+func (ec *executionContext) field_Mutation_resend_otp_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.ResendOTPRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.ResendOTPRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNResendOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendOTPRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.ResendOTPRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__verification_requests_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_resend_verify_email_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__verification_requests_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_resend_verify_email_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__verification_requests_argsParams(
+func (ec *executionContext) field_Mutation_resend_verify_email_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.ResendVerifyEmailRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.ResendVerifyEmailRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNResendVerifyEmailRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendVerifyEmailRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.ResendVerifyEmailRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_reset_password_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhook_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_reset_password_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhook_argsParams(
+func (ec *executionContext) field_Mutation_reset_password_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.WebhookRequest, error) {
+) (model.ResetPasswordRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.WebhookRequest
+		var zeroVal model.ResetPasswordRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
+		return ec.unmarshalNResetPasswordRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResetPasswordRequest(ctx, tmp)
 	}
 
-	var zeroVal model.WebhookRequest
+	var zeroVal model.ResetPasswordRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhook_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_revoke_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhook_logs_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_revoke_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhook_logs_argsParams(
+func (ec *executionContext) field_Mutation_revoke_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.ListWebhookLogRequest, error) {
+) (model.OAuthRevokeRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.ListWebhookLogRequest
+		var zeroVal model.OAuthRevokeRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOListWebhookLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListWebhookLogRequest(ctx, tmp)
+		return ec.unmarshalNOAuthRevokeRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐOAuthRevokeRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.ListWebhookLogRequest
+	var zeroVal model.OAuthRevokeRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhooks_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_signup_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhooks_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_signup_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhooks_argsParams(
+func (ec *executionContext) field_Mutation_signup_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.SignUpRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.SignUpRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNSignUpRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSignUpRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.SignUpRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query_session_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_update_profile_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query_session_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_update_profile_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query_session_argsParams(
+func (ec *executionContext) field_Mutation_update_profile_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.SessionQueryRequest, error) {
+) (model.UpdateProfileRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.SessionQueryRequest
+		var zeroVal model.UpdateProfileRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOSessionQueryRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSessionQueryRequest(ctx, tmp)
+		return ec.unmarshalNUpdateProfileRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateProfileRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.SessionQueryRequest
+	var zeroVal model.UpdateProfileRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query_validate_jwt_token_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_verify_email_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query_validate_jwt_token_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_verify_email_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query_validate_jwt_token_argsParams(
+func (ec *executionContext) field_Mutation_verify_email_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.ValidateJWTTokenRequest, error) {
+) (model.VerifyEmailRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.ValidateJWTTokenRequest
+		var zeroVal model.VerifyEmailRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNValidateJWTTokenRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenRequest(ctx, tmp)
+		return ec.unmarshalNVerifyEmailRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerifyEmailRequest(ctx, tmp)
 	}
 
-	var zeroVal model.ValidateJWTTokenRequest
+	var zeroVal model.VerifyEmailRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query_validate_session_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation_verify_otp_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query_validate_session_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation_verify_otp_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query_validate_session_argsParams(
+func (ec *executionContext) field_Mutation_verify_otp_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.ValidateSessionRequest, error) {
+) (model.VerifyOTPRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.ValidateSessionRequest
+		var zeroVal model.VerifyOTPRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOValidateSessionRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionRequest(ctx, tmp)
+		return ec.unmarshalNVerifyOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerifyOTPRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.ValidateSessionRequest
+	var zeroVal model.VerifyOTPRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field___Directive_args_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query___type_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field___Directive_args_argsIncludeDeprecated(ctx, rawArgs)
+	arg0, err := ec.field_Query___type_argsName(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["includeDeprecated"] = arg0
+	args["name"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field___Directive_args_argsIncludeDeprecated(
+func (ec *executionContext) field_Query___type_argsName(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*bool, error) {
-	if _, ok := rawArgs["includeDeprecated"]; !ok {
-		var zeroVal *bool
+) (string, error) {
+	if _, ok := rawArgs["name"]; !ok {
+		var zeroVal string
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
-	if tmp, ok := rawArgs["includeDeprecated"]; ok {
-		return ec.unmarshalOBoolean2ᚖbool(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+	if tmp, ok := rawArgs["name"]; ok {
+		return ec.unmarshalNString2string(ctx, tmp)
 	}
 
-	var zeroVal *bool
+	var zeroVal string
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field___Field_args_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__audit_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field___Field_args_argsIncludeDeprecated(ctx, rawArgs)
+	arg0, err := ec.field_Query__audit_logs_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["includeDeprecated"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field___Field_args_argsIncludeDeprecated(
+func (ec *executionContext) field_Query__audit_logs_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*bool, error) {
-	if _, ok := rawArgs["includeDeprecated"]; !ok {
-		var zeroVal *bool
+) (*model.ListAuditLogRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.ListAuditLogRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
-	if tmp, ok := rawArgs["includeDeprecated"]; ok {
-		return ec.unmarshalOBoolean2ᚖbool(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOListAuditLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListAuditLogRequest(ctx, tmp)
 	}
 
-	var zeroVal *bool
+	var zeroVal *model.ListAuditLogRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field___Type_enumValues_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__email_templates_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field___Type_enumValues_argsIncludeDeprecated(ctx, rawArgs)
+	arg0, err := ec.field_Query__email_templates_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["includeDeprecated"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field___Type_enumValues_argsIncludeDeprecated(
+func (ec *executionContext) field_Query__email_templates_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (bool, error) {
-	if _, ok := rawArgs["includeDeprecated"]; !ok {
-		var zeroVal bool
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
-	if tmp, ok := rawArgs["includeDeprecated"]; ok {
-		return ec.unmarshalOBoolean2bool(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
 
-	var zeroVal bool
+	var zeroVal *model.PaginatedRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field___Type_fields_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__permissions_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field___Type_fields_argsIncludeDeprecated(ctx, rawArgs)
+	arg0, err := ec.field_Query__permissions_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["includeDeprecated"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field___Type_fields_argsIncludeDeprecated(
+func (ec *executionContext) field_Query__permissions_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (bool, error) {
-	if _, ok := rawArgs["includeDeprecated"]; !ok {
-		var zeroVal bool
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
-	if tmp, ok := rawArgs["includeDeprecated"]; ok {
-		return ec.unmarshalOBoolean2bool(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
 
-	var zeroVal bool
+	var zeroVal *model.PaginatedRequest
 	return zeroVal, nil
 }
 
-// endregion ***************************** args.gotpl *****************************
-
-// region    ************************** directives.gotpl **************************
+func (ec *executionContext) field_Query__policies_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__policies_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__policies_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
+	}
 
-// endregion ************************** directives.gotpl **************************
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+	}
 
-// region    **************************** field.gotpl *****************************
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
+}
 
-func (ec *executionContext) _AuditLog_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_id(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
-	})
+func (ec *executionContext) field_Query__resources_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__resources_argsParams(ctx, rawArgs)
 	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
+		return nil, err
 	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query__resources_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) fieldContext_AuditLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
-		},
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
-	return fc, nil
+
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) _AuditLog_actor_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_actor_id(ctx, field)
+func (ec *executionContext) field_Query__scopes_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__scopes_argsParams(ctx, rawArgs)
 	if err != nil {
-		return graphql.Null
+		return nil, err
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ActorID, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__scopes_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
 	}
-	if resTmp == nil {
-		return graphql.Null
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) fieldContext_AuditLog_actor_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+func (ec *executionContext) field_Query__user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__user_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
 	}
-	return fc, nil
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query__user_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.GetUserRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.GetUserRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) _AuditLog_actor_type(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_actor_type(ctx, field)
-	if err != nil {
-		return graphql.Null
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNGetUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGetUserRequest(ctx, tmp)
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ActorType, nil
-	})
+
+	var zeroVal model.GetUserRequest
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field_Query__users_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__users_argsParams(ctx, rawArgs)
 	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
+		return nil, err
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query__users_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) fieldContext_AuditLog_actor_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
-	return fc, nil
+
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) _AuditLog_actor_email(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_actor_email(ctx, field)
+func (ec *executionContext) field_Query__verification_requests_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__verification_requests_argsParams(ctx, rawArgs)
 	if err != nil {
-		return graphql.Null
+		return nil, err
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ActorEmail, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__verification_requests_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
 	}
-	if resTmp == nil {
-		return graphql.Null
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) fieldContext_AuditLog_actor_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+func (ec *executionContext) field_Query__webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__webhook_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
 	}
-	return fc, nil
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query__webhook_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.WebhookRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.WebhookRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) _AuditLog_action(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_action(ctx, field)
-	if err != nil {
-		return graphql.Null
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Action, nil
-	})
+
+	var zeroVal model.WebhookRequest
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field_Query__webhook_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__webhook_logs_argsParams(ctx, rawArgs)
 	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
+		return nil, err
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query__webhook_logs_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.ListWebhookLogRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.ListWebhookLogRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) fieldContext_AuditLog_action(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOListWebhookLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListWebhookLogRequest(ctx, tmp)
 	}
-	return fc, nil
+
+	var zeroVal *model.ListWebhookLogRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) _AuditLog_resource_type(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_resource_type(ctx, field)
+func (ec *executionContext) field_Query__webhooks_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__webhooks_argsParams(ctx, rawArgs)
 	if err != nil {
-		return graphql.Null
+		return nil, err
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ResourceType, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__webhooks_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.PaginatedRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.PaginatedRequest
+		return zeroVal, nil
 	}
-	if resTmp == nil {
-		return graphql.Null
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+
+	var zeroVal *model.PaginatedRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) fieldContext_AuditLog_resource_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+func (ec *executionContext) field_Query_check_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query_check_permission_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
 	}
-	return fc, nil
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query_check_permission_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.CheckPermissionInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.CheckPermissionInput
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) _AuditLog_resource_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_resource_id(ctx, field)
-	if err != nil {
-		return graphql.Null
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNCheckPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionInput(ctx, tmp)
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.ResourceID, nil
-	})
+
+	var zeroVal model.CheckPermissionInput
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field_Query_session_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query_session_argsParams(ctx, rawArgs)
 	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
+		return nil, err
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	args["params"] = arg0
+	return args, nil
 }
+func (ec *executionContext) field_Query_session_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.SessionQueryRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.SessionQueryRequest
+		return zeroVal, nil
+	}
 
-func (ec *executionContext) fieldContext_AuditLog_resource_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "AuditLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOSessionQueryRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSessionQueryRequest(ctx, tmp)
 	}
-	return fc, nil
+
+	var zeroVal *model.SessionQueryRequest
+	return zeroVal, nil
 }
 
-func (ec *executionContext) _AuditLog_ip_address(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_ip_address(ctx, field)
+func (ec *executionContext) field_Query_validate_jwt_token_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query_validate_jwt_token_argsParams(ctx, rawArgs)
 	if err != nil {
-		return graphql.Null
+		return nil, err
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query_validate_jwt_token_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.ValidateJWTTokenRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.ValidateJWTTokenRequest
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNValidateJWTTokenRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenRequest(ctx, tmp)
+	}
+
+	var zeroVal model.ValidateJWTTokenRequest
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field_Query_validate_session_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query_validate_session_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query_validate_session_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*model.ValidateSessionRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal *model.ValidateSessionRequest
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalOValidateSessionRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionRequest(ctx, tmp)
+	}
+
+	var zeroVal *model.ValidateSessionRequest
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field___Directive_args_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field___Directive_args_argsIncludeDeprecated(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["includeDeprecated"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field___Directive_args_argsIncludeDeprecated(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*bool, error) {
+	if _, ok := rawArgs["includeDeprecated"]; !ok {
+		var zeroVal *bool
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
+	if tmp, ok := rawArgs["includeDeprecated"]; ok {
+		return ec.unmarshalOBoolean2ᚖbool(ctx, tmp)
+	}
+
+	var zeroVal *bool
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field___Field_args_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field___Field_args_argsIncludeDeprecated(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["includeDeprecated"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field___Field_args_argsIncludeDeprecated(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (*bool, error) {
+	if _, ok := rawArgs["includeDeprecated"]; !ok {
+		var zeroVal *bool
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
+	if tmp, ok := rawArgs["includeDeprecated"]; ok {
+		return ec.unmarshalOBoolean2ᚖbool(ctx, tmp)
+	}
+
+	var zeroVal *bool
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field___Type_enumValues_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field___Type_enumValues_argsIncludeDeprecated(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["includeDeprecated"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field___Type_enumValues_argsIncludeDeprecated(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (bool, error) {
+	if _, ok := rawArgs["includeDeprecated"]; !ok {
+		var zeroVal bool
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
+	if tmp, ok := rawArgs["includeDeprecated"]; ok {
+		return ec.unmarshalOBoolean2bool(ctx, tmp)
+	}
+
+	var zeroVal bool
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field___Type_fields_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field___Type_fields_argsIncludeDeprecated(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["includeDeprecated"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field___Type_fields_argsIncludeDeprecated(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (bool, error) {
+	if _, ok := rawArgs["includeDeprecated"]; !ok {
+		var zeroVal bool
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("includeDeprecated"))
+	if tmp, ok := rawArgs["includeDeprecated"]; ok {
+		return ec.unmarshalOBoolean2bool(ctx, tmp)
+	}
+
+	var zeroVal bool
+	return zeroVal, nil
+}
+
+// endregion ***************************** args.gotpl *****************************
+
+// region    ************************** directives.gotpl **************************
+
+// endregion ************************** directives.gotpl **************************
+
+// region    **************************** field.gotpl *****************************
+
+func (ec *executionContext) _AuditLog_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_id(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IPAddress, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLog_ip_address(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuditLog_user_agent(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_user_agent(ctx, field)
+func (ec *executionContext) _AuditLog_actor_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_actor_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -4813,7 +5804,7 @@ func (ec *executionContext) _AuditLog_user_agent(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UserAgent, nil
+		return obj.ActorID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -4827,7 +5818,7 @@ func (ec *executionContext) _AuditLog_user_agent(ctx context.Context, field grap
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLog_user_agent(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_actor_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuditLog",
 		Field:      field,
@@ -4840,8 +5831,8 @@ func (ec *executionContext) fieldContext_AuditLog_user_agent(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _AuditLog_metadata(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_metadata(ctx, field)
+func (ec *executionContext) _AuditLog_actor_type(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_actor_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -4854,7 +5845,7 @@ func (ec *executionContext) _AuditLog_metadata(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Metadata, nil
+		return obj.ActorType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -4868,7 +5859,7 @@ func (ec *executionContext) _AuditLog_metadata(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLog_metadata(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_actor_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuditLog",
 		Field:      field,
@@ -4881,8 +5872,8 @@ func (ec *executionContext) fieldContext_AuditLog_metadata(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _AuditLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLog_created_at(ctx, field)
+func (ec *executionContext) _AuditLog_actor_email(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_actor_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -4895,7 +5886,7 @@ func (ec *executionContext) _AuditLog_created_at(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.ActorEmail, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -4904,26 +5895,26 @@ func (ec *executionContext) _AuditLog_created_at(ctx context.Context, field grap
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_actor_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuditLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuditLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLogs_pagination(ctx, field)
+func (ec *executionContext) _AuditLog_action(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_action(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -4936,48 +5927,35 @@ func (ec *executionContext) _AuditLogs_pagination(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.Action, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_action(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuditLogs",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuditLogs_audit_logs(ctx context.Context, field graphql.CollectedField, obj *model.AuditLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuditLogs_audit_logs(ctx, field)
+func (ec *executionContext) _AuditLog_resource_type(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_resource_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -4990,62 +5968,35 @@ func (ec *executionContext) _AuditLogs_audit_logs(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AuditLogs, nil
+		return obj.ResourceType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuditLog)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuditLogs_audit_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_resource_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuditLogs",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuditLog_id(ctx, field)
-			case "actor_id":
-				return ec.fieldContext_AuditLog_actor_id(ctx, field)
-			case "actor_type":
-				return ec.fieldContext_AuditLog_actor_type(ctx, field)
-			case "actor_email":
-				return ec.fieldContext_AuditLog_actor_email(ctx, field)
-			case "action":
-				return ec.fieldContext_AuditLog_action(ctx, field)
-			case "resource_type":
-				return ec.fieldContext_AuditLog_resource_type(ctx, field)
-			case "resource_id":
-				return ec.fieldContext_AuditLog_resource_id(ctx, field)
-			case "ip_address":
-				return ec.fieldContext_AuditLog_ip_address(ctx, field)
-			case "user_agent":
-				return ec.fieldContext_AuditLog_user_agent(ctx, field)
-			case "metadata":
-				return ec.fieldContext_AuditLog_metadata(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuditLog_created_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuditLog", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_message(ctx, field)
+func (ec *executionContext) _AuditLog_resource_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_resource_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5058,26 +6009,64 @@ func (ec *executionContext) _AuthResponse_message(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return obj.ResourceID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AuditLog_resource_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AuditLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _AuditLog_ip_address(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_ip_address(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IPAddress, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_ip_address(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -5088,8 +6077,8 @@ func (ec *executionContext) fieldContext_AuthResponse_message(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_should_show_email_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+func (ec *executionContext) _AuditLog_user_agent(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_user_agent(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5102,7 +6091,7 @@ func (ec *executionContext) _AuthResponse_should_show_email_otp_screen(ctx conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ShouldShowEmailOtpScreen, nil
+		return obj.UserAgent, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5111,26 +6100,26 @@ func (ec *executionContext) _AuthResponse_should_show_email_otp_screen(ctx conte
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_should_show_email_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_user_agent(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+func (ec *executionContext) _AuditLog_metadata(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_metadata(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5143,7 +6132,7 @@ func (ec *executionContext) _AuthResponse_should_show_mobile_otp_screen(ctx cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ShouldShowMobileOtpScreen, nil
+		return obj.Metadata, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5152,26 +6141,26 @@ func (ec *executionContext) _AuthResponse_should_show_mobile_otp_screen(ctx cont
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_metadata(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_should_show_totp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+func (ec *executionContext) _AuditLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLog_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5184,7 +6173,7 @@ func (ec *executionContext) _AuthResponse_should_show_totp_screen(ctx context.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ShouldShowTotpScreen, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5193,26 +6182,26 @@ func (ec *executionContext) _AuthResponse_should_show_totp_screen(ctx context.Co
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_should_show_totp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_access_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_access_token(ctx, field)
+func (ec *executionContext) _AuditLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuditLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLogs_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5225,35 +6214,48 @@ func (ec *executionContext) _AuthResponse_access_token(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AccessToken, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_access_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLogs",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_id_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_id_token(ctx, field)
+func (ec *executionContext) _AuditLogs_audit_logs(ctx context.Context, field graphql.CollectedField, obj *model.AuditLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuditLogs_audit_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5266,35 +6268,62 @@ func (ec *executionContext) _AuthResponse_id_token(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IDToken, nil
+		return obj.AuditLogs, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.AuditLog)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_id_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuditLogs_audit_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthResponse",
+		Object:     "AuditLogs",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuditLog_id(ctx, field)
+			case "actor_id":
+				return ec.fieldContext_AuditLog_actor_id(ctx, field)
+			case "actor_type":
+				return ec.fieldContext_AuditLog_actor_type(ctx, field)
+			case "actor_email":
+				return ec.fieldContext_AuditLog_actor_email(ctx, field)
+			case "action":
+				return ec.fieldContext_AuditLog_action(ctx, field)
+			case "resource_type":
+				return ec.fieldContext_AuditLog_resource_type(ctx, field)
+			case "resource_id":
+				return ec.fieldContext_AuditLog_resource_id(ctx, field)
+			case "ip_address":
+				return ec.fieldContext_AuditLog_ip_address(ctx, field)
+			case "user_agent":
+				return ec.fieldContext_AuditLog_user_agent(ctx, field)
+			case "metadata":
+				return ec.fieldContext_AuditLog_metadata(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuditLog_created_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuditLog", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_refresh_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+func (ec *executionContext) _AuthResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5307,21 +6336,24 @@ func (ec *executionContext) _AuthResponse_refresh_token(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RefreshToken, nil
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_refresh_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
@@ -5334,8 +6366,8 @@ func (ec *executionContext) fieldContext_AuthResponse_refresh_token(_ context.Co
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_expires_in(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_expires_in(ctx, field)
+func (ec *executionContext) _AuthResponse_should_show_email_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5348,7 +6380,7 @@ func (ec *executionContext) _AuthResponse_expires_in(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ExpiresIn, nil
+		return obj.ShouldShowEmailOtpScreen, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5357,26 +6389,26 @@ func (ec *executionContext) _AuthResponse_expires_in(ctx context.Context, field
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_expires_in(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_should_show_email_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_user(ctx, field)
+func (ec *executionContext) _AuthResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5389,7 +6421,7 @@ func (ec *executionContext) _AuthResponse_user(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.User, nil
+		return obj.ShouldShowMobileOtpScreen, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5398,68 +6430,26 @@ func (ec *executionContext) _AuthResponse_user(ctx context.Context, field graphq
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_authenticator_scanner_image(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+func (ec *executionContext) _AuthResponse_should_show_totp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5472,7 +6462,7 @@ func (ec *executionContext) _AuthResponse_authenticator_scanner_image(ctx contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AuthenticatorScannerImage, nil
+		return obj.ShouldShowTotpScreen, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5481,26 +6471,26 @@ func (ec *executionContext) _AuthResponse_authenticator_scanner_image(ctx contex
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_authenticator_scanner_image(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_should_show_totp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_authenticator_secret(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+func (ec *executionContext) _AuthResponse_access_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_access_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5513,7 +6503,7 @@ func (ec *executionContext) _AuthResponse_authenticator_secret(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AuthenticatorSecret, nil
+		return obj.AccessToken, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5527,7 +6517,7 @@ func (ec *executionContext) _AuthResponse_authenticator_secret(ctx context.Conte
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_authenticator_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_access_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
@@ -5540,8 +6530,8 @@ func (ec *executionContext) fieldContext_AuthResponse_authenticator_secret(_ con
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthResponse_authenticator_recovery_codes(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+func (ec *executionContext) _AuthResponse_id_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_id_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5554,7 +6544,7 @@ func (ec *executionContext) _AuthResponse_authenticator_recovery_codes(ctx conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AuthenticatorRecoveryCodes, nil
+		return obj.IDToken, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5563,12 +6553,12 @@ func (ec *executionContext) _AuthResponse_authenticator_recovery_codes(ctx conte
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.([]*string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOString2ᚕᚖstring(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthResponse_authenticator_recovery_codes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_id_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "AuthResponse",
 		Field:      field,
@@ -5581,8 +6571,8 @@ func (ec *executionContext) fieldContext_AuthResponse_authenticator_recovery_cod
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
+func (ec *executionContext) _AuthResponse_refresh_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_refresh_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5595,38 +6585,35 @@ func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.RefreshToken, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_refresh_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_event_name(ctx, field)
+func (ec *executionContext) _AuthResponse_expires_in(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_expires_in(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5639,38 +6626,35 @@ func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventName, nil
+		return obj.ExpiresIn, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_expires_in(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_template(ctx, field)
+func (ec *executionContext) _AuthResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5683,38 +6667,77 @@ func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Template, nil
+		return obj.User, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_template(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_design(ctx, field)
+func (ec *executionContext) _AuthResponse_authenticator_scanner_image(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5727,26 +6750,23 @@ func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Design, nil
+		return obj.AuthenticatorScannerImage, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_design(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_authenticator_scanner_image(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -5757,8 +6777,8 @@ func (ec *executionContext) fieldContext_EmailTemplate_design(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_subject(ctx, field)
+func (ec *executionContext) _AuthResponse_authenticator_secret(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5771,26 +6791,23 @@ func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Subject, nil
+		return obj.AuthenticatorSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_subject(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_authenticator_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -5801,8 +6818,8 @@ func (ec *executionContext) fieldContext_EmailTemplate_subject(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_created_at(ctx, field)
+func (ec *executionContext) _AuthResponse_authenticator_recovery_codes(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5815,7 +6832,7 @@ func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.AuthenticatorRecoveryCodes, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5824,26 +6841,26 @@ func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.([]*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthResponse_authenticator_recovery_codes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_updated_at(ctx, field)
+func (ec *executionContext) _AuthzPermission_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5856,35 +6873,38 @@ func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplates_pagination(ctx, field)
+func (ec *executionContext) _AuthzPermission_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5897,7 +6917,7 @@ func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -5909,36 +6929,26 @@ func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, fiel
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplates_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplates",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplates_email_templates(ctx, field)
+func (ec *executionContext) _AuthzPermission_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -5951,54 +6961,35 @@ func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EmailTemplates, nil
+		return obj.Description, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.EmailTemplate)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplates_email_templates(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplates",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_EmailTemplate_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_EmailTemplate_event_name(ctx, field)
-			case "template":
-				return ec.fieldContext_EmailTemplate_template(ctx, field)
-			case "design":
-				return ec.fieldContext_EmailTemplate_design(ctx, field)
-			case "subject":
-				return ec.fieldContext_EmailTemplate_subject(ctx, field)
-			case "created_at":
-				return ec.fieldContext_EmailTemplate_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_EmailTemplate_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type EmailTemplate", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
+func (ec *executionContext) _AuthzPermission_resource(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_resource(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6011,35 +7002,50 @@ func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AccessTokenExpiryTime, nil
+		return obj.Resource, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthzResource)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_resource(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzResource_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzResource_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzResource_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzResource_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
+func (ec *executionContext) _AuthzPermission_scopes(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_scopes(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6052,35 +7058,50 @@ func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AdminSecret, nil
+		return obj.Scopes, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.AuthzScope)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ADMIN_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_scopes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzScope_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzScope_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzScope_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzScope_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_NAME(ctx, field)
+func (ec *executionContext) _AuthzPermission_policies(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_policies(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6093,35 +7114,58 @@ func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseName, nil
+		return obj.Policies, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.AuthzPolicy)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_policies(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPolicy_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPolicy_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPolicy_description(ctx, field)
+			case "type":
+				return ec.fieldContext_AuthzPolicy_type(ctx, field)
+			case "logic":
+				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
+			case "targets":
+				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_URL(ctx, field)
+func (ec *executionContext) _AuthzPermission_decision_strategy(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6134,23 +7178,26 @@ func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseURL, nil
+		return obj.DecisionStrategy, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_decision_strategy(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6161,8 +7208,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
+func (ec *executionContext) _AuthzPermission_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6175,35 +7222,38 @@ func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseType, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
+func (ec *executionContext) _AuthzPermission_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermission_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6216,35 +7266,38 @@ func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseUsername, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermission_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermission",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
+func (ec *executionContext) _AuthzPermissions_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermissions) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermissions_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6257,35 +7310,48 @@ func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabasePassword, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermissions_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermissions",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_HOST(ctx, field)
+func (ec *executionContext) _AuthzPermissions_permissions(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermissions) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPermissions_permissions(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6298,35 +7364,58 @@ func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseHost, nil
+		return obj.Permissions, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.AuthzPermission)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissionᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPermissions_permissions(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPermissions",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPermission_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPermission_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPermission_description(ctx, field)
+			case "resource":
+				return ec.fieldContext_AuthzPermission_resource(ctx, field)
+			case "scopes":
+				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
+			case "policies":
+				return ec.fieldContext_AuthzPermission_policies(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_PORT(ctx, field)
+func (ec *executionContext) _AuthzPolicies_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicies) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicies_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6339,35 +7428,48 @@ func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabasePort, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicies_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicies",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CLIENT_ID(ctx, field)
+func (ec *executionContext) _AuthzPolicies_policies(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicies) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicies_policies(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6380,7 +7482,7 @@ func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientID, nil
+		return obj.Policies, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -6392,26 +7494,46 @@ func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.([]*model.AuthzPolicy)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicies_policies(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicies",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPolicy_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPolicy_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPolicy_description(ctx, field)
+			case "type":
+				return ec.fieldContext_AuthzPolicy_type(ctx, field)
+			case "logic":
+				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
+			case "targets":
+				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _AuthzPolicy_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6424,7 +7546,7 @@ func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientSecret, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -6438,24 +7560,24 @@ func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphq
 	}
 	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
+func (ec *executionContext) _AuthzPolicy_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6468,23 +7590,26 @@ func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CustomAccessTokenScript, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6495,8 +7620,8 @@ func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_HOST(ctx, field)
+func (ec *executionContext) _AuthzPolicy_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6509,7 +7634,7 @@ func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPHost, nil
+		return obj.Description, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -6523,9 +7648,9 @@ func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.Co
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6536,8 +7661,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_PORT(ctx, field)
+func (ec *executionContext) _AuthzPolicy_type(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6550,23 +7675,26 @@ func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPPort, nil
+		return obj.Type, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6577,8 +7705,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
+func (ec *executionContext) _AuthzPolicy_logic(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_logic(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6591,23 +7719,26 @@ func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPUsername, nil
+		return obj.Logic, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_logic(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6618,8 +7749,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
+func (ec *executionContext) _AuthzPolicy_decision_strategy(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6632,23 +7763,26 @@ func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPPassword, nil
+		return obj.DecisionStrategy, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_decision_strategy(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6659,8 +7793,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
+func (ec *executionContext) _AuthzPolicy_targets(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_targets(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6673,35 +7807,46 @@ func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPLocalName, nil
+		return obj.Targets, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.AuthzPolicyTarget)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTargetᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_LOCAL_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_targets(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPolicyTarget_id(ctx, field)
+			case "target_type":
+				return ec.fieldContext_AuthzPolicyTarget_target_type(ctx, field)
+			case "target_value":
+				return ec.fieldContext_AuthzPolicyTarget_target_value(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicyTarget", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
+func (ec *executionContext) _AuthzPolicy_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6714,35 +7859,38 @@ func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SenderEmail, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SENDER_EMAIL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SENDER_NAME(ctx, field)
+func (ec *executionContext) _AuthzPolicy_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6755,35 +7903,38 @@ func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SenderName, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SENDER_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicy_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicy",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_TYPE(ctx, field)
+func (ec *executionContext) _AuthzPolicyTarget_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicyTarget_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6796,35 +7947,38 @@ func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtType, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicyTarget_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicyTarget",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_SECRET(ctx, field)
+func (ec *executionContext) _AuthzPolicyTarget_target_type(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicyTarget_target_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6837,23 +7991,26 @@ func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtSecret, nil
+		return obj.TargetType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicyTarget",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6864,8 +8021,8 @@ func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
+func (ec *executionContext) _AuthzPolicyTarget_target_value(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzPolicyTarget_target_value(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6878,23 +8035,26 @@ func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtPrivateKey, nil
+		return obj.TargetValue, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_value(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzPolicyTarget",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6905,8 +8065,8 @@ func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
+func (ec *executionContext) _AuthzResource_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResource_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6919,35 +8079,38 @@ func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtPublicKey, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_PUBLIC_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResource_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResource",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
+func (ec *executionContext) _AuthzResource_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResource_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6960,23 +8123,26 @@ func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AllowedOrigins, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResource_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResource",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6987,8 +8153,8 @@ func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APP_URL(ctx, field)
+func (ec *executionContext) _AuthzResource_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResource_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7001,7 +8167,7 @@ func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppURL, nil
+		return obj.Description, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7015,9 +8181,9 @@ func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.Coll
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResource_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResource",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7028,8 +8194,8 @@ func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field gr
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_REDIS_URL(ctx, field)
+func (ec *executionContext) _AuthzResource_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResource_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7042,35 +8208,38 @@ func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RedisURL, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_REDIS_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResource_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResource",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
+func (ec *executionContext) _AuthzResource_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResource_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7083,35 +8252,38 @@ func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ResetPasswordURL, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_RESET_PASSWORD_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResource_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResource",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
+func (ec *executionContext) _AuthzResourceScope_resource(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResourceScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResourceScope_resource(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7124,7 +8296,7 @@ func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableEmailVerification, nil
+		return obj.Resource, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7136,26 +8308,26 @@ func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_EMAIL_VERIFICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResourceScope_resource(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResourceScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _AuthzResourceScope_scope(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResourceScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResourceScope_scope(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7168,7 +8340,7 @@ func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableBasicAuthentication, nil
+		return obj.Scope, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7180,26 +8352,26 @@ func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Contex
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResourceScope_scope(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResourceScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _AuthzResources_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResources) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResources_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7212,7 +8384,7 @@ func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMobileBasicAuthentication, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7224,26 +8396,36 @@ func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResources_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResources",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
+func (ec *executionContext) _AuthzResources_resources(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResources) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzResources_resources(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7256,7 +8438,7 @@ func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMagicLinkLogin, nil
+		return obj.Resources, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7268,26 +8450,38 @@ func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]*model.AuthzResource)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNAuthzResource2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzResources_resources(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzResources",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzResource_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzResource_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzResource_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzResource_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
+func (ec *executionContext) _AuthzScope_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScope_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7300,7 +8494,7 @@ func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableLoginPage, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7312,26 +8506,26 @@ func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_LOGIN_PAGE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScope_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
+func (ec *executionContext) _AuthzScope_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScope_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7344,7 +8538,7 @@ func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableSignUp, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7356,26 +8550,26 @@ func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_SIGN_UP(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScope_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
+func (ec *executionContext) _AuthzScope_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScope_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7388,38 +8582,35 @@ func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableRedisForEnv, nil
+		return obj.Description, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_REDIS_FOR_ENV(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScope_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
+func (ec *executionContext) _AuthzScope_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScope_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7432,7 +8623,7 @@ func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableStrongPassword, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7444,26 +8635,26 @@ func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_STRONG_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScope_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _AuthzScope_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScope_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7476,7 +8667,7 @@ func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMultiFactorAuthentication, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7488,26 +8679,26 @@ func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScope_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScope",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _AuthzScopes_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScopes) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScopes_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7520,7 +8711,7 @@ func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EnforceMultiFactorAuthentication, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7532,26 +8723,36 @@ func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScopes_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScopes",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROLES(ctx, field)
+func (ec *executionContext) _AuthzScopes_scopes(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScopes) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthzScopes_scopes(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7564,35 +8765,50 @@ func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.Collec
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Roles, nil
+		return obj.Scopes, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.([]*model.AuthzScope)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_AuthzScopes_scopes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "AuthzScopes",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzScope_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzScope_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzScope_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzScope_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
+func (ec *executionContext) _CheckPermissionResponse_allowed(ctx context.Context, field graphql.CollectedField, obj *model.CheckPermissionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_CheckPermissionResponse_allowed(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7605,35 +8821,38 @@ func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ProtectedRoles, nil
+		return obj.Allowed, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_PROTECTED_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_CheckPermissionResponse_allowed(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "CheckPermissionResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
+func (ec *executionContext) _CheckPermissionResponse_matched_policy(ctx context.Context, field graphql.CollectedField, obj *model.CheckPermissionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_CheckPermissionResponse_matched_policy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7646,7 +8865,7 @@ func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultRoles, nil
+		return obj.MatchedPolicy, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7655,14 +8874,14 @@ func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphq
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_CheckPermissionResponse_matched_policy(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "CheckPermissionResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7673,8 +8892,8 @@ func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
+func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7687,35 +8906,38 @@ func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtRoleClaim, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_ROLE_CLAIM(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
+func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_event_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7728,23 +8950,26 @@ func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GoogleClientID, nil
+		return obj.EventName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7755,8 +8980,8 @@ func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7769,23 +8994,26 @@ func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GoogleClientSecret, nil
+		return obj.Template, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_template(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7796,8 +9024,8 @@ func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_SECRET(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
+func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_design(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7810,23 +9038,26 @@ func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GithubClientID, nil
+		return obj.Design, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_design(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7837,8 +9068,8 @@ func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_subject(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7851,23 +9082,26 @@ func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GithubClientSecret, nil
+		return obj.Subject, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_subject(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7878,8 +9112,8 @@ func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
+func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7892,7 +9126,7 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FacebookClientID, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7901,26 +9135,26 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field g
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7933,7 +9167,7 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FacebookClientSecret, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7942,26 +9176,26 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, fie
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
+func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplates_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7974,35 +9208,48 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.LinkedinClientID, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplates_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplates",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplates_email_templates(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8015,35 +9262,54 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.LinkedinClientSecret, nil
+		return obj.EmailTemplates, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		return graphql.Null
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.EmailTemplate)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplates_email_templates(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "EmailTemplates",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_EmailTemplate_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_EmailTemplate_event_name(ctx, field)
+			case "template":
+				return ec.fieldContext_EmailTemplate_template(ctx, field)
+			case "design":
+				return ec.fieldContext_EmailTemplate_design(ctx, field)
+			case "subject":
+				return ec.fieldContext_EmailTemplate_subject(ctx, field)
+			case "created_at":
+				return ec.fieldContext_EmailTemplate_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_EmailTemplate_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type EmailTemplate", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8056,7 +9322,7 @@ func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppleClientID, nil
+		return obj.AccessTokenExpiryTime, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8070,7 +9336,7 @@ func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field grap
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8083,8 +9349,8 @@ func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8097,7 +9363,7 @@ func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppleClientSecret, nil
+		return obj.AdminSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8111,7 +9377,7 @@ func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ADMIN_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8124,8 +9390,8 @@ func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_SECRET(_ context.Conte
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8138,7 +9404,7 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DiscordClientID, nil
+		return obj.DatabaseName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8152,7 +9418,7 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8165,8 +9431,8 @@ func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8179,7 +9445,7 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DiscordClientSecret, nil
+		return obj.DatabaseURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8193,7 +9459,7 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, fiel
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8206,8 +9472,8 @@ func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8220,7 +9486,7 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitterClientID, nil
+		return obj.DatabaseType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8234,7 +9500,7 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8247,8 +9513,8 @@ func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_ID(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8261,7 +9527,7 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitterClientSecret, nil
+		return obj.DatabaseUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8275,7 +9541,7 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, fiel
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8288,8 +9554,8 @@ func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_SECRET(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8302,7 +9568,7 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftClientID, nil
+		return obj.DatabasePassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8316,7 +9582,7 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8329,8 +9595,8 @@ func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_ID(_ context.Conte
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_HOST(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8343,7 +9609,7 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftClientSecret, nil
+		return obj.DatabaseHost, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8357,7 +9623,7 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, fi
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8370,8 +9636,8 @@ func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_SECRET(_ context.C
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
+func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_PORT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8384,7 +9650,7 @@ func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftActiveDirectoryTenantID, nil
+		return obj.DatabasePort, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8398,7 +9664,7 @@ func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx contex
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8411,8 +9677,8 @@ func (ec *executionContext) fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_I
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8425,21 +9691,24 @@ func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitchClientID, nil
+		return obj.ClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8452,8 +9721,8 @@ func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8466,21 +9735,24 @@ func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitchClientSecret, nil
+		return obj.ClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8493,8 +9765,8 @@ func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_SECRET(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8507,7 +9779,7 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RobloxClientID, nil
+		return obj.CustomAccessTokenScript, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8521,7 +9793,7 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field gra
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8534,8 +9806,8 @@ func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_HOST(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8548,7 +9820,7 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RobloxClientSecret, nil
+		return obj.SMTPHost, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8562,7 +9834,7 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8575,8 +9847,8 @@ func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_SECRET(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
+func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_PORT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8589,7 +9861,7 @@ func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.OrganizationName, nil
+		return obj.SMTPPort, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8603,7 +9875,7 @@ func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ORGANIZATION_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8616,8 +9888,8 @@ func (ec *executionContext) fieldContext_Env_ORGANIZATION_NAME(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
+func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8630,7 +9902,7 @@ func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.OrganizationLogo, nil
+		return obj.SMTPUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8644,7 +9916,7 @@ func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ORGANIZATION_LOGO(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8657,8 +9929,8 @@ func (ec *executionContext) fieldContext_Env_ORGANIZATION_LOGO(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
+func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8671,38 +9943,35 @@ func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppCookieSecure, nil
+		return obj.SMTPPassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APP_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
+func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8715,38 +9984,35 @@ func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AdminCookieSecure, nil
+		return obj.SMTPLocalName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ADMIN_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_LOCAL_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
+func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8759,7 +10025,7 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultAuthorizeResponseType, nil
+		return obj.SenderEmail, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8773,7 +10039,7 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Con
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SENDER_EMAIL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8786,8 +10052,8 @@ func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(_ c
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
+func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SENDER_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8800,7 +10066,7 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultAuthorizeResponseMode, nil
+		return obj.SenderName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8814,7 +10080,7 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Con
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SENDER_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -8827,8 +10093,8 @@ func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(_ c
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
+func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_TYPE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8841,38 +10107,35 @@ func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisablePlayground, nil
+		return obj.JwtType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_PLAYGROUND(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
+func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8885,38 +10148,35 @@ func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMailOtpLogin, nil
+		return obj.JwtSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
+func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8929,38 +10189,35 @@ func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableTotpLogin, nil
+		return obj.JwtPrivateKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_TOTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Error_message(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Error_message(ctx, field)
+func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8973,26 +10230,23 @@ func (ec *executionContext) _Error_message(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return obj.JwtPublicKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Error_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_PUBLIC_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Error",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9003,8 +10257,8 @@ func (ec *executionContext) fieldContext_Error_message(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Error_reason(ctx, field)
+func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9017,26 +10271,23 @@ func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Reason, nil
+		return obj.AllowedOrigins, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Error",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9047,8 +10298,8 @@ func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field g
 	return fc, nil
 }
 
-func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
+func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APP_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9061,26 +10312,23 @@ func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return obj.AppURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ForgotPasswordResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ForgotPasswordResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9091,8 +10339,8 @@ func (ec *executionContext) fieldContext_ForgotPasswordResponse_message(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
+func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_REDIS_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9105,7 +10353,7 @@ func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_scree
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ShouldShowMobileOtpScreen, nil
+		return obj.RedisURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9114,26 +10362,26 @@ func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_scree
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_REDIS_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ForgotPasswordResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
+func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9146,7 +10394,7 @@ func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Secret, nil
+		return obj.ResetPasswordURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9160,9 +10408,9 @@ func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context,
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_RESET_PASSWORD_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9173,8 +10421,8 @@ func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_secret(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
+func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9187,35 +10435,38 @@ func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PublicKey, nil
+		return obj.DisableEmailVerification, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_public_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_EMAIL_VERIFICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
+func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9228,35 +10479,38 @@ func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PrivateKey, nil
+		return obj.DisableBasicAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_private_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_InviteMembersResponse_message(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9269,7 +10523,7 @@ func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return obj.DisableMobileBasicAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9281,26 +10535,26 @@ func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_InviteMembersResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "InviteMembersResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_InviteMembersResponse_Users(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9313,7 +10567,7 @@ func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Users, nil
+		return obj.DisableMagicLinkLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9325,68 +10579,26 @@ func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.User)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_InviteMembersResponse_Users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "InviteMembersResponse",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_version(ctx, field)
+func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9399,7 +10611,7 @@ func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Version, nil
+		return obj.DisableLoginPage, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9411,26 +10623,26 @@ func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.Col
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_version(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_LOGIN_PAGE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_client_id(ctx, field)
+func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9443,7 +10655,7 @@ func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientID, nil
+		return obj.DisableSignUp, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9455,26 +10667,26 @@ func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.C
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_client_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_SIGN_UP(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
+func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9487,7 +10699,7 @@ func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsGoogleLoginEnabled, nil
+		return obj.DisableRedisForEnv, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9504,9 +10716,9 @@ func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, f
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_google_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_REDIS_FOR_ENV(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9517,8 +10729,8 @@ func (ec *executionContext) fieldContext_Meta_is_google_login_enabled(_ context.
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
+func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9531,7 +10743,7 @@ func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsFacebookLoginEnabled, nil
+		return obj.DisableStrongPassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9548,9 +10760,9 @@ func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context,
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_facebook_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_STRONG_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9561,8 +10773,8 @@ func (ec *executionContext) fieldContext_Meta_is_facebook_login_enabled(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9575,7 +10787,7 @@ func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsGithubLoginEnabled, nil
+		return obj.DisableMultiFactorAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9592,9 +10804,9 @@ func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, f
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_github_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9605,8 +10817,8 @@ func (ec *executionContext) fieldContext_Meta_is_github_login_enabled(_ context.
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
+func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9619,7 +10831,7 @@ func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsLinkedinLoginEnabled, nil
+		return obj.EnforceMultiFactorAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9636,9 +10848,9 @@ func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context,
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_linkedin_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -9649,8 +10861,8 @@ func (ec *executionContext) fieldContext_Meta_is_linkedin_login_enabled(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
+func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9663,38 +10875,35 @@ func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsAppleLoginEnabled, nil
+		return obj.Roles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_apple_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
+func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9707,38 +10916,35 @@ func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsDiscordLoginEnabled, nil
+		return obj.ProtectedRoles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_discord_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_PROTECTED_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
+func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9751,38 +10957,35 @@ func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsTwitterLoginEnabled, nil
+		return obj.DefaultRoles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_twitter_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
+func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9795,38 +10998,35 @@ func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMicrosoftLoginEnabled, nil
+		return obj.JwtRoleClaim, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_microsoft_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_ROLE_CLAIM(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
+func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9839,38 +11039,35 @@ func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsTwitchLoginEnabled, nil
+		return obj.GoogleClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_twitch_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
+func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9883,38 +11080,35 @@ func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsRobloxLoginEnabled, nil
+		return obj.GoogleClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_roblox_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
+func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9927,38 +11121,35 @@ func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsEmailVerificationEnabled, nil
+		return obj.GithubClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_email_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
+func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9971,38 +11162,35 @@ func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsBasicAuthenticationEnabled, nil
+		return obj.GithubClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
+func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10015,38 +11203,35 @@ func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMagicLinkLoginEnabled, nil
+		return obj.FacebookClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_magic_link_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10059,38 +11244,35 @@ func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsSignUpEnabled, nil
+		return obj.FacebookClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_sign_up_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
+func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10103,38 +11285,35 @@ func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsStrongPasswordEnabled, nil
+		return obj.LinkedinClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_strong_password_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
+func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10147,38 +11326,35 @@ func (ec *executionContext) _Meta_is_multi_factor_auth_enabled(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMultiFactorAuthEnabled, nil
+		return obj.LinkedinClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10191,38 +11367,35 @@ func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMobileBasicAuthenticationEnabled, nil
+		return obj.AppleClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_mobile_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
+func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10235,38 +11408,35 @@ func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsPhoneVerificationEnabled, nil
+		return obj.AppleClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_phone_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_signup(ctx, field)
+func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10279,75 +11449,35 @@ func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Signup(rctx, fc.Args["params"].(model.SignUpRequest))
+		return obj.DiscordClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_mobile_signup(ctx, field)
+func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10360,75 +11490,35 @@ func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MobileSignup(rctx, fc.Args["params"].(*model.MobileSignUpRequest))
+		return obj.DiscordClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_mobile_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_login(ctx, field)
+func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10441,75 +11531,76 @@ func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Login(rctx, fc.Args["params"].(model.LoginRequest))
+		return obj.TwitterClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.TwitterClientSecret, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Env",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_mobile_login(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10522,75 +11613,35 @@ func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MobileLogin(rctx, fc.Args["params"].(model.MobileLoginRequest))
+		return obj.MicrosoftClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_mobile_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_magic_link_login(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10603,53 +11654,35 @@ func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MagicLinkLogin(rctx, fc.Args["params"].(model.MagicLinkLoginRequest))
+		return obj.MicrosoftClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_magic_link_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_logout(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10662,42 +11695,35 @@ func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Logout(rctx)
+		return obj.MicrosoftActiveDirectoryTenantID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_update_profile(ctx, field)
+func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10710,53 +11736,35 @@ func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateProfile(rctx, fc.Args["params"].(model.UpdateProfileRequest))
+		return obj.TwitchClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_update_profile_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_verify_email(ctx, field)
+func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10769,75 +11777,35 @@ func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().VerifyEmail(rctx, fc.Args["params"].(model.VerifyEmailRequest))
+		return obj.TwitchClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_resend_verify_email(ctx, field)
+func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10850,53 +11818,35 @@ func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResendVerifyEmail(rctx, fc.Args["params"].(model.ResendVerifyEmailRequest))
+		return obj.RobloxClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_resend_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_forgot_password(ctx, field)
+func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10909,55 +11859,35 @@ func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ForgotPassword(rctx, fc.Args["params"].(model.ForgotPasswordRequest))
+		return obj.RobloxClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ForgotPasswordResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNForgotPasswordResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ForgotPasswordResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_forgot_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_reset_password(ctx, field)
+func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10970,53 +11900,35 @@ func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResetPassword(rctx, fc.Args["params"].(model.ResetPasswordRequest))
+		return obj.OrganizationName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ORGANIZATION_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_reset_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_revoke(ctx, field)
+func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11029,53 +11941,35 @@ func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Revoke(rctx, fc.Args["params"].(model.OAuthRevokeRequest))
+		return obj.OrganizationLogo, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_revoke(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ORGANIZATION_LOGO(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_revoke_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_verify_otp(ctx, field)
+func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11088,7 +11982,7 @@ func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().VerifyOtp(rctx, fc.Args["params"].(model.VerifyOTPRequest))
+		return obj.AppCookieSecure, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11100,63 +11994,26 @@ func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APP_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_verify_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_resend_otp(ctx, field)
+func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11169,7 +12026,7 @@ func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResendOtp(rctx, fc.Args["params"].(model.ResendOTPRequest))
+		return obj.AdminCookieSecure, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11181,41 +12038,67 @@ func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ADMIN_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_resend_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DefaultAuthorizeResponseType, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Env",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_deactivate_account(ctx, field)
+func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11228,42 +12111,35 @@ func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeactivateAccount(rctx)
+		return obj.DefaultAuthorizeResponseMode, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_deactivate_account(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_user(ctx, field)
+func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11276,7 +12152,7 @@ func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteUser(rctx, fc.Args["params"].(model.DeleteUserRequest))
+		return obj.DisablePlayground, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11288,41 +12164,26 @@ func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_PLAYGROUND(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_user(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11335,7 +12196,7 @@ func (ec *executionContext) _Mutation__update_user(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateUser(rctx, fc.Args["params"].(model.UpdateUserRequest))
+		return obj.DisableMailOtpLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11347,79 +12208,26 @@ func (ec *executionContext) _Mutation__update_user(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_signup(ctx, field)
+func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11432,7 +12240,7 @@ func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminSignup(rctx, fc.Args["params"].(model.AdminSignupRequest))
+		return obj.DisableTotpLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11444,41 +12252,26 @@ func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_TOTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Env",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__admin_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_login(ctx, field)
+func (ec *executionContext) _Error_message(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Error_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11491,7 +12284,7 @@ func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminLogin(rctx, fc.Args["params"].(model.AdminLoginRequest))
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11503,41 +12296,26 @@ func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Error_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Error",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__admin_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_logout(ctx, field)
+func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Error_reason(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11550,7 +12328,7 @@ func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminLogout(rctx)
+		return obj.Reason, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11562,30 +12340,26 @@ func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__admin_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Error",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_env(ctx, field)
+func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11598,7 +12372,7 @@ func (ec *executionContext) _Mutation__update_env(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateEnv(rctx, fc.Args["params"].(model.UpdateEnvRequest))
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11610,41 +12384,26 @@ func (ec *executionContext) _Mutation__update_env(ctx context.Context, field gra
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_env(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ForgotPasswordResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "ForgotPasswordResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_env_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__invite_members(ctx, field)
+func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11657,55 +12416,35 @@ func (ec *executionContext) _Mutation__invite_members(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().InviteMembers(rctx, fc.Args["params"].(model.InviteMemberRequest))
+		return obj.ShouldShowMobileOtpScreen, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.InviteMembersResponse)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalNInviteMembersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMembersResponse(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "ForgotPasswordResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_InviteMembersResponse_message(ctx, field)
-			case "Users":
-				return ec.fieldContext_InviteMembersResponse_Users(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type InviteMembersResponse", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__invite_members_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__revoke_access(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11718,53 +12457,35 @@ func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().RevokeAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
+		return obj.Secret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__revoke_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__enable_access(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11777,53 +12498,35 @@ func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().EnableAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
+		return obj.PublicKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_public_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__enable_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__generate_jwt_keys(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11836,57 +12539,35 @@ func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().GenerateJwtKeys(rctx, fc.Args["params"].(model.GenerateJWTKeysRequest))
+		return obj.PrivateKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.GenerateJWTKeysResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNGenerateJWTKeysResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_private_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "secret":
-				return ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
-			case "public_key":
-				return ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
-			case "private_key":
-				return ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type GenerateJWTKeysResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__generate_jwt_keys_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__add_webhook(ctx, field)
+func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_InviteMembersResponse_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11899,7 +12580,7 @@ func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AddWebhook(rctx, fc.Args["params"].(model.AddWebhookRequest))
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11911,41 +12592,26 @@ func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_InviteMembersResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "InviteMembersResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__add_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_webhook(ctx, field)
+func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_InviteMembersResponse_Users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11958,7 +12624,7 @@ func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateWebhook(rctx, fc.Args["params"].(model.UpdateWebhookRequest))
+		return obj.Users, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11970,41 +12636,68 @@ func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.([]*model.User)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_InviteMembersResponse_Users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "InviteMembersResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_webhook(ctx, field)
+func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_version(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12017,7 +12710,7 @@ func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteWebhook(rctx, fc.Args["params"].(model.WebhookRequest))
+		return obj.Version, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12029,41 +12722,26 @@ func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_version(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__test_endpoint(ctx, field)
+func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_client_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12076,7 +12754,7 @@ func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().TestEndpoint(rctx, fc.Args["params"].(model.TestEndpointRequest))
+		return obj.ClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12088,43 +12766,26 @@ func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.TestEndpointResponse)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNTestEndpointResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_client_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "http_status":
-				return ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
-			case "response":
-				return ec.fieldContext_TestEndpointResponse_response(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type TestEndpointResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__test_endpoint_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__add_email_template(ctx, field)
+func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12137,7 +12798,7 @@ func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AddEmailTemplate(rctx, fc.Args["params"].(model.AddEmailTemplateRequest))
+		return obj.IsGoogleLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12149,41 +12810,26 @@ func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_google_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__add_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_email_template(ctx, field)
+func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12196,7 +12842,7 @@ func (ec *executionContext) _Mutation__update_email_template(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateEmailTemplate(rctx, fc.Args["params"].(model.UpdateEmailTemplateRequest))
+		return obj.IsFacebookLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12208,41 +12854,26 @@ func (ec *executionContext) _Mutation__update_email_template(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_facebook_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_email_template(ctx, field)
+func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12255,7 +12886,7 @@ func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteEmailTemplate(rctx, fc.Args["params"].(model.DeleteEmailTemplateRequest))
+		return obj.IsGithubLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12267,41 +12898,26 @@ func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_github_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_limit(ctx, field)
+func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12314,7 +12930,7 @@ func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Limit, nil
+		return obj.IsLinkedinLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12326,26 +12942,26 @@ func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_limit(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_linkedin_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_page(ctx, field)
+func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12358,7 +12974,7 @@ func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Page, nil
+		return obj.IsAppleLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12370,26 +12986,26 @@ func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_page(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_apple_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_offset(ctx, field)
+func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12402,7 +13018,7 @@ func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Offset, nil
+		return obj.IsDiscordLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12414,26 +13030,26 @@ func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphq
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_offset(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_discord_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_total(ctx, field)
+func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12446,7 +13062,7 @@ func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Total, nil
+		return obj.IsTwitterLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12458,26 +13074,26 @@ func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_twitter_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_meta(ctx, field)
+func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12490,7 +13106,7 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Meta(rctx)
+		return obj.IsMicrosoftLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12502,68 +13118,26 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Meta)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_microsoft_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "version":
-				return ec.fieldContext_Meta_version(ctx, field)
-			case "client_id":
-				return ec.fieldContext_Meta_client_id(ctx, field)
-			case "is_google_login_enabled":
-				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
-			case "is_facebook_login_enabled":
-				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
-			case "is_github_login_enabled":
-				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
-			case "is_linkedin_login_enabled":
-				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
-			case "is_apple_login_enabled":
-				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
-			case "is_discord_login_enabled":
-				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
-			case "is_twitter_login_enabled":
-				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
-			case "is_microsoft_login_enabled":
-				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
-			case "is_twitch_login_enabled":
-				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
-			case "is_roblox_login_enabled":
-				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
-			case "is_email_verification_enabled":
-				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
-			case "is_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
-			case "is_magic_link_login_enabled":
-				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
-			case "is_sign_up_enabled":
-				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
-			case "is_strong_password_enabled":
-				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
-			case "is_mobile_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
-			case "is_phone_verification_enabled":
-				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_session(ctx, field)
+func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12576,7 +13150,7 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
+		return obj.IsTwitchLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12588,63 +13162,26 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_twitch_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_profile(ctx, field)
+func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12657,7 +13194,7 @@ func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Profile(rctx)
+		return obj.IsRobloxLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12669,68 +13206,26 @@ func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_profile(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_roblox_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_validate_jwt_token(ctx, field)
+func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12743,7 +13238,7 @@ func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().ValidateJwtToken(rctx, fc.Args["params"].(model.ValidateJWTTokenRequest))
+		return obj.IsEmailVerificationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12755,43 +13250,26 @@ func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ValidateJWTTokenResponse)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNValidateJWTTokenResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_email_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "is_valid":
-				return ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
-			case "claims":
-				return ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ValidateJWTTokenResponse", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_validate_jwt_token_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_validate_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_validate_session(ctx, field)
+func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12804,7 +13282,7 @@ func (ec *executionContext) _Query_validate_session(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().ValidateSession(rctx, fc.Args["params"].(*model.ValidateSessionRequest))
+		return obj.IsBasicAuthenticationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12816,43 +13294,26 @@ func (ec *executionContext) _Query_validate_session(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ValidateSessionResponse)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNValidateSessionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_validate_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "is_valid":
-				return ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
-			case "user":
-				return ec.fieldContext_ValidateSessionResponse_user(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ValidateSessionResponse", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_validate_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__users(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__users(ctx, field)
+func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12865,7 +13326,7 @@ func (ec *executionContext) _Query__users(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Users(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.IsMagicLinkLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12877,43 +13338,70 @@ func (ec *executionContext) _Query__users(ctx context.Context, field graphql.Col
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Users)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNUsers2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUsers(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__users(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_magic_link_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_Users_pagination(ctx, field)
-			case "users":
-				return ec.fieldContext_Users_users(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Users", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__users_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsSignUpEnabled, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Meta_is_sign_up_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Meta",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__user(ctx, field)
+func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12926,7 +13414,7 @@ func (ec *executionContext) _Query__user(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().User(rctx, fc.Args["params"].(model.GetUserRequest))
+		return obj.IsStrongPasswordEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12938,79 +13426,26 @@ func (ec *executionContext) _Query__user(ctx context.Context, field graphql.Coll
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_strong_password_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__verification_requests(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__verification_requests(ctx, field)
+func (ec *executionContext) _Meta_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13023,7 +13458,7 @@ func (ec *executionContext) _Query__verification_requests(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().VerificationRequests(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.IsMultiFactorAuthEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13035,43 +13470,70 @@ func (ec *executionContext) _Query__verification_requests(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.VerificationRequests)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNVerificationRequests2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequests(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__verification_requests(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_VerificationRequests_pagination(ctx, field)
-			case "verification_requests":
-				return ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type VerificationRequests", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__verification_requests_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsMobileBasicAuthenticationEnabled, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Meta_is_mobile_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Meta",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__admin_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__admin_session(ctx, field)
+func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13084,7 +13546,7 @@ func (ec *executionContext) _Query__admin_session(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AdminSession(rctx)
+		return obj.IsPhoneVerificationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13096,30 +13558,26 @@ func (ec *executionContext) _Query__admin_session(ctx context.Context, field gra
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__admin_session(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_phone_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Meta",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__env(ctx, field)
+func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13132,7 +13590,7 @@ func (ec *executionContext) _Query__env(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Env(rctx)
+		return ec.resolvers.Mutation().Signup(rctx, fc.Args["params"].(model.SignUpRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13144,170 +13602,63 @@ func (ec *executionContext) _Query__env(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Env)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__env(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "ACCESS_TOKEN_EXPIRY_TIME":
-				return ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
-			case "ADMIN_SECRET":
-				return ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
-			case "DATABASE_NAME":
-				return ec.fieldContext_Env_DATABASE_NAME(ctx, field)
-			case "DATABASE_URL":
-				return ec.fieldContext_Env_DATABASE_URL(ctx, field)
-			case "DATABASE_TYPE":
-				return ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
-			case "DATABASE_USERNAME":
-				return ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
-			case "DATABASE_PASSWORD":
-				return ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
-			case "DATABASE_HOST":
-				return ec.fieldContext_Env_DATABASE_HOST(ctx, field)
-			case "DATABASE_PORT":
-				return ec.fieldContext_Env_DATABASE_PORT(ctx, field)
-			case "CLIENT_ID":
-				return ec.fieldContext_Env_CLIENT_ID(ctx, field)
-			case "CLIENT_SECRET":
-				return ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
-			case "CUSTOM_ACCESS_TOKEN_SCRIPT":
-				return ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
-			case "SMTP_HOST":
-				return ec.fieldContext_Env_SMTP_HOST(ctx, field)
-			case "SMTP_PORT":
-				return ec.fieldContext_Env_SMTP_PORT(ctx, field)
-			case "SMTP_USERNAME":
-				return ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
-			case "SMTP_PASSWORD":
-				return ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
-			case "SMTP_LOCAL_NAME":
-				return ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
-			case "SENDER_EMAIL":
-				return ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
-			case "SENDER_NAME":
-				return ec.fieldContext_Env_SENDER_NAME(ctx, field)
-			case "JWT_TYPE":
-				return ec.fieldContext_Env_JWT_TYPE(ctx, field)
-			case "JWT_SECRET":
-				return ec.fieldContext_Env_JWT_SECRET(ctx, field)
-			case "JWT_PRIVATE_KEY":
-				return ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
-			case "JWT_PUBLIC_KEY":
-				return ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
-			case "ALLOWED_ORIGINS":
-				return ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
-			case "APP_URL":
-				return ec.fieldContext_Env_APP_URL(ctx, field)
-			case "REDIS_URL":
-				return ec.fieldContext_Env_REDIS_URL(ctx, field)
-			case "RESET_PASSWORD_URL":
-				return ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
-			case "DISABLE_EMAIL_VERIFICATION":
-				return ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
-			case "DISABLE_BASIC_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
-			case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
-			case "DISABLE_MAGIC_LINK_LOGIN":
-				return ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
-			case "DISABLE_LOGIN_PAGE":
-				return ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
-			case "DISABLE_SIGN_UP":
-				return ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
-			case "DISABLE_REDIS_FOR_ENV":
-				return ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
-			case "DISABLE_STRONG_PASSWORD":
-				return ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
-			case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
-			case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
-				return ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
-			case "ROLES":
-				return ec.fieldContext_Env_ROLES(ctx, field)
-			case "PROTECTED_ROLES":
-				return ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
-			case "DEFAULT_ROLES":
-				return ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
-			case "JWT_ROLE_CLAIM":
-				return ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
-			case "GOOGLE_CLIENT_ID":
-				return ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
-			case "GOOGLE_CLIENT_SECRET":
-				return ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
-			case "GITHUB_CLIENT_ID":
-				return ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
-			case "GITHUB_CLIENT_SECRET":
-				return ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
-			case "FACEBOOK_CLIENT_ID":
-				return ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
-			case "FACEBOOK_CLIENT_SECRET":
-				return ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
-			case "LINKEDIN_CLIENT_ID":
-				return ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
-			case "LINKEDIN_CLIENT_SECRET":
-				return ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
-			case "APPLE_CLIENT_ID":
-				return ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
-			case "APPLE_CLIENT_SECRET":
-				return ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
-			case "DISCORD_CLIENT_ID":
-				return ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
-			case "DISCORD_CLIENT_SECRET":
-				return ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
-			case "TWITTER_CLIENT_ID":
-				return ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
-			case "TWITTER_CLIENT_SECRET":
-				return ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
-			case "MICROSOFT_CLIENT_ID":
-				return ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
-			case "MICROSOFT_CLIENT_SECRET":
-				return ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
-			case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
-				return ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
-			case "TWITCH_CLIENT_ID":
-				return ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
-			case "TWITCH_CLIENT_SECRET":
-				return ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
-			case "ROBLOX_CLIENT_ID":
-				return ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
-			case "ROBLOX_CLIENT_SECRET":
-				return ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
-			case "ORGANIZATION_NAME":
-				return ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
-			case "ORGANIZATION_LOGO":
-				return ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
-			case "APP_COOKIE_SECURE":
-				return ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
-			case "ADMIN_COOKIE_SECURE":
-				return ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
-			case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
-				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
-			case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
-				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
-			case "DISABLE_PLAYGROUND":
-				return ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
-			case "DISABLE_MAIL_OTP_LOGIN":
-				return ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
-			case "DISABLE_TOTP_LOGIN":
-				return ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Env", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhook(ctx, field)
+func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_mobile_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13320,7 +13671,7 @@ func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Webhook(rctx, fc.Args["params"].(model.WebhookRequest))
+		return ec.resolvers.Mutation().MobileSignup(rctx, fc.Args["params"].(*model.MobileSignUpRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13332,37 +13683,45 @@ func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.C
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Webhook)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNWebhook2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhook(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_Webhook_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_Webhook_event_name(ctx, field)
-			case "event_description":
-				return ec.fieldContext_Webhook_event_description(ctx, field)
-			case "endpoint":
-				return ec.fieldContext_Webhook_endpoint(ctx, field)
-			case "enabled":
-				return ec.fieldContext_Webhook_enabled(ctx, field)
-			case "headers":
-				return ec.fieldContext_Webhook_headers(ctx, field)
-			case "created_at":
-				return ec.fieldContext_Webhook_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_Webhook_updated_at(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -13372,15 +13731,15 @@ func (ec *executionContext) fieldContext_Query__webhook(ctx context.Context, fie
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation_mobile_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhooks(ctx, field)
+func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13393,7 +13752,7 @@ func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Webhooks(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return ec.resolvers.Mutation().Login(rctx, fc.Args["params"].(model.LoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13405,25 +13764,45 @@ func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Webhooks)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNWebhooks2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhooks(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhooks(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_Webhooks_pagination(ctx, field)
-			case "webhooks":
-				return ec.fieldContext_Webhooks_webhooks(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhooks", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -13433,15 +13812,15 @@ func (ec *executionContext) fieldContext_Query__webhooks(ctx context.Context, fi
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhooks_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhook_logs(ctx, field)
+func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_mobile_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13454,7 +13833,7 @@ func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().WebhookLogs(rctx, fc.Args["params"].(*model.ListWebhookLogRequest))
+		return ec.resolvers.Mutation().MobileLogin(rctx, fc.Args["params"].(model.MobileLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13466,25 +13845,45 @@ func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.WebhookLogs)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNWebhookLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogs(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_WebhookLogs_pagination(ctx, field)
-			case "webhook_logs":
-				return ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type WebhookLogs", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -13494,15 +13893,15 @@ func (ec *executionContext) fieldContext_Query__webhook_logs(ctx context.Context
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhook_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation_mobile_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__email_templates(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__email_templates(ctx, field)
+func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_magic_link_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13515,7 +13914,7 @@ func (ec *executionContext) _Query__email_templates(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().EmailTemplates(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return ec.resolvers.Mutation().MagicLinkLogin(rctx, fc.Args["params"].(model.MagicLinkLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13527,25 +13926,23 @@ func (ec *executionContext) _Query__email_templates(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.EmailTemplates)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__email_templates(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_EmailTemplates_pagination(ctx, field)
-			case "email_templates":
-				return ec.fieldContext_EmailTemplates_email_templates(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type EmailTemplates", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13555,15 +13952,15 @@ func (ec *executionContext) fieldContext_Query__email_templates(ctx context.Cont
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__email_templates_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation_magic_link_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__audit_logs(ctx, field)
+func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_logout(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13576,7 +13973,7 @@ func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuditLogs(rctx, fc.Args["params"].(*model.ListAuditLogRequest))
+		return ec.resolvers.Mutation().Logout(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13588,43 +13985,30 @@ func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphq
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuditLogs)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__audit_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuditLogs_pagination(ctx, field)
-			case "audit_logs":
-				return ec.fieldContext_AuditLogs_audit_logs(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuditLogs", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__audit_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query___type(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query___type(ctx, field)
+func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_update_profile(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13637,52 +14021,35 @@ func (ec *executionContext) _Query___type(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.introspectType(fc.Args["name"].(string))
+		return ec.resolvers.Mutation().UpdateProfile(rctx, fc.Args["params"].(model.UpdateProfileRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query___type(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
-		IsResolver: false,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13692,15 +14059,15 @@ func (ec *executionContext) fieldContext_Query___type(ctx context.Context, field
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query___type_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation_update_profile_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query___schema(ctx, field)
+func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_verify_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13713,49 +14080,75 @@ func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.introspectSchema()
+		return ec.resolvers.Mutation().VerifyEmail(rctx, fc.Args["params"].(model.VerifyEmailRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Schema)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalO__Schema2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐSchema(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query___schema(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Mutation",
 		Field:      field,
 		IsMethod:   true,
-		IsResolver: false,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "description":
-				return ec.fieldContext___Schema_description(ctx, field)
-			case "types":
-				return ec.fieldContext___Schema_types(ctx, field)
-			case "queryType":
-				return ec.fieldContext___Schema_queryType(ctx, field)
-			case "mutationType":
-				return ec.fieldContext___Schema_mutationType(ctx, field)
-			case "subscriptionType":
-				return ec.fieldContext___Schema_subscriptionType(ctx, field)
-			case "directives":
-				return ec.fieldContext___Schema_directives(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Schema", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Response_message(ctx context.Context, field graphql.CollectedField, obj *model.Response) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Response_message(ctx, field)
+func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_resend_verify_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13768,7 +14161,7 @@ func (ec *executionContext) _Response_message(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return ec.resolvers.Mutation().ResendVerifyEmail(rctx, fc.Args["params"].(model.ResendVerifyEmailRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13780,26 +14173,41 @@ func (ec *executionContext) _Response_message(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Response_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Response",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_resend_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
+func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_forgot_password(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13812,35 +14220,55 @@ func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.HTTPStatus, nil
+		return ec.resolvers.Mutation().ForgotPassword(rctx, fc.Args["params"].(model.ForgotPasswordRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.ForgotPasswordResponse)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNForgotPasswordResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_TestEndpointResponse_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "TestEndpointResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type ForgotPasswordResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_forgot_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_TestEndpointResponse_response(ctx, field)
+func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_reset_password(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13853,35 +14281,53 @@ func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Response, nil
+		return ec.resolvers.Mutation().ResetPassword(rctx, fc.Args["params"].(model.ResetPasswordRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_TestEndpointResponse_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "TestEndpointResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_reset_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_id(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_id(ctx, field)
+func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_revoke(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13894,7 +14340,7 @@ func (ec *executionContext) _User_id(ctx context.Context, field graphql.Collecte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return ec.resolvers.Mutation().Revoke(rctx, fc.Args["params"].(model.OAuthRevokeRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13906,26 +14352,41 @@ func (ec *executionContext) _User_id(ctx context.Context, field graphql.Collecte
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_revoke(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_revoke_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_email(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_email(ctx, field)
+func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_verify_otp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13938,35 +14399,75 @@ func (ec *executionContext) _User_email(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Email, nil
+		return ec.resolvers.Mutation().VerifyOtp(rctx, fc.Args["params"].(model.VerifyOTPRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_verify_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_email_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_email_verified(ctx, field)
+func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_resend_otp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13979,7 +14480,7 @@ func (ec *executionContext) _User_email_verified(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EmailVerified, nil
+		return ec.resolvers.Mutation().ResendOtp(rctx, fc.Args["params"].(model.ResendOTPRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13991,26 +14492,41 @@ func (ec *executionContext) _User_email_verified(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_email_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_resend_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_signup_methods(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_signup_methods(ctx, field)
+func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_deactivate_account(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14023,7 +14539,7 @@ func (ec *executionContext) _User_signup_methods(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SignupMethods, nil
+		return ec.resolvers.Mutation().DeactivateAccount(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14035,26 +14551,30 @@ func (ec *executionContext) _User_signup_methods(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_signup_methods(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_deactivate_account(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_given_name(ctx, field)
+func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14067,35 +14587,53 @@ func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GivenName, nil
+		return ec.resolvers.Mutation().DeleteUser(rctx, fc.Args["params"].(model.DeleteUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_given_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_family_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_family_name(ctx, field)
+func (ec *executionContext) _Mutation__update_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14108,35 +14646,91 @@ func (ec *executionContext) _User_family_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FamilyName, nil
+		return ec.resolvers.Mutation().UpdateUser(rctx, fc.Args["params"].(model.UpdateUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_family_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_middle_name(ctx, field)
+func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14149,35 +14743,53 @@ func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MiddleName, nil
+		return ec.resolvers.Mutation().AdminSignup(rctx, fc.Args["params"].(model.AdminSignupRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_middle_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__admin_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_nickname(ctx, field)
+func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14190,35 +14802,53 @@ func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Nickname, nil
+		return ec.resolvers.Mutation().AdminLogin(rctx, fc.Args["params"].(model.AdminLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_nickname(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__admin_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_preferred_username(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_preferred_username(ctx, field)
+func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_logout(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14231,35 +14861,42 @@ func (ec *executionContext) _User_preferred_username(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PreferredUsername, nil
+		return ec.resolvers.Mutation().AdminLogout(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_preferred_username(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_gender(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_gender(ctx, field)
+func (ec *executionContext) _Mutation__update_env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_env(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14272,35 +14909,53 @@ func (ec *executionContext) _User_gender(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Gender, nil
+		return ec.resolvers.Mutation().UpdateEnv(rctx, fc.Args["params"].(model.UpdateEnvRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_gender(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_env(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_env_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_birthdate(ctx, field)
+func (ec *executionContext) _Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__invite_members(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14313,76 +14968,55 @@ func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Birthdate, nil
+		return ec.resolvers.Mutation().InviteMembers(rctx, fc.Args["params"].(model.InviteMemberRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.InviteMembersResponse)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInviteMembersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMembersResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_birthdate(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_InviteMembersResponse_message(ctx, field)
+			case "Users":
+				return ec.fieldContext_InviteMembersResponse_Users(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type InviteMembersResponse", field.Name)
 		},
 	}
-	return fc, nil
-}
-
-func (ec *executionContext) _User_phone_number(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_phone_number(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.PhoneNumber, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__invite_members_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_User_phone_number(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "User",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_phone_number_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_phone_number_verified(ctx, field)
+func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__revoke_access(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14395,7 +15029,7 @@ func (ec *executionContext) _User_phone_number_verified(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PhoneNumberVerified, nil
+		return ec.resolvers.Mutation().RevokeAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14407,26 +15041,41 @@ func (ec *executionContext) _User_phone_number_verified(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_phone_number_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__revoke_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_picture(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_picture(ctx, field)
+func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__enable_access(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14439,35 +15088,53 @@ func (ec *executionContext) _User_picture(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Picture, nil
+		return ec.resolvers.Mutation().EnableAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_picture(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__enable_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_roles(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_roles(ctx, field)
+func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__generate_jwt_keys(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14480,7 +15147,7 @@ func (ec *executionContext) _User_roles(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Roles, nil
+		return ec.resolvers.Mutation().GenerateJwtKeys(rctx, fc.Args["params"].(model.GenerateJWTKeysRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14492,26 +15159,45 @@ func (ec *executionContext) _User_roles(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(*model.GenerateJWTKeysResponse)
 	fc.Result = res
-	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNGenerateJWTKeysResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "secret":
+				return ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
+			case "public_key":
+				return ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
+			case "private_key":
+				return ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type GenerateJWTKeysResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__generate_jwt_keys_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_created_at(ctx, field)
+func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14524,35 +15210,53 @@ func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return ec.resolvers.Mutation().AddWebhook(rctx, fc.Args["params"].(model.AddWebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_updated_at(ctx, field)
+func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14565,35 +15269,53 @@ func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return ec.resolvers.Mutation().UpdateWebhook(rctx, fc.Args["params"].(model.UpdateWebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_revoked_timestamp(ctx, field)
+func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14606,35 +15328,53 @@ func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RevokedTimestamp, nil
+		return ec.resolvers.Mutation().DeleteWebhook(rctx, fc.Args["params"].(model.WebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_revoked_timestamp(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__test_endpoint(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14647,35 +15387,55 @@ func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMultiFactorAuthEnabled, nil
+		return ec.resolvers.Mutation().TestEndpoint(rctx, fc.Args["params"].(model.TestEndpointRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*model.TestEndpointResponse)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalNTestEndpointResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "http_status":
+				return ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
+			case "response":
+				return ec.fieldContext_TestEndpointResponse_response(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type TestEndpointResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__test_endpoint_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_app_data(ctx, field)
+func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14688,35 +15448,53 @@ func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppData, nil
+		return ec.resolvers.Mutation().AddEmailTemplate(rctx, fc.Args["params"].(model.AddEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_app_data(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Users_pagination(ctx, field)
+func (ec *executionContext) _Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14729,7 +15507,7 @@ func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return ec.resolvers.Mutation().UpdateEmailTemplate(rctx, fc.Args["params"].(model.UpdateEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14741,36 +15519,41 @@ func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Users_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Users",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Users_users(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Users_users(ctx, field)
+func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14783,7 +15566,7 @@ func (ec *executionContext) _Users_users(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Users, nil
+		return ec.resolvers.Mutation().DeleteEmailTemplate(rctx, fc.Args["params"].(model.DeleteEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14795,68 +15578,41 @@ func (ec *executionContext) _Users_users(ctx context.Context, field graphql.Coll
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.User)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Users_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Users",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
+func (ec *executionContext) _Mutation__add_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_resource(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14869,7 +15625,7 @@ func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsValid, nil
+		return ec.resolvers.Mutation().AddResource(rctx, fc.Args["params"].(model.AddResourceInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14881,26 +15637,49 @@ func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Conte
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.AuthzResource)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateJWTTokenResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzResource_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzResource_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzResource_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzResource_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
+func (ec *executionContext) _Mutation__update_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_resource(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14913,35 +15692,61 @@ func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Claims, nil
+		return ec.resolvers.Mutation().UpdateResource(rctx, fc.Args["params"].(model.UpdateResourceInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.(*model.AuthzResource)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_claims(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateJWTTokenResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzResource_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzResource_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzResource_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzResource_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
+func (ec *executionContext) _Mutation__delete_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_resource(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14954,7 +15759,7 @@ func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsValid, nil
+		return ec.resolvers.Mutation().DeleteResource(rctx, fc.Args["id"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14966,26 +15771,41 @@ func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Contex
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateSessionResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateSessionResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateSessionResponse_user(ctx, field)
+func (ec *executionContext) _Mutation__add_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_scope(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14998,7 +15818,7 @@ func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.User, nil
+		return ec.resolvers.Mutation().AddScope(rctx, fc.Args["params"].(model.AddScopeInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15010,68 +15830,49 @@ func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(*model.AuthzScope)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateSessionResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateSessionResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
+				return ec.fieldContext_AuthzScope_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzScope_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzScope_description(ctx, field)
 			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
+				return ec.fieldContext_AuthzScope_created_at(ctx, field)
 			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
+				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_id(ctx, field)
+func (ec *executionContext) _Mutation__update_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_scope(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15084,7 +15885,7 @@ func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return ec.resolvers.Mutation().UpdateScope(rctx, fc.Args["params"].(model.UpdateScopeInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15096,26 +15897,49 @@ func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.AuthzScope)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzScope_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzScope_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzScope_description(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzScope_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_identifier(ctx, field)
+func (ec *executionContext) _Mutation__delete_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_scope(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15128,35 +15952,53 @@ func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Identifier, nil
+		return ec.resolvers.Mutation().DeleteScope(rctx, fc.Args["id"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_identifier(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_token(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_token(ctx, field)
+func (ec *executionContext) _Mutation__add_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_policy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15169,35 +16011,69 @@ func (ec *executionContext) _VerificationRequest_token(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Token, nil
+		return ec.resolvers.Mutation().AddPolicy(rctx, fc.Args["params"].(model.AddPolicyInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthzPolicy)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPolicy_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPolicy_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPolicy_description(ctx, field)
+			case "type":
+				return ec.fieldContext_AuthzPolicy_type(ctx, field)
+			case "logic":
+				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
+			case "targets":
+				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_email(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_email(ctx, field)
+func (ec *executionContext) _Mutation__update_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_policy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15210,35 +16086,69 @@ func (ec *executionContext) _VerificationRequest_email(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Email, nil
+		return ec.resolvers.Mutation().UpdatePolicy(rctx, fc.Args["params"].(model.UpdatePolicyInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthzPolicy)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPolicy_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPolicy_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPolicy_description(ctx, field)
+			case "type":
+				return ec.fieldContext_AuthzPolicy_type(ctx, field)
+			case "logic":
+				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
+			case "targets":
+				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_expires(ctx, field)
+func (ec *executionContext) _Mutation__delete_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_policy(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15251,35 +16161,53 @@ func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Expires, nil
+		return ec.resolvers.Mutation().DeletePolicy(rctx, fc.Args["id"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_expires(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_created_at(ctx, field)
+func (ec *executionContext) _Mutation__add_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_permission(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15292,76 +16220,69 @@ func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return ec.resolvers.Mutation().AddPermission(rctx, fc.Args["params"].(model.AddPermissionInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*int64)
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.AuthzPermission)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPermission_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPermission_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPermission_description(ctx, field)
+			case "resource":
+				return ec.fieldContext_AuthzPermission_resource(ctx, field)
+			case "scopes":
+				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
+			case "policies":
+				return ec.fieldContext_AuthzPermission_policies(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
 		},
 	}
-	return fc, nil
-}
-
-func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_updated_at(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*int64)
-	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_VerificationRequest_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_nonce(ctx, field)
+func (ec *executionContext) _Mutation__update_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_permission(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15374,76 +16295,69 @@ func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Nonce, nil
+		return ec.resolvers.Mutation().UpdatePermission(rctx, fc.Args["params"].(model.UpdatePermissionInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthzPermission)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_nonce(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_AuthzPermission_id(ctx, field)
+			case "name":
+				return ec.fieldContext_AuthzPermission_name(ctx, field)
+			case "description":
+				return ec.fieldContext_AuthzPermission_description(ctx, field)
+			case "resource":
+				return ec.fieldContext_AuthzPermission_resource(ctx, field)
+			case "scopes":
+				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
+			case "policies":
+				return ec.fieldContext_AuthzPermission_policies(ctx, field)
+			case "decision_strategy":
+				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
+			case "created_at":
+				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
 		},
 	}
-	return fc, nil
-}
-
-func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.RedirectURI, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_VerificationRequest_redirect_uri(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequests_pagination(ctx, field)
+func (ec *executionContext) _Mutation__delete_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_permission(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15456,7 +16370,7 @@ func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return ec.resolvers.Mutation().DeletePermission(rctx, fc.Args["id"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15468,36 +16382,41 @@ func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequests_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequests",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequests_verification_requests(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
+func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_limit(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15510,7 +16429,7 @@ func (ec *executionContext) _VerificationRequests_verification_requests(ctx cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.VerificationRequests, nil
+		return obj.Limit, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15522,46 +16441,26 @@ func (ec *executionContext) _VerificationRequests_verification_requests(ctx cont
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.VerificationRequest)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNVerificationRequest2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequestᚄ(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequests_verification_requests(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_limit(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequests",
+		Object:     "Pagination",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_VerificationRequest_id(ctx, field)
-			case "identifier":
-				return ec.fieldContext_VerificationRequest_identifier(ctx, field)
-			case "token":
-				return ec.fieldContext_VerificationRequest_token(ctx, field)
-			case "email":
-				return ec.fieldContext_VerificationRequest_email(ctx, field)
-			case "expires":
-				return ec.fieldContext_VerificationRequest_expires(ctx, field)
-			case "created_at":
-				return ec.fieldContext_VerificationRequest_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_VerificationRequest_updated_at(ctx, field)
-			case "nonce":
-				return ec.fieldContext_VerificationRequest_nonce(ctx, field)
-			case "redirect_uri":
-				return ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type VerificationRequest", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_id(ctx, field)
+func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_page(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15574,7 +16473,7 @@ func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Page, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15586,26 +16485,26 @@ func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_page(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Pagination",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_event_name(ctx, field)
+func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_offset(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15618,35 +16517,38 @@ func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventName, nil
+		return obj.Offset, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_offset(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Pagination",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_event_description(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_event_description(ctx, field)
+func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_total(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15659,35 +16561,38 @@ func (ec *executionContext) _Webhook_event_description(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventDescription, nil
+		return obj.Total, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_event_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Pagination",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_endpoint(ctx, field)
+func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_meta(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15700,35 +16605,80 @@ func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Endpoint, nil
+		return ec.resolvers.Query().Meta(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		return graphql.Null
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Meta)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_endpoint(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "version":
+				return ec.fieldContext_Meta_version(ctx, field)
+			case "client_id":
+				return ec.fieldContext_Meta_client_id(ctx, field)
+			case "is_google_login_enabled":
+				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
+			case "is_facebook_login_enabled":
+				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
+			case "is_github_login_enabled":
+				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
+			case "is_linkedin_login_enabled":
+				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
+			case "is_apple_login_enabled":
+				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
+			case "is_discord_login_enabled":
+				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
+			case "is_twitter_login_enabled":
+				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
+			case "is_microsoft_login_enabled":
+				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
+			case "is_twitch_login_enabled":
+				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
+			case "is_roblox_login_enabled":
+				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
+			case "is_email_verification_enabled":
+				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
+			case "is_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
+			case "is_magic_link_login_enabled":
+				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
+			case "is_sign_up_enabled":
+				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+			case "is_strong_password_enabled":
+				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
+			case "is_mobile_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+			case "is_phone_verification_enabled":
+				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_enabled(ctx, field)
+func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_session(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15741,35 +16691,75 @@ func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Enabled, nil
+		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_headers(ctx, field)
+func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_profile(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15782,35 +16772,80 @@ func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Headers, nil
+		return ec.resolvers.Query().Profile(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_headers(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_profile(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_created_at(ctx, field)
+func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_validate_jwt_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15823,35 +16858,55 @@ func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return ec.resolvers.Query().ValidateJwtToken(rctx, fc.Args["params"].(model.ValidateJWTTokenRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.ValidateJWTTokenResponse)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNValidateJWTTokenResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "is_valid":
+				return ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
+			case "claims":
+				return ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type ValidateJWTTokenResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query_validate_jwt_token_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_updated_at(ctx, field)
+func (ec *executionContext) _Query_validate_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_validate_session(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15864,35 +16919,55 @@ func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return ec.resolvers.Query().ValidateSession(rctx, fc.Args["params"].(*model.ValidateSessionRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.ValidateSessionResponse)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNValidateSessionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_validate_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "is_valid":
+				return ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
+			case "user":
+				return ec.fieldContext_ValidateSessionResponse_user(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type ValidateSessionResponse", field.Name)
 		},
 	}
-	return fc, nil
-}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query_validate_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
 
-func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_id(ctx, field)
+func (ec *executionContext) _Query__users(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15905,7 +16980,7 @@ func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return ec.resolvers.Query().Users(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15917,67 +16992,43 @@ func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.Users)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalNUsers2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUsers(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__users(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_Users_pagination(ctx, field)
+			case "users":
+				return ec.fieldContext_Users_users(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Users", field.Name)
 		},
 	}
-	return fc, nil
-}
-
-func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_http_status(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.HTTPStatus, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__users_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*int64)
-	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_WebhookLog_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_response(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_response(ctx, field)
+func (ec *executionContext) _Query__user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15990,35 +17041,91 @@ func (ec *executionContext) _WebhookLog_response(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Response, nil
+		return ec.resolvers.Query().User(rctx, fc.Args["params"].(model.GetUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_request(ctx, field)
+func (ec *executionContext) _Query__verification_requests(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__verification_requests(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16031,35 +17138,55 @@ func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Request, nil
+		return ec.resolvers.Query().VerificationRequests(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.VerificationRequests)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNVerificationRequests2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequests(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_request(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__verification_requests(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_VerificationRequests_pagination(ctx, field)
+			case "verification_requests":
+				return ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type VerificationRequests", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__verification_requests_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_webhook_id(ctx, field)
+func (ec *executionContext) _Query__admin_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__admin_session(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16072,35 +17199,42 @@ func (ec *executionContext) _WebhookLog_webhook_id(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.WebhookID, nil
+		return ec.resolvers.Query().AdminSession(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOID2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__admin_session(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_created_at(ctx, field)
+func (ec *executionContext) _Query__env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__env(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16113,40 +17247,187 @@ func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return ec.resolvers.Query().Env(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Env)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__env(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_updated_at(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
+			switch field.Name {
+			case "ACCESS_TOKEN_EXPIRY_TIME":
+				return ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
+			case "ADMIN_SECRET":
+				return ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
+			case "DATABASE_NAME":
+				return ec.fieldContext_Env_DATABASE_NAME(ctx, field)
+			case "DATABASE_URL":
+				return ec.fieldContext_Env_DATABASE_URL(ctx, field)
+			case "DATABASE_TYPE":
+				return ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
+			case "DATABASE_USERNAME":
+				return ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
+			case "DATABASE_PASSWORD":
+				return ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
+			case "DATABASE_HOST":
+				return ec.fieldContext_Env_DATABASE_HOST(ctx, field)
+			case "DATABASE_PORT":
+				return ec.fieldContext_Env_DATABASE_PORT(ctx, field)
+			case "CLIENT_ID":
+				return ec.fieldContext_Env_CLIENT_ID(ctx, field)
+			case "CLIENT_SECRET":
+				return ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
+			case "CUSTOM_ACCESS_TOKEN_SCRIPT":
+				return ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
+			case "SMTP_HOST":
+				return ec.fieldContext_Env_SMTP_HOST(ctx, field)
+			case "SMTP_PORT":
+				return ec.fieldContext_Env_SMTP_PORT(ctx, field)
+			case "SMTP_USERNAME":
+				return ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
+			case "SMTP_PASSWORD":
+				return ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
+			case "SMTP_LOCAL_NAME":
+				return ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
+			case "SENDER_EMAIL":
+				return ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
+			case "SENDER_NAME":
+				return ec.fieldContext_Env_SENDER_NAME(ctx, field)
+			case "JWT_TYPE":
+				return ec.fieldContext_Env_JWT_TYPE(ctx, field)
+			case "JWT_SECRET":
+				return ec.fieldContext_Env_JWT_SECRET(ctx, field)
+			case "JWT_PRIVATE_KEY":
+				return ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
+			case "JWT_PUBLIC_KEY":
+				return ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
+			case "ALLOWED_ORIGINS":
+				return ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
+			case "APP_URL":
+				return ec.fieldContext_Env_APP_URL(ctx, field)
+			case "REDIS_URL":
+				return ec.fieldContext_Env_REDIS_URL(ctx, field)
+			case "RESET_PASSWORD_URL":
+				return ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
+			case "DISABLE_EMAIL_VERIFICATION":
+				return ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
+			case "DISABLE_BASIC_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
+			case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
+			case "DISABLE_MAGIC_LINK_LOGIN":
+				return ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
+			case "DISABLE_LOGIN_PAGE":
+				return ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
+			case "DISABLE_SIGN_UP":
+				return ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
+			case "DISABLE_REDIS_FOR_ENV":
+				return ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
+			case "DISABLE_STRONG_PASSWORD":
+				return ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
+			case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+			case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
+				return ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+			case "ROLES":
+				return ec.fieldContext_Env_ROLES(ctx, field)
+			case "PROTECTED_ROLES":
+				return ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
+			case "DEFAULT_ROLES":
+				return ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
+			case "JWT_ROLE_CLAIM":
+				return ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
+			case "GOOGLE_CLIENT_ID":
+				return ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
+			case "GOOGLE_CLIENT_SECRET":
+				return ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
+			case "GITHUB_CLIENT_ID":
+				return ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
+			case "GITHUB_CLIENT_SECRET":
+				return ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
+			case "FACEBOOK_CLIENT_ID":
+				return ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
+			case "FACEBOOK_CLIENT_SECRET":
+				return ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
+			case "LINKEDIN_CLIENT_ID":
+				return ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
+			case "LINKEDIN_CLIENT_SECRET":
+				return ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
+			case "APPLE_CLIENT_ID":
+				return ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
+			case "APPLE_CLIENT_SECRET":
+				return ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
+			case "DISCORD_CLIENT_ID":
+				return ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
+			case "DISCORD_CLIENT_SECRET":
+				return ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
+			case "TWITTER_CLIENT_ID":
+				return ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
+			case "TWITTER_CLIENT_SECRET":
+				return ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
+			case "MICROSOFT_CLIENT_ID":
+				return ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
+			case "MICROSOFT_CLIENT_SECRET":
+				return ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
+			case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
+				return ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
+			case "TWITCH_CLIENT_ID":
+				return ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
+			case "TWITCH_CLIENT_SECRET":
+				return ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
+			case "ROBLOX_CLIENT_ID":
+				return ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
+			case "ROBLOX_CLIENT_SECRET":
+				return ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
+			case "ORGANIZATION_NAME":
+				return ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
+			case "ORGANIZATION_LOGO":
+				return ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
+			case "APP_COOKIE_SECURE":
+				return ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
+			case "ADMIN_COOKIE_SECURE":
+				return ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
+			case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
+				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
+			case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
+				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
+			case "DISABLE_PLAYGROUND":
+				return ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
+			case "DISABLE_MAIL_OTP_LOGIN":
+				return ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
+			case "DISABLE_TOTP_LOGIN":
+				return ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Env", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhook(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
 			ret = graphql.Null
@@ -16154,35 +17435,67 @@ func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return ec.resolvers.Query().Webhook(rctx, fc.Args["params"].(model.WebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*model.Webhook)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNWebhook2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhook(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_Webhook_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_Webhook_event_name(ctx, field)
+			case "event_description":
+				return ec.fieldContext_Webhook_event_description(ctx, field)
+			case "endpoint":
+				return ec.fieldContext_Webhook_endpoint(ctx, field)
+			case "enabled":
+				return ec.fieldContext_Webhook_enabled(ctx, field)
+			case "headers":
+				return ec.fieldContext_Webhook_headers(ctx, field)
+			case "created_at":
+				return ec.fieldContext_Webhook_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_Webhook_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLogs_pagination(ctx, field)
+func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhooks(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16195,7 +17508,7 @@ func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return ec.resolvers.Query().Webhooks(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16207,36 +17520,43 @@ func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*model.Webhooks)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNWebhooks2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhooks(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhooks(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLogs",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "pagination":
+				return ec.fieldContext_Webhooks_pagination(ctx, field)
+			case "webhooks":
+				return ec.fieldContext_Webhooks_webhooks(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Webhooks", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__webhooks_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
+func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhook_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16249,7 +17569,7 @@ func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.WebhookLogs, nil
+		return ec.resolvers.Query().WebhookLogs(rctx, fc.Args["params"].(*model.ListWebhookLogRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16261,42 +17581,43 @@ func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.WebhookLog)
+	res := resTmp.(*model.WebhookLogs)
 	fc.Result = res
-	return ec.marshalNWebhookLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogᚄ(ctx, field.Selections, res)
+	return ec.marshalNWebhookLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogs(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLogs_webhook_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLogs",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_WebhookLog_id(ctx, field)
-			case "http_status":
-				return ec.fieldContext_WebhookLog_http_status(ctx, field)
-			case "response":
-				return ec.fieldContext_WebhookLog_response(ctx, field)
-			case "request":
-				return ec.fieldContext_WebhookLog_request(ctx, field)
-			case "webhook_id":
-				return ec.fieldContext_WebhookLog_webhook_id(ctx, field)
-			case "created_at":
-				return ec.fieldContext_WebhookLog_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_WebhookLog_updated_at(ctx, field)
+			case "pagination":
+				return ec.fieldContext_WebhookLogs_pagination(ctx, field)
+			case "webhook_logs":
+				return ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type WebhookLog", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type WebhookLogs", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__webhook_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhooks_pagination(ctx, field)
+func (ec *executionContext) _Query__email_templates(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__email_templates(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16309,7 +17630,7 @@ func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return ec.resolvers.Query().EmailTemplates(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16321,36 +17642,43 @@ func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*model.EmailTemplates)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhooks_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__email_templates(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhooks",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "pagination":
+				return ec.fieldContext_EmailTemplates_pagination(ctx, field)
+			case "email_templates":
+				return ec.fieldContext_EmailTemplates_email_templates(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type EmailTemplates", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__email_templates_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhooks_webhooks(ctx, field)
+func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__audit_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16363,7 +17691,7 @@ func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Webhooks, nil
+		return ec.resolvers.Query().AuditLogs(rctx, fc.Args["params"].(*model.ListAuditLogRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16375,44 +17703,43 @@ func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphq
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.Webhook)
+	res := resTmp.(*model.AuditLogs)
 	fc.Result = res
-	return ec.marshalNWebhook2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookᚄ(ctx, field.Selections, res)
+	return ec.marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhooks_webhooks(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__audit_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhooks",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_Webhook_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_Webhook_event_name(ctx, field)
-			case "event_description":
-				return ec.fieldContext_Webhook_event_description(ctx, field)
-			case "endpoint":
-				return ec.fieldContext_Webhook_endpoint(ctx, field)
-			case "enabled":
-				return ec.fieldContext_Webhook_enabled(ctx, field)
-			case "headers":
-				return ec.fieldContext_Webhook_headers(ctx, field)
-			case "created_at":
-				return ec.fieldContext_Webhook_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_Webhook_updated_at(ctx, field)
+			case "pagination":
+				return ec.fieldContext_AuditLogs_pagination(ctx, field)
+			case "audit_logs":
+				return ec.fieldContext_AuditLogs_audit_logs(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuditLogs", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__audit_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_name(ctx, field)
+func (ec *executionContext) _Query__resources(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__resources(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16425,7 +17752,7 @@ func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return ec.resolvers.Query().Resources(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16437,26 +17764,43 @@ func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.AuthzResources)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthzResources2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Directive_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__resources(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Directive",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_AuthzResources_pagination(ctx, field)
+			case "resources":
+				return ec.fieldContext_AuthzResources_resources(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResources", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__resources_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Directive_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_description(ctx, field)
+func (ec *executionContext) _Query__scopes(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__scopes(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16469,35 +17813,55 @@ func (ec *executionContext) ___Directive_description(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return ec.resolvers.Query().Scopes(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.AuthzScopes)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNAuthzScopes2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Directive_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__scopes(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Directive",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
-		IsResolver: false,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_AuthzScopes_pagination(ctx, field)
+			case "scopes":
+				return ec.fieldContext_AuthzScopes_scopes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzScopes", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__scopes_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_isRepeatable(ctx, field)
+func (ec *executionContext) _Query__policies(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__policies(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16510,7 +17874,7 @@ func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsRepeatable, nil
+		return ec.resolvers.Query().Policies(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16522,26 +17886,43 @@ func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.AuthzPolicies)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNAuthzPolicies2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Directive_isRepeatable(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__policies(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Directive",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_AuthzPolicies_pagination(ctx, field)
+			case "policies":
+				return ec.fieldContext_AuthzPolicies_policies(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicies", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__policies_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Directive_locations(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_locations(ctx, field)
+func (ec *executionContext) _Query__permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__permissions(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16554,7 +17935,7 @@ func (ec *executionContext) ___Directive_locations(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Locations, nil
+		return ec.resolvers.Query().Permissions(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16566,26 +17947,43 @@ func (ec *executionContext) ___Directive_locations(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(*model.AuthzPermissions)
 	fc.Result = res
-	return ec.marshalN__DirectiveLocation2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNAuthzPermissions2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Directive_locations(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__permissions(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Directive",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type __DirectiveLocation does not have child fields")
+			switch field.Name {
+			case "pagination":
+				return ec.fieldContext_AuthzPermissions_pagination(ctx, field)
+			case "permissions":
+				return ec.fieldContext_AuthzPermissions_permissions(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzPermissions", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__permissions_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_args(ctx, field)
+func (ec *executionContext) _Query_check_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_check_permission(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16598,7 +17996,7 @@ func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Args, nil
+		return ec.resolvers.Query().CheckPermission(rctx, fc.Args["params"].(model.CheckPermissionInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16610,33 +18008,25 @@ func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.InputValue)
+	res := resTmp.(*model.CheckPermissionResponse)
 	fc.Result = res
-	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+	return ec.marshalNCheckPermissionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Directive_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_check_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Directive",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+			case "allowed":
+				return ec.fieldContext_CheckPermissionResponse_allowed(ctx, field)
+			case "matched_policy":
+				return ec.fieldContext_CheckPermissionResponse_matched_policy(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type CheckPermissionResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -16646,15 +18036,15 @@ func (ec *executionContext) fieldContext___Directive_args(ctx context.Context, f
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Directive_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_check_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_name(ctx, field)
+func (ec *executionContext) _Query_my_permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_my_permissions(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16667,7 +18057,7 @@ func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return ec.resolvers.Query().MyPermissions(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16679,26 +18069,32 @@ func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.([]*model.AuthzResourceScope)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthzResourceScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceScopeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___EnumValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_my_permissions(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
+		Object:     "Query",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "resource":
+				return ec.fieldContext_AuthzResourceScope_resource(ctx, field)
+			case "scope":
+				return ec.fieldContext_AuthzResourceScope_scope(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthzResourceScope", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___EnumValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_description(ctx, field)
+func (ec *executionContext) _Query___type(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query___type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16711,7 +18107,7 @@ func (ec *executionContext) ___EnumValue_description(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return ec.introspectType(fc.Args["name"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16720,26 +18116,61 @@ func (ec *executionContext) ___EnumValue_description(ctx context.Context, field
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___EnumValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query___type(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query___type_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___EnumValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_isDeprecated(ctx, field)
+func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query___schema(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16752,38 +18183,49 @@ func (ec *executionContext) ___EnumValue_isDeprecated(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
+		return ec.introspectSchema()
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*introspection.Schema)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalO__Schema2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐSchema(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___EnumValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query___schema(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "description":
+				return ec.fieldContext___Schema_description(ctx, field)
+			case "types":
+				return ec.fieldContext___Schema_types(ctx, field)
+			case "queryType":
+				return ec.fieldContext___Schema_queryType(ctx, field)
+			case "mutationType":
+				return ec.fieldContext___Schema_mutationType(ctx, field)
+			case "subscriptionType":
+				return ec.fieldContext___Schema_subscriptionType(ctx, field)
+			case "directives":
+				return ec.fieldContext___Schema_directives(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Schema", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___EnumValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_deprecationReason(ctx, field)
+func (ec *executionContext) _Response_message(ctx context.Context, field graphql.CollectedField, obj *model.Response) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Response_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16796,25 +18238,28 @@ func (ec *executionContext) ___EnumValue_deprecationReason(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___EnumValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Response_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
+		Object:     "Response",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -16823,8 +18268,8 @@ func (ec *executionContext) fieldContext___EnumValue_deprecationReason(_ context
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_name(ctx, field)
+func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16837,38 +18282,35 @@ func (ec *executionContext) ___Field_name(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.HTTPStatus, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_TestEndpointResponse_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "TestEndpointResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_description(ctx, field)
+func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_TestEndpointResponse_response(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16881,7 +18323,7 @@ func (ec *executionContext) ___Field_description(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return obj.Response, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16895,11 +18337,11 @@ func (ec *executionContext) ___Field_description(ctx context.Context, field grap
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_TestEndpointResponse_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "TestEndpointResponse",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -16908,8 +18350,8 @@ func (ec *executionContext) fieldContext___Field_description(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_args(ctx, field)
+func (ec *executionContext) _User_id(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16922,7 +18364,7 @@ func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Args, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16934,51 +18376,26 @@ func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.Col
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.InputValue)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Field_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_type(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_type(ctx, field)
+func (ec *executionContext) _User_email(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16991,62 +18408,35 @@ func (ec *executionContext) ___Field_type(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Type, nil
+		return obj.Email, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_isDeprecated(ctx, field)
+func (ec *executionContext) _User_email_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_email_verified(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17059,7 +18449,7 @@ func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
+		return obj.EmailVerified, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17076,11 +18466,11 @@ func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field gra
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_email_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type Boolean does not have child fields")
@@ -17089,8 +18479,8 @@ func (ec *executionContext) fieldContext___Field_isDeprecated(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) ___Field_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_deprecationReason(ctx, field)
+func (ec *executionContext) _User_signup_methods(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_signup_methods(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17103,25 +18493,28 @@ func (ec *executionContext) ___Field_deprecationReason(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
+		return obj.SignupMethods, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Field_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_signup_methods(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Field",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -17130,8 +18523,8 @@ func (ec *executionContext) fieldContext___Field_deprecationReason(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_name(ctx, field)
+func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_given_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17144,26 +18537,23 @@ func (ec *executionContext) ___InputValue_name(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.GivenName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_given_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -17174,8 +18564,8 @@ func (ec *executionContext) fieldContext___InputValue_name(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_description(ctx, field)
+func (ec *executionContext) _User_family_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_family_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17188,7 +18578,7 @@ func (ec *executionContext) ___InputValue_description(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return obj.FamilyName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17202,11 +18592,11 @@ func (ec *executionContext) ___InputValue_description(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_family_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -17215,8 +18605,8 @@ func (ec *executionContext) fieldContext___InputValue_description(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_type(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_type(ctx, field)
+func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_middle_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17229,62 +18619,35 @@ func (ec *executionContext) ___InputValue_type(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Type, nil
+		return obj.MiddleName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_middle_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_defaultValue(ctx, field)
+func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_nickname(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17297,7 +18660,7 @@ func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultValue, nil
+		return obj.Nickname, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17311,9 +18674,9 @@ func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, fiel
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_defaultValue(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_nickname(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -17324,8 +18687,8 @@ func (ec *executionContext) fieldContext___InputValue_defaultValue(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_isDeprecated(ctx, field)
+func (ec *executionContext) _User_preferred_username(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_preferred_username(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17338,38 +18701,35 @@ func (ec *executionContext) ___InputValue_isDeprecated(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
+		return obj.PreferredUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_preferred_username(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_deprecationReason(ctx, field)
+func (ec *executionContext) _User_gender(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_gender(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17382,7 +18742,7 @@ func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
+		return obj.Gender, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17396,11 +18756,11 @@ func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context,
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___InputValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_gender(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -17409,8 +18769,8 @@ func (ec *executionContext) fieldContext___InputValue_deprecationReason(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_description(ctx, field)
+func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_birthdate(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17423,7 +18783,7 @@ func (ec *executionContext) ___Schema_description(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return obj.Birthdate, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17437,11 +18797,11 @@ func (ec *executionContext) ___Schema_description(ctx context.Context, field gra
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_birthdate(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			return nil, errors.New("field of type String does not have child fields")
@@ -17450,8 +18810,8 @@ func (ec *executionContext) fieldContext___Schema_description(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_types(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_types(ctx, field)
+func (ec *executionContext) _User_phone_number(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_phone_number(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17464,62 +18824,35 @@ func (ec *executionContext) ___Schema_types(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Types(), nil
+		return obj.PhoneNumber, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.Type)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalN__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_types(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_phone_number(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_queryType(ctx, field)
+func (ec *executionContext) _User_phone_number_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_phone_number_verified(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17532,7 +18865,7 @@ func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.QueryType(), nil
+		return obj.PhoneNumberVerified, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17544,50 +18877,26 @@ func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graph
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_queryType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_phone_number_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_mutationType(ctx, field)
+func (ec *executionContext) _User_picture(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_picture(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17600,7 +18909,7 @@ func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MutationType(), nil
+		return obj.Picture, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17609,50 +18918,26 @@ func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field gr
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_mutationType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_picture(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_subscriptionType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_subscriptionType(ctx, field)
+func (ec *executionContext) _User_roles(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_roles(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17665,59 +18950,38 @@ func (ec *executionContext) ___Schema_subscriptionType(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SubscriptionType(), nil
+		return obj.Roles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_subscriptionType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Schema_directives(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_directives(ctx, field)
+func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17730,50 +18994,35 @@ func (ec *executionContext) ___Schema_directives(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Directives(), nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.Directive)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalN__Directive2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐDirectiveᚄ(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Schema_directives(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Schema",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___Directive_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Directive_description(ctx, field)
-			case "isRepeatable":
-				return ec.fieldContext___Directive_isRepeatable(ctx, field)
-			case "locations":
-				return ec.fieldContext___Directive_locations(ctx, field)
-			case "args":
-				return ec.fieldContext___Directive_args(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Directive", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_kind(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_kind(ctx, field)
+func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17786,38 +19035,35 @@ func (ec *executionContext) ___Type_kind(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Kind(), nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalN__TypeKind2string(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_kind(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type __TypeKind does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_name(ctx, field)
+func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_revoked_timestamp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17830,7 +19076,7 @@ func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name(), nil
+		return obj.RevokedTimestamp, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17839,26 +19085,26 @@ func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.Coll
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_revoked_timestamp(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_description(ctx, field)
+func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17871,7 +19117,7 @@ func (ec *executionContext) ___Type_description(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
+		return obj.IsMultiFactorAuthEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17880,26 +19126,26 @@ func (ec *executionContext) ___Type_description(ctx context.Context, field graph
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_specifiedByURL(ctx, field)
+func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_app_data(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17912,7 +19158,7 @@ func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SpecifiedByURL(), nil
+		return obj.AppData, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17921,26 +19167,26 @@ func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field gr
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(map[string]any)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOMap2map(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_specifiedByURL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_app_data(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Map does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_fields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_fields(ctx, field)
+func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Users_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17953,60 +19199,48 @@ func (ec *executionContext) ___Type_fields(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Fields(fc.Args["includeDeprecated"].(bool)), nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.Field)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalO__Field2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐFieldᚄ(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_fields(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Users_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "Users",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "name":
-				return ec.fieldContext___Field_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Field_description(ctx, field)
-			case "args":
-				return ec.fieldContext___Field_args(ctx, field)
-			case "type":
-				return ec.fieldContext___Field_type(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___Field_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___Field_deprecationReason(ctx, field)
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Field", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Type_fields_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_interfaces(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_interfaces(ctx, field)
+func (ec *executionContext) _Users_users(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Users_users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18019,59 +19253,80 @@ func (ec *executionContext) ___Type_interfaces(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Interfaces(), nil
+		return obj.Users, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.Type)
+	res := resTmp.([]*model.User)
 	fc.Result = res
-	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_interfaces(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Users_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "Users",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_possibleTypes(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_possibleTypes(ctx, field)
+func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18084,59 +19339,38 @@ func (ec *executionContext) ___Type_possibleTypes(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PossibleTypes(), nil
+		return obj.IsValid, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.Type)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_possibleTypes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "ValidateJWTTokenResponse",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_enumValues(ctx, field)
+func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18149,7 +19383,7 @@ func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EnumValues(fc.Args["includeDeprecated"].(bool)), nil
+		return obj.Claims, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18158,47 +19392,26 @@ func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphq
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.EnumValue)
+	res := resTmp.(map[string]any)
 	fc.Result = res
-	return ec.marshalO__EnumValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐEnumValueᚄ(ctx, field.Selections, res)
+	return ec.marshalOMap2map(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_enumValues(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_claims(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "ValidateJWTTokenResponse",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___EnumValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___EnumValue_description(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___EnumValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___EnumValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __EnumValue", field.Name)
+			return nil, errors.New("field of type Map does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Type_enumValues_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_inputFields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_inputFields(ctx, field)
+func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18211,49 +19424,38 @@ func (ec *executionContext) ___Type_inputFields(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.InputFields(), nil
+		return obj.IsValid, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]introspection.InputValue)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalO__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_inputFields(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateSessionResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "ValidateSessionResponse",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_ofType(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_ofType(ctx, field)
+func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateSessionResponse_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18266,59 +19468,80 @@ func (ec *executionContext) ___Type_ofType(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.OfType(), nil
+		return obj.User, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_ofType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateSessionResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "ValidateSessionResponse",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) ___Type_isOneOf(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_isOneOf(ctx, field)
+func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18331,200 +19554,3673 @@ func (ec *executionContext) ___Type_isOneOf(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsOneOf(), nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext___Type_isOneOf(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "__Type",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-// endregion **************************** field.gotpl *****************************
-
-// region    **************************** input.gotpl *****************************
-
-func (ec *executionContext) unmarshalInputAddEmailTemplateRequest(ctx context.Context, obj any) (model.AddEmailTemplateRequest, error) {
-	var it model.AddEmailTemplateRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_identifier(ctx, field)
+	if err != nil {
+		return graphql.Null
 	}
-
-	fieldsInOrder := [...]string{"event_name", "subject", "template", "design"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventName = data
-		case "subject":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Subject = data
-		case "template":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Template = data
-		case "design":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Design = data
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Identifier, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
 	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddWebhookRequest(ctx context.Context, obj any) (model.AddWebhookRequest, error) {
-	var it model.AddWebhookRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	if resTmp == nil {
+		return graphql.Null
 	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
 
-	fieldsInOrder := [...]string{"event_name", "event_description", "endpoint", "enabled", "headers"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventName = data
-		case "event_description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventDescription = data
-		case "endpoint":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Endpoint = data
-		case "enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
-			data, err := ec.unmarshalNBoolean2bool(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Enabled = data
-		case "headers":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Headers = data
-		}
+func (ec *executionContext) fieldContext_VerificationRequest_identifier(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
 	}
-
-	return it, nil
+	return fc, nil
 }
 
-func (ec *executionContext) unmarshalInputAdminLoginRequest(ctx context.Context, obj any) (model.AdminLoginRequest, error) {
-	var it model.AdminLoginRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+func (ec *executionContext) _VerificationRequest_token(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_token(ctx, field)
+	if err != nil {
+		return graphql.Null
 	}
-
-	fieldsInOrder := [...]string{"admin_secret"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "admin_secret":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AdminSecret = data
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Token, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
 	}
-
-	return it, nil
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) unmarshalInputAdminSignupRequest(ctx context.Context, obj any) (model.AdminSignupRequest, error) {
-	var it model.AdminSignupRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+func (ec *executionContext) fieldContext_VerificationRequest_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
 	}
+	return fc, nil
+}
 
-	fieldsInOrder := [...]string{"admin_secret"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "admin_secret":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AdminSecret = data
+func (ec *executionContext) _VerificationRequest_email(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_email(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Email, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
 	}
-
-	return it, nil
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
-	var it model.DeleteEmailTemplateRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
+func (ec *executionContext) fieldContext_VerificationRequest_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_expires(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Expires, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequest_expires(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_created_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.CreatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequest_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_updated_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.UpdatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequest_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_nonce(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Nonce, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequest_nonce(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.RedirectURI, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequest_redirect_uri(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequest",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequests_pagination(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Pagination, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Pagination)
+	fc.Result = res
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequests_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequests",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _VerificationRequests_verification_requests(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.VerificationRequests, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]*model.VerificationRequest)
+	fc.Result = res
+	return ec.marshalNVerificationRequest2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequestᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_VerificationRequests_verification_requests(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "VerificationRequests",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_VerificationRequest_id(ctx, field)
+			case "identifier":
+				return ec.fieldContext_VerificationRequest_identifier(ctx, field)
+			case "token":
+				return ec.fieldContext_VerificationRequest_token(ctx, field)
+			case "email":
+				return ec.fieldContext_VerificationRequest_email(ctx, field)
+			case "expires":
+				return ec.fieldContext_VerificationRequest_expires(ctx, field)
+			case "created_at":
+				return ec.fieldContext_VerificationRequest_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_VerificationRequest_updated_at(ctx, field)
+			case "nonce":
+				return ec.fieldContext_VerificationRequest_nonce(ctx, field)
+			case "redirect_uri":
+				return ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type VerificationRequest", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_id(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ID, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNID2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type ID does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_event_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.EventName, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_event_description(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_event_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.EventDescription, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_event_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_endpoint(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Endpoint, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_endpoint(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_enabled(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Enabled, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*bool)
+	fc.Result = res
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_headers(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Headers, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(map[string]any)
+	fc.Result = res
+	return ec.marshalOMap2map(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_headers(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Map does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_created_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.CreatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_updated_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.UpdatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhook_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhook",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_id(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ID, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNID2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type ID does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_http_status(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.HTTPStatus, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_response(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_response(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Response, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_request(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Request, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_request(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_webhook_id(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.WebhookID, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOID2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type ID does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_created_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.CreatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_updated_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.UpdatedAt, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLog_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLog",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLogs_pagination(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Pagination, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Pagination)
+	fc.Result = res
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLogs",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.WebhookLogs, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]*model.WebhookLog)
+	fc.Result = res
+	return ec.marshalNWebhookLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_WebhookLogs_webhook_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "WebhookLogs",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_WebhookLog_id(ctx, field)
+			case "http_status":
+				return ec.fieldContext_WebhookLog_http_status(ctx, field)
+			case "response":
+				return ec.fieldContext_WebhookLog_response(ctx, field)
+			case "request":
+				return ec.fieldContext_WebhookLog_request(ctx, field)
+			case "webhook_id":
+				return ec.fieldContext_WebhookLog_webhook_id(ctx, field)
+			case "created_at":
+				return ec.fieldContext_WebhookLog_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_WebhookLog_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type WebhookLog", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhooks_pagination(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Pagination, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Pagination)
+	fc.Result = res
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhooks_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhooks",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhooks_webhooks(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Webhooks, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]*model.Webhook)
+	fc.Result = res
+	return ec.marshalNWebhook2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Webhooks_webhooks(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Webhooks",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_Webhook_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_Webhook_event_name(ctx, field)
+			case "event_description":
+				return ec.fieldContext_Webhook_event_description(ctx, field)
+			case "endpoint":
+				return ec.fieldContext_Webhook_endpoint(ctx, field)
+			case "enabled":
+				return ec.fieldContext_Webhook_enabled(ctx, field)
+			case "headers":
+				return ec.fieldContext_Webhook_headers(ctx, field)
+			case "created_at":
+				return ec.fieldContext_Webhook_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_Webhook_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Name, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Directive_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Directive",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Directive_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Directive_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Directive",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_isRepeatable(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsRepeatable, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Directive_isRepeatable(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Directive",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Directive_locations(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_locations(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Locations, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalN__DirectiveLocation2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Directive_locations(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Directive",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type __DirectiveLocation does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_args(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Args, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.InputValue)
+	fc.Result = res
+	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Directive_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Directive",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Directive_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Name, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___EnumValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__EnumValue",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___EnumValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___EnumValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__EnumValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___EnumValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_isDeprecated(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsDeprecated(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___EnumValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__EnumValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___EnumValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_deprecationReason(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DeprecationReason(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___EnumValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__EnumValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Name, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_args(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Args, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.InputValue)
+	fc.Result = res
+	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Field_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_type(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_type(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Type, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_isDeprecated(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsDeprecated(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Field_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_deprecationReason(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DeprecationReason(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Field_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Field",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Name, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_type(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_type(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Type, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_defaultValue(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DefaultValue, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_defaultValue(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_isDeprecated(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsDeprecated(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_deprecationReason(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DeprecationReason(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___InputValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__InputValue",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_types(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_types(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Types(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.Type)
+	fc.Result = res
+	return ec.marshalN__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_types(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_queryType(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.QueryType(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_queryType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_mutationType(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.MutationType(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_mutationType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_subscriptionType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_subscriptionType(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.SubscriptionType(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_subscriptionType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Schema_directives(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_directives(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Directives(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.Directive)
+	fc.Result = res
+	return ec.marshalN__Directive2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐDirectiveᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Schema_directives(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Schema",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___Directive_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Directive_description(ctx, field)
+			case "isRepeatable":
+				return ec.fieldContext___Directive_isRepeatable(ctx, field)
+			case "locations":
+				return ec.fieldContext___Directive_locations(ctx, field)
+			case "args":
+				return ec.fieldContext___Directive_args(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Directive", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_kind(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_kind(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Kind(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalN__TypeKind2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_kind(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type __TypeKind does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_name(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Name(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_description(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Description(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_specifiedByURL(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.SpecifiedByURL(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_specifiedByURL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_fields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_fields(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Fields(fc.Args["includeDeprecated"].(bool)), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.Field)
+	fc.Result = res
+	return ec.marshalO__Field2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐFieldᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_fields(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___Field_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Field_description(ctx, field)
+			case "args":
+				return ec.fieldContext___Field_args(ctx, field)
+			case "type":
+				return ec.fieldContext___Field_type(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___Field_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___Field_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Field", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Type_fields_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_interfaces(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_interfaces(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Interfaces(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.Type)
+	fc.Result = res
+	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_interfaces(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_possibleTypes(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_possibleTypes(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.PossibleTypes(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.Type)
+	fc.Result = res
+	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_possibleTypes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_enumValues(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.EnumValues(fc.Args["includeDeprecated"].(bool)), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.EnumValue)
+	fc.Result = res
+	return ec.marshalO__EnumValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐEnumValueᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_enumValues(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___EnumValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___EnumValue_description(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___EnumValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___EnumValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __EnumValue", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Type_enumValues_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_inputFields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_inputFields(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.InputFields(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.([]introspection.InputValue)
+	fc.Result = res
+	return ec.marshalO__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_inputFields(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_ofType(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_ofType(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.OfType(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*introspection.Type)
+	fc.Result = res
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_ofType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) ___Type_isOneOf(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_isOneOf(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsOneOf(), nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalOBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext___Type_isOneOf(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "__Type",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+// endregion **************************** field.gotpl *****************************
+
+// region    **************************** input.gotpl *****************************
+
+func (ec *executionContext) unmarshalInputAddEmailTemplateRequest(ctx context.Context, obj any) (model.AddEmailTemplateRequest, error) {
+	var it model.AddEmailTemplateRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"event_name", "subject", "template", "design"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EventName = data
+		case "subject":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Subject = data
+		case "template":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Template = data
+		case "design":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Design = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAddPermissionInput(ctx context.Context, obj any) (model.AddPermissionInput, error) {
+	var it model.AddPermissionInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"name", "description", "resource_id", "scope_ids", "policy_ids", "decision_strategy"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		case "resource_id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ResourceID = data
+		case "scope_ids":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope_ids"))
+			data, err := ec.unmarshalNID2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ScopeIds = data
+		case "policy_ids":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("policy_ids"))
+			data, err := ec.unmarshalNID2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PolicyIds = data
+		case "decision_strategy":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DecisionStrategy = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAddPolicyInput(ctx context.Context, obj any) (model.AddPolicyInput, error) {
+	var it model.AddPolicyInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"name", "description", "type", "logic", "decision_strategy", "targets"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		case "type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Type = data
+		case "logic":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("logic"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Logic = data
+		case "decision_strategy":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DecisionStrategy = data
+		case "targets":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("targets"))
+			data, err := ec.unmarshalNPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Targets = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAddResourceInput(ctx context.Context, obj any) (model.AddResourceInput, error) {
+	var it model.AddResourceInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"name", "description"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAddScopeInput(ctx context.Context, obj any) (model.AddScopeInput, error) {
+	var it model.AddScopeInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"name", "description"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAddWebhookRequest(ctx context.Context, obj any) (model.AddWebhookRequest, error) {
+	var it model.AddWebhookRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"event_name", "event_description", "endpoint", "enabled", "headers"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EventName = data
+		case "event_description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EventDescription = data
+		case "endpoint":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Endpoint = data
+		case "enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
+			data, err := ec.unmarshalNBoolean2bool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Enabled = data
+		case "headers":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Headers = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAdminLoginRequest(ctx context.Context, obj any) (model.AdminLoginRequest, error) {
+	var it model.AdminLoginRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"admin_secret"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "admin_secret":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AdminSecret = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputAdminSignupRequest(ctx context.Context, obj any) (model.AdminSignupRequest, error) {
+	var it model.AdminSignupRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"admin_secret"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "admin_secret":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AdminSecret = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputCheckPermissionInput(ctx context.Context, obj any) (model.CheckPermissionInput, error) {
+	var it model.CheckPermissionInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"resource", "scope"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "resource":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Resource = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Scope = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
+	var it model.DeleteEmailTemplateRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
 	fieldsInOrder := [...]string{"id"}
 	for _, k := range fieldsInOrder {
@@ -19218,6 +23914,40 @@ func (ec *executionContext) unmarshalInputPaginationRequest(ctx context.Context,
 	return it, nil
 }
 
+func (ec *executionContext) unmarshalInputPolicyTargetInput(ctx context.Context, obj any) (model.PolicyTargetInput, error) {
+	var it model.PolicyTargetInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"target_type", "target_value"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "target_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("target_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.TargetType = data
+		case "target_value":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("target_value"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.TargetValue = data
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputResendOTPRequest(ctx context.Context, obj any) (model.ResendOTPRequest, error) {
 	var it model.ResendOTPRequest
 	asMap := map[string]any{}
@@ -20084,76 +24814,386 @@ func (ec *executionContext) unmarshalInputUpdateEnvRequest(ctx context.Context,
 			if err != nil {
 				return it, err
 			}
-			it.DefaultAuthorizeResponseType = data
-		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_MODE"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DefaultAuthorizeResponseType = data
+		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_MODE"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DefaultAuthorizeResponseMode = data
+		case "DISABLE_PLAYGROUND":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_PLAYGROUND"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DisablePlayground = data
+		case "DISABLE_MAIL_OTP_LOGIN":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAIL_OTP_LOGIN"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DisableMailOtpLogin = data
+		case "DISABLE_TOTP_LOGIN":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_TOTP_LOGIN"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DisableTotpLogin = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdatePermissionInput(ctx context.Context, obj any) (model.UpdatePermissionInput, error) {
+	var it model.UpdatePermissionInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"id", "name", "description", "scope_ids", "policy_ids", "decision_strategy"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ID = data
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		case "scope_ids":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope_ids"))
+			data, err := ec.unmarshalOID2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ScopeIds = data
+		case "policy_ids":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("policy_ids"))
+			data, err := ec.unmarshalOID2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PolicyIds = data
+		case "decision_strategy":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DecisionStrategy = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdatePolicyInput(ctx context.Context, obj any) (model.UpdatePolicyInput, error) {
+	var it model.UpdatePolicyInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"id", "name", "description", "logic", "decision_strategy", "targets"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ID = data
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Description = data
+		case "logic":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("logic"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Logic = data
+		case "decision_strategy":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.DecisionStrategy = data
+		case "targets":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("targets"))
+			data, err := ec.unmarshalOPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Targets = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Context, obj any) (model.UpdateProfileRequest, error) {
+	var it model.UpdateProfileRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled", "app_data"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "old_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("old_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.OldPassword = data
+		case "new_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("new_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.NewPassword = data
+		case "confirm_new_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_new_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ConfirmNewPassword = data
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Email = data
+		case "given_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.GivenName = data
+		case "family_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.FamilyName = data
+		case "middle_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.MiddleName = data
+		case "nickname":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Nickname = data
+		case "gender":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Gender = data
+		case "birthdate":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Birthdate = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PhoneNumber = data
+		case "picture":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Picture = data
+		case "is_multi_factor_auth_enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.IsMultiFactorAuthEnabled = data
+		case "app_data":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DefaultAuthorizeResponseMode = data
-		case "DISABLE_PLAYGROUND":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_PLAYGROUND"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.AppData = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdateResourceInput(ctx context.Context, obj any) (model.UpdateResourceInput, error) {
+	var it model.UpdateResourceInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"id", "name", "description"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisablePlayground = data
-		case "DISABLE_MAIL_OTP_LOGIN":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAIL_OTP_LOGIN"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.ID = data
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableMailOtpLogin = data
-		case "DISABLE_TOTP_LOGIN":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_TOTP_LOGIN"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableTotpLogin = data
+			it.Description = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Context, obj any) (model.UpdateProfileRequest, error) {
-	var it model.UpdateProfileRequest
+func (ec *executionContext) unmarshalInputUpdateScopeInput(ctx context.Context, obj any) (model.UpdateScopeInput, error) {
+	var it model.UpdateScopeInput
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled", "app_data"}
+	fieldsInOrder := [...]string{"id", "name", "description"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "old_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("old_password"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.OldPassword = data
-		case "new_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("new_password"))
+			it.ID = data
+		case "name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.NewPassword = data
-		case "confirm_new_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_new_password"))
+			it.Name = data
+		case "description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ConfirmNewPassword = data
+			it.Description = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context, obj any) (model.UpdateUserRequest, error) {
+	var it model.UpdateUserRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "phone_number_verified", "picture", "roles", "is_multi_factor_auth_enabled", "app_data"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ID = data
 		case "email":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -20161,6 +25201,13 @@ func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Conte
 				return it, err
 			}
 			it.Email = data
+		case "email_verified":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email_verified"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EmailVerified = data
 		case "given_name":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -20210,6 +25257,13 @@ func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Conte
 				return it, err
 			}
 			it.PhoneNumber = data
+		case "phone_number_verified":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number_verified"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PhoneNumberVerified = data
 		case "picture":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -20217,6 +25271,13 @@ func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Conte
 				return it, err
 			}
 			it.Picture = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
 		case "is_multi_factor_auth_enabled":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
 			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
@@ -20237,14 +25298,14 @@ func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Conte
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context, obj any) (model.UpdateUserRequest, error) {
-	var it model.UpdateUserRequest
+func (ec *executionContext) unmarshalInputUpdateWebhookRequest(ctx context.Context, obj any) (model.UpdateWebhookRequest, error) {
+	var it model.UpdateWebhookRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "phone_number_verified", "picture", "roles", "is_multi_factor_auth_enabled", "app_data"}
+	fieldsInOrder := [...]string{"id", "event_name", "event_description", "endpoint", "enabled", "headers"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -20258,62 +25319,177 @@ func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context,
 				return it, err
 			}
 			it.ID = data
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Email = data
-		case "email_verified":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email_verified"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.EventName = data
+		case "event_description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EmailVerified = data
-		case "given_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
+			it.EventDescription = data
+		case "endpoint":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GivenName = data
-		case "family_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Endpoint = data
+		case "enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.FamilyName = data
-		case "middle_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Enabled = data
+		case "headers":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MiddleName = data
-		case "nickname":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Headers = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputValidateJWTTokenRequest(ctx context.Context, obj any) (model.ValidateJWTTokenRequest, error) {
+	var it model.ValidateJWTTokenRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"token_type", "token", "roles"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "token_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.TokenType = data
+		case "token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Token = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputValidateSessionRequest(ctx context.Context, obj any) (model.ValidateSessionRequest, error) {
+	var it model.ValidateSessionRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"cookie", "roles"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "cookie":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("cookie"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Cookie = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputVerifyEmailRequest(ctx context.Context, obj any) (model.VerifyEmailRequest, error) {
+	var it model.VerifyEmailRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"token", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Nickname = data
-		case "gender":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
+			it.Token = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Gender = data
-		case "birthdate":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
+			it.State = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context, obj any) (model.VerifyOTPRequest, error) {
+	var it model.VerifyOTPRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"email", "phone_number", "otp", "is_totp", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Birthdate = data
+			it.Email = data
 		case "phone_number":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -20321,344 +25497,698 @@ func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context,
 				return it, err
 			}
 			it.PhoneNumber = data
-		case "phone_number_verified":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number_verified"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+		case "otp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumberVerified = data
-		case "picture":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Otp = data
+		case "is_totp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_totp"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Picture = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕᚖstring(ctx, v)
+			it.IsTotp = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Roles = data
-		case "is_multi_factor_auth_enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.State = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, obj any) (model.WebhookRequest, error) {
+	var it model.WebhookRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"id"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.IsMultiFactorAuthEnabled = data
-		case "app_data":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
+			it.ID = data
+		}
+	}
+
+	return it, nil
+}
+
+// endregion **************************** input.gotpl *****************************
+
+// region    ************************** interface.gotpl ***************************
+
+// endregion ************************** interface.gotpl ***************************
+
+// region    **************************** object.gotpl ****************************
+
+var auditLogImplementors = []string{"AuditLog"}
+
+func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLog) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuditLog")
+		case "id":
+			out.Values[i] = ec._AuditLog_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.AppData = data
+		case "actor_id":
+			out.Values[i] = ec._AuditLog_actor_id(ctx, field, obj)
+		case "actor_type":
+			out.Values[i] = ec._AuditLog_actor_type(ctx, field, obj)
+		case "actor_email":
+			out.Values[i] = ec._AuditLog_actor_email(ctx, field, obj)
+		case "action":
+			out.Values[i] = ec._AuditLog_action(ctx, field, obj)
+		case "resource_type":
+			out.Values[i] = ec._AuditLog_resource_type(ctx, field, obj)
+		case "resource_id":
+			out.Values[i] = ec._AuditLog_resource_id(ctx, field, obj)
+		case "ip_address":
+			out.Values[i] = ec._AuditLog_ip_address(ctx, field, obj)
+		case "user_agent":
+			out.Values[i] = ec._AuditLog_user_agent(ctx, field, obj)
+		case "metadata":
+			out.Values[i] = ec._AuditLog_metadata(ctx, field, obj)
+		case "created_at":
+			out.Values[i] = ec._AuditLog_created_at(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var auditLogsImplementors = []string{"AuditLogs"}
+
+func (ec *executionContext) _AuditLogs(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLogs) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogsImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuditLogs")
+		case "pagination":
+			out.Values[i] = ec._AuditLogs_pagination(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "audit_logs":
+			out.Values[i] = ec._AuditLogs_audit_logs(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var authResponseImplementors = []string{"AuthResponse"}
+
+func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.SelectionSet, obj *model.AuthResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthResponse")
+		case "message":
+			out.Values[i] = ec._AuthResponse_message(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "should_show_email_otp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_email_otp_screen(ctx, field, obj)
+		case "should_show_mobile_otp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_mobile_otp_screen(ctx, field, obj)
+		case "should_show_totp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_totp_screen(ctx, field, obj)
+		case "access_token":
+			out.Values[i] = ec._AuthResponse_access_token(ctx, field, obj)
+		case "id_token":
+			out.Values[i] = ec._AuthResponse_id_token(ctx, field, obj)
+		case "refresh_token":
+			out.Values[i] = ec._AuthResponse_refresh_token(ctx, field, obj)
+		case "expires_in":
+			out.Values[i] = ec._AuthResponse_expires_in(ctx, field, obj)
+		case "user":
+			out.Values[i] = ec._AuthResponse_user(ctx, field, obj)
+		case "authenticator_scanner_image":
+			out.Values[i] = ec._AuthResponse_authenticator_scanner_image(ctx, field, obj)
+		case "authenticator_secret":
+			out.Values[i] = ec._AuthResponse_authenticator_secret(ctx, field, obj)
+		case "authenticator_recovery_codes":
+			out.Values[i] = ec._AuthResponse_authenticator_recovery_codes(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputUpdateWebhookRequest(ctx context.Context, obj any) (model.UpdateWebhookRequest, error) {
-	var it model.UpdateWebhookRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"id", "event_name", "event_description", "endpoint", "enabled", "headers"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
+	return out
+}
+
+var authzPermissionImplementors = []string{"AuthzPermission"}
+
+func (ec *executionContext) _AuthzPermission(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPermission) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzPermissionImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzPermission")
 		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
-			if err != nil {
-				return it, err
+			out.Values[i] = ec._AuthzPermission_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.ID = data
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+		case "name":
+			out.Values[i] = ec._AuthzPermission_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.EventName = data
-		case "event_description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+		case "description":
+			out.Values[i] = ec._AuthzPermission_description(ctx, field, obj)
+		case "resource":
+			out.Values[i] = ec._AuthzPermission_resource(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.EventDescription = data
-		case "endpoint":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+		case "scopes":
+			out.Values[i] = ec._AuthzPermission_scopes(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Endpoint = data
-		case "enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
-			if err != nil {
-				return it, err
+		case "policies":
+			out.Values[i] = ec._AuthzPermission_policies(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Enabled = data
-		case "headers":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
+		case "decision_strategy":
+			out.Values[i] = ec._AuthzPermission_decision_strategy(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Headers = data
+		case "created_at":
+			out.Values[i] = ec._AuthzPermission_created_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "updated_at":
+			out.Values[i] = ec._AuthzPermission_updated_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputValidateJWTTokenRequest(ctx context.Context, obj any) (model.ValidateJWTTokenRequest, error) {
-	var it model.ValidateJWTTokenRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"token_type", "token", "roles"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "token_type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token_type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.TokenType = data
-		case "token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
+	return out
+}
+
+var authzPermissionsImplementors = []string{"AuthzPermissions"}
+
+func (ec *executionContext) _AuthzPermissions(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPermissions) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzPermissionsImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzPermissions")
+		case "pagination":
+			out.Values[i] = ec._AuthzPermissions_pagination(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Token = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
+		case "permissions":
+			out.Values[i] = ec._AuthzPermissions_permissions(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Roles = data
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputValidateSessionRequest(ctx context.Context, obj any) (model.ValidateSessionRequest, error) {
-	var it model.ValidateSessionRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"cookie", "roles"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
+	return out
+}
+
+var authzPoliciesImplementors = []string{"AuthzPolicies"}
+
+func (ec *executionContext) _AuthzPolicies(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicies) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzPoliciesImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzPolicies")
+		case "pagination":
+			out.Values[i] = ec._AuthzPolicies_pagination(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "policies":
+			out.Values[i] = ec._AuthzPolicies_policies(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
-		switch k {
-		case "cookie":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("cookie"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var authzPolicyImplementors = []string{"AuthzPolicy"}
+
+func (ec *executionContext) _AuthzPolicy(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicy) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzPolicyImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzPolicy")
+		case "id":
+			out.Values[i] = ec._AuthzPolicy_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Cookie = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
+		case "name":
+			out.Values[i] = ec._AuthzPolicy_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "description":
+			out.Values[i] = ec._AuthzPolicy_description(ctx, field, obj)
+		case "type":
+			out.Values[i] = ec._AuthzPolicy_type(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "logic":
+			out.Values[i] = ec._AuthzPolicy_logic(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "decision_strategy":
+			out.Values[i] = ec._AuthzPolicy_decision_strategy(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "targets":
+			out.Values[i] = ec._AuthzPolicy_targets(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "created_at":
+			out.Values[i] = ec._AuthzPolicy_created_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Roles = data
+		case "updated_at":
+			out.Values[i] = ec._AuthzPolicy_updated_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputVerifyEmailRequest(ctx context.Context, obj any) (model.VerifyEmailRequest, error) {
-	var it model.VerifyEmailRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"token", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
+	return out
+}
+
+var authzPolicyTargetImplementors = []string{"AuthzPolicyTarget"}
+
+func (ec *executionContext) _AuthzPolicyTarget(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicyTarget) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzPolicyTargetImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzPolicyTarget")
+		case "id":
+			out.Values[i] = ec._AuthzPolicyTarget_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Token = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+		case "target_type":
+			out.Values[i] = ec._AuthzPolicyTarget_target_type(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.State = data
+		case "target_value":
+			out.Values[i] = ec._AuthzPolicyTarget_target_value(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context, obj any) (model.VerifyOTPRequest, error) {
-	var it model.VerifyOTPRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"email", "phone_number", "otp", "is_totp", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+	return out
+}
+
+var authzResourceImplementors = []string{"AuthzResource"}
+
+func (ec *executionContext) _AuthzResource(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzResource) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzResourceImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzResource")
+		case "id":
+			out.Values[i] = ec._AuthzResource_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.PhoneNumber = data
-		case "otp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
+		case "name":
+			out.Values[i] = ec._AuthzResource_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.Otp = data
-		case "is_totp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_totp"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
-			if err != nil {
-				return it, err
+		case "description":
+			out.Values[i] = ec._AuthzResource_description(ctx, field, obj)
+		case "created_at":
+			out.Values[i] = ec._AuthzResource_created_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.IsTotp = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
+		case "updated_at":
+			out.Values[i] = ec._AuthzResource_updated_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.State = data
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
-}
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, obj any) (model.WebhookRequest, error) {
-	var it model.WebhookRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
 	}
 
-	fieldsInOrder := [...]string{"id"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
-			if err != nil {
-				return it, err
+	return out
+}
+
+var authzResourceScopeImplementors = []string{"AuthzResourceScope"}
+
+func (ec *executionContext) _AuthzResourceScope(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzResourceScope) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzResourceScopeImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzResourceScope")
+		case "resource":
+			out.Values[i] = ec._AuthzResourceScope_resource(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
 			}
-			it.ID = data
+		case "scope":
+			out.Values[i] = ec._AuthzResourceScope_scope(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
 		}
 	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-	return it, nil
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
 }
 
-// endregion **************************** input.gotpl *****************************
+var authzResourcesImplementors = []string{"AuthzResources"}
 
-// region    ************************** interface.gotpl ***************************
+func (ec *executionContext) _AuthzResources(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzResources) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzResourcesImplementors)
 
-// endregion ************************** interface.gotpl ***************************
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AuthzResources")
+		case "pagination":
+			out.Values[i] = ec._AuthzResources_pagination(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "resources":
+			out.Values[i] = ec._AuthzResources_resources(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
 
-// region    **************************** object.gotpl ****************************
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
 
-var auditLogImplementors = []string{"AuditLog"}
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
 
-func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLog) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogImplementors)
+	return out
+}
+
+var authzScopeImplementors = []string{"AuthzScope"}
+
+func (ec *executionContext) _AuthzScope(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzScope) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzScopeImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuditLog")
+			out.Values[i] = graphql.MarshalString("AuthzScope")
 		case "id":
-			out.Values[i] = ec._AuditLog_id(ctx, field, obj)
+			out.Values[i] = ec._AuthzScope_id(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "actor_id":
-			out.Values[i] = ec._AuditLog_actor_id(ctx, field, obj)
-		case "actor_type":
-			out.Values[i] = ec._AuditLog_actor_type(ctx, field, obj)
-		case "actor_email":
-			out.Values[i] = ec._AuditLog_actor_email(ctx, field, obj)
-		case "action":
-			out.Values[i] = ec._AuditLog_action(ctx, field, obj)
-		case "resource_type":
-			out.Values[i] = ec._AuditLog_resource_type(ctx, field, obj)
-		case "resource_id":
-			out.Values[i] = ec._AuditLog_resource_id(ctx, field, obj)
-		case "ip_address":
-			out.Values[i] = ec._AuditLog_ip_address(ctx, field, obj)
-		case "user_agent":
-			out.Values[i] = ec._AuditLog_user_agent(ctx, field, obj)
-		case "metadata":
-			out.Values[i] = ec._AuditLog_metadata(ctx, field, obj)
+		case "name":
+			out.Values[i] = ec._AuthzScope_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "description":
+			out.Values[i] = ec._AuthzScope_description(ctx, field, obj)
 		case "created_at":
-			out.Values[i] = ec._AuditLog_created_at(ctx, field, obj)
+			out.Values[i] = ec._AuthzScope_created_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "updated_at":
+			out.Values[i] = ec._AuthzScope_updated_at(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -20682,24 +26212,24 @@ func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet,
 	return out
 }
 
-var auditLogsImplementors = []string{"AuditLogs"}
+var authzScopesImplementors = []string{"AuthzScopes"}
 
-func (ec *executionContext) _AuditLogs(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLogs) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogsImplementors)
+func (ec *executionContext) _AuthzScopes(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzScopes) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authzScopesImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuditLogs")
+			out.Values[i] = graphql.MarshalString("AuthzScopes")
 		case "pagination":
-			out.Values[i] = ec._AuditLogs_pagination(ctx, field, obj)
+			out.Values[i] = ec._AuthzScopes_pagination(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "audit_logs":
-			out.Values[i] = ec._AuditLogs_audit_logs(ctx, field, obj)
+		case "scopes":
+			out.Values[i] = ec._AuthzScopes_scopes(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
@@ -20726,44 +26256,24 @@ func (ec *executionContext) _AuditLogs(ctx context.Context, sel ast.SelectionSet
 	return out
 }
 
-var authResponseImplementors = []string{"AuthResponse"}
+var checkPermissionResponseImplementors = []string{"CheckPermissionResponse"}
 
-func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.SelectionSet, obj *model.AuthResponse) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authResponseImplementors)
+func (ec *executionContext) _CheckPermissionResponse(ctx context.Context, sel ast.SelectionSet, obj *model.CheckPermissionResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, checkPermissionResponseImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthResponse")
-		case "message":
-			out.Values[i] = ec._AuthResponse_message(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("CheckPermissionResponse")
+		case "allowed":
+			out.Values[i] = ec._CheckPermissionResponse_allowed(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "should_show_email_otp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_email_otp_screen(ctx, field, obj)
-		case "should_show_mobile_otp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_mobile_otp_screen(ctx, field, obj)
-		case "should_show_totp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_totp_screen(ctx, field, obj)
-		case "access_token":
-			out.Values[i] = ec._AuthResponse_access_token(ctx, field, obj)
-		case "id_token":
-			out.Values[i] = ec._AuthResponse_id_token(ctx, field, obj)
-		case "refresh_token":
-			out.Values[i] = ec._AuthResponse_refresh_token(ctx, field, obj)
-		case "expires_in":
-			out.Values[i] = ec._AuthResponse_expires_in(ctx, field, obj)
-		case "user":
-			out.Values[i] = ec._AuthResponse_user(ctx, field, obj)
-		case "authenticator_scanner_image":
-			out.Values[i] = ec._AuthResponse_authenticator_scanner_image(ctx, field, obj)
-		case "authenticator_secret":
-			out.Values[i] = ec._AuthResponse_authenticator_secret(ctx, field, obj)
-		case "authenticator_recovery_codes":
-			out.Values[i] = ec._AuthResponse_authenticator_recovery_codes(ctx, field, obj)
+		case "matched_policy":
+			out.Values[i] = ec._CheckPermissionResponse_matched_policy(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -21667,6 +27177,90 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "_add_resource":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__add_resource(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_update_resource":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__update_resource(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_delete_resource":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__delete_resource(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_add_scope":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__add_scope(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_update_scope":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__update_scope(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_delete_scope":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__delete_scope(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_add_policy":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__add_policy(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_update_policy":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__update_policy(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_delete_policy":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__delete_policy(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_add_permission":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__add_permission(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_update_permission":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__update_permission(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "_delete_permission":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__delete_permission(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -21772,7 +27366,139 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_meta(ctx, field)
+				res = ec._Query_meta(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "session":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query_session(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "profile":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query_profile(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "validate_jwt_token":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query_validate_jwt_token(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "validate_session":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query_validate_session(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "_users":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query__users(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "_user":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query__user(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21785,7 +27511,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "session":
+		case "_verification_requests":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21794,7 +27520,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_session(ctx, field)
+				res = ec._Query__verification_requests(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21807,7 +27533,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "profile":
+		case "_admin_session":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21816,7 +27542,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_profile(ctx, field)
+				res = ec._Query__admin_session(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21829,7 +27555,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "validate_jwt_token":
+		case "_env":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21838,7 +27564,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_validate_jwt_token(ctx, field)
+				res = ec._Query__env(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21851,7 +27577,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "validate_session":
+		case "_webhook":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21860,7 +27586,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_validate_session(ctx, field)
+				res = ec._Query__webhook(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21873,7 +27599,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_users":
+		case "_webhooks":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21882,7 +27608,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__users(ctx, field)
+				res = ec._Query__webhooks(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21895,7 +27621,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_user":
+		case "_webhook_logs":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21904,7 +27630,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__user(ctx, field)
+				res = ec._Query__webhook_logs(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21917,7 +27643,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_verification_requests":
+		case "_email_templates":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21926,7 +27652,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__verification_requests(ctx, field)
+				res = ec._Query__email_templates(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21939,7 +27665,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_admin_session":
+		case "_audit_logs":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21948,7 +27674,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__admin_session(ctx, field)
+				res = ec._Query__audit_logs(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21961,7 +27687,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_env":
+		case "_resources":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21970,7 +27696,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__env(ctx, field)
+				res = ec._Query__resources(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -21983,7 +27709,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_webhook":
+		case "_scopes":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -21992,7 +27718,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__webhook(ctx, field)
+				res = ec._Query__scopes(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -22005,7 +27731,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_webhooks":
+		case "_policies":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -22014,7 +27740,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__webhooks(ctx, field)
+				res = ec._Query__policies(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -22027,7 +27753,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_webhook_logs":
+		case "_permissions":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -22036,7 +27762,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__webhook_logs(ctx, field)
+				res = ec._Query__permissions(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -22049,7 +27775,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_email_templates":
+		case "check_permission":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -22058,7 +27784,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__email_templates(ctx, field)
+				res = ec._Query_check_permission(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -22071,7 +27797,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_audit_logs":
+		case "my_permissions":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -22080,7 +27806,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__audit_logs(ctx, field)
+				res = ec._Query_my_permissions(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -22676,17 +28402,234 @@ func (ec *executionContext) _Webhooks(ctx context.Context, sel ast.SelectionSet,
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("Webhooks")
-		case "pagination":
-			out.Values[i] = ec._Webhooks_pagination(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("Webhooks")
+		case "pagination":
+			out.Values[i] = ec._Webhooks_pagination(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "webhooks":
+			out.Values[i] = ec._Webhooks_webhooks(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var __DirectiveImplementors = []string{"__Directive"}
+
+func (ec *executionContext) ___Directive(ctx context.Context, sel ast.SelectionSet, obj *introspection.Directive) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __DirectiveImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("__Directive")
+		case "name":
+			out.Values[i] = ec.___Directive_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "description":
+			out.Values[i] = ec.___Directive_description(ctx, field, obj)
+		case "isRepeatable":
+			out.Values[i] = ec.___Directive_isRepeatable(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "locations":
+			out.Values[i] = ec.___Directive_locations(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "args":
+			out.Values[i] = ec.___Directive_args(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var __EnumValueImplementors = []string{"__EnumValue"}
+
+func (ec *executionContext) ___EnumValue(ctx context.Context, sel ast.SelectionSet, obj *introspection.EnumValue) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __EnumValueImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("__EnumValue")
+		case "name":
+			out.Values[i] = ec.___EnumValue_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "description":
+			out.Values[i] = ec.___EnumValue_description(ctx, field, obj)
+		case "isDeprecated":
+			out.Values[i] = ec.___EnumValue_isDeprecated(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "deprecationReason":
+			out.Values[i] = ec.___EnumValue_deprecationReason(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var __FieldImplementors = []string{"__Field"}
+
+func (ec *executionContext) ___Field(ctx context.Context, sel ast.SelectionSet, obj *introspection.Field) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __FieldImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("__Field")
+		case "name":
+			out.Values[i] = ec.___Field_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "description":
+			out.Values[i] = ec.___Field_description(ctx, field, obj)
+		case "args":
+			out.Values[i] = ec.___Field_args(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "type":
+			out.Values[i] = ec.___Field_type(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "isDeprecated":
+			out.Values[i] = ec.___Field_isDeprecated(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "deprecationReason":
+			out.Values[i] = ec.___Field_deprecationReason(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var __InputValueImplementors = []string{"__InputValue"}
+
+func (ec *executionContext) ___InputValue(ctx context.Context, sel ast.SelectionSet, obj *introspection.InputValue) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __InputValueImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("__InputValue")
+		case "name":
+			out.Values[i] = ec.___InputValue_name(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "webhooks":
-			out.Values[i] = ec._Webhooks_webhooks(ctx, field, obj)
+		case "description":
+			out.Values[i] = ec.___InputValue_description(ctx, field, obj)
+		case "type":
+			out.Values[i] = ec.___InputValue_type(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "defaultValue":
+			out.Values[i] = ec.___InputValue_defaultValue(ctx, field, obj)
+		case "isDeprecated":
+			out.Values[i] = ec.___InputValue_isDeprecated(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "deprecationReason":
+			out.Values[i] = ec.___InputValue_deprecationReason(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -22710,36 +28653,35 @@ func (ec *executionContext) _Webhooks(ctx context.Context, sel ast.SelectionSet,
 	return out
 }
 
-var __DirectiveImplementors = []string{"__Directive"}
+var __SchemaImplementors = []string{"__Schema"}
 
-func (ec *executionContext) ___Directive(ctx context.Context, sel ast.SelectionSet, obj *introspection.Directive) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __DirectiveImplementors)
+func (ec *executionContext) ___Schema(ctx context.Context, sel ast.SelectionSet, obj *introspection.Schema) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __SchemaImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("__Directive")
-		case "name":
-			out.Values[i] = ec.___Directive_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
+			out.Values[i] = graphql.MarshalString("__Schema")
 		case "description":
-			out.Values[i] = ec.___Directive_description(ctx, field, obj)
-		case "isRepeatable":
-			out.Values[i] = ec.___Directive_isRepeatable(ctx, field, obj)
+			out.Values[i] = ec.___Schema_description(ctx, field, obj)
+		case "types":
+			out.Values[i] = ec.___Schema_types(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "locations":
-			out.Values[i] = ec.___Directive_locations(ctx, field, obj)
+		case "queryType":
+			out.Values[i] = ec.___Schema_queryType(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "args":
-			out.Values[i] = ec.___Directive_args(ctx, field, obj)
+		case "mutationType":
+			out.Values[i] = ec.___Schema_mutationType(ctx, field, obj)
+		case "subscriptionType":
+			out.Values[i] = ec.___Schema_subscriptionType(ctx, field, obj)
+		case "directives":
+			out.Values[i] = ec.___Schema_directives(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
@@ -22766,31 +28708,42 @@ func (ec *executionContext) ___Directive(ctx context.Context, sel ast.SelectionS
 	return out
 }
 
-var __EnumValueImplementors = []string{"__EnumValue"}
+var __TypeImplementors = []string{"__Type"}
 
-func (ec *executionContext) ___EnumValue(ctx context.Context, sel ast.SelectionSet, obj *introspection.EnumValue) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __EnumValueImplementors)
+func (ec *executionContext) ___Type(ctx context.Context, sel ast.SelectionSet, obj *introspection.Type) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, __TypeImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("__EnumValue")
-		case "name":
-			out.Values[i] = ec.___EnumValue_name(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("__Type")
+		case "kind":
+			out.Values[i] = ec.___Type_kind(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "name":
+			out.Values[i] = ec.___Type_name(ctx, field, obj)
 		case "description":
-			out.Values[i] = ec.___EnumValue_description(ctx, field, obj)
-		case "isDeprecated":
-			out.Values[i] = ec.___EnumValue_isDeprecated(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "deprecationReason":
-			out.Values[i] = ec.___EnumValue_deprecationReason(ctx, field, obj)
+			out.Values[i] = ec.___Type_description(ctx, field, obj)
+		case "specifiedByURL":
+			out.Values[i] = ec.___Type_specifiedByURL(ctx, field, obj)
+		case "fields":
+			out.Values[i] = ec.___Type_fields(ctx, field, obj)
+		case "interfaces":
+			out.Values[i] = ec.___Type_interfaces(ctx, field, obj)
+		case "possibleTypes":
+			out.Values[i] = ec.___Type_possibleTypes(ctx, field, obj)
+		case "enumValues":
+			out.Values[i] = ec.___Type_enumValues(ctx, field, obj)
+		case "inputFields":
+			out.Values[i] = ec.___Type_inputFields(ctx, field, obj)
+		case "ofType":
+			out.Values[i] = ec.___Type_ofType(ctx, field, obj)
+		case "isOneOf":
+			out.Values[i] = ec.___Type_isOneOf(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -22814,258 +28767,389 @@ func (ec *executionContext) ___EnumValue(ctx context.Context, sel ast.SelectionS
 	return out
 }
 
-var __FieldImplementors = []string{"__Field"}
+// endregion **************************** object.gotpl ****************************
 
-func (ec *executionContext) ___Field(ctx context.Context, sel ast.SelectionSet, obj *introspection.Field) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __FieldImplementors)
+// region    ***************************** type.gotpl *****************************
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("__Field")
-		case "name":
-			out.Values[i] = ec.___Field_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec.___Field_description(ctx, field, obj)
-		case "args":
-			out.Values[i] = ec.___Field_args(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "type":
-			out.Values[i] = ec.___Field_type(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+func (ec *executionContext) unmarshalNAddEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddEmailTemplateRequest(ctx context.Context, v any) (model.AddEmailTemplateRequest, error) {
+	res, err := ec.unmarshalInputAddEmailTemplateRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAddPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPermissionInput(ctx context.Context, v any) (model.AddPermissionInput, error) {
+	res, err := ec.unmarshalInputAddPermissionInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAddPolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPolicyInput(ctx context.Context, v any) (model.AddPolicyInput, error) {
+	res, err := ec.unmarshalInputAddPolicyInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAddResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddResourceInput(ctx context.Context, v any) (model.AddResourceInput, error) {
+	res, err := ec.unmarshalInputAddResourceInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAddScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddScopeInput(ctx context.Context, v any) (model.AddScopeInput, error) {
+	res, err := ec.unmarshalInputAddScopeInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAddWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddWebhookRequest(ctx context.Context, v any) (model.AddWebhookRequest, error) {
+	res, err := ec.unmarshalInputAddWebhookRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAdminLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminLoginRequest(ctx context.Context, v any) (model.AdminLoginRequest, error) {
+	res, err := ec.unmarshalInputAdminLoginRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNAdminSignupRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminSignupRequest(ctx context.Context, v any) (model.AdminSignupRequest, error) {
+	res, err := ec.unmarshalInputAdminSignupRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuditLog) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
 			}
-		case "isDeprecated":
-			out.Values[i] = ec.___Field_isDeprecated(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			ret[i] = ec.marshalNAuditLog2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLog(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
+		}
+
+	}
+	wg.Wait()
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
+func (ec *executionContext) marshalNAuditLog2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLog(ctx context.Context, sel ast.SelectionSet, v *model.AuditLog) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuditLog(ctx, sel, v)
+}
+
+func (ec *executionContext) marshalNAuditLogs2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx context.Context, sel ast.SelectionSet, v model.AuditLogs) graphql.Marshaler {
+	return ec._AuditLogs(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx context.Context, sel ast.SelectionSet, v *model.AuditLogs) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuditLogs(ctx, sel, v)
+}
+
+func (ec *executionContext) marshalNAuthResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx context.Context, sel ast.SelectionSet, v model.AuthResponse) graphql.Marshaler {
+	return ec._AuthResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx context.Context, sel ast.SelectionSet, v *model.AuthResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuthResponse(ctx, sel, v)
+}
+
+func (ec *executionContext) marshalNAuthzPermission2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx context.Context, sel ast.SelectionSet, v model.AuthzPermission) graphql.Marshaler {
+	return ec._AuthzPermission(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNAuthzPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissionᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPermission) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
 			}
-		case "deprecationReason":
-			out.Values[i] = ec.___Field_deprecationReason(ctx, field, obj)
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			ret[i] = ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
 		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+	}
+	wg.Wait()
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
 	}
 
-	return out
+	return ret
 }
 
-var __InputValueImplementors = []string{"__InputValue"}
-
-func (ec *executionContext) ___InputValue(ctx context.Context, sel ast.SelectionSet, obj *introspection.InputValue) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __InputValueImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("__InputValue")
-		case "name":
-			out.Values[i] = ec.___InputValue_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec.___InputValue_description(ctx, field, obj)
-		case "type":
-			out.Values[i] = ec.___InputValue_type(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "defaultValue":
-			out.Values[i] = ec.___InputValue_defaultValue(ctx, field, obj)
-		case "isDeprecated":
-			out.Values[i] = ec.___InputValue_isDeprecated(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "deprecationReason":
-			out.Values[i] = ec.___InputValue_deprecationReason(ctx, field, obj)
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+func (ec *executionContext) marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPermission) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
 		return graphql.Null
 	}
+	return ec._AuthzPermission(ctx, sel, v)
+}
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+func (ec *executionContext) marshalNAuthzPermissions2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx context.Context, sel ast.SelectionSet, v model.AuthzPermissions) graphql.Marshaler {
+	return ec._AuthzPermissions(ctx, sel, &v)
+}
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
+func (ec *executionContext) marshalNAuthzPermissions2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPermissions) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
 	}
+	return ec._AuthzPermissions(ctx, sel, v)
+}
 
-	return out
+func (ec *executionContext) marshalNAuthzPolicies2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx context.Context, sel ast.SelectionSet, v model.AuthzPolicies) graphql.Marshaler {
+	return ec._AuthzPolicies(ctx, sel, &v)
 }
 
-var __SchemaImplementors = []string{"__Schema"}
+func (ec *executionContext) marshalNAuthzPolicies2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicies) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuthzPolicies(ctx, sel, v)
+}
 
-func (ec *executionContext) ___Schema(ctx context.Context, sel ast.SelectionSet, obj *introspection.Schema) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __SchemaImplementors)
+func (ec *executionContext) marshalNAuthzPolicy2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx context.Context, sel ast.SelectionSet, v model.AuthzPolicy) graphql.Marshaler {
+	return ec._AuthzPolicy(ctx, sel, &v)
+}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("__Schema")
-		case "description":
-			out.Values[i] = ec.___Schema_description(ctx, field, obj)
-		case "types":
-			out.Values[i] = ec.___Schema_types(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "queryType":
-			out.Values[i] = ec.___Schema_queryType(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "mutationType":
-			out.Values[i] = ec.___Schema_mutationType(ctx, field, obj)
-		case "subscriptionType":
-			out.Values[i] = ec.___Schema_subscriptionType(ctx, field, obj)
-		case "directives":
-			out.Values[i] = ec.___Schema_directives(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+func (ec *executionContext) marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPolicy) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			ret[i] = ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
 		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+	}
+	wg.Wait()
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
 	}
 
-	return out
+	return ret
 }
 
-var __TypeImplementors = []string{"__Type"}
-
-func (ec *executionContext) ___Type(ctx context.Context, sel ast.SelectionSet, obj *introspection.Type) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, __TypeImplementors)
+func (ec *executionContext) marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicy) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuthzPolicy(ctx, sel, v)
+}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("__Type")
-		case "kind":
-			out.Values[i] = ec.___Type_kind(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+func (ec *executionContext) marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTargetᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPolicyTarget) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
 			}
-		case "name":
-			out.Values[i] = ec.___Type_name(ctx, field, obj)
-		case "description":
-			out.Values[i] = ec.___Type_description(ctx, field, obj)
-		case "specifiedByURL":
-			out.Values[i] = ec.___Type_specifiedByURL(ctx, field, obj)
-		case "fields":
-			out.Values[i] = ec.___Type_fields(ctx, field, obj)
-		case "interfaces":
-			out.Values[i] = ec.___Type_interfaces(ctx, field, obj)
-		case "possibleTypes":
-			out.Values[i] = ec.___Type_possibleTypes(ctx, field, obj)
-		case "enumValues":
-			out.Values[i] = ec.___Type_enumValues(ctx, field, obj)
-		case "inputFields":
-			out.Values[i] = ec.___Type_inputFields(ctx, field, obj)
-		case "ofType":
-			out.Values[i] = ec.___Type_ofType(ctx, field, obj)
-		case "isOneOf":
-			out.Values[i] = ec.___Type_isOneOf(ctx, field, obj)
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			ret[i] = ec.marshalNAuthzPolicyTarget2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTarget(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
 		}
+
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
+	wg.Wait()
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
 	}
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+	return ret
+}
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
+func (ec *executionContext) marshalNAuthzPolicyTarget2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTarget(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicyTarget) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
 	}
-
-	return out
+	return ec._AuthzPolicyTarget(ctx, sel, v)
 }
 
-// endregion **************************** object.gotpl ****************************
+func (ec *executionContext) marshalNAuthzResource2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx context.Context, sel ast.SelectionSet, v model.AuthzResource) graphql.Marshaler {
+	return ec._AuthzResource(ctx, sel, &v)
+}
 
-// region    ***************************** type.gotpl *****************************
+func (ec *executionContext) marshalNAuthzResource2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzResource) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
+			}
+			ret[i] = ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
+		}
 
-func (ec *executionContext) unmarshalNAddEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddEmailTemplateRequest(ctx context.Context, v any) (model.AddEmailTemplateRequest, error) {
-	res, err := ec.unmarshalInputAddEmailTemplateRequest(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
+	}
+	wg.Wait()
 
-func (ec *executionContext) unmarshalNAddWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddWebhookRequest(ctx context.Context, v any) (model.AddWebhookRequest, error) {
-	res, err := ec.unmarshalInputAddWebhookRequest(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
 
-func (ec *executionContext) unmarshalNAdminLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminLoginRequest(ctx context.Context, v any) (model.AdminLoginRequest, error) {
-	res, err := ec.unmarshalInputAdminLoginRequest(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
+	return ret
 }
 
-func (ec *executionContext) unmarshalNAdminSignupRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminSignupRequest(ctx context.Context, v any) (model.AdminSignupRequest, error) {
-	res, err := ec.unmarshalInputAdminSignupRequest(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
+func (ec *executionContext) marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx context.Context, sel ast.SelectionSet, v *model.AuthzResource) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuthzResource(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuditLog) graphql.Marshaler {
+func (ec *executionContext) marshalNAuthzResourceScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceScopeᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzResourceScope) graphql.Marshaler {
 	ret := make(graphql.Array, len(v))
 	var wg sync.WaitGroup
 	isLen1 := len(v) == 1
@@ -23089,7 +29173,7 @@ func (ec *executionContext) marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdev
 			if !isLen1 {
 				defer wg.Done()
 			}
-			ret[i] = ec.marshalNAuditLog2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLog(ctx, sel, v[i])
+			ret[i] = ec.marshalNAuthzResourceScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceScope(ctx, sel, v[i])
 		}
 		if isLen1 {
 			f(i)
@@ -23109,42 +29193,100 @@ func (ec *executionContext) marshalNAuditLog2ᚕᚖgithubᚗcomᚋauthorizerdev
 	return ret
 }
 
-func (ec *executionContext) marshalNAuditLog2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLog(ctx context.Context, sel ast.SelectionSet, v *model.AuditLog) graphql.Marshaler {
+func (ec *executionContext) marshalNAuthzResourceScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceScope(ctx context.Context, sel ast.SelectionSet, v *model.AuthzResourceScope) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuditLog(ctx, sel, v)
+	return ec._AuthzResourceScope(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNAuditLogs2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx context.Context, sel ast.SelectionSet, v model.AuditLogs) graphql.Marshaler {
-	return ec._AuditLogs(ctx, sel, &v)
+func (ec *executionContext) marshalNAuthzResources2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx context.Context, sel ast.SelectionSet, v model.AuthzResources) graphql.Marshaler {
+	return ec._AuthzResources(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx context.Context, sel ast.SelectionSet, v *model.AuditLogs) graphql.Marshaler {
+func (ec *executionContext) marshalNAuthzResources2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx context.Context, sel ast.SelectionSet, v *model.AuthzResources) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuditLogs(ctx, sel, v)
+	return ec._AuthzResources(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNAuthResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx context.Context, sel ast.SelectionSet, v model.AuthResponse) graphql.Marshaler {
-	return ec._AuthResponse(ctx, sel, &v)
+func (ec *executionContext) marshalNAuthzScope2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx context.Context, sel ast.SelectionSet, v model.AuthzScope) graphql.Marshaler {
+	return ec._AuthzScope(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx context.Context, sel ast.SelectionSet, v *model.AuthResponse) graphql.Marshaler {
+func (ec *executionContext) marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzScope) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
+			}
+			ret[i] = ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
+		}
+
+	}
+	wg.Wait()
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
+func (ec *executionContext) marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx context.Context, sel ast.SelectionSet, v *model.AuthzScope) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuthResponse(ctx, sel, v)
+	return ec._AuthzScope(ctx, sel, v)
+}
+
+func (ec *executionContext) marshalNAuthzScopes2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx context.Context, sel ast.SelectionSet, v model.AuthzScopes) graphql.Marshaler {
+	return ec._AuthzScopes(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNAuthzScopes2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx context.Context, sel ast.SelectionSet, v *model.AuthzScopes) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AuthzScopes(ctx, sel, v)
 }
 
 func (ec *executionContext) unmarshalNBoolean2bool(ctx context.Context, v any) (bool, error) {
@@ -23163,6 +29305,25 @@ func (ec *executionContext) marshalNBoolean2bool(ctx context.Context, sel ast.Se
 	return res
 }
 
+func (ec *executionContext) unmarshalNCheckPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionInput(ctx context.Context, v any) (model.CheckPermissionInput, error) {
+	res, err := ec.unmarshalInputCheckPermissionInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNCheckPermissionResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionResponse(ctx context.Context, sel ast.SelectionSet, v model.CheckPermissionResponse) graphql.Marshaler {
+	return ec._CheckPermissionResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNCheckPermissionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionResponse(ctx context.Context, sel ast.SelectionSet, v *model.CheckPermissionResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._CheckPermissionResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx context.Context, v any) (model.DeleteEmailTemplateRequest, error) {
 	res, err := ec.unmarshalInputDeleteEmailTemplateRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -23314,6 +29475,36 @@ func (ec *executionContext) marshalNID2string(ctx context.Context, sel ast.Selec
 	return res
 }
 
+func (ec *executionContext) unmarshalNID2ᚕstringᚄ(ctx context.Context, v any) ([]string, error) {
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]string, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNID2string(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func (ec *executionContext) marshalNID2ᚕstringᚄ(ctx context.Context, sel ast.SelectionSet, v []string) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	for i := range v {
+		ret[i] = ec.marshalNID2string(ctx, sel, v[i])
+	}
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
 func (ec *executionContext) unmarshalNInt642int64(ctx context.Context, v any) (int64, error) {
 	res, err := graphql.UnmarshalInt64(v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -23393,6 +29584,26 @@ func (ec *executionContext) marshalNPagination2ᚖgithubᚗcomᚋauthorizerdev
 	return ec._Pagination(ctx, sel, v)
 }
 
+func (ec *executionContext) unmarshalNPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx context.Context, v any) ([]*model.PolicyTargetInput, error) {
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.PolicyTargetInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func (ec *executionContext) unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx context.Context, v any) (*model.PolicyTargetInput, error) {
+	res, err := ec.unmarshalInputPolicyTargetInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
+}
+
 func (ec *executionContext) unmarshalNResendOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendOTPRequest(ctx context.Context, v any) (model.ResendOTPRequest, error) {
 	res, err := ec.unmarshalInputResendOTPRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -23507,11 +29718,31 @@ func (ec *executionContext) unmarshalNUpdateEnvRequest2githubᚗcomᚋauthorizer
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
+func (ec *executionContext) unmarshalNUpdatePermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePermissionInput(ctx context.Context, v any) (model.UpdatePermissionInput, error) {
+	res, err := ec.unmarshalInputUpdatePermissionInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNUpdatePolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePolicyInput(ctx context.Context, v any) (model.UpdatePolicyInput, error) {
+	res, err := ec.unmarshalInputUpdatePolicyInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
 func (ec *executionContext) unmarshalNUpdateProfileRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateProfileRequest(ctx context.Context, v any) (model.UpdateProfileRequest, error) {
 	res, err := ec.unmarshalInputUpdateProfileRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
+func (ec *executionContext) unmarshalNUpdateResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateResourceInput(ctx context.Context, v any) (model.UpdateResourceInput, error) {
+	res, err := ec.unmarshalInputUpdateResourceInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNUpdateScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateScopeInput(ctx context.Context, v any) (model.UpdateScopeInput, error) {
+	res, err := ec.unmarshalInputUpdateScopeInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
 func (ec *executionContext) unmarshalNUpdateUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateUserRequest(ctx context.Context, v any) (model.UpdateUserRequest, error) {
 	res, err := ec.unmarshalInputUpdateUserRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -24133,6 +30364,42 @@ func (ec *executionContext) marshalOBoolean2ᚖbool(ctx context.Context, sel ast
 	return res
 }
 
+func (ec *executionContext) unmarshalOID2ᚕstringᚄ(ctx context.Context, v any) ([]string, error) {
+	if v == nil {
+		return nil, nil
+	}
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]string, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNID2string(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func (ec *executionContext) marshalOID2ᚕstringᚄ(ctx context.Context, sel ast.SelectionSet, v []string) graphql.Marshaler {
+	if v == nil {
+		return graphql.Null
+	}
+	ret := make(graphql.Array, len(v))
+	for i := range v {
+		ret[i] = ec.marshalNID2string(ctx, sel, v[i])
+	}
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
 func (ec *executionContext) unmarshalOID2ᚖstring(ctx context.Context, v any) (*string, error) {
 	if v == nil {
 		return nil, nil
@@ -24227,6 +30494,24 @@ func (ec *executionContext) unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthor
 	return &res, graphql.ErrorOnPath(ctx, err)
 }
 
+func (ec *executionContext) unmarshalOPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx context.Context, v any) ([]*model.PolicyTargetInput, error) {
+	if v == nil {
+		return nil, nil
+	}
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.PolicyTargetInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
 func (ec *executionContext) unmarshalOSessionQueryRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSessionQueryRequest(ctx context.Context, v any) (*model.SessionQueryRequest, error) {
 	if v == nil {
 		return nil, nil
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index 8c2ada58..f0e27d64 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -9,6 +9,34 @@ type AddEmailTemplateRequest struct {
 	Design    *string `json:"design,omitempty"`
 }
 
+type AddPermissionInput struct {
+	Name             string   `json:"name"`
+	Description      *string  `json:"description,omitempty"`
+	ResourceID       string   `json:"resource_id"`
+	ScopeIds         []string `json:"scope_ids"`
+	PolicyIds        []string `json:"policy_ids"`
+	DecisionStrategy *string  `json:"decision_strategy,omitempty"`
+}
+
+type AddPolicyInput struct {
+	Name             string               `json:"name"`
+	Description      *string              `json:"description,omitempty"`
+	Type             string               `json:"type"`
+	Logic            *string              `json:"logic,omitempty"`
+	DecisionStrategy *string              `json:"decision_strategy,omitempty"`
+	Targets          []*PolicyTargetInput `json:"targets"`
+}
+
+type AddResourceInput struct {
+	Name        string  `json:"name"`
+	Description *string `json:"description,omitempty"`
+}
+
+type AddScopeInput struct {
+	Name        string  `json:"name"`
+	Description *string `json:"description,omitempty"`
+}
+
 type AddWebhookRequest struct {
 	EventName        string         `json:"event_name"`
 	EventDescription *string        `json:"event_description,omitempty"`
@@ -59,6 +87,87 @@ type AuthResponse struct {
 	AuthenticatorRecoveryCodes []*string `json:"authenticator_recovery_codes,omitempty"`
 }
 
+type AuthzPermission struct {
+	ID               string         `json:"id"`
+	Name             string         `json:"name"`
+	Description      *string        `json:"description,omitempty"`
+	Resource         *AuthzResource `json:"resource"`
+	Scopes           []*AuthzScope  `json:"scopes"`
+	Policies         []*AuthzPolicy `json:"policies"`
+	DecisionStrategy string         `json:"decision_strategy"`
+	CreatedAt        int64          `json:"created_at"`
+	UpdatedAt        int64          `json:"updated_at"`
+}
+
+type AuthzPermissions struct {
+	Pagination  *Pagination        `json:"pagination"`
+	Permissions []*AuthzPermission `json:"permissions"`
+}
+
+type AuthzPolicies struct {
+	Pagination *Pagination    `json:"pagination"`
+	Policies   []*AuthzPolicy `json:"policies"`
+}
+
+type AuthzPolicy struct {
+	ID               string               `json:"id"`
+	Name             string               `json:"name"`
+	Description      *string              `json:"description,omitempty"`
+	Type             string               `json:"type"`
+	Logic            string               `json:"logic"`
+	DecisionStrategy string               `json:"decision_strategy"`
+	Targets          []*AuthzPolicyTarget `json:"targets"`
+	CreatedAt        int64                `json:"created_at"`
+	UpdatedAt        int64                `json:"updated_at"`
+}
+
+type AuthzPolicyTarget struct {
+	ID          string `json:"id"`
+	TargetType  string `json:"target_type"`
+	TargetValue string `json:"target_value"`
+}
+
+type AuthzResource struct {
+	ID          string  `json:"id"`
+	Name        string  `json:"name"`
+	Description *string `json:"description,omitempty"`
+	CreatedAt   int64   `json:"created_at"`
+	UpdatedAt   int64   `json:"updated_at"`
+}
+
+type AuthzResourceScope struct {
+	Resource string `json:"resource"`
+	Scope    string `json:"scope"`
+}
+
+type AuthzResources struct {
+	Pagination *Pagination      `json:"pagination"`
+	Resources  []*AuthzResource `json:"resources"`
+}
+
+type AuthzScope struct {
+	ID          string  `json:"id"`
+	Name        string  `json:"name"`
+	Description *string `json:"description,omitempty"`
+	CreatedAt   int64   `json:"created_at"`
+	UpdatedAt   int64   `json:"updated_at"`
+}
+
+type AuthzScopes struct {
+	Pagination *Pagination   `json:"pagination"`
+	Scopes     []*AuthzScope `json:"scopes"`
+}
+
+type CheckPermissionInput struct {
+	Resource string `json:"resource"`
+	Scope    string `json:"scope"`
+}
+
+type CheckPermissionResponse struct {
+	Allowed       bool    `json:"allowed"`
+	MatchedPolicy *string `json:"matched_policy,omitempty"`
+}
+
 type DeleteEmailTemplateRequest struct {
 	ID string `json:"id"`
 }
@@ -304,6 +413,11 @@ type PaginationRequest struct {
 	Page  *int64 `json:"page,omitempty"`
 }
 
+type PolicyTargetInput struct {
+	TargetType  string `json:"target_type"`
+	TargetValue string `json:"target_value"`
+}
+
 type Query struct {
 }
 
@@ -446,6 +560,24 @@ type UpdateEnvRequest struct {
 	DisableTotpLogin                 *bool    `json:"DISABLE_TOTP_LOGIN,omitempty"`
 }
 
+type UpdatePermissionInput struct {
+	ID               string   `json:"id"`
+	Name             *string  `json:"name,omitempty"`
+	Description      *string  `json:"description,omitempty"`
+	ScopeIds         []string `json:"scope_ids,omitempty"`
+	PolicyIds        []string `json:"policy_ids,omitempty"`
+	DecisionStrategy *string  `json:"decision_strategy,omitempty"`
+}
+
+type UpdatePolicyInput struct {
+	ID               string               `json:"id"`
+	Name             *string              `json:"name,omitempty"`
+	Description      *string              `json:"description,omitempty"`
+	Logic            *string              `json:"logic,omitempty"`
+	DecisionStrategy *string              `json:"decision_strategy,omitempty"`
+	Targets          []*PolicyTargetInput `json:"targets,omitempty"`
+}
+
 type UpdateProfileRequest struct {
 	OldPassword              *string        `json:"old_password,omitempty"`
 	NewPassword              *string        `json:"new_password,omitempty"`
@@ -463,6 +595,18 @@ type UpdateProfileRequest struct {
 	AppData                  map[string]any `json:"app_data,omitempty"`
 }
 
+type UpdateResourceInput struct {
+	ID          string  `json:"id"`
+	Name        *string `json:"name,omitempty"`
+	Description *string `json:"description,omitempty"`
+}
+
+type UpdateScopeInput struct {
+	ID          string  `json:"id"`
+	Name        *string `json:"name,omitempty"`
+	Description *string `json:"description,omitempty"`
+}
+
 type UpdateUserRequest struct {
 	ID                       string         `json:"id"`
 	Email                    *string        `json:"email,omitempty"`
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 44e232d1..1e2253cc 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -641,6 +641,150 @@ input GetUserRequest {
   email: String
 }
 
+type AuthzResource {
+  id: ID!
+  name: String!
+  description: String
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzResources {
+  pagination: Pagination!
+  resources: [AuthzResource!]!
+}
+
+type AuthzScope {
+  id: ID!
+  name: String!
+  description: String
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzScopes {
+  pagination: Pagination!
+  scopes: [AuthzScope!]!
+}
+
+type AuthzPolicyTarget {
+  id: ID!
+  target_type: String!
+  target_value: String!
+}
+
+type AuthzPolicy {
+  id: ID!
+  name: String!
+  description: String
+  type: String!
+  logic: String!
+  decision_strategy: String!
+  targets: [AuthzPolicyTarget!]!
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzPolicies {
+  pagination: Pagination!
+  policies: [AuthzPolicy!]!
+}
+
+type AuthzPermission {
+  id: ID!
+  name: String!
+  description: String
+  resource: AuthzResource!
+  scopes: [AuthzScope!]!
+  policies: [AuthzPolicy!]!
+  decision_strategy: String!
+  created_at: Int64!
+  updated_at: Int64!
+}
+
+type AuthzPermissions {
+  pagination: Pagination!
+  permissions: [AuthzPermission!]!
+}
+
+type CheckPermissionResponse {
+  allowed: Boolean!
+  matched_policy: String
+}
+
+type AuthzResourceScope {
+  resource: String!
+  scope: String!
+}
+
+input AddResourceInput {
+  name: String!
+  description: String
+}
+
+input UpdateResourceInput {
+  id: ID!
+  name: String
+  description: String
+}
+
+input AddScopeInput {
+  name: String!
+  description: String
+}
+
+input UpdateScopeInput {
+  id: ID!
+  name: String
+  description: String
+}
+
+input PolicyTargetInput {
+  target_type: String!
+  target_value: String!
+}
+
+input AddPolicyInput {
+  name: String!
+  description: String
+  type: String!
+  logic: String
+  decision_strategy: String
+  targets: [PolicyTargetInput!]!
+}
+
+input UpdatePolicyInput {
+  id: ID!
+  name: String
+  description: String
+  logic: String
+  decision_strategy: String
+  targets: [PolicyTargetInput!]
+}
+
+input AddPermissionInput {
+  name: String!
+  description: String
+  resource_id: ID!
+  scope_ids: [ID!]!
+  policy_ids: [ID!]!
+  decision_strategy: String
+}
+
+input UpdatePermissionInput {
+  id: ID!
+  name: String
+  description: String
+  scope_ids: [ID!]
+  policy_ids: [ID!]
+  decision_strategy: String
+}
+
+input CheckPermissionInput {
+  resource: String!
+  scope: String!
+}
+
 type Mutation {
   signup(params: SignUpRequest!): AuthResponse!
   # Deprecated from v1.2.0
@@ -680,6 +824,22 @@ type Mutation {
   _add_email_template(params: AddEmailTemplateRequest!): Response!
   _update_email_template(params: UpdateEmailTemplateRequest!): Response!
   _delete_email_template(params: DeleteEmailTemplateRequest!): Response!
+  # Authorization: Resources
+  _add_resource(params: AddResourceInput!): AuthzResource!
+  _update_resource(params: UpdateResourceInput!): AuthzResource!
+  _delete_resource(id: ID!): Response!
+  # Authorization: Scopes
+  _add_scope(params: AddScopeInput!): AuthzScope!
+  _update_scope(params: UpdateScopeInput!): AuthzScope!
+  _delete_scope(id: ID!): Response!
+  # Authorization: Policies
+  _add_policy(params: AddPolicyInput!): AuthzPolicy!
+  _update_policy(params: UpdatePolicyInput!): AuthzPolicy!
+  _delete_policy(id: ID!): Response!
+  # Authorization: Permissions
+  _add_permission(params: AddPermissionInput!): AuthzPermission!
+  _update_permission(params: UpdatePermissionInput!): AuthzPermission!
+  _delete_permission(id: ID!): Response!
 }
 
 type Query {
@@ -700,4 +860,12 @@ type Query {
   _webhook_logs(params: ListWebhookLogRequest): WebhookLogs!
   _email_templates(params: PaginatedRequest): EmailTemplates!
   _audit_logs(params: ListAuditLogRequest): AuditLogs!
+  # Authorization: Admin queries
+  _resources(params: PaginatedRequest): AuthzResources!
+  _scopes(params: PaginatedRequest): AuthzScopes!
+  _policies(params: PaginatedRequest): AuthzPolicies!
+  _permissions(params: PaginatedRequest): AuthzPermissions!
+  # Authorization: User-facing queries
+  check_permission(params: CheckPermissionInput!): CheckPermissionResponse!
+  my_permissions: [AuthzResourceScope!]!
 }
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index f931d469..c5f4b913 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -172,6 +172,66 @@ func (r *mutationResolver) DeleteEmailTemplate(ctx context.Context, params model
 	return r.GraphQLProvider.DeleteEmailTemplate(ctx, &params)
 }
 
+// AddResource is the resolver for the _add_resource field.
+func (r *mutationResolver) AddResource(ctx context.Context, params model.AddResourceInput) (*model.AuthzResource, error) {
+	return nil, fmt.Errorf("not implemented: AddResource")
+}
+
+// UpdateResource is the resolver for the _update_resource field.
+func (r *mutationResolver) UpdateResource(ctx context.Context, params model.UpdateResourceInput) (*model.AuthzResource, error) {
+	return nil, fmt.Errorf("not implemented: UpdateResource")
+}
+
+// DeleteResource is the resolver for the _delete_resource field.
+func (r *mutationResolver) DeleteResource(ctx context.Context, id string) (*model.Response, error) {
+	return nil, fmt.Errorf("not implemented: DeleteResource")
+}
+
+// AddScope is the resolver for the _add_scope field.
+func (r *mutationResolver) AddScope(ctx context.Context, params model.AddScopeInput) (*model.AuthzScope, error) {
+	return nil, fmt.Errorf("not implemented: AddScope")
+}
+
+// UpdateScope is the resolver for the _update_scope field.
+func (r *mutationResolver) UpdateScope(ctx context.Context, params model.UpdateScopeInput) (*model.AuthzScope, error) {
+	return nil, fmt.Errorf("not implemented: UpdateScope")
+}
+
+// DeleteScope is the resolver for the _delete_scope field.
+func (r *mutationResolver) DeleteScope(ctx context.Context, id string) (*model.Response, error) {
+	return nil, fmt.Errorf("not implemented: DeleteScope")
+}
+
+// AddPolicy is the resolver for the _add_policy field.
+func (r *mutationResolver) AddPolicy(ctx context.Context, params model.AddPolicyInput) (*model.AuthzPolicy, error) {
+	return nil, fmt.Errorf("not implemented: AddPolicy")
+}
+
+// UpdatePolicy is the resolver for the _update_policy field.
+func (r *mutationResolver) UpdatePolicy(ctx context.Context, params model.UpdatePolicyInput) (*model.AuthzPolicy, error) {
+	return nil, fmt.Errorf("not implemented: UpdatePolicy")
+}
+
+// DeletePolicy is the resolver for the _delete_policy field.
+func (r *mutationResolver) DeletePolicy(ctx context.Context, id string) (*model.Response, error) {
+	return nil, fmt.Errorf("not implemented: DeletePolicy")
+}
+
+// AddPermission is the resolver for the _add_permission field.
+func (r *mutationResolver) AddPermission(ctx context.Context, params model.AddPermissionInput) (*model.AuthzPermission, error) {
+	return nil, fmt.Errorf("not implemented: AddPermission")
+}
+
+// UpdatePermission is the resolver for the _update_permission field.
+func (r *mutationResolver) UpdatePermission(ctx context.Context, params model.UpdatePermissionInput) (*model.AuthzPermission, error) {
+	return nil, fmt.Errorf("not implemented: UpdatePermission")
+}
+
+// DeletePermission is the resolver for the _delete_permission field.
+func (r *mutationResolver) DeletePermission(ctx context.Context, id string) (*model.Response, error) {
+	return nil, fmt.Errorf("not implemented: DeletePermission")
+}
+
 // Meta is the resolver for the meta field.
 func (r *queryResolver) Meta(ctx context.Context) (*model.Meta, error) {
 	return r.GraphQLProvider.Meta(ctx)
@@ -247,6 +307,36 @@ func (r *queryResolver) AuditLogs(ctx context.Context, params *model.ListAuditLo
 	return r.GraphQLProvider.AuditLogs(ctx, params)
 }
 
+// Resources is the resolver for the _resources field.
+func (r *queryResolver) Resources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error) {
+	return nil, fmt.Errorf("not implemented: Resources")
+}
+
+// Scopes is the resolver for the _scopes field.
+func (r *queryResolver) Scopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error) {
+	return nil, fmt.Errorf("not implemented: Scopes")
+}
+
+// Policies is the resolver for the _policies field.
+func (r *queryResolver) Policies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error) {
+	return nil, fmt.Errorf("not implemented: Policies")
+}
+
+// Permissions is the resolver for the _permissions field.
+func (r *queryResolver) Permissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error) {
+	return nil, fmt.Errorf("not implemented: Permissions")
+}
+
+// CheckPermission is the resolver for the check_permission field.
+func (r *queryResolver) CheckPermission(ctx context.Context, params model.CheckPermissionInput) (*model.CheckPermissionResponse, error) {
+	return nil, fmt.Errorf("not implemented: CheckPermission")
+}
+
+// MyPermissions is the resolver for the my_permissions field.
+func (r *queryResolver) MyPermissions(ctx context.Context) ([]*model.AuthzResourceScope, error) {
+	return nil, fmt.Errorf("not implemented: MyPermissions")
+}
+
 // Mutation returns generated.MutationResolver implementation.
 func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResolver{r} }
 

From e2ea24579a8ba9abf3d53036b36315592c884eb0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 11:02:24 +0530
Subject: [PATCH 10/26] feat(authz): implement authorization GraphQL handlers

Add 18 GraphQL handler methods: CRUD for resources, scopes, policies,
permissions, plus check_permission and my_permissions user-facing queries.
Add AsAPI conversion methods to all authorization schemas.
Wire resolvers to graphql Provider interface.
---
 internal/graph/schema.resolvers.go     |  36 ++++----
 internal/graphql/add_permission.go     | 119 +++++++++++++++++++++++++
 internal/graphql/add_policy.go         |  82 +++++++++++++++++
 internal/graphql/add_resource.go       |  49 ++++++++++
 internal/graphql/add_scope.go          |  49 ++++++++++
 internal/graphql/check_permission.go   |  60 +++++++++++++
 internal/graphql/delete_permission.go  |  54 +++++++++++
 internal/graphql/delete_policy.go      |  48 ++++++++++
 internal/graphql/delete_resource.go    |  41 +++++++++
 internal/graphql/delete_scope.go       |  41 +++++++++
 internal/graphql/my_permissions.go     |  61 +++++++++++++
 internal/graphql/permissions.go        |  97 ++++++++++++++++++++
 internal/graphql/policies.go           |  46 ++++++++++
 internal/graphql/provider.go           |  61 +++++++++++++
 internal/graphql/resources.go          |  41 +++++++++
 internal/graphql/scopes.go             |  41 +++++++++
 internal/graphql/update_permission.go  | 117 ++++++++++++++++++++++++
 internal/graphql/update_policy.go      |  91 +++++++++++++++++++
 internal/graphql/update_resource.go    |  56 ++++++++++++
 internal/graphql/update_scope.go       |  56 ++++++++++++
 internal/storage/schemas/permission.go |  18 ++++
 internal/storage/schemas/policy.go     |  25 ++++++
 internal/storage/schemas/resource.go   |  13 +++
 internal/storage/schemas/scope.go      |  13 +++
 24 files changed, 1297 insertions(+), 18 deletions(-)
 create mode 100644 internal/graphql/add_permission.go
 create mode 100644 internal/graphql/add_policy.go
 create mode 100644 internal/graphql/add_resource.go
 create mode 100644 internal/graphql/add_scope.go
 create mode 100644 internal/graphql/check_permission.go
 create mode 100644 internal/graphql/delete_permission.go
 create mode 100644 internal/graphql/delete_policy.go
 create mode 100644 internal/graphql/delete_resource.go
 create mode 100644 internal/graphql/delete_scope.go
 create mode 100644 internal/graphql/my_permissions.go
 create mode 100644 internal/graphql/permissions.go
 create mode 100644 internal/graphql/policies.go
 create mode 100644 internal/graphql/resources.go
 create mode 100644 internal/graphql/scopes.go
 create mode 100644 internal/graphql/update_permission.go
 create mode 100644 internal/graphql/update_policy.go
 create mode 100644 internal/graphql/update_resource.go
 create mode 100644 internal/graphql/update_scope.go

diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index c5f4b913..5b117953 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -174,62 +174,62 @@ func (r *mutationResolver) DeleteEmailTemplate(ctx context.Context, params model
 
 // AddResource is the resolver for the _add_resource field.
 func (r *mutationResolver) AddResource(ctx context.Context, params model.AddResourceInput) (*model.AuthzResource, error) {
-	return nil, fmt.Errorf("not implemented: AddResource")
+	return r.GraphQLProvider.AddResource(ctx, &params)
 }
 
 // UpdateResource is the resolver for the _update_resource field.
 func (r *mutationResolver) UpdateResource(ctx context.Context, params model.UpdateResourceInput) (*model.AuthzResource, error) {
-	return nil, fmt.Errorf("not implemented: UpdateResource")
+	return r.GraphQLProvider.UpdateResource(ctx, &params)
 }
 
 // DeleteResource is the resolver for the _delete_resource field.
 func (r *mutationResolver) DeleteResource(ctx context.Context, id string) (*model.Response, error) {
-	return nil, fmt.Errorf("not implemented: DeleteResource")
+	return r.GraphQLProvider.DeleteResource(ctx, id)
 }
 
 // AddScope is the resolver for the _add_scope field.
 func (r *mutationResolver) AddScope(ctx context.Context, params model.AddScopeInput) (*model.AuthzScope, error) {
-	return nil, fmt.Errorf("not implemented: AddScope")
+	return r.GraphQLProvider.AddScope(ctx, &params)
 }
 
 // UpdateScope is the resolver for the _update_scope field.
 func (r *mutationResolver) UpdateScope(ctx context.Context, params model.UpdateScopeInput) (*model.AuthzScope, error) {
-	return nil, fmt.Errorf("not implemented: UpdateScope")
+	return r.GraphQLProvider.UpdateScope(ctx, &params)
 }
 
 // DeleteScope is the resolver for the _delete_scope field.
 func (r *mutationResolver) DeleteScope(ctx context.Context, id string) (*model.Response, error) {
-	return nil, fmt.Errorf("not implemented: DeleteScope")
+	return r.GraphQLProvider.DeleteScope(ctx, id)
 }
 
 // AddPolicy is the resolver for the _add_policy field.
 func (r *mutationResolver) AddPolicy(ctx context.Context, params model.AddPolicyInput) (*model.AuthzPolicy, error) {
-	return nil, fmt.Errorf("not implemented: AddPolicy")
+	return r.GraphQLProvider.AddPolicy(ctx, &params)
 }
 
 // UpdatePolicy is the resolver for the _update_policy field.
 func (r *mutationResolver) UpdatePolicy(ctx context.Context, params model.UpdatePolicyInput) (*model.AuthzPolicy, error) {
-	return nil, fmt.Errorf("not implemented: UpdatePolicy")
+	return r.GraphQLProvider.UpdatePolicy(ctx, &params)
 }
 
 // DeletePolicy is the resolver for the _delete_policy field.
 func (r *mutationResolver) DeletePolicy(ctx context.Context, id string) (*model.Response, error) {
-	return nil, fmt.Errorf("not implemented: DeletePolicy")
+	return r.GraphQLProvider.DeletePolicy(ctx, id)
 }
 
 // AddPermission is the resolver for the _add_permission field.
 func (r *mutationResolver) AddPermission(ctx context.Context, params model.AddPermissionInput) (*model.AuthzPermission, error) {
-	return nil, fmt.Errorf("not implemented: AddPermission")
+	return r.GraphQLProvider.AddPermission(ctx, &params)
 }
 
 // UpdatePermission is the resolver for the _update_permission field.
 func (r *mutationResolver) UpdatePermission(ctx context.Context, params model.UpdatePermissionInput) (*model.AuthzPermission, error) {
-	return nil, fmt.Errorf("not implemented: UpdatePermission")
+	return r.GraphQLProvider.UpdatePermission(ctx, &params)
 }
 
 // DeletePermission is the resolver for the _delete_permission field.
 func (r *mutationResolver) DeletePermission(ctx context.Context, id string) (*model.Response, error) {
-	return nil, fmt.Errorf("not implemented: DeletePermission")
+	return r.GraphQLProvider.DeletePermission(ctx, id)
 }
 
 // Meta is the resolver for the meta field.
@@ -309,32 +309,32 @@ func (r *queryResolver) AuditLogs(ctx context.Context, params *model.ListAuditLo
 
 // Resources is the resolver for the _resources field.
 func (r *queryResolver) Resources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error) {
-	return nil, fmt.Errorf("not implemented: Resources")
+	return r.GraphQLProvider.Resources(ctx, params)
 }
 
 // Scopes is the resolver for the _scopes field.
 func (r *queryResolver) Scopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error) {
-	return nil, fmt.Errorf("not implemented: Scopes")
+	return r.GraphQLProvider.Scopes(ctx, params)
 }
 
 // Policies is the resolver for the _policies field.
 func (r *queryResolver) Policies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error) {
-	return nil, fmt.Errorf("not implemented: Policies")
+	return r.GraphQLProvider.Policies(ctx, params)
 }
 
 // Permissions is the resolver for the _permissions field.
 func (r *queryResolver) Permissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error) {
-	return nil, fmt.Errorf("not implemented: Permissions")
+	return r.GraphQLProvider.Permissions(ctx, params)
 }
 
 // CheckPermission is the resolver for the check_permission field.
 func (r *queryResolver) CheckPermission(ctx context.Context, params model.CheckPermissionInput) (*model.CheckPermissionResponse, error) {
-	return nil, fmt.Errorf("not implemented: CheckPermission")
+	return r.GraphQLProvider.CheckPermission(ctx, &params)
 }
 
 // MyPermissions is the resolver for the my_permissions field.
 func (r *queryResolver) MyPermissions(ctx context.Context) ([]*model.AuthzResourceScope, error) {
-	return nil, fmt.Errorf("not implemented: MyPermissions")
+	return r.GraphQLProvider.MyPermissions(ctx)
 }
 
 // Mutation returns generated.MutationResolver implementation.
diff --git a/internal/graphql/add_permission.go b/internal/graphql/add_permission.go
new file mode 100644
index 00000000..71de28fe
--- /dev/null
+++ b/internal/graphql/add_permission.go
@@ -0,0 +1,119 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// AddPermission is the method to create a new authorization permission
+// binding a resource to scopes and policies.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPermissionInput) (*model.AuthzPermission, error) {
+	log := g.Log.With().Str("func", "AddPermission").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	name := strings.TrimSpace(params.Name)
+	if name == "" {
+		return nil, fmt.Errorf("permission name is required")
+	}
+
+	if strings.TrimSpace(params.ResourceID) == "" {
+		return nil, fmt.Errorf("resource_id is required")
+	}
+
+	if len(params.ScopeIds) == 0 {
+		return nil, fmt.Errorf("at least one scope_id is required")
+	}
+
+	if len(params.PolicyIds) == 0 {
+		return nil, fmt.Errorf("at least one policy_id is required")
+	}
+
+	description := ""
+	if params.Description != nil {
+		description = *params.Description
+	}
+
+	decisionStrategy := "affirmative"
+	if params.DecisionStrategy != nil {
+		decisionStrategy = *params.DecisionStrategy
+	}
+
+	// Verify resource exists
+	resource, err := g.StorageProvider.GetResourceByID(ctx, params.ResourceID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get resource by ID")
+		return nil, fmt.Errorf("resource not found: %s", params.ResourceID)
+	}
+
+	permission, err := g.StorageProvider.AddPermission(ctx, &schemas.Permission{
+		Name:             name,
+		Description:      description,
+		ResourceID:       params.ResourceID,
+		DecisionStrategy: decisionStrategy,
+	})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to add permission")
+		return nil, err
+	}
+
+	// Add permission scopes
+	apiScopes := make([]*model.AuthzScope, 0, len(params.ScopeIds))
+	for _, scopeID := range params.ScopeIds {
+		_, err := g.StorageProvider.AddPermissionScope(ctx, &schemas.PermissionScope{
+			PermissionID: permission.ID,
+			ScopeID:      scopeID,
+		})
+		if err != nil {
+			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to add permission scope")
+			return nil, err
+		}
+		scope, err := g.StorageProvider.GetScopeByID(ctx, scopeID)
+		if err != nil {
+			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to get scope by ID")
+			return nil, err
+		}
+		apiScopes = append(apiScopes, scope.AsAPIScope())
+	}
+
+	// Add permission policies
+	apiPolicies := make([]*model.AuthzPolicy, 0, len(params.PolicyIds))
+	for _, policyID := range params.PolicyIds {
+		_, err := g.StorageProvider.AddPermissionPolicy(ctx, &schemas.PermissionPolicy{
+			PermissionID: permission.ID,
+			PolicyID:     policyID,
+		})
+		if err != nil {
+			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to add permission policy")
+			return nil, err
+		}
+		policy, err := g.StorageProvider.GetPolicyByID(ctx, policyID)
+		if err != nil {
+			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy by ID")
+			return nil, err
+		}
+		targets, err := g.StorageProvider.GetPolicyTargets(ctx, policyID)
+		if err != nil {
+			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy targets")
+			return nil, err
+		}
+		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
+}
diff --git a/internal/graphql/add_policy.go b/internal/graphql/add_policy.go
new file mode 100644
index 00000000..9cb60e81
--- /dev/null
+++ b/internal/graphql/add_policy.go
@@ -0,0 +1,82 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// AddPolicy is the method to create a new authorization policy with targets.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicyInput) (*model.AuthzPolicy, error) {
+	log := g.Log.With().Str("func", "AddPolicy").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	name := strings.TrimSpace(params.Name)
+	if name == "" {
+		return nil, fmt.Errorf("policy name is required")
+	}
+
+	policyType := strings.TrimSpace(params.Type)
+	if policyType == "" {
+		return nil, fmt.Errorf("policy type is required")
+	}
+
+	description := ""
+	if params.Description != nil {
+		description = *params.Description
+	}
+
+	logic := "positive"
+	if params.Logic != nil {
+		logic = *params.Logic
+	}
+
+	decisionStrategy := "affirmative"
+	if params.DecisionStrategy != nil {
+		decisionStrategy = *params.DecisionStrategy
+	}
+
+	policy, err := g.StorageProvider.AddPolicy(ctx, &schemas.Policy{
+		Name:             name,
+		Description:      description,
+		Type:             policyType,
+		Logic:            logic,
+		DecisionStrategy: decisionStrategy,
+	})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to add policy")
+		return nil, err
+	}
+
+	// Create policy targets
+	var targets []*schemas.PolicyTarget
+	for _, t := range params.Targets {
+		target, err := g.StorageProvider.AddPolicyTarget(ctx, &schemas.PolicyTarget{
+			PolicyID:    policy.ID,
+			TargetType:  t.TargetType,
+			TargetValue: t.TargetValue,
+		})
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to add policy target")
+			return nil, err
+		}
+		targets = append(targets, target)
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return policy.AsAPIPolicy(targets), nil
+}
diff --git a/internal/graphql/add_resource.go b/internal/graphql/add_resource.go
new file mode 100644
index 00000000..e76526b7
--- /dev/null
+++ b/internal/graphql/add_resource.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// AddResource is the method to create a new authorization resource.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) AddResource(ctx context.Context, params *model.AddResourceInput) (*model.AuthzResource, error) {
+	log := g.Log.With().Str("func", "AddResource").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	name := strings.TrimSpace(params.Name)
+	if name == "" {
+		return nil, fmt.Errorf("resource name is required")
+	}
+
+	description := ""
+	if params.Description != nil {
+		description = *params.Description
+	}
+
+	resource, err := g.StorageProvider.AddResource(ctx, &schemas.Resource{
+		Name:        name,
+		Description: description,
+	})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to add resource")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return resource.AsAPIResource(), nil
+}
diff --git a/internal/graphql/add_scope.go b/internal/graphql/add_scope.go
new file mode 100644
index 00000000..f8bca98c
--- /dev/null
+++ b/internal/graphql/add_scope.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// AddScope is the method to create a new authorization scope.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) AddScope(ctx context.Context, params *model.AddScopeInput) (*model.AuthzScope, error) {
+	log := g.Log.With().Str("func", "AddScope").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	name := strings.TrimSpace(params.Name)
+	if name == "" {
+		return nil, fmt.Errorf("scope name is required")
+	}
+
+	description := ""
+	if params.Description != nil {
+		description = *params.Description
+	}
+
+	scope, err := g.StorageProvider.AddScope(ctx, &schemas.Scope{
+		Name:        name,
+		Description: description,
+	})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to add scope")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return scope.AsAPIScope(), nil
+}
diff --git a/internal/graphql/check_permission.go b/internal/graphql/check_permission.go
new file mode 100644
index 00000000..0307939b
--- /dev/null
+++ b/internal/graphql/check_permission.go
@@ -0,0 +1,60 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// CheckPermission is the method to check if the authenticated user has a specific permission.
+// Permissions: authorized user
+func (g *graphqlProvider) CheckPermission(ctx context.Context, params *model.CheckPermissionInput) (*model.CheckPermissionResponse, error) {
+	log := g.Log.With().Str("func", "CheckPermission").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+
+	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get user from token")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	user, err := g.StorageProvider.GetUserByID(ctx, tokenData.UserID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get user by ID")
+		return nil, err
+	}
+
+	var roles []string
+	if user.Roles != "" {
+		roles = strings.Split(user.Roles, ",")
+	}
+
+	principal := &authorization.Principal{
+		ID:    user.ID,
+		Type:  "user",
+		Roles: roles,
+	}
+
+	result, err := g.AuthorizationProvider.CheckPermission(ctx, principal, params.Resource, params.Scope)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to check permission")
+		return nil, err
+	}
+
+	resp := &model.CheckPermissionResponse{
+		Allowed: result.Allowed,
+	}
+	if result.MatchedPolicy != "" {
+		resp.MatchedPolicy = &result.MatchedPolicy
+	}
+
+	return resp, nil
+}
diff --git a/internal/graphql/delete_permission.go b/internal/graphql/delete_permission.go
new file mode 100644
index 00000000..d6548aa5
--- /dev/null
+++ b/internal/graphql/delete_permission.go
@@ -0,0 +1,54 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// DeletePermission is the method to delete an authorization permission.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) DeletePermission(ctx context.Context, id string) (*model.Response, error) {
+	log := g.Log.With().Str("func", "DeletePermission").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(id) == "" {
+		return nil, fmt.Errorf("permission ID is required")
+	}
+
+	// Clean up join tables first
+	err = g.StorageProvider.DeletePermissionScopesByPermissionID(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete permission scopes")
+		return nil, err
+	}
+
+	err = g.StorageProvider.DeletePermissionPoliciesByPermissionID(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete permission policies")
+		return nil, err
+	}
+
+	err = g.StorageProvider.DeletePermission(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete permission")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return &model.Response{
+		Message: "Permission deleted successfully",
+	}, nil
+}
diff --git a/internal/graphql/delete_policy.go b/internal/graphql/delete_policy.go
new file mode 100644
index 00000000..ccd46df0
--- /dev/null
+++ b/internal/graphql/delete_policy.go
@@ -0,0 +1,48 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// DeletePolicy is the method to delete an authorization policy.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) DeletePolicy(ctx context.Context, id string) (*model.Response, error) {
+	log := g.Log.With().Str("func", "DeletePolicy").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(id) == "" {
+		return nil, fmt.Errorf("policy ID is required")
+	}
+
+	// Delete targets first
+	err = g.StorageProvider.DeletePolicyTargetsByPolicyID(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete policy targets")
+		return nil, err
+	}
+
+	err = g.StorageProvider.DeletePolicy(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete policy")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return &model.Response{
+		Message: "Policy deleted successfully",
+	}, nil
+}
diff --git a/internal/graphql/delete_resource.go b/internal/graphql/delete_resource.go
new file mode 100644
index 00000000..b982d0a7
--- /dev/null
+++ b/internal/graphql/delete_resource.go
@@ -0,0 +1,41 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// DeleteResource is the method to delete an authorization resource.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) DeleteResource(ctx context.Context, id string) (*model.Response, error) {
+	log := g.Log.With().Str("func", "DeleteResource").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(id) == "" {
+		return nil, fmt.Errorf("resource ID is required")
+	}
+
+	err = g.StorageProvider.DeleteResource(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete resource")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return &model.Response{
+		Message: "Resource deleted successfully",
+	}, nil
+}
diff --git a/internal/graphql/delete_scope.go b/internal/graphql/delete_scope.go
new file mode 100644
index 00000000..0d224d03
--- /dev/null
+++ b/internal/graphql/delete_scope.go
@@ -0,0 +1,41 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// DeleteScope is the method to delete an authorization scope.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) DeleteScope(ctx context.Context, id string) (*model.Response, error) {
+	log := g.Log.With().Str("func", "DeleteScope").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(id) == "" {
+		return nil, fmt.Errorf("scope ID is required")
+	}
+
+	err = g.StorageProvider.DeleteScope(ctx, id)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to delete scope")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return &model.Response{
+		Message: "Scope deleted successfully",
+	}, nil
+}
diff --git a/internal/graphql/my_permissions.go b/internal/graphql/my_permissions.go
new file mode 100644
index 00000000..23684193
--- /dev/null
+++ b/internal/graphql/my_permissions.go
@@ -0,0 +1,61 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// MyPermissions is the method to get all permissions for the authenticated user.
+// Permissions: authorized user
+func (g *graphqlProvider) MyPermissions(ctx context.Context) ([]*model.AuthzResourceScope, error) {
+	log := g.Log.With().Str("func", "MyPermissions").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+
+	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get user from token")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	user, err := g.StorageProvider.GetUserByID(ctx, tokenData.UserID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get user by ID")
+		return nil, err
+	}
+
+	var roles []string
+	if user.Roles != "" {
+		roles = strings.Split(user.Roles, ",")
+	}
+
+	principal := &authorization.Principal{
+		ID:    user.ID,
+		Type:  "user",
+		Roles: roles,
+	}
+
+	resourceScopes, err := g.AuthorizationProvider.GetPrincipalPermissions(ctx, principal)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get principal permissions")
+		return nil, err
+	}
+
+	res := make([]*model.AuthzResourceScope, len(resourceScopes))
+	for i, rs := range resourceScopes {
+		res[i] = &model.AuthzResourceScope{
+			Resource: rs.Resource,
+			Scope:    rs.Scope,
+		}
+	}
+
+	return res, nil
+}
diff --git a/internal/graphql/permissions.go b/internal/graphql/permissions.go
new file mode 100644
index 00000000..d52df923
--- /dev/null
+++ b/internal/graphql/permissions.go
@@ -0,0 +1,97 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// Permissions is the method to list authorization permissions with pagination.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) Permissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error) {
+	log := g.Log.With().Str("func", "Permissions").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	pagination := utils.GetPagination(params)
+	permissions, pagination, err := g.StorageProvider.ListPermissions(ctx, pagination)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list permissions")
+		return nil, err
+	}
+
+	res := make([]*model.AuthzPermission, len(permissions))
+	for i, p := range permissions {
+		resource, err := g.StorageProvider.GetResourceByID(ctx, p.ResourceID)
+		if err != nil {
+			log.Debug().Err(err).Str("resource_id", p.ResourceID).Msg("Failed to get resource")
+			return nil, err
+		}
+
+		apiScopes, err := g.resolvePermissionScopes(ctx, p.ID)
+		if err != nil {
+			log.Debug().Err(err).Str("permission_id", p.ID).Msg("Failed to resolve permission scopes")
+			return nil, err
+		}
+
+		apiPolicies, err := g.resolvePermissionPolicies(ctx, p.ID)
+		if err != nil {
+			log.Debug().Err(err).Str("permission_id", p.ID).Msg("Failed to resolve permission policies")
+			return nil, err
+		}
+
+		res[i] = p.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies)
+	}
+
+	return &model.AuthzPermissions{
+		Pagination:  pagination,
+		Permissions: res,
+	}, nil
+}
+
+// resolvePermissionScopes resolves the scopes for a permission.
+func (g *graphqlProvider) resolvePermissionScopes(ctx context.Context, permissionID string) ([]*model.AuthzScope, error) {
+	permissionScopes, err := g.StorageProvider.GetPermissionScopes(ctx, permissionID)
+	if err != nil {
+		return nil, err
+	}
+	apiScopes := make([]*model.AuthzScope, 0, len(permissionScopes))
+	for _, ps := range permissionScopes {
+		scope, err := g.StorageProvider.GetScopeByID(ctx, ps.ScopeID)
+		if err != nil {
+			return nil, err
+		}
+		apiScopes = append(apiScopes, scope.AsAPIScope())
+	}
+	return apiScopes, nil
+}
+
+// resolvePermissionPolicies resolves the policies with their targets for a permission.
+func (g *graphqlProvider) resolvePermissionPolicies(ctx context.Context, permissionID string) ([]*model.AuthzPolicy, error) {
+	permissionPolicies, err := g.StorageProvider.GetPermissionPolicies(ctx, permissionID)
+	if err != nil {
+		return nil, err
+	}
+	apiPolicies := make([]*model.AuthzPolicy, 0, len(permissionPolicies))
+	for _, pp := range permissionPolicies {
+		policy, err := g.StorageProvider.GetPolicyByID(ctx, pp.PolicyID)
+		if err != nil {
+			return nil, err
+		}
+		targets, err := g.StorageProvider.GetPolicyTargets(ctx, policy.ID)
+		if err != nil {
+			return nil, err
+		}
+		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
+	}
+	return apiPolicies, nil
+}
diff --git a/internal/graphql/policies.go b/internal/graphql/policies.go
new file mode 100644
index 00000000..5f21aa18
--- /dev/null
+++ b/internal/graphql/policies.go
@@ -0,0 +1,46 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// Policies is the method to list authorization policies with pagination.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) Policies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error) {
+	log := g.Log.With().Str("func", "Policies").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	pagination := utils.GetPagination(params)
+	policies, pagination, err := g.StorageProvider.ListPolicies(ctx, pagination)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list policies")
+		return nil, err
+	}
+
+	res := make([]*model.AuthzPolicy, len(policies))
+	for i, p := range policies {
+		targets, err := g.StorageProvider.GetPolicyTargets(ctx, p.ID)
+		if err != nil {
+			log.Debug().Err(err).Str("policy_id", p.ID).Msg("Failed to get policy targets")
+			return nil, err
+		}
+		res[i] = p.AsAPIPolicy(targets)
+	}
+
+	return &model.AuthzPolicies{
+		Pagination: pagination,
+		Policies:   res,
+	}, nil
+}
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index dd2a96cf..6dac82de 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -187,4 +187,65 @@ type Provider interface {
 	// Webhooks is the method to list webhooks.
 	// Permissions: authorizer:admin
 	Webhooks(ctx context.Context, in *model.PaginatedRequest) (*model.Webhooks, error)
+
+	// === Fine-Grained Authorization ===
+
+	// AddResource creates a new authorization resource.
+	// Permissions: authorizer:admin
+	AddResource(ctx context.Context, params *model.AddResourceInput) (*model.AuthzResource, error)
+	// UpdateResource updates an existing authorization resource.
+	// Permissions: authorizer:admin
+	UpdateResource(ctx context.Context, params *model.UpdateResourceInput) (*model.AuthzResource, error)
+	// DeleteResource deletes an authorization resource by ID.
+	// Permissions: authorizer:admin
+	DeleteResource(ctx context.Context, id string) (*model.Response, error)
+	// Resources lists authorization resources with pagination.
+	// Permissions: authorizer:admin
+	Resources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error)
+
+	// AddScope creates a new authorization scope.
+	// Permissions: authorizer:admin
+	AddScope(ctx context.Context, params *model.AddScopeInput) (*model.AuthzScope, error)
+	// UpdateScope updates an existing authorization scope.
+	// Permissions: authorizer:admin
+	UpdateScope(ctx context.Context, params *model.UpdateScopeInput) (*model.AuthzScope, error)
+	// DeleteScope deletes an authorization scope by ID.
+	// Permissions: authorizer:admin
+	DeleteScope(ctx context.Context, id string) (*model.Response, error)
+	// Scopes lists authorization scopes with pagination.
+	// Permissions: authorizer:admin
+	Scopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error)
+
+	// AddPolicy creates a new authorization policy with targets.
+	// Permissions: authorizer:admin
+	AddPolicy(ctx context.Context, params *model.AddPolicyInput) (*model.AuthzPolicy, error)
+	// UpdatePolicy updates an existing authorization policy.
+	// Permissions: authorizer:admin
+	UpdatePolicy(ctx context.Context, params *model.UpdatePolicyInput) (*model.AuthzPolicy, error)
+	// DeletePolicy deletes an authorization policy by ID.
+	// Permissions: authorizer:admin
+	DeletePolicy(ctx context.Context, id string) (*model.Response, error)
+	// Policies lists authorization policies with pagination.
+	// Permissions: authorizer:admin
+	Policies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error)
+
+	// AddPermission creates a new authorization permission binding a resource to scopes and policies.
+	// Permissions: authorizer:admin
+	AddPermission(ctx context.Context, params *model.AddPermissionInput) (*model.AuthzPermission, error)
+	// UpdatePermission updates an existing authorization permission.
+	// Permissions: authorizer:admin
+	UpdatePermission(ctx context.Context, params *model.UpdatePermissionInput) (*model.AuthzPermission, error)
+	// DeletePermission deletes an authorization permission by ID.
+	// Permissions: authorizer:admin
+	DeletePermission(ctx context.Context, id string) (*model.Response, error)
+	// Permissions lists authorization permissions with pagination.
+	// Permissions: authorizer:admin
+	Permissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error)
+
+	// CheckPermission checks if the authenticated user has a specific permission on a resource.
+	// Permissions: authorized user
+	CheckPermission(ctx context.Context, params *model.CheckPermissionInput) (*model.CheckPermissionResponse, error)
+	// MyPermissions returns all resource:scope pairs the authenticated user has access to.
+	// Permissions: authorized user
+	MyPermissions(ctx context.Context) ([]*model.AuthzResourceScope, error)
 }
diff --git a/internal/graphql/resources.go b/internal/graphql/resources.go
new file mode 100644
index 00000000..c999fc0b
--- /dev/null
+++ b/internal/graphql/resources.go
@@ -0,0 +1,41 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// Resources is the method to list authorization resources with pagination.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) Resources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error) {
+	log := g.Log.With().Str("func", "Resources").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	pagination := utils.GetPagination(params)
+	resources, pagination, err := g.StorageProvider.ListResources(ctx, pagination)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list resources")
+		return nil, err
+	}
+
+	res := make([]*model.AuthzResource, len(resources))
+	for i, r := range resources {
+		res[i] = r.AsAPIResource()
+	}
+
+	return &model.AuthzResources{
+		Pagination: pagination,
+		Resources:  res,
+	}, nil
+}
diff --git a/internal/graphql/scopes.go b/internal/graphql/scopes.go
new file mode 100644
index 00000000..da5054e9
--- /dev/null
+++ b/internal/graphql/scopes.go
@@ -0,0 +1,41 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// Scopes is the method to list authorization scopes with pagination.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) Scopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error) {
+	log := g.Log.With().Str("func", "Scopes").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	pagination := utils.GetPagination(params)
+	scopes, pagination, err := g.StorageProvider.ListScopes(ctx, pagination)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list scopes")
+		return nil, err
+	}
+
+	res := make([]*model.AuthzScope, len(scopes))
+	for i, s := range scopes {
+		res[i] = s.AsAPIScope()
+	}
+
+	return &model.AuthzScopes{
+		Pagination: pagination,
+		Scopes:     res,
+	}, nil
+}
diff --git a/internal/graphql/update_permission.go b/internal/graphql/update_permission.go
new file mode 100644
index 00000000..d00fe0f2
--- /dev/null
+++ b/internal/graphql/update_permission.go
@@ -0,0 +1,117 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// UpdatePermission is the method to update an existing authorization permission.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) UpdatePermission(ctx context.Context, params *model.UpdatePermissionInput) (*model.AuthzPermission, error) {
+	log := g.Log.With().Str("func", "UpdatePermission").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(params.ID) == "" {
+		return nil, fmt.Errorf("permission ID is required")
+	}
+
+	permission, err := g.StorageProvider.GetPermissionByID(ctx, params.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get permission by ID")
+		return nil, err
+	}
+
+	if params.Name != nil {
+		name := strings.TrimSpace(*params.Name)
+		if name == "" {
+			return nil, fmt.Errorf("permission name cannot be empty")
+		}
+		permission.Name = name
+	}
+	if params.Description != nil {
+		permission.Description = *params.Description
+	}
+	if params.DecisionStrategy != nil {
+		permission.DecisionStrategy = *params.DecisionStrategy
+	}
+
+	permission, err = g.StorageProvider.UpdatePermission(ctx, permission)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to update permission")
+		return nil, err
+	}
+
+	// Replace scopes if provided
+	if params.ScopeIds != nil {
+		err = g.StorageProvider.DeletePermissionScopesByPermissionID(ctx, permission.ID)
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to delete existing permission scopes")
+			return nil, err
+		}
+		for _, scopeID := range params.ScopeIds {
+			_, err := g.StorageProvider.AddPermissionScope(ctx, &schemas.PermissionScope{
+				PermissionID: permission.ID,
+				ScopeID:      scopeID,
+			})
+			if err != nil {
+				log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to add permission scope")
+				return nil, err
+			}
+		}
+	}
+
+	// Replace policies if provided
+	if params.PolicyIds != nil {
+		err = g.StorageProvider.DeletePermissionPoliciesByPermissionID(ctx, permission.ID)
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to delete existing permission policies")
+			return nil, err
+		}
+		for _, policyID := range params.PolicyIds {
+			_, err := g.StorageProvider.AddPermissionPolicy(ctx, &schemas.PermissionPolicy{
+				PermissionID: permission.ID,
+				PolicyID:     policyID,
+			})
+			if err != nil {
+				log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to add permission policy")
+				return nil, err
+			}
+		}
+	}
+
+	// Resolve the full permission for the response
+	resource, err := g.StorageProvider.GetResourceByID(ctx, permission.ResourceID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get resource")
+		return nil, err
+	}
+
+	apiScopes, err := g.resolvePermissionScopes(ctx, permission.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve permission scopes")
+		return nil, err
+	}
+
+	apiPolicies, err := g.resolvePermissionPolicies(ctx, permission.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve permission policies")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
+}
diff --git a/internal/graphql/update_policy.go b/internal/graphql/update_policy.go
new file mode 100644
index 00000000..2b8ff195
--- /dev/null
+++ b/internal/graphql/update_policy.go
@@ -0,0 +1,91 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// UpdatePolicy is the method to update an existing authorization policy.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) UpdatePolicy(ctx context.Context, params *model.UpdatePolicyInput) (*model.AuthzPolicy, error) {
+	log := g.Log.With().Str("func", "UpdatePolicy").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(params.ID) == "" {
+		return nil, fmt.Errorf("policy ID is required")
+	}
+
+	policy, err := g.StorageProvider.GetPolicyByID(ctx, params.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get policy by ID")
+		return nil, err
+	}
+
+	if params.Name != nil {
+		name := strings.TrimSpace(*params.Name)
+		if name == "" {
+			return nil, fmt.Errorf("policy name cannot be empty")
+		}
+		policy.Name = name
+	}
+	if params.Description != nil {
+		policy.Description = *params.Description
+	}
+	if params.Logic != nil {
+		policy.Logic = *params.Logic
+	}
+	if params.DecisionStrategy != nil {
+		policy.DecisionStrategy = *params.DecisionStrategy
+	}
+
+	policy, err = g.StorageProvider.UpdatePolicy(ctx, policy)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to update policy")
+		return nil, err
+	}
+
+	// Replace targets if provided
+	var targets []*schemas.PolicyTarget
+	if params.Targets != nil {
+		err = g.StorageProvider.DeletePolicyTargetsByPolicyID(ctx, policy.ID)
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to delete existing policy targets")
+			return nil, err
+		}
+		for _, t := range params.Targets {
+			target, err := g.StorageProvider.AddPolicyTarget(ctx, &schemas.PolicyTarget{
+				PolicyID:    policy.ID,
+				TargetType:  t.TargetType,
+				TargetValue: t.TargetValue,
+			})
+			if err != nil {
+				log.Debug().Err(err).Msg("Failed to add policy target")
+				return nil, err
+			}
+			targets = append(targets, target)
+		}
+	} else {
+		targets, err = g.StorageProvider.GetPolicyTargets(ctx, policy.ID)
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to get policy targets")
+			return nil, err
+		}
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return policy.AsAPIPolicy(targets), nil
+}
diff --git a/internal/graphql/update_resource.go b/internal/graphql/update_resource.go
new file mode 100644
index 00000000..885cb825
--- /dev/null
+++ b/internal/graphql/update_resource.go
@@ -0,0 +1,56 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// UpdateResource is the method to update an existing authorization resource.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) UpdateResource(ctx context.Context, params *model.UpdateResourceInput) (*model.AuthzResource, error) {
+	log := g.Log.With().Str("func", "UpdateResource").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(params.ID) == "" {
+		return nil, fmt.Errorf("resource ID is required")
+	}
+
+	resource, err := g.StorageProvider.GetResourceByID(ctx, params.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get resource by ID")
+		return nil, err
+	}
+
+	if params.Name != nil {
+		name := strings.TrimSpace(*params.Name)
+		if name == "" {
+			return nil, fmt.Errorf("resource name cannot be empty")
+		}
+		resource.Name = name
+	}
+	if params.Description != nil {
+		resource.Description = *params.Description
+	}
+
+	resource, err = g.StorageProvider.UpdateResource(ctx, resource)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to update resource")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return resource.AsAPIResource(), nil
+}
diff --git a/internal/graphql/update_scope.go b/internal/graphql/update_scope.go
new file mode 100644
index 00000000..d681b6e9
--- /dev/null
+++ b/internal/graphql/update_scope.go
@@ -0,0 +1,56 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// UpdateScope is the method to update an existing authorization scope.
+// Permissions: authorizer:admin
+func (g *graphqlProvider) UpdateScope(ctx context.Context, params *model.UpdateScopeInput) (*model.AuthzScope, error) {
+	log := g.Log.With().Str("func", "UpdateScope").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+
+	if strings.TrimSpace(params.ID) == "" {
+		return nil, fmt.Errorf("scope ID is required")
+	}
+
+	scope, err := g.StorageProvider.GetScopeByID(ctx, params.ID)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get scope by ID")
+		return nil, err
+	}
+
+	if params.Name != nil {
+		name := strings.TrimSpace(*params.Name)
+		if name == "" {
+			return nil, fmt.Errorf("scope name cannot be empty")
+		}
+		scope.Name = name
+	}
+	if params.Description != nil {
+		scope.Description = *params.Description
+	}
+
+	scope, err = g.StorageProvider.UpdateScope(ctx, scope)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to update scope")
+		return nil, err
+	}
+
+	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+
+	return scope.AsAPIScope(), nil
+}
diff --git a/internal/storage/schemas/permission.go b/internal/storage/schemas/permission.go
index 51a50c05..1ad7e20f 100644
--- a/internal/storage/schemas/permission.go
+++ b/internal/storage/schemas/permission.go
@@ -1,5 +1,7 @@
 package schemas
 
+import "github.com/authorizerdev/authorizer/internal/graph/model"
+
 // Permission is the binding layer of the authorization model.
 // It connects a Resource to Scopes (via PermissionScope) and Policies (via PermissionPolicy).
 // A permission answers: "WHO can do WHAT on WHICH resource?"
@@ -92,3 +94,19 @@ type PolicyTargetView struct {
 	// TargetValue is the role name, user ID, client ID, or agent ID.
 	TargetValue string
 }
+
+// AsAPIPermission converts a storage Permission to the GraphQL API model
+// with its resolved resource, scopes, and policies.
+func (p *Permission) AsAPIPermission(resource *model.AuthzResource, scopes []*model.AuthzScope, policies []*model.AuthzPolicy) *model.AuthzPermission {
+	return &model.AuthzPermission{
+		ID:               p.ID,
+		Name:             p.Name,
+		Description:      &p.Description,
+		Resource:         resource,
+		Scopes:           scopes,
+		Policies:         policies,
+		DecisionStrategy: p.DecisionStrategy,
+		CreatedAt:        p.CreatedAt,
+		UpdatedAt:        p.UpdatedAt,
+	}
+}
diff --git a/internal/storage/schemas/policy.go b/internal/storage/schemas/policy.go
index 792209ad..f80b5ab6 100644
--- a/internal/storage/schemas/policy.go
+++ b/internal/storage/schemas/policy.go
@@ -1,5 +1,7 @@
 package schemas
 
+import "github.com/authorizerdev/authorizer/internal/graph/model"
+
 // Policy defines conditions for granting or denying access.
 // Policies are the brain of the authorization model -- they determine WHO gets access.
 // A policy has a Type (role-based, user-based, etc.) and Logic (positive=grant, negative=deny).
@@ -46,3 +48,26 @@ type PolicyTarget struct {
 	// CreatedAt is the unix timestamp of creation.
 	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
 }
+
+// AsAPIPolicy converts a storage Policy and its targets to the GraphQL API model.
+func (p *Policy) AsAPIPolicy(targets []*PolicyTarget) *model.AuthzPolicy {
+	apiTargets := make([]*model.AuthzPolicyTarget, len(targets))
+	for i, t := range targets {
+		apiTargets[i] = &model.AuthzPolicyTarget{
+			ID:          t.ID,
+			TargetType:  t.TargetType,
+			TargetValue: t.TargetValue,
+		}
+	}
+	return &model.AuthzPolicy{
+		ID:               p.ID,
+		Name:             p.Name,
+		Description:      &p.Description,
+		Type:             p.Type,
+		Logic:            p.Logic,
+		DecisionStrategy: p.DecisionStrategy,
+		Targets:          apiTargets,
+		CreatedAt:        p.CreatedAt,
+		UpdatedAt:        p.UpdatedAt,
+	}
+}
diff --git a/internal/storage/schemas/resource.go b/internal/storage/schemas/resource.go
index c8ee92b5..baad5de0 100644
--- a/internal/storage/schemas/resource.go
+++ b/internal/storage/schemas/resource.go
@@ -1,5 +1,7 @@
 package schemas
 
+import "github.com/authorizerdev/authorizer/internal/graph/model"
+
 // Resource represents a protected resource type in the authorization model.
 // Resources are types (e.g., "document", "invoice"), not instances.
 // They define WHAT is being protected.
@@ -18,3 +20,14 @@ type Resource struct {
 	// UpdatedAt is the unix timestamp of last update.
 	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
 }
+
+// AsAPIResource converts a storage Resource to the GraphQL API model.
+func (r *Resource) AsAPIResource() *model.AuthzResource {
+	return &model.AuthzResource{
+		ID:          r.ID,
+		Name:        r.Name,
+		Description: &r.Description,
+		CreatedAt:   r.CreatedAt,
+		UpdatedAt:   r.UpdatedAt,
+	}
+}
diff --git a/internal/storage/schemas/scope.go b/internal/storage/schemas/scope.go
index 4eb47406..6e5d35e1 100644
--- a/internal/storage/schemas/scope.go
+++ b/internal/storage/schemas/scope.go
@@ -1,5 +1,7 @@
 package schemas
 
+import "github.com/authorizerdev/authorizer/internal/graph/model"
+
 // Scope represents an action that can be performed on a resource.
 // Scopes are global verbs (e.g., "read", "write", "delete", "approve").
 // They define WHAT ACTIONS are allowed.
@@ -18,3 +20,14 @@ type Scope struct {
 	// UpdatedAt is the unix timestamp of last update.
 	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
 }
+
+// AsAPIScope converts a storage Scope to the GraphQL API model.
+func (s *Scope) AsAPIScope() *model.AuthzScope {
+	return &model.AuthzScope{
+		ID:          s.ID,
+		Name:        s.Name,
+		Description: &s.Description,
+		CreatedAt:   s.CreatedAt,
+		UpdatedAt:   s.UpdatedAt,
+	}
+}

From 91d544d5d7ee08302e20e22dac5508de60931372 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 11:05:28 +0530
Subject: [PATCH 11/26] feat(authz): add REST check-permission endpoint

Add POST /api/v1/check-permission endpoint for downstream services.
Extracts principal from JWT Bearer token, evaluates permission via
authorization engine, returns {allowed, matched_policy} JSON response.
---
 internal/http_handlers/check_permission.go | 116 +++++++++++++++++++++
 internal/http_handlers/provider.go         |   2 +
 internal/server/http_routes.go             |   1 +
 3 files changed, 119 insertions(+)
 create mode 100644 internal/http_handlers/check_permission.go

diff --git a/internal/http_handlers/check_permission.go b/internal/http_handlers/check_permission.go
new file mode 100644
index 00000000..9c37eebd
--- /dev/null
+++ b/internal/http_handlers/check_permission.go
@@ -0,0 +1,116 @@
+package http_handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/authorizerdev/authorizer/internal/authorization"
+)
+
+// checkPermissionRequest is the JSON body for POST /api/v1/check-permission.
+type checkPermissionRequest struct {
+	Resource string `json:"resource"`
+	Scope    string `json:"scope"`
+}
+
+// checkPermissionResponse is the JSON response for POST /api/v1/check-permission.
+type checkPermissionResponse struct {
+	Allowed       bool   `json:"allowed"`
+	MatchedPolicy string `json:"matched_policy"`
+}
+
+// CheckPermissionHandler handles POST /api/v1/check-permission for downstream
+// services that need to verify whether a user has a specific permission without
+// using GraphQL. It validates the Bearer token, builds a Principal from the
+// token claims, and delegates to the authorization provider.
+func (h *httpProvider) CheckPermissionHandler() gin.HandlerFunc {
+	log := h.Log.With().Str("func", "CheckPermissionHandler").Logger()
+	return func(gc *gin.Context) {
+		// Extract and validate the access token from the Authorization header.
+		accessToken, err := h.TokenProvider.GetAccessToken(gc)
+		if err != nil {
+			log.Debug().Msg("Missing or malformed access token")
+			gc.Header("WWW-Authenticate", `Bearer realm="authorizer"`)
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "invalid_request",
+				"error_description": "No access token provided",
+			})
+			return
+		}
+
+		claims, err := h.TokenProvider.ValidateAccessToken(gc, accessToken)
+		if err != nil {
+			log.Debug().Err(err).Msg("Invalid access token")
+			gc.Header("WWW-Authenticate", `Bearer realm="authorizer", error="invalid_token", error_description="The access token is invalid or has expired"`)
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "invalid_token",
+				"error_description": "The access token is invalid or has expired",
+			})
+			return
+		}
+
+		// Parse the request body.
+		var req checkPermissionRequest
+		if err := gc.ShouldBindJSON(&req); err != nil {
+			log.Debug().Err(err).Msg("Invalid request body")
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "invalid_request",
+				"error_description": "Request body must be JSON with 'resource' and 'scope' fields",
+			})
+			return
+		}
+
+		req.Resource = strings.TrimSpace(req.Resource)
+		req.Scope = strings.TrimSpace(req.Scope)
+
+		if req.Resource == "" || req.Scope == "" {
+			gc.JSON(http.StatusBadRequest, gin.H{
+				"error":             "invalid_request",
+				"error_description": "Both 'resource' and 'scope' fields are required and must be non-empty",
+			})
+			return
+		}
+
+		// Build a Principal from the token claims.
+		userID, _ := claims["sub"].(string)
+		if userID == "" {
+			gc.JSON(http.StatusUnauthorized, gin.H{
+				"error":             "invalid_token",
+				"error_description": "Token is missing a valid 'sub' claim",
+			})
+			return
+		}
+
+		var roles []string
+		if rolesVal, ok := claims["roles"].([]interface{}); ok {
+			for _, r := range rolesVal {
+				if s, ok := r.(string); ok {
+					roles = append(roles, s)
+				}
+			}
+		}
+
+		principal := &authorization.Principal{
+			ID:    userID,
+			Type:  "user",
+			Roles: roles,
+		}
+
+		result, err := h.AuthorizationProvider.CheckPermission(gc.Request.Context(), principal, req.Resource, req.Scope)
+		if err != nil {
+			log.Error().Err(err).Msg("Authorization check failed")
+			gc.JSON(http.StatusInternalServerError, gin.H{
+				"error":             "server_error",
+				"error_description": "Failed to evaluate permission",
+			})
+			return
+		}
+
+		gc.JSON(http.StatusOK, checkPermissionResponse{
+			Allowed:       result.Allowed,
+			MatchedPolicy: result.MatchedPolicy,
+		})
+	}
+}
diff --git a/internal/http_handlers/provider.go b/internal/http_handlers/provider.go
index 966c2c3c..7e20be42 100644
--- a/internal/http_handlers/provider.go
+++ b/internal/http_handlers/provider.go
@@ -104,6 +104,8 @@ type Provider interface {
 	UserInfoHandler() gin.HandlerFunc
 	// VerifyEmailHandler is the main handler that handels all the verify email requests
 	VerifyEmailHandler() gin.HandlerFunc
+	// CheckPermissionHandler handles POST /api/v1/check-permission for fine-grained authorization checks
+	CheckPermissionHandler() gin.HandlerFunc
 
 	// ClientCheckMiddleware is the middleware that checks if the client is valid
 	ClientCheckMiddleware() gin.HandlerFunc
diff --git a/internal/server/http_routes.go b/internal/server/http_routes.go
index d4c13b47..b1441ccc 100644
--- a/internal/server/http_routes.go
+++ b/internal/server/http_routes.go
@@ -53,6 +53,7 @@ func (s *server) NewRouter() *gin.Engine {
 	router.POST("/oauth/token", s.Dependencies.HTTPProvider.TokenHandler())
 	router.POST("/oauth/revoke", s.Dependencies.HTTPProvider.RevokeRefreshTokenHandler())
 	router.POST("/oauth/introspect", s.Dependencies.HTTPProvider.IntrospectHandler())
+	router.POST("/api/v1/check-permission", s.Dependencies.HTTPProvider.CheckPermissionHandler())
 
 	// Set up template functions for JSON encoding.
 	// Escape </script> and <!-- to prevent script injection in <script> blocks.

From 5e0646f4e929a703cb657f34ce31f5d1b0879d9f Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 11:16:45 +0530
Subject: [PATCH 12/26] test(authz): add comprehensive authorization
 integration tests

Add 16 integration tests covering resource/scope/policy/permission CRUD,
permission evaluation with role-based policies, referential integrity
checks on delete, and cleanup. All tests pass with SQLite.
---
 .../integration_tests/authorization_test.go   | 387 ++++++++++++++++++
 internal/integration_tests/test_helper.go     |  12 +
 2 files changed, 399 insertions(+)
 create mode 100644 internal/integration_tests/authorization_test.go

diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
new file mode 100644
index 00000000..052231c4
--- /dev/null
+++ b/internal/integration_tests/authorization_test.go
@@ -0,0 +1,387 @@
+package integration_tests
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/crypto"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/refs"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestAuthorizationCRUD tests the fine-grained authorization CRUD operations
+// and permission checking.
+func TestAuthorizationCRUD(t *testing.T) {
+	cfg := getTestConfig()
+	ts := initTestSetup(t, cfg)
+	req, ctx := createContext(ts)
+
+	// Set admin auth cookie for admin operations
+	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	// IDs collected across subtests
+	var resourceID string
+	var scopeID string
+	var policyID string
+	var permissionID string
+
+	t.Run("should add resource", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.AddResource(ctx, &model.AddResourceInput{
+			Name:        "documents",
+			Description: refs.NewStringRef("Document resource for testing"),
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.NotEmpty(t, res.ID)
+		assert.Equal(t, "documents", res.Name)
+		assert.NotNil(t, res.Description)
+		assert.Equal(t, "Document resource for testing", *res.Description)
+		resourceID = res.ID
+	})
+
+	t.Run("should add scope", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+			Name:        "read",
+			Description: refs.NewStringRef("Read access scope"),
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.NotEmpty(t, res.ID)
+		assert.Equal(t, "read", res.Name)
+		scopeID = res.ID
+	})
+
+	t.Run("should add policy", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+			Name:        "user-role-policy",
+			Description: refs.NewStringRef("Policy for user role"),
+			Type:        "role",
+			Targets: []*model.PolicyTargetInput{
+				{
+					TargetType:  "role",
+					TargetValue: "user",
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.NotEmpty(t, res.ID)
+		assert.Equal(t, "user-role-policy", res.Name)
+		assert.Equal(t, "role", res.Type)
+		assert.Equal(t, "positive", res.Logic)
+		assert.Equal(t, "affirmative", res.DecisionStrategy)
+		require.Len(t, res.Targets, 1)
+		assert.Equal(t, "role", res.Targets[0].TargetType)
+		assert.Equal(t, "user", res.Targets[0].TargetValue)
+		policyID = res.ID
+	})
+
+	t.Run("should add permission", func(t *testing.T) {
+		require.NotEmpty(t, resourceID, "resourceID must be set from prior subtest")
+		require.NotEmpty(t, scopeID, "scopeID must be set from prior subtest")
+		require.NotEmpty(t, policyID, "policyID must be set from prior subtest")
+
+		res, err := ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+			Name:       "documents-read",
+			ResourceID: resourceID,
+			ScopeIds:   []string{scopeID},
+			PolicyIds:  []string{policyID},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.NotEmpty(t, res.ID)
+		assert.Equal(t, "documents-read", res.Name)
+		assert.Equal(t, "affirmative", res.DecisionStrategy)
+		require.NotNil(t, res.Resource)
+		assert.Equal(t, resourceID, res.Resource.ID)
+		require.Len(t, res.Scopes, 1)
+		assert.Equal(t, scopeID, res.Scopes[0].ID)
+		require.Len(t, res.Policies, 1)
+		assert.Equal(t, policyID, res.Policies[0].ID)
+		permissionID = res.ID
+	})
+
+	t.Run("should list resources", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.Resources(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.GreaterOrEqual(t, len(res.Resources), 1)
+		assert.NotNil(t, res.Pagination)
+
+		found := false
+		for _, r := range res.Resources {
+			if r.ID == resourceID {
+				found = true
+				assert.Equal(t, "documents", r.Name)
+				break
+			}
+		}
+		assert.True(t, found, "expected resource not found in list")
+	})
+
+	t.Run("should list scopes", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.Scopes(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.GreaterOrEqual(t, len(res.Scopes), 1)
+	})
+
+	t.Run("should list policies", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.Policies(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.GreaterOrEqual(t, len(res.Policies), 1)
+	})
+
+	t.Run("should list permissions", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.Permissions(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.GreaterOrEqual(t, len(res.Permissions), 1)
+	})
+
+	t.Run("should update resource", func(t *testing.T) {
+		require.NotEmpty(t, resourceID)
+		newName := "documents-updated"
+		res, err := ts.GraphQLProvider.UpdateResource(ctx, &model.UpdateResourceInput{
+			ID:          resourceID,
+			Name:        &newName,
+			Description: refs.NewStringRef("Updated description"),
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Equal(t, resourceID, res.ID)
+		assert.Equal(t, "documents-updated", res.Name)
+		assert.Equal(t, "Updated description", *res.Description)
+
+		// Revert name for subsequent tests that reference "documents" by ID
+		origName := "documents"
+		_, err = ts.GraphQLProvider.UpdateResource(ctx, &model.UpdateResourceInput{
+			ID:   resourceID,
+			Name: &origName,
+		})
+		require.NoError(t, err)
+	})
+
+	// CheckPermission requires an authenticated user, not admin.
+	// Sign up a user, log in, and set the access token.
+	t.Run("should check permission granted by role", func(t *testing.T) {
+		// Clear admin cookie
+		req.Header.Del("Cookie")
+
+		email := "authz_test_" + uuid.New().String() + "@authorizer.dev"
+		password := "Password@123"
+
+		_, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+			Email:           &email,
+			Password:        password,
+			ConfirmPassword: password,
+		})
+		require.NoError(t, err)
+
+		loginRes, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{
+			Email:    &email,
+			Password: password,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, loginRes)
+		require.NotNil(t, loginRes.User)
+
+		// User has "user" role by default (from DefaultRoles in config).
+		// Set access token for the CheckPermission call.
+		allData, err := ts.MemoryStoreProvider.GetAllData()
+		require.NoError(t, err)
+		accessToken := ""
+		for k, v := range allData {
+			if strings.Contains(k, constants.TokenTypeAccessToken) {
+				accessToken = v
+				break
+			}
+		}
+		require.NotEmpty(t, accessToken, "access token must be present in memory store")
+
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+		defer func() {
+			req.Header.Del("Authorization")
+			// Restore admin cookie for subsequent tests
+			req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+		}()
+
+		res, err := ts.GraphQLProvider.CheckPermission(ctx, &model.CheckPermissionInput{
+			Resource: "documents",
+			Scope:    "read",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.Allowed, "user with 'user' role should have read access to documents")
+	})
+
+	t.Run("should check permission denied for wrong role", func(t *testing.T) {
+		// Create a second policy that targets "admin" role only
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+		adminPolicy, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+			Name: "admin-only-policy",
+			Type: "role",
+			Targets: []*model.PolicyTargetInput{
+				{
+					TargetType:  "role",
+					TargetValue: "admin",
+				},
+			},
+		})
+		require.NoError(t, err)
+
+		// Add a "write" scope
+		writeScope, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+			Name: "write",
+		})
+		require.NoError(t, err)
+
+		// Create a permission that requires "admin" role for "write" on documents
+		_, err = ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+			Name:       "documents-write",
+			ResourceID: resourceID,
+			ScopeIds:   []string{writeScope.ID},
+			PolicyIds:  []string{adminPolicy.ID},
+		})
+		require.NoError(t, err)
+
+		// Now sign up a regular user and check write permission (should be denied)
+		req.Header.Del("Cookie")
+
+		email2 := "authz_denied_" + uuid.New().String() + "@authorizer.dev"
+		password := "Password@123"
+
+		_, err = ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+			Email:           &email2,
+			Password:        password,
+			ConfirmPassword: password,
+		})
+		require.NoError(t, err)
+
+		loginRes, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{
+			Email:    &email2,
+			Password: password,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, loginRes)
+
+		allData, err := ts.MemoryStoreProvider.GetAllData()
+		require.NoError(t, err)
+		accessToken := ""
+		for k, v := range allData {
+			if strings.Contains(k, constants.TokenTypeAccessToken) {
+				accessToken = v
+				break
+			}
+		}
+		require.NotEmpty(t, accessToken)
+
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+		defer func() {
+			req.Header.Del("Authorization")
+			req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+		}()
+
+		res, err := ts.GraphQLProvider.CheckPermission(ctx, &model.CheckPermissionInput{
+			Resource: "documents",
+			Scope:    "write",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.False(t, res.Allowed, "user with 'user' role should NOT have write access requiring admin role")
+	})
+
+	// Re-set admin cookie for remaining admin operations
+	t.Run("should delete permission", func(t *testing.T) {
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+		require.NotEmpty(t, permissionID)
+
+		res, err := ts.GraphQLProvider.DeletePermission(ctx, permissionID)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Message, "deleted")
+	})
+
+	t.Run("should delete resource blocked by permission", func(t *testing.T) {
+		// The "documents-write" permission still references this resource,
+		// so delete should fail.
+		_, err := ts.GraphQLProvider.DeleteResource(ctx, resourceID)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "permission")
+	})
+
+	t.Run("should delete scope blocked by permission", func(t *testing.T) {
+		// The "write" scope is referenced by "documents-write" permission.
+		// Find the write scope ID from the scopes list.
+		scopes, err := ts.GraphQLProvider.Scopes(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		var writeScopeID string
+		for _, s := range scopes.Scopes {
+			if s.Name == "write" {
+				writeScopeID = s.ID
+				break
+			}
+		}
+		require.NotEmpty(t, writeScopeID, "write scope must exist")
+
+		_, err = ts.GraphQLProvider.DeleteScope(ctx, writeScopeID)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "permission")
+	})
+
+	t.Run("should delete policy blocked by permission", func(t *testing.T) {
+		// The "admin-only-policy" is referenced by "documents-write" permission.
+		policies, err := ts.GraphQLProvider.Policies(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+		var adminPolicyID string
+		for _, p := range policies.Policies {
+			if p.Name == "admin-only-policy" {
+				adminPolicyID = p.ID
+				break
+			}
+		}
+		require.NotEmpty(t, adminPolicyID, "admin-only-policy must exist")
+
+		_, err = ts.GraphQLProvider.DeletePolicy(ctx, adminPolicyID)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "permission")
+	})
+
+	// Cleanup: delete the remaining permission first, then the rest
+	t.Run("cleanup should delete remaining permission then resources", func(t *testing.T) {
+		// Find and delete the "documents-write" permission
+		perms, err := ts.GraphQLProvider.Permissions(ctx, &model.PaginatedRequest{})
+		require.NoError(t, err)
+
+		for _, p := range perms.Permissions {
+			if p.Name == "documents-write" {
+				res, err := ts.GraphQLProvider.DeletePermission(ctx, p.ID)
+				require.NoError(t, err)
+				assert.Contains(t, res.Message, "deleted")
+				break
+			}
+		}
+
+		// Now resource, scope, and policy should be deletable
+		res, err := ts.GraphQLProvider.DeleteResource(ctx, resourceID)
+		require.NoError(t, err)
+		assert.Contains(t, res.Message, "deleted")
+
+		res, err = ts.GraphQLProvider.DeleteScope(ctx, scopeID)
+		require.NoError(t, err)
+		assert.Contains(t, res.Message, "deleted")
+
+		res, err = ts.GraphQLProvider.DeletePolicy(ctx, policyID)
+		require.NoError(t, err)
+		assert.Contains(t, res.Message, "deleted")
+	})
+}
diff --git a/internal/integration_tests/test_helper.go b/internal/integration_tests/test_helper.go
index 52767e1a..e602bf04 100644
--- a/internal/integration_tests/test_helper.go
+++ b/internal/integration_tests/test_helper.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
+	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/email"
@@ -178,6 +179,16 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 	})
 	require.NoError(t, err)
 
+	// Initialize authorization provider
+	authzProvider, err := authorization.New(&authorization.Config{
+		Enforcement: "enforcing",
+		CacheTTL:    0,
+	}, &authorization.Dependencies{
+		Log:             &logger,
+		StorageProvider: storageProvider,
+	})
+	require.NoError(t, err)
+
 	// Initialize audit provider
 	auditProvider := audit.New(&audit.Dependencies{
 		Log:             &logger,
@@ -189,6 +200,7 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 		Log:                   &logger,
 		AuditProvider:         auditProvider,
 		AuthenticatorProvider: authProvider,
+		AuthorizationProvider: authzProvider,
 		EmailProvider:         emailProvider,
 		EventsProvider:        eventsProvider,
 		MemoryStoreProvider:   memoryStoreProvider,

From 7a942045000c484f04fcfdc213f91c3c0e85bcc6 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 11:25:21 +0530
Subject: [PATCH 13/26] feat(authz): add authorization dashboard UI

Add 5 authorization pages to admin dashboard: Resources, Scopes,
Policies, Permissions, and Evaluate. Include guided setup flow,
natural language permission summaries, and policy evaluation
test tool. Add Authorization nav item to sidebar.
---
 web/dashboard/src/components/Sidebar.tsx      |   2 +
 web/dashboard/src/graphql/mutation/index.ts   | 142 +++++
 web/dashboard/src/graphql/queries/index.ts    | 121 ++++
 web/dashboard/src/pages/Authorization.tsx     |  67 +++
 .../src/pages/authorization/Evaluate.tsx      | 222 +++++++
 .../src/pages/authorization/Permissions.tsx   | 568 ++++++++++++++++++
 .../src/pages/authorization/Policies.tsx      | 482 +++++++++++++++
 .../src/pages/authorization/Resources.tsx     | 307 ++++++++++
 .../src/pages/authorization/Scopes.tsx        | 301 ++++++++++
 web/dashboard/src/routes/index.tsx            |   2 +
 web/dashboard/src/types.ts                    |  83 +++
 11 files changed, 2297 insertions(+)
 create mode 100644 web/dashboard/src/pages/Authorization.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Evaluate.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Permissions.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Policies.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Resources.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Scopes.tsx

diff --git a/web/dashboard/src/components/Sidebar.tsx b/web/dashboard/src/components/Sidebar.tsx
index ba0756e6..bc4d7dbd 100644
--- a/web/dashboard/src/components/Sidebar.tsx
+++ b/web/dashboard/src/components/Sidebar.tsx
@@ -11,6 +11,7 @@ import {
 	LogOut,
 	Menu,
 	ExternalLink,
+	Shield,
 } from 'lucide-react';
 import type { LucideIcon } from 'lucide-react';
 import { cn } from '../lib/utils';
@@ -31,6 +32,7 @@ const navItems: NavItemConfig[] = [
 	{ name: 'Users', icon: Users, route: '/users' },
 	{ name: 'Webhooks', icon: Webhook, route: '/webhooks' },
 	{ name: 'Email Templates', icon: Mail, route: '/email-templates' },
+	{ name: 'Authorization', icon: Shield, route: '/authorization' },
 	{ name: 'Audit Logs', icon: ScrollText, route: '/audit-logs' },
 	{
 		name: 'API Playground',
diff --git a/web/dashboard/src/graphql/mutation/index.ts b/web/dashboard/src/graphql/mutation/index.ts
index 91dcdaec..403aac60 100644
--- a/web/dashboard/src/graphql/mutation/index.ts
+++ b/web/dashboard/src/graphql/mutation/index.ts
@@ -121,6 +121,148 @@ export const EditEmailTemplate = `
   }
 `;
 
+// Authorization mutations
+export const AddResource = `
+  mutation addResource($params: AddResourceInput!) {
+    _add_resource(params: $params) {
+      id
+      name
+      description
+    }
+  }
+`;
+
+export const UpdateResource = `
+  mutation updateResource($params: UpdateResourceInput!) {
+    _update_resource(params: $params) {
+      id
+      name
+      description
+    }
+  }
+`;
+
+export const DeleteResource = `
+  mutation deleteResource($id: ID!) {
+    _delete_resource(id: $id) {
+      message
+    }
+  }
+`;
+
+export const AddScope = `
+  mutation addScope($params: AddScopeInput!) {
+    _add_scope(params: $params) {
+      id
+      name
+      description
+    }
+  }
+`;
+
+export const UpdateScope = `
+  mutation updateScope($params: UpdateScopeInput!) {
+    _update_scope(params: $params) {
+      id
+      name
+      description
+    }
+  }
+`;
+
+export const DeleteScope = `
+  mutation deleteScope($id: ID!) {
+    _delete_scope(id: $id) {
+      message
+    }
+  }
+`;
+
+export const AddPolicy = `
+  mutation addPolicy($params: AddPolicyInput!) {
+    _add_policy(params: $params) {
+      id
+      name
+      description
+      type
+      logic
+      decision_strategy
+      targets {
+        id
+        target_type
+        target_value
+      }
+    }
+  }
+`;
+
+export const UpdatePolicy = `
+  mutation updatePolicy($params: UpdatePolicyInput!) {
+    _update_policy(params: $params) {
+      id
+      name
+      description
+      logic
+      decision_strategy
+      targets {
+        id
+        target_type
+        target_value
+      }
+    }
+  }
+`;
+
+export const DeletePolicy = `
+  mutation deletePolicy($id: ID!) {
+    _delete_policy(id: $id) {
+      message
+    }
+  }
+`;
+
+export const AddPermission = `
+  mutation addPermission($params: AddPermissionInput!) {
+    _add_permission(params: $params) {
+      id
+      name
+      description
+      resource {
+        id
+        name
+      }
+      scopes {
+        id
+        name
+      }
+      policies {
+        id
+        name
+      }
+      decision_strategy
+    }
+  }
+`;
+
+export const UpdatePermission = `
+  mutation updatePermission($params: UpdatePermissionInput!) {
+    _update_permission(params: $params) {
+      id
+      name
+      description
+      decision_strategy
+    }
+  }
+`;
+
+export const DeletePermission = `
+  mutation deletePermission($id: ID!) {
+    _delete_permission(id: $id) {
+      message
+    }
+  }
+`;
+
 export const DeleteEmailTemplate = `
   mutation deleteEmailTemplate($params: DeleteEmailTemplateRequest!) {
     _delete_email_template(params: $params) {
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 053913a9..68320646 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -109,6 +109,127 @@ export const WebhookLogsQuery = `
   }
 `;
 
+// Authorization queries
+export const ResourcesQuery = `
+  query getResources($params: PaginatedRequest) {
+    _resources(params: $params) {
+      resources {
+        id
+        name
+        description
+        created_at
+        updated_at
+      }
+      pagination {
+        limit
+        page
+        offset
+        total
+      }
+    }
+  }
+`;
+
+export const ScopesQuery = `
+  query getScopes($params: PaginatedRequest) {
+    _scopes(params: $params) {
+      scopes {
+        id
+        name
+        description
+        created_at
+        updated_at
+      }
+      pagination {
+        limit
+        page
+        offset
+        total
+      }
+    }
+  }
+`;
+
+export const PoliciesQuery = `
+  query getPolicies($params: PaginatedRequest) {
+    _policies(params: $params) {
+      policies {
+        id
+        name
+        description
+        type
+        logic
+        decision_strategy
+        targets {
+          id
+          target_type
+          target_value
+        }
+        created_at
+        updated_at
+      }
+      pagination {
+        limit
+        page
+        offset
+        total
+      }
+    }
+  }
+`;
+
+export const PermissionsQuery = `
+  query getPermissions($params: PaginatedRequest) {
+    _permissions(params: $params) {
+      permissions {
+        id
+        name
+        description
+        resource {
+          id
+          name
+          description
+        }
+        scopes {
+          id
+          name
+          description
+        }
+        policies {
+          id
+          name
+          type
+          logic
+          decision_strategy
+          targets {
+            id
+            target_type
+            target_value
+          }
+        }
+        decision_strategy
+        created_at
+        updated_at
+      }
+      pagination {
+        limit
+        page
+        offset
+        total
+      }
+    }
+  }
+`;
+
+export const CheckPermissionQuery = `
+  query checkPermission($params: CheckPermissionInput!) {
+    check_permission(params: $params) {
+      allowed
+      matched_policy
+    }
+  }
+`;
+
 export const AuditLogsQuery = `
   query getAuditLogs($params: ListAuditLogRequest!) {
     _audit_logs(params: $params) {
diff --git a/web/dashboard/src/pages/Authorization.tsx b/web/dashboard/src/pages/Authorization.tsx
new file mode 100644
index 00000000..dcb713b6
--- /dev/null
+++ b/web/dashboard/src/pages/Authorization.tsx
@@ -0,0 +1,67 @@
+import React, { lazy, Suspense } from 'react';
+import { NavLink, Routes, Route, Navigate } from 'react-router-dom';
+import { cn } from '../lib/utils';
+
+const Resources = lazy(() => import('./authorization/Resources'));
+const Scopes = lazy(() => import('./authorization/Scopes'));
+const Policies = lazy(() => import('./authorization/Policies'));
+const Permissions = lazy(() => import('./authorization/Permissions'));
+const Evaluate = lazy(() => import('./authorization/Evaluate'));
+
+const tabs = [
+	{ name: 'Resources', path: 'resources' },
+	{ name: 'Scopes', path: 'scopes' },
+	{ name: 'Policies', path: 'policies' },
+	{ name: 'Permissions', path: 'permissions' },
+	{ name: 'Evaluate', path: 'evaluate' },
+];
+
+export default function Authorization() {
+	return (
+		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<div className="my-4">
+				<h1 className="text-2xl font-semibold text-gray-900">
+					Authorization
+				</h1>
+				<p className="mt-1 text-sm text-gray-500">
+					Fine-grained authorization management: resources, scopes, policies,
+					and permissions.
+				</p>
+			</div>
+
+			{/* Tab navigation */}
+			<div className="border-b border-gray-200 mb-6">
+				<nav className="-mb-px flex gap-4">
+					{tabs.map((tab) => (
+						<NavLink
+							key={tab.path}
+							to={tab.path}
+							className={({ isActive }) =>
+								cn(
+									'whitespace-nowrap border-b-2 pb-3 pt-2 px-1 text-sm font-medium transition-colors',
+									isActive
+										? 'border-blue-500 text-blue-600'
+										: 'border-transparent text-gray-500 hover:border-gray-300 hover:text-gray-700',
+								)
+							}
+						>
+							{tab.name}
+						</NavLink>
+					))}
+				</nav>
+			</div>
+
+			{/* Tab content */}
+			<Suspense fallback={<div className="py-8 text-center text-gray-400">Loading...</div>}>
+				<Routes>
+					<Route path="resources" element={<Resources />} />
+					<Route path="scopes" element={<Scopes />} />
+					<Route path="policies" element={<Policies />} />
+					<Route path="permissions" element={<Permissions />} />
+					<Route path="evaluate" element={<Evaluate />} />
+					<Route path="" element={<Navigate to="resources" replace />} />
+				</Routes>
+			</Suspense>
+		</div>
+	);
+}
diff --git a/web/dashboard/src/pages/authorization/Evaluate.tsx b/web/dashboard/src/pages/authorization/Evaluate.tsx
new file mode 100644
index 00000000..e851182d
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Evaluate.tsx
@@ -0,0 +1,222 @@
+import React from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import { Play, ShieldCheck, ShieldX, Info } from 'lucide-react';
+import {
+	CheckPermissionQuery,
+	ResourcesQuery,
+	ScopesQuery,
+} from '../../graphql/queries';
+import { getGraphQLErrorMessage } from '../../utils';
+import { Button } from '../../components/ui/button';
+import { Label } from '../../components/ui/label';
+import { Badge } from '../../components/ui/badge';
+import { Skeleton } from '../../components/ui/skeleton';
+import { Select } from '../../components/ui/select';
+import type {
+	AuthzResource,
+	AuthzResourcesResponse,
+	AuthzScope,
+	AuthzScopesResponse,
+	CheckPermissionResponse,
+} from '../../types';
+
+export default function Evaluate() {
+	const client = useClient();
+	const [resources, setResources] = React.useState<AuthzResource[]>([]);
+	const [scopes, setScopes] = React.useState<AuthzScope[]>([]);
+	const [selectedResource, setSelectedResource] = React.useState('');
+	const [selectedScope, setSelectedScope] = React.useState('');
+	const [loading, setLoading] = React.useState(false);
+	const [evaluating, setEvaluating] = React.useState(false);
+	const [result, setResult] = React.useState<{
+		allowed: boolean;
+		matched_policy?: string;
+	} | null>(null);
+
+	React.useEffect(() => {
+		const fetchData = async () => {
+			setLoading(true);
+			const [resourcesRes, scopesRes] = await Promise.all([
+				client
+					.query<AuthzResourcesResponse>(ResourcesQuery, {
+						params: { pagination: { limit: 100, page: 1 } },
+					})
+					.toPromise(),
+				client
+					.query<AuthzScopesResponse>(ScopesQuery, {
+						params: { pagination: { limit: 100, page: 1 } },
+					})
+					.toPromise(),
+			]);
+			if (resourcesRes.data?._resources) {
+				setResources(resourcesRes.data._resources.resources);
+			}
+			if (scopesRes.data?._scopes) {
+				setScopes(scopesRes.data._scopes.scopes);
+			}
+			setLoading(false);
+		};
+		fetchData();
+	}, []);
+
+	const handleEvaluate = async () => {
+		if (!selectedResource) {
+			toast.error('Select a resource');
+			return;
+		}
+		if (!selectedScope) {
+			toast.error('Select a scope');
+			return;
+		}
+		setEvaluating(true);
+		setResult(null);
+		const { data, error } = await client
+			.query<CheckPermissionResponse>(CheckPermissionQuery, {
+				params: {
+					resource: selectedResource,
+					scope: selectedScope,
+				},
+			})
+			.toPromise();
+		if (error) {
+			toast.error(
+				getGraphQLErrorMessage(error, 'Failed to evaluate permission'),
+			);
+		} else if (data?.check_permission) {
+			setResult(data.check_permission);
+		}
+		setEvaluating(false);
+	};
+
+	if (loading) {
+		return (
+			<div className="space-y-3">
+				{[1, 2, 3].map((i) => (
+					<Skeleton key={i} className="h-10 w-full" />
+				))}
+			</div>
+		);
+	}
+
+	return (
+		<div>
+			<div className="mb-4">
+				<h2 className="text-lg font-semibold text-gray-900">
+					Evaluate Permission
+				</h2>
+				<p className="text-sm text-gray-500">
+					Test whether a permission check would be allowed or denied.
+				</p>
+			</div>
+
+			<div className="rounded-md border border-blue-200 bg-blue-50 p-3 mb-6 flex items-start gap-2">
+				<Info className="h-4 w-4 text-blue-500 mt-0.5 shrink-0" />
+				<p className="text-sm text-blue-700">
+					This evaluates permissions for the currently logged-in admin session.
+					The <code className="bg-blue-100 px-1 rounded">check_permission</code>{' '}
+					query uses the authenticated user context to determine access.
+				</p>
+			</div>
+
+			<div className="max-w-md space-y-4">
+				{/* Resource */}
+				<div>
+					<Label htmlFor="eval-resource">Resource</Label>
+					<Select
+						id="eval-resource"
+						value={selectedResource}
+						onChange={(e) => setSelectedResource(e.target.value)}
+						className="mt-1"
+					>
+						<option value="">Select a resource...</option>
+						{resources.map((r) => (
+							<option key={r.id} value={r.name}>
+								{r.name}
+							</option>
+						))}
+					</Select>
+				</div>
+
+				{/* Scope */}
+				<div>
+					<Label htmlFor="eval-scope">Scope</Label>
+					<Select
+						id="eval-scope"
+						value={selectedScope}
+						onChange={(e) => setSelectedScope(e.target.value)}
+						className="mt-1"
+					>
+						<option value="">Select a scope...</option>
+						{scopes.map((s) => (
+							<option key={s.id} value={s.name}>
+								{s.name}
+							</option>
+						))}
+					</Select>
+				</div>
+
+				{/* Evaluate button */}
+				<Button
+					onClick={handleEvaluate}
+					disabled={evaluating || !selectedResource || !selectedScope}
+					className="w-full"
+				>
+					<Play className="h-4 w-4 mr-2" />
+					{evaluating ? 'Evaluating...' : 'Evaluate'}
+				</Button>
+			</div>
+
+			{/* Result panel */}
+			{result !== null && (
+				<div
+					className={`mt-6 rounded-md border p-4 ${
+						result.allowed
+							? 'border-green-200 bg-green-50'
+							: 'border-red-200 bg-red-50'
+					}`}
+				>
+					<div className="flex items-center gap-3 mb-2">
+						{result.allowed ? (
+							<ShieldCheck className="h-8 w-8 text-green-600" />
+						) : (
+							<ShieldX className="h-8 w-8 text-red-600" />
+						)}
+						<div>
+							<h3
+								className={`text-lg font-semibold ${result.allowed ? 'text-green-800' : 'text-red-800'}`}
+							>
+								{result.allowed ? 'Allowed' : 'Denied'}
+							</h3>
+							<p
+								className={`text-sm ${result.allowed ? 'text-green-600' : 'text-red-600'}`}
+							>
+								{result.allowed
+									? 'The permission check passed.'
+									: 'The permission check failed.'}
+							</p>
+						</div>
+					</div>
+					<div className="mt-3 space-y-2 text-sm">
+						<div className="flex items-center gap-2">
+							<span className="font-medium text-gray-700">Resource:</span>
+							<Badge>{selectedResource}</Badge>
+						</div>
+						<div className="flex items-center gap-2">
+							<span className="font-medium text-gray-700">Scope:</span>
+							<Badge variant="secondary">{selectedScope}</Badge>
+						</div>
+						{result.matched_policy && (
+							<div className="flex items-center gap-2">
+								<span className="font-medium text-gray-700">
+									Matched Policy:
+								</span>
+								<Badge variant="outline">{result.matched_policy}</Badge>
+							</div>
+						)}
+					</div>
+				</div>
+			)}
+		</div>
+	);
+}
diff --git a/web/dashboard/src/pages/authorization/Permissions.tsx b/web/dashboard/src/pages/authorization/Permissions.tsx
new file mode 100644
index 00000000..0937cdac
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Permissions.tsx
@@ -0,0 +1,568 @@
+import React from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import dayjs from 'dayjs';
+import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
+import {
+	PermissionsQuery,
+	ResourcesQuery,
+	ScopesQuery,
+	PoliciesQuery,
+} from '../../graphql/queries';
+import {
+	AddPermission,
+	UpdatePermission,
+	DeletePermission,
+} from '../../graphql/mutation';
+import { getGraphQLErrorMessage } from '../../utils';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Textarea } from '../../components/ui/textarea';
+import { Label } from '../../components/ui/label';
+import { Badge } from '../../components/ui/badge';
+import { Skeleton } from '../../components/ui/skeleton';
+import { Select } from '../../components/ui/select';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogFooter,
+	DialogDescription,
+} from '../../components/ui/dialog';
+import {
+	Table,
+	TableHeader,
+	TableBody,
+	TableRow,
+	TableHead,
+	TableCell,
+} from '../../components/ui/table';
+import type {
+	AuthzPermission,
+	AuthzPermissionsResponse,
+	AuthzResource,
+	AuthzResourcesResponse,
+	AuthzScope,
+	AuthzScopesResponse,
+	AuthzPolicy,
+	AuthzPoliciesResponse,
+} from '../../types';
+
+export default function Permissions() {
+	const client = useClient();
+	const [permissions, setPermissions] = React.useState<AuthzPermission[]>([]);
+	const [allResources, setAllResources] = React.useState<AuthzResource[]>([]);
+	const [allScopes, setAllScopes] = React.useState<AuthzScope[]>([]);
+	const [allPolicies, setAllPolicies] = React.useState<AuthzPolicy[]>([]);
+	const [loading, setLoading] = React.useState(false);
+	const [dialogOpen, setDialogOpen] = React.useState(false);
+	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
+	const [editingPermission, setEditingPermission] =
+		React.useState<AuthzPermission | null>(null);
+	const [deletingPermission, setDeletingPermission] =
+		React.useState<AuthzPermission | null>(null);
+	const [formName, setFormName] = React.useState('');
+	const [formDescription, setFormDescription] = React.useState('');
+	const [formResourceId, setFormResourceId] = React.useState('');
+	const [formScopeIds, setFormScopeIds] = React.useState<string[]>([]);
+	const [formPolicyIds, setFormPolicyIds] = React.useState<string[]>([]);
+	const [formDecisionStrategy, setFormDecisionStrategy] =
+		React.useState('affirmative');
+	const [saving, setSaving] = React.useState(false);
+
+	const fetchPermissions = async () => {
+		setLoading(true);
+		const { data, error } = await client
+			.query<AuthzPermissionsResponse>(PermissionsQuery, {
+				params: { pagination: { limit: 100, page: 1 } },
+			})
+			.toPromise();
+		if (data?._permissions) {
+			setPermissions(data._permissions.permissions);
+		}
+		if (error) {
+			toast.error(
+				getGraphQLErrorMessage(error, 'Failed to load permissions'),
+			);
+		}
+		setLoading(false);
+	};
+
+	const fetchRelatedData = async () => {
+		const [resourcesRes, scopesRes, policiesRes] = await Promise.all([
+			client
+				.query<AuthzResourcesResponse>(ResourcesQuery, {
+					params: { pagination: { limit: 100, page: 1 } },
+				})
+				.toPromise(),
+			client
+				.query<AuthzScopesResponse>(ScopesQuery, {
+					params: { pagination: { limit: 100, page: 1 } },
+				})
+				.toPromise(),
+			client
+				.query<AuthzPoliciesResponse>(PoliciesQuery, {
+					params: { pagination: { limit: 100, page: 1 } },
+				})
+				.toPromise(),
+		]);
+		if (resourcesRes.data?._resources) {
+			setAllResources(resourcesRes.data._resources.resources);
+		}
+		if (scopesRes.data?._scopes) {
+			setAllScopes(scopesRes.data._scopes.scopes);
+		}
+		if (policiesRes.data?._policies) {
+			setAllPolicies(policiesRes.data._policies.policies);
+		}
+	};
+
+	React.useEffect(() => {
+		fetchPermissions();
+		fetchRelatedData();
+	}, []);
+
+	const openAddDialog = () => {
+		setEditingPermission(null);
+		setFormName('');
+		setFormDescription('');
+		setFormResourceId('');
+		setFormScopeIds([]);
+		setFormPolicyIds([]);
+		setFormDecisionStrategy('affirmative');
+		setDialogOpen(true);
+	};
+
+	const openEditDialog = (permission: AuthzPermission) => {
+		setEditingPermission(permission);
+		setFormName(permission.name);
+		setFormDescription(permission.description || '');
+		setFormResourceId(permission.resource.id);
+		setFormScopeIds(permission.scopes.map((s) => s.id));
+		setFormPolicyIds(permission.policies.map((p) => p.id));
+		setFormDecisionStrategy(permission.decision_strategy);
+		setDialogOpen(true);
+	};
+
+	const openDeleteDialog = (permission: AuthzPermission) => {
+		setDeletingPermission(permission);
+		setDeleteDialogOpen(true);
+	};
+
+	const toggleScopeId = (id: string) => {
+		setFormScopeIds((prev) =>
+			prev.includes(id) ? prev.filter((s) => s !== id) : [...prev, id],
+		);
+	};
+
+	const togglePolicyId = (id: string) => {
+		setFormPolicyIds((prev) =>
+			prev.includes(id) ? prev.filter((p) => p !== id) : [...prev, id],
+		);
+	};
+
+	const handleSave = async () => {
+		if (!formName.trim()) {
+			toast.error('Name is required');
+			return;
+		}
+		if (!formResourceId) {
+			toast.error('Resource is required');
+			return;
+		}
+		if (formScopeIds.length === 0) {
+			toast.error('At least one scope is required');
+			return;
+		}
+		if (formPolicyIds.length === 0) {
+			toast.error('At least one policy is required');
+			return;
+		}
+		setSaving(true);
+		if (editingPermission) {
+			const { error } = await client
+				.mutation(UpdatePermission, {
+					params: {
+						id: editingPermission.id,
+						name: formName,
+						description: formDescription || undefined,
+						scope_ids: formScopeIds,
+						policy_ids: formPolicyIds,
+						decision_strategy: formDecisionStrategy,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(
+					getGraphQLErrorMessage(error, 'Failed to update permission'),
+				);
+			} else {
+				toast.success('Permission updated');
+				setDialogOpen(false);
+				fetchPermissions();
+			}
+		} else {
+			const { error } = await client
+				.mutation(AddPermission, {
+					params: {
+						name: formName,
+						description: formDescription || undefined,
+						resource_id: formResourceId,
+						scope_ids: formScopeIds,
+						policy_ids: formPolicyIds,
+						decision_strategy: formDecisionStrategy,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(
+					getGraphQLErrorMessage(error, 'Failed to add permission'),
+				);
+			} else {
+				toast.success('Permission added');
+				setDialogOpen(false);
+				fetchPermissions();
+			}
+		}
+		setSaving(false);
+	};
+
+	const handleDelete = async () => {
+		if (!deletingPermission) return;
+		setSaving(true);
+		const { error } = await client
+			.mutation(DeletePermission, { id: deletingPermission.id })
+			.toPromise();
+		if (error) {
+			toast.error(
+				getGraphQLErrorMessage(error, 'Failed to delete permission'),
+			);
+		} else {
+			toast.success('Permission deleted');
+			setDeleteDialogOpen(false);
+			setDeletingPermission(null);
+			fetchPermissions();
+		}
+		setSaving(false);
+	};
+
+	// Build natural language summary
+	const buildSummary = (): string => {
+		const resource = allResources.find((r) => r.id === formResourceId);
+		const scopes = allScopes.filter((s) => formScopeIds.includes(s.id));
+		const policies = allPolicies.filter((p) => formPolicyIds.includes(p.id));
+		if (!resource || scopes.length === 0 || policies.length === 0) {
+			return 'Select a resource, scopes, and policies to see a summary.';
+		}
+		const scopeNames = scopes.map((s) => s.name).join(', ');
+		const policyNames = policies.map((p) => `${p.name} (${p.type})`).join(', ');
+		const strategy =
+			formDecisionStrategy === 'affirmative'
+				? 'any matching policy grants access'
+				: 'all policies must match';
+		return `Allow ${scopeNames} on "${resource.name}" when ${policyNames} — ${strategy}.`;
+	};
+
+	return (
+		<div>
+			<div className="flex items-center justify-between mb-4">
+				<div>
+					<h2 className="text-lg font-semibold text-gray-900">Permissions</h2>
+					<p className="text-sm text-gray-500">
+						Combine resources, scopes, and policies into permission rules.
+					</p>
+				</div>
+				<Button onClick={openAddDialog}>
+					<Plus className="h-4 w-4 mr-2" />
+					Add Permission
+				</Button>
+			</div>
+
+			{loading ? (
+				<div className="space-y-3">
+					{[1, 2, 3].map((i) => (
+						<Skeleton key={i} className="h-10 w-full" />
+					))}
+				</div>
+			) : permissions.length > 0 ? (
+				<Table>
+					<TableHeader>
+						<TableRow>
+							<TableHead>Name</TableHead>
+							<TableHead>Resource</TableHead>
+							<TableHead>Scopes</TableHead>
+							<TableHead>Policies</TableHead>
+							<TableHead>Strategy</TableHead>
+							<TableHead>Created</TableHead>
+							<TableHead className="w-[100px]">Actions</TableHead>
+						</TableRow>
+					</TableHeader>
+					<TableBody>
+						{permissions.map((perm) => (
+							<TableRow key={perm.id}>
+								<TableCell className="font-medium">{perm.name}</TableCell>
+								<TableCell>
+									<Badge>{perm.resource.name}</Badge>
+								</TableCell>
+								<TableCell>
+									<div className="flex flex-wrap gap-1">
+										{perm.scopes.map((s) => (
+											<Badge key={s.id} variant="secondary">
+												{s.name}
+											</Badge>
+										))}
+									</div>
+								</TableCell>
+								<TableCell>
+									<div className="flex flex-wrap gap-1">
+										{perm.policies.map((p) => (
+											<Badge
+												key={p.id}
+												variant={
+													p.type === 'role' ? 'default' : 'outline'
+												}
+											>
+												{p.name}
+											</Badge>
+										))}
+									</div>
+								</TableCell>
+								<TableCell className="text-sm">
+									{perm.decision_strategy === 'affirmative'
+										? 'Any match'
+										: 'All must match'}
+								</TableCell>
+								<TableCell className="text-sm">
+									{dayjs(perm.created_at * 1000).format('MMM DD, YYYY')}
+								</TableCell>
+								<TableCell>
+									<div className="flex gap-1">
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openEditDialog(perm)}
+										>
+											<Pencil className="h-4 w-4" />
+										</Button>
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openDeleteDialog(perm)}
+										>
+											<Trash2 className="h-4 w-4 text-red-500" />
+										</Button>
+									</div>
+								</TableCell>
+							</TableRow>
+						))}
+					</TableBody>
+				</Table>
+			) : (
+				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
+					<AlertCircle className="h-16 w-16 mb-2" />
+					<p className="text-2xl font-bold">No Permissions</p>
+					<p className="text-sm mt-1">
+						Create resources, scopes, and policies first, then combine them
+						into permissions.
+					</p>
+				</div>
+			)}
+
+			{/* Add/Edit Dialog */}
+			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
+				<DialogContent className="max-w-lg max-h-[90vh] overflow-y-auto">
+					<DialogHeader>
+						<DialogTitle>
+							{editingPermission ? 'Edit Permission' : 'Add Permission'}
+						</DialogTitle>
+						<DialogDescription>
+							{editingPermission
+								? 'Update the permission configuration.'
+								: 'Build a permission by combining resource, scopes, and policies.'}
+						</DialogDescription>
+					</DialogHeader>
+					<div className="space-y-4">
+						<div>
+							<Label htmlFor="perm-name">Name</Label>
+							<Input
+								id="perm-name"
+								placeholder="e.g. View Documents"
+								value={formName}
+								onChange={(e) => setFormName(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+						<div>
+							<Label htmlFor="perm-desc">Description</Label>
+							<Textarea
+								id="perm-desc"
+								placeholder="Optional description"
+								value={formDescription}
+								onChange={(e) => setFormDescription(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+
+						{/* Resource */}
+						<div>
+							<Label htmlFor="perm-resource">Resource</Label>
+							<Select
+								id="perm-resource"
+								value={formResourceId}
+								onChange={(e) => setFormResourceId(e.target.value)}
+								className="mt-1"
+								disabled={!!editingPermission}
+							>
+								<option value="">Select a resource...</option>
+								{allResources.map((r) => (
+									<option key={r.id} value={r.id}>
+										{r.name}
+									</option>
+								))}
+							</Select>
+						</div>
+
+						{/* Scopes - multi-select checkboxes */}
+						<div>
+							<Label>Scopes</Label>
+							<div className="mt-1 space-y-2 max-h-32 overflow-y-auto border rounded-md p-2">
+								{allScopes.length === 0 ? (
+									<p className="text-sm text-gray-400">
+										No scopes defined yet.
+									</p>
+								) : (
+									allScopes.map((scope) => (
+										<label
+											key={scope.id}
+											className="flex items-center gap-2 text-sm cursor-pointer"
+										>
+											<input
+												type="checkbox"
+												checked={formScopeIds.includes(scope.id)}
+												onChange={() => toggleScopeId(scope.id)}
+												className="rounded border-gray-300"
+											/>
+											<span>{scope.name}</span>
+											{scope.description && (
+												<span className="text-gray-400">
+													- {scope.description}
+												</span>
+											)}
+										</label>
+									))
+								)}
+							</div>
+						</div>
+
+						{/* Policies - multi-select checkboxes with type preview */}
+						<div>
+							<Label>Policies</Label>
+							<div className="mt-1 space-y-2 max-h-40 overflow-y-auto border rounded-md p-2">
+								{allPolicies.length === 0 ? (
+									<p className="text-sm text-gray-400">
+										No policies defined yet.
+									</p>
+								) : (
+									allPolicies.map((policy) => (
+										<label
+											key={policy.id}
+											className="flex items-center gap-2 text-sm cursor-pointer"
+										>
+											<input
+												type="checkbox"
+												checked={formPolicyIds.includes(policy.id)}
+												onChange={() => togglePolicyId(policy.id)}
+												className="rounded border-gray-300"
+											/>
+											<span>{policy.name}</span>
+											<Badge
+												variant={
+													policy.type === 'role' ? 'default' : 'secondary'
+												}
+												className="text-xs"
+											>
+												{policy.type}
+											</Badge>
+											<span className="text-gray-400 text-xs">
+												{policy.targets
+													.map((t) => t.target_value)
+													.join(', ')}
+											</span>
+										</label>
+									))
+								)}
+							</div>
+						</div>
+
+						{/* Decision strategy */}
+						<div>
+							<Label htmlFor="perm-strategy">Decision Strategy</Label>
+							<Select
+								id="perm-strategy"
+								value={formDecisionStrategy}
+								onChange={(e) => setFormDecisionStrategy(e.target.value)}
+								className="mt-1"
+							>
+								<option value="affirmative">Any match grants</option>
+								<option value="unanimous">All must match</option>
+							</Select>
+						</div>
+
+						{/* Natural language summary */}
+						<div className="rounded-md bg-blue-50 p-3 text-sm text-blue-800">
+							<strong>Summary: </strong>
+							{buildSummary()}
+						</div>
+					</div>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button onClick={handleSave} disabled={saving}>
+							{saving
+								? 'Saving...'
+								: editingPermission
+									? 'Update'
+									: 'Add'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+
+			{/* Delete Confirmation Dialog */}
+			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>Delete Permission</DialogTitle>
+						<DialogDescription>
+							Are you sure you want to delete{' '}
+							<strong>{deletingPermission?.name}</strong>? This action cannot be
+							undone.
+						</DialogDescription>
+					</DialogHeader>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDeleteDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button
+							variant="destructive"
+							onClick={handleDelete}
+							disabled={saving}
+						>
+							{saving ? 'Deleting...' : 'Delete'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+		</div>
+	);
+}
diff --git a/web/dashboard/src/pages/authorization/Policies.tsx b/web/dashboard/src/pages/authorization/Policies.tsx
new file mode 100644
index 00000000..8245e7f1
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Policies.tsx
@@ -0,0 +1,482 @@
+import React from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import dayjs from 'dayjs';
+import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
+import { PoliciesQuery } from '../../graphql/queries';
+import { AddPolicy, UpdatePolicy, DeletePolicy } from '../../graphql/mutation';
+import { getGraphQLErrorMessage } from '../../utils';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Textarea } from '../../components/ui/textarea';
+import { Label } from '../../components/ui/label';
+import { Badge } from '../../components/ui/badge';
+import { Skeleton } from '../../components/ui/skeleton';
+import { Select } from '../../components/ui/select';
+import { Switch } from '../../components/ui/switch';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogFooter,
+	DialogDescription,
+} from '../../components/ui/dialog';
+import {
+	Table,
+	TableHeader,
+	TableBody,
+	TableRow,
+	TableHead,
+	TableCell,
+} from '../../components/ui/table';
+import type { AuthzPolicy, AuthzPoliciesResponse } from '../../types';
+
+interface PolicyTarget {
+	target_type: string;
+	target_value: string;
+}
+
+export default function Policies() {
+	const client = useClient();
+	const [policies, setPolicies] = React.useState<AuthzPolicy[]>([]);
+	const [loading, setLoading] = React.useState(false);
+	const [dialogOpen, setDialogOpen] = React.useState(false);
+	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
+	const [editingPolicy, setEditingPolicy] = React.useState<AuthzPolicy | null>(
+		null,
+	);
+	const [deletingPolicy, setDeletingPolicy] =
+		React.useState<AuthzPolicy | null>(null);
+	const [formName, setFormName] = React.useState('');
+	const [formDescription, setFormDescription] = React.useState('');
+	const [formType, setFormType] = React.useState('role');
+	const [formLogic, setFormLogic] = React.useState('positive');
+	const [formDecisionStrategy, setFormDecisionStrategy] =
+		React.useState('affirmative');
+	const [formTargets, setFormTargets] = React.useState<PolicyTarget[]>([
+		{ target_type: 'role', target_value: '' },
+	]);
+	const [saving, setSaving] = React.useState(false);
+
+	const fetchPolicies = async () => {
+		setLoading(true);
+		const { data, error } = await client
+			.query<AuthzPoliciesResponse>(PoliciesQuery, {
+				params: { pagination: { limit: 100, page: 1 } },
+			})
+			.toPromise();
+		if (data?._policies) {
+			setPolicies(data._policies.policies);
+		}
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to load policies'));
+		}
+		setLoading(false);
+	};
+
+	React.useEffect(() => {
+		fetchPolicies();
+	}, []);
+
+	const openAddDialog = () => {
+		setEditingPolicy(null);
+		setFormName('');
+		setFormDescription('');
+		setFormType('role');
+		setFormLogic('positive');
+		setFormDecisionStrategy('affirmative');
+		setFormTargets([{ target_type: 'role', target_value: '' }]);
+		setDialogOpen(true);
+	};
+
+	const openEditDialog = (policy: AuthzPolicy) => {
+		setEditingPolicy(policy);
+		setFormName(policy.name);
+		setFormDescription(policy.description || '');
+		setFormType(policy.type);
+		setFormLogic(policy.logic);
+		setFormDecisionStrategy(policy.decision_strategy);
+		setFormTargets(
+			policy.targets.map((t) => ({
+				target_type: t.target_type,
+				target_value: t.target_value,
+			})),
+		);
+		setDialogOpen(true);
+	};
+
+	const openDeleteDialog = (policy: AuthzPolicy) => {
+		setDeletingPolicy(policy);
+		setDeleteDialogOpen(true);
+	};
+
+	const handleTypeChange = (newType: string) => {
+		setFormType(newType);
+		setFormTargets([{ target_type: newType, target_value: '' }]);
+	};
+
+	const addTarget = () => {
+		setFormTargets([
+			...formTargets,
+			{ target_type: formType, target_value: '' },
+		]);
+	};
+
+	const removeTarget = (index: number) => {
+		setFormTargets(formTargets.filter((_, i) => i !== index));
+	};
+
+	const updateTarget = (index: number, value: string) => {
+		const updated = [...formTargets];
+		updated[index] = { ...updated[index], target_value: value };
+		setFormTargets(updated);
+	};
+
+	const handleSave = async () => {
+		if (!formName.trim()) {
+			toast.error('Name is required');
+			return;
+		}
+		const validTargets = formTargets.filter(
+			(t) => t.target_value.trim() !== '',
+		);
+		if (validTargets.length === 0) {
+			toast.error('At least one target is required');
+			return;
+		}
+		setSaving(true);
+		if (editingPolicy) {
+			const { error } = await client
+				.mutation(UpdatePolicy, {
+					params: {
+						id: editingPolicy.id,
+						name: formName,
+						description: formDescription || undefined,
+						logic: formLogic,
+						decision_strategy: formDecisionStrategy,
+						targets: validTargets,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(getGraphQLErrorMessage(error, 'Failed to update policy'));
+			} else {
+				toast.success('Policy updated');
+				setDialogOpen(false);
+				fetchPolicies();
+			}
+		} else {
+			const { error } = await client
+				.mutation(AddPolicy, {
+					params: {
+						name: formName,
+						description: formDescription || undefined,
+						type: formType,
+						logic: formLogic,
+						decision_strategy: formDecisionStrategy,
+						targets: validTargets,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(getGraphQLErrorMessage(error, 'Failed to add policy'));
+			} else {
+				toast.success('Policy added');
+				setDialogOpen(false);
+				fetchPolicies();
+			}
+		}
+		setSaving(false);
+	};
+
+	const handleDelete = async () => {
+		if (!deletingPolicy) return;
+		setSaving(true);
+		const { error } = await client
+			.mutation(DeletePolicy, { id: deletingPolicy.id })
+			.toPromise();
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to delete policy'));
+		} else {
+			toast.success('Policy deleted');
+			setDeleteDialogOpen(false);
+			setDeletingPolicy(null);
+			fetchPolicies();
+		}
+		setSaving(false);
+	};
+
+	return (
+		<div>
+			<div className="flex items-center justify-between mb-4">
+				<div>
+					<h2 className="text-lg font-semibold text-gray-900">Policies</h2>
+					<p className="text-sm text-gray-500">
+						Define who gets access based on roles or specific users.
+					</p>
+				</div>
+				<Button onClick={openAddDialog}>
+					<Plus className="h-4 w-4 mr-2" />
+					Add Policy
+				</Button>
+			</div>
+
+			{loading ? (
+				<div className="space-y-3">
+					{[1, 2, 3].map((i) => (
+						<Skeleton key={i} className="h-10 w-full" />
+					))}
+				</div>
+			) : policies.length > 0 ? (
+				<Table>
+					<TableHeader>
+						<TableRow>
+							<TableHead>Name</TableHead>
+							<TableHead>Type</TableHead>
+							<TableHead>Targets</TableHead>
+							<TableHead>Logic</TableHead>
+							<TableHead>Strategy</TableHead>
+							<TableHead>Created</TableHead>
+							<TableHead className="w-[100px]">Actions</TableHead>
+						</TableRow>
+					</TableHeader>
+					<TableBody>
+						{policies.map((policy) => (
+							<TableRow key={policy.id}>
+								<TableCell className="font-medium">{policy.name}</TableCell>
+								<TableCell>
+									<Badge variant={policy.type === 'role' ? 'default' : 'secondary'}>
+										{policy.type}
+									</Badge>
+								</TableCell>
+								<TableCell className="text-sm text-gray-500 max-w-[200px] truncate">
+									{policy.targets
+										.map((t) => t.target_value)
+										.join(', ')}
+								</TableCell>
+								<TableCell>
+									<Badge
+										variant={
+											policy.logic === 'positive' ? 'success' : 'destructive'
+										}
+									>
+										{policy.logic === 'positive' ? 'Grant' : 'Deny'}
+									</Badge>
+								</TableCell>
+								<TableCell className="text-sm">
+									{policy.decision_strategy === 'affirmative'
+										? 'Any match'
+										: 'All must match'}
+								</TableCell>
+								<TableCell className="text-sm">
+									{dayjs(policy.created_at * 1000).format('MMM DD, YYYY')}
+								</TableCell>
+								<TableCell>
+									<div className="flex gap-1">
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openEditDialog(policy)}
+										>
+											<Pencil className="h-4 w-4" />
+										</Button>
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openDeleteDialog(policy)}
+										>
+											<Trash2 className="h-4 w-4 text-red-500" />
+										</Button>
+									</div>
+								</TableCell>
+							</TableRow>
+						))}
+					</TableBody>
+				</Table>
+			) : (
+				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
+					<AlertCircle className="h-16 w-16 mb-2" />
+					<p className="text-2xl font-bold">No Policies</p>
+					<p className="text-sm mt-1">
+						Add a policy to define access rules.
+					</p>
+				</div>
+			)}
+
+			{/* Add/Edit Dialog */}
+			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
+				<DialogContent className="max-w-lg max-h-[90vh] overflow-y-auto">
+					<DialogHeader>
+						<DialogTitle>
+							{editingPolicy ? 'Edit Policy' : 'Add Policy'}
+						</DialogTitle>
+						<DialogDescription>
+							{editingPolicy
+								? 'Update the policy configuration.'
+								: 'Create a new access policy.'}
+						</DialogDescription>
+					</DialogHeader>
+					<div className="space-y-4">
+						<div>
+							<Label htmlFor="policy-name">Name</Label>
+							<Input
+								id="policy-name"
+								placeholder="e.g. Admin Access, Editor Role"
+								value={formName}
+								onChange={(e) => setFormName(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+						<div>
+							<Label htmlFor="policy-desc">Description</Label>
+							<Textarea
+								id="policy-desc"
+								placeholder="Optional description"
+								value={formDescription}
+								onChange={(e) => setFormDescription(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+
+						{/* Type toggle */}
+						{!editingPolicy && (
+							<div>
+								<Label>Type</Label>
+								<div className="flex items-center gap-3 mt-1">
+									<span
+										className={`text-sm ${formType === 'role' ? 'font-semibold text-gray-900' : 'text-gray-500'}`}
+									>
+										Roles
+									</span>
+									<Switch
+										checked={formType === 'user'}
+										onCheckedChange={(checked) =>
+											handleTypeChange(checked ? 'user' : 'role')
+										}
+									/>
+									<span
+										className={`text-sm ${formType === 'user' ? 'font-semibold text-gray-900' : 'text-gray-500'}`}
+									>
+										Specific Users
+									</span>
+								</div>
+							</div>
+						)}
+
+						{/* Logic */}
+						<div>
+							<Label htmlFor="policy-logic">Logic</Label>
+							<Select
+								id="policy-logic"
+								value={formLogic}
+								onChange={(e) => setFormLogic(e.target.value)}
+								className="mt-1"
+							>
+								<option value="positive">Grant when matched</option>
+								<option value="negative">Deny when matched</option>
+							</Select>
+						</div>
+
+						{/* Decision strategy */}
+						<div>
+							<Label htmlFor="policy-strategy">Decision Strategy</Label>
+							<Select
+								id="policy-strategy"
+								value={formDecisionStrategy}
+								onChange={(e) => setFormDecisionStrategy(e.target.value)}
+								className="mt-1"
+							>
+								<option value="affirmative">Any match grants</option>
+								<option value="unanimous">All must match</option>
+							</Select>
+						</div>
+
+						{/* Targets */}
+						<div>
+							<Label>
+								{formType === 'role' ? 'Role Names' : 'User Identifiers'}
+							</Label>
+							<div className="space-y-2 mt-1">
+								{formTargets.map((target, index) => (
+									<div key={index} className="flex gap-2">
+										<Input
+											placeholder={
+												formType === 'role'
+													? 'e.g. admin, editor'
+													: 'e.g. user@example.com'
+											}
+											value={target.target_value}
+											onChange={(e) => updateTarget(index, e.target.value)}
+											className="flex-1"
+										/>
+										{formTargets.length > 1 && (
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => removeTarget(index)}
+											>
+												<Trash2 className="h-4 w-4 text-red-500" />
+											</Button>
+										)}
+									</div>
+								))}
+								<Button
+									variant="outline"
+									size="sm"
+									onClick={addTarget}
+									className="mt-1"
+								>
+									<Plus className="h-3 w-3 mr-1" />
+									Add {formType === 'role' ? 'Role' : 'User'}
+								</Button>
+							</div>
+						</div>
+					</div>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button onClick={handleSave} disabled={saving}>
+							{saving ? 'Saving...' : editingPolicy ? 'Update' : 'Add'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+
+			{/* Delete Confirmation Dialog */}
+			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>Delete Policy</DialogTitle>
+						<DialogDescription>
+							Are you sure you want to delete{' '}
+							<strong>{deletingPolicy?.name}</strong>? This action cannot be
+							undone.
+						</DialogDescription>
+					</DialogHeader>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDeleteDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button
+							variant="destructive"
+							onClick={handleDelete}
+							disabled={saving}
+						>
+							{saving ? 'Deleting...' : 'Delete'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+		</div>
+	);
+}
diff --git a/web/dashboard/src/pages/authorization/Resources.tsx b/web/dashboard/src/pages/authorization/Resources.tsx
new file mode 100644
index 00000000..fca20a12
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Resources.tsx
@@ -0,0 +1,307 @@
+import React from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import dayjs from 'dayjs';
+import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
+import { ResourcesQuery } from '../../graphql/queries';
+import {
+	AddResource,
+	UpdateResource,
+	DeleteResource,
+} from '../../graphql/mutation';
+import { getGraphQLErrorMessage } from '../../utils';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Textarea } from '../../components/ui/textarea';
+import { Label } from '../../components/ui/label';
+import { Skeleton } from '../../components/ui/skeleton';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogFooter,
+	DialogDescription,
+} from '../../components/ui/dialog';
+import {
+	Table,
+	TableHeader,
+	TableBody,
+	TableRow,
+	TableHead,
+	TableCell,
+} from '../../components/ui/table';
+import type { AuthzResource, AuthzResourcesResponse } from '../../types';
+
+export default function Resources() {
+	const client = useClient();
+	const [resources, setResources] = React.useState<AuthzResource[]>([]);
+	const [loading, setLoading] = React.useState(false);
+	const [dialogOpen, setDialogOpen] = React.useState(false);
+	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
+	const [editingResource, setEditingResource] =
+		React.useState<AuthzResource | null>(null);
+	const [deletingResource, setDeletingResource] =
+		React.useState<AuthzResource | null>(null);
+	const [formName, setFormName] = React.useState('');
+	const [formDescription, setFormDescription] = React.useState('');
+	const [saving, setSaving] = React.useState(false);
+
+	const fetchResources = async () => {
+		setLoading(true);
+		const { data, error } = await client
+			.query<AuthzResourcesResponse>(ResourcesQuery, {
+				params: { pagination: { limit: 100, page: 1 } },
+			})
+			.toPromise();
+		if (data?._resources) {
+			setResources(data._resources.resources);
+		}
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to load resources'));
+		}
+		setLoading(false);
+	};
+
+	React.useEffect(() => {
+		fetchResources();
+	}, []);
+
+	const openAddDialog = () => {
+		setEditingResource(null);
+		setFormName('');
+		setFormDescription('');
+		setDialogOpen(true);
+	};
+
+	const openEditDialog = (resource: AuthzResource) => {
+		setEditingResource(resource);
+		setFormName(resource.name);
+		setFormDescription(resource.description || '');
+		setDialogOpen(true);
+	};
+
+	const openDeleteDialog = (resource: AuthzResource) => {
+		setDeletingResource(resource);
+		setDeleteDialogOpen(true);
+	};
+
+	const handleSave = async () => {
+		if (!formName.trim()) {
+			toast.error('Name is required');
+			return;
+		}
+		setSaving(true);
+		if (editingResource) {
+			const { error } = await client
+				.mutation(UpdateResource, {
+					params: {
+						id: editingResource.id,
+						name: formName,
+						description: formDescription || undefined,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(
+					getGraphQLErrorMessage(error, 'Failed to update resource'),
+				);
+			} else {
+				toast.success('Resource updated');
+				setDialogOpen(false);
+				fetchResources();
+			}
+		} else {
+			const { error } = await client
+				.mutation(AddResource, {
+					params: {
+						name: formName,
+						description: formDescription || undefined,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(getGraphQLErrorMessage(error, 'Failed to add resource'));
+			} else {
+				toast.success('Resource added');
+				setDialogOpen(false);
+				fetchResources();
+			}
+		}
+		setSaving(false);
+	};
+
+	const handleDelete = async () => {
+		if (!deletingResource) return;
+		setSaving(true);
+		const { error } = await client
+			.mutation(DeleteResource, { id: deletingResource.id })
+			.toPromise();
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to delete resource'));
+		} else {
+			toast.success('Resource deleted');
+			setDeleteDialogOpen(false);
+			setDeletingResource(null);
+			fetchResources();
+		}
+		setSaving(false);
+	};
+
+	return (
+		<div>
+			<div className="flex items-center justify-between mb-4">
+				<div>
+					<h2 className="text-lg font-semibold text-gray-900">Resources</h2>
+					<p className="text-sm text-gray-500">
+						Define the resources to protect with fine-grained authorization.
+					</p>
+				</div>
+				<Button onClick={openAddDialog}>
+					<Plus className="h-4 w-4 mr-2" />
+					Add Resource
+				</Button>
+			</div>
+
+			{loading ? (
+				<div className="space-y-3">
+					{[1, 2, 3].map((i) => (
+						<Skeleton key={i} className="h-10 w-full" />
+					))}
+				</div>
+			) : resources.length > 0 ? (
+				<Table>
+					<TableHeader>
+						<TableRow>
+							<TableHead>Name</TableHead>
+							<TableHead>Description</TableHead>
+							<TableHead>Created</TableHead>
+							<TableHead className="w-[100px]">Actions</TableHead>
+						</TableRow>
+					</TableHeader>
+					<TableBody>
+						{resources.map((resource) => (
+							<TableRow key={resource.id}>
+								<TableCell className="font-medium">
+									{resource.name}
+								</TableCell>
+								<TableCell className="text-sm text-gray-500">
+									{resource.description || '-'}
+								</TableCell>
+								<TableCell className="text-sm">
+									{dayjs(resource.created_at * 1000).format('MMM DD, YYYY')}
+								</TableCell>
+								<TableCell>
+									<div className="flex gap-1">
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openEditDialog(resource)}
+										>
+											<Pencil className="h-4 w-4" />
+										</Button>
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openDeleteDialog(resource)}
+										>
+											<Trash2 className="h-4 w-4 text-red-500" />
+										</Button>
+									</div>
+								</TableCell>
+							</TableRow>
+						))}
+					</TableBody>
+				</Table>
+			) : (
+				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
+					<AlertCircle className="h-16 w-16 mb-2" />
+					<p className="text-2xl font-bold">No Resources</p>
+					<p className="text-sm mt-1">
+						Add a resource to get started with authorization.
+					</p>
+				</div>
+			)}
+
+			{/* Add/Edit Dialog */}
+			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>
+							{editingResource ? 'Edit Resource' : 'Add Resource'}
+						</DialogTitle>
+						<DialogDescription>
+							{editingResource
+								? 'Update the resource details.'
+								: 'Define a new resource to protect.'}
+						</DialogDescription>
+					</DialogHeader>
+					<div className="space-y-4">
+						<div>
+							<Label htmlFor="resource-name">Name</Label>
+							<Input
+								id="resource-name"
+								placeholder="e.g. documents, projects"
+								value={formName}
+								onChange={(e) => setFormName(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+						<div>
+							<Label htmlFor="resource-desc">Description</Label>
+							<Textarea
+								id="resource-desc"
+								placeholder="Optional description"
+								value={formDescription}
+								onChange={(e) => setFormDescription(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+					</div>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button onClick={handleSave} disabled={saving}>
+							{saving ? 'Saving...' : editingResource ? 'Update' : 'Add'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+
+			{/* Delete Confirmation Dialog */}
+			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>Delete Resource</DialogTitle>
+						<DialogDescription>
+							Are you sure you want to delete{' '}
+							<strong>{deletingResource?.name}</strong>? This action cannot be
+							undone.
+						</DialogDescription>
+					</DialogHeader>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDeleteDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button
+							variant="destructive"
+							onClick={handleDelete}
+							disabled={saving}
+						>
+							{saving ? 'Deleting...' : 'Delete'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+		</div>
+	);
+}
diff --git a/web/dashboard/src/pages/authorization/Scopes.tsx b/web/dashboard/src/pages/authorization/Scopes.tsx
new file mode 100644
index 00000000..c998b800
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Scopes.tsx
@@ -0,0 +1,301 @@
+import React from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import dayjs from 'dayjs';
+import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
+import { ScopesQuery } from '../../graphql/queries';
+import { AddScope, UpdateScope, DeleteScope } from '../../graphql/mutation';
+import { getGraphQLErrorMessage } from '../../utils';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Textarea } from '../../components/ui/textarea';
+import { Label } from '../../components/ui/label';
+import { Skeleton } from '../../components/ui/skeleton';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogFooter,
+	DialogDescription,
+} from '../../components/ui/dialog';
+import {
+	Table,
+	TableHeader,
+	TableBody,
+	TableRow,
+	TableHead,
+	TableCell,
+} from '../../components/ui/table';
+import type { AuthzScope, AuthzScopesResponse } from '../../types';
+
+export default function Scopes() {
+	const client = useClient();
+	const [scopes, setScopes] = React.useState<AuthzScope[]>([]);
+	const [loading, setLoading] = React.useState(false);
+	const [dialogOpen, setDialogOpen] = React.useState(false);
+	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
+	const [editingScope, setEditingScope] = React.useState<AuthzScope | null>(
+		null,
+	);
+	const [deletingScope, setDeletingScope] = React.useState<AuthzScope | null>(
+		null,
+	);
+	const [formName, setFormName] = React.useState('');
+	const [formDescription, setFormDescription] = React.useState('');
+	const [saving, setSaving] = React.useState(false);
+
+	const fetchScopes = async () => {
+		setLoading(true);
+		const { data, error } = await client
+			.query<AuthzScopesResponse>(ScopesQuery, {
+				params: { pagination: { limit: 100, page: 1 } },
+			})
+			.toPromise();
+		if (data?._scopes) {
+			setScopes(data._scopes.scopes);
+		}
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to load scopes'));
+		}
+		setLoading(false);
+	};
+
+	React.useEffect(() => {
+		fetchScopes();
+	}, []);
+
+	const openAddDialog = () => {
+		setEditingScope(null);
+		setFormName('');
+		setFormDescription('');
+		setDialogOpen(true);
+	};
+
+	const openEditDialog = (scope: AuthzScope) => {
+		setEditingScope(scope);
+		setFormName(scope.name);
+		setFormDescription(scope.description || '');
+		setDialogOpen(true);
+	};
+
+	const openDeleteDialog = (scope: AuthzScope) => {
+		setDeletingScope(scope);
+		setDeleteDialogOpen(true);
+	};
+
+	const handleSave = async () => {
+		if (!formName.trim()) {
+			toast.error('Name is required');
+			return;
+		}
+		setSaving(true);
+		if (editingScope) {
+			const { error } = await client
+				.mutation(UpdateScope, {
+					params: {
+						id: editingScope.id,
+						name: formName,
+						description: formDescription || undefined,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(getGraphQLErrorMessage(error, 'Failed to update scope'));
+			} else {
+				toast.success('Scope updated');
+				setDialogOpen(false);
+				fetchScopes();
+			}
+		} else {
+			const { error } = await client
+				.mutation(AddScope, {
+					params: {
+						name: formName,
+						description: formDescription || undefined,
+					},
+				})
+				.toPromise();
+			if (error) {
+				toast.error(getGraphQLErrorMessage(error, 'Failed to add scope'));
+			} else {
+				toast.success('Scope added');
+				setDialogOpen(false);
+				fetchScopes();
+			}
+		}
+		setSaving(false);
+	};
+
+	const handleDelete = async () => {
+		if (!deletingScope) return;
+		setSaving(true);
+		const { error } = await client
+			.mutation(DeleteScope, { id: deletingScope.id })
+			.toPromise();
+		if (error) {
+			toast.error(getGraphQLErrorMessage(error, 'Failed to delete scope'));
+		} else {
+			toast.success('Scope deleted');
+			setDeleteDialogOpen(false);
+			setDeletingScope(null);
+			fetchScopes();
+		}
+		setSaving(false);
+	};
+
+	return (
+		<div>
+			<div className="flex items-center justify-between mb-4">
+				<div>
+					<h2 className="text-lg font-semibold text-gray-900">Scopes</h2>
+					<p className="text-sm text-gray-500">
+						Define the actions or operations that can be performed on resources.
+					</p>
+				</div>
+				<Button onClick={openAddDialog}>
+					<Plus className="h-4 w-4 mr-2" />
+					Add Scope
+				</Button>
+			</div>
+
+			{loading ? (
+				<div className="space-y-3">
+					{[1, 2, 3].map((i) => (
+						<Skeleton key={i} className="h-10 w-full" />
+					))}
+				</div>
+			) : scopes.length > 0 ? (
+				<Table>
+					<TableHeader>
+						<TableRow>
+							<TableHead>Name</TableHead>
+							<TableHead>Description</TableHead>
+							<TableHead>Created</TableHead>
+							<TableHead className="w-[100px]">Actions</TableHead>
+						</TableRow>
+					</TableHeader>
+					<TableBody>
+						{scopes.map((scope) => (
+							<TableRow key={scope.id}>
+								<TableCell className="font-medium">{scope.name}</TableCell>
+								<TableCell className="text-sm text-gray-500">
+									{scope.description || '-'}
+								</TableCell>
+								<TableCell className="text-sm">
+									{dayjs(scope.created_at * 1000).format('MMM DD, YYYY')}
+								</TableCell>
+								<TableCell>
+									<div className="flex gap-1">
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openEditDialog(scope)}
+										>
+											<Pencil className="h-4 w-4" />
+										</Button>
+										<Button
+											variant="ghost"
+											size="icon"
+											onClick={() => openDeleteDialog(scope)}
+										>
+											<Trash2 className="h-4 w-4 text-red-500" />
+										</Button>
+									</div>
+								</TableCell>
+							</TableRow>
+						))}
+					</TableBody>
+				</Table>
+			) : (
+				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
+					<AlertCircle className="h-16 w-16 mb-2" />
+					<p className="text-2xl font-bold">No Scopes</p>
+					<p className="text-sm mt-1">
+						Add a scope to define actions on your resources.
+					</p>
+				</div>
+			)}
+
+			{/* Add/Edit Dialog */}
+			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>
+							{editingScope ? 'Edit Scope' : 'Add Scope'}
+						</DialogTitle>
+						<DialogDescription>
+							{editingScope
+								? 'Update the scope details.'
+								: 'Define a new scope (action) for authorization.'}
+						</DialogDescription>
+					</DialogHeader>
+					<div className="space-y-4">
+						<div>
+							<Label htmlFor="scope-name">Name</Label>
+							<Input
+								id="scope-name"
+								placeholder="e.g. read, write, delete"
+								value={formName}
+								onChange={(e) => setFormName(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+						<div>
+							<Label htmlFor="scope-desc">Description</Label>
+							<Textarea
+								id="scope-desc"
+								placeholder="Optional description"
+								value={formDescription}
+								onChange={(e) => setFormDescription(e.target.value)}
+								className="mt-1"
+							/>
+						</div>
+					</div>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button onClick={handleSave} disabled={saving}>
+							{saving ? 'Saving...' : editingScope ? 'Update' : 'Add'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+
+			{/* Delete Confirmation Dialog */}
+			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>Delete Scope</DialogTitle>
+						<DialogDescription>
+							Are you sure you want to delete{' '}
+							<strong>{deletingScope?.name}</strong>? This action cannot be
+							undone.
+						</DialogDescription>
+					</DialogHeader>
+					<DialogFooter>
+						<Button
+							variant="outline"
+							onClick={() => setDeleteDialogOpen(false)}
+							disabled={saving}
+						>
+							Cancel
+						</Button>
+						<Button
+							variant="destructive"
+							onClick={handleDelete}
+							disabled={saving}
+						>
+							{saving ? 'Deleting...' : 'Delete'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+		</div>
+	);
+}
diff --git a/web/dashboard/src/routes/index.tsx b/web/dashboard/src/routes/index.tsx
index 4116986f..6b1da1e4 100644
--- a/web/dashboard/src/routes/index.tsx
+++ b/web/dashboard/src/routes/index.tsx
@@ -10,6 +10,7 @@ const Users = lazy(() => import('../pages/Users'));
 const Webhooks = lazy(() => import('../pages/Webhooks'));
 const EmailTemplates = lazy(() => import('../pages/EmailTemplates'));
 const AuditLogs = lazy(() => import('../pages/AuditLogs'));
+const Authorization = lazy(() => import('../pages/Authorization'));
 
 export const AppRoutes = () => {
 	const { isLoggedIn } = useAuthContext();
@@ -31,6 +32,7 @@ export const AppRoutes = () => {
 							<Route path="webhooks" element={<Webhooks />} />
 							<Route path="email-templates" element={<EmailTemplates />} />
 							<Route path="audit-logs" element={<AuditLogs />} />
+							<Route path="authorization/*" element={<Authorization />} />
 							<Route path="*" element={<Overview />} />
 						</Route>
 					</Routes>
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 0974ec22..25113ad7 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -120,3 +120,86 @@ export interface AdminSessionResponse {
 		message: string;
 	};
 }
+
+// Authorization types
+
+export interface AuthzResource {
+	id: string;
+	name: string;
+	description?: string;
+	created_at: number;
+	updated_at: number;
+}
+
+export interface AuthzScope {
+	id: string;
+	name: string;
+	description?: string;
+	created_at: number;
+	updated_at: number;
+}
+
+export interface AuthzPolicyTarget {
+	id: string;
+	target_type: string;
+	target_value: string;
+}
+
+export interface AuthzPolicy {
+	id: string;
+	name: string;
+	description?: string;
+	type: string;
+	logic: string;
+	decision_strategy: string;
+	targets: AuthzPolicyTarget[];
+	created_at: number;
+	updated_at: number;
+}
+
+export interface AuthzPermission {
+	id: string;
+	name: string;
+	description?: string;
+	resource: AuthzResource;
+	scopes: AuthzScope[];
+	policies: AuthzPolicy[];
+	decision_strategy: string;
+	created_at: number;
+	updated_at: number;
+}
+
+export interface AuthzResourcesResponse {
+	_resources: {
+		pagination: PaginationInfo;
+		resources: AuthzResource[];
+	};
+}
+
+export interface AuthzScopesResponse {
+	_scopes: {
+		pagination: PaginationInfo;
+		scopes: AuthzScope[];
+	};
+}
+
+export interface AuthzPoliciesResponse {
+	_policies: {
+		pagination: PaginationInfo;
+		policies: AuthzPolicy[];
+	};
+}
+
+export interface AuthzPermissionsResponse {
+	_permissions: {
+		pagination: PaginationInfo;
+		permissions: AuthzPermission[];
+	};
+}
+
+export interface CheckPermissionResponse {
+	check_permission: {
+		allowed: boolean;
+		matched_policy?: string;
+	};
+}

From fdc2b4787df7fab8e6ed88ac02440a65c2abdf9a Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 14:51:10 +0530
Subject: [PATCH 14/26] fix(authz): address security audit findings (H-1, H-2,
 C-2, C-3, M-3)

- H-1: Make cache invalidation synchronous (remove goroutine) to prevent
  stale authorization decisions after policy changes
- H-2: Add allowlist validation for policy type, logic, and decision
  strategy in add/update handlers -- prevents silent permission escalation
  from typos
- C-2: Fix evaluateRoleTargets unanimous strategy returning true when no
  role targets exist (empty-target bypass)
- C-3: Fix DeletePolicy handler ordering -- storage provider now handles
  cascade deletion, preventing data loss on referential integrity failure
- M-3: Add name format validation (alphanumeric, hyphens, underscores,
  max 100 chars) in resource/scope/policy/permission add/update handlers
---
 internal/authorization/evaluator.go   |  4 +++-
 internal/graphql/add_permission.go    | 14 +++++++++++++-
 internal/graphql/add_policy.go        | 21 ++++++++++++++++++++-
 internal/graphql/add_resource.go      | 11 ++++++++++-
 internal/graphql/add_scope.go         | 11 ++++++++++-
 internal/graphql/delete_permission.go |  2 +-
 internal/graphql/delete_policy.go     | 11 +++--------
 internal/graphql/delete_resource.go   |  2 +-
 internal/graphql/delete_scope.go      |  2 +-
 internal/graphql/update_permission.go | 17 +++++++++++++++--
 internal/graphql/update_policy.go     | 23 ++++++++++++++++++++---
 internal/graphql/update_resource.go   | 11 ++++++++++-
 internal/graphql/update_scope.go      | 11 ++++++++++-
 13 files changed, 117 insertions(+), 23 deletions(-)

diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
index 7b2fac34..c3b65814 100644
--- a/internal/authorization/evaluator.go
+++ b/internal/authorization/evaluator.go
@@ -200,15 +200,17 @@ func evaluateRoleTargets(targets []schemas.PolicyTargetView, roles []string, str
 	switch strategy {
 	case constants.DecisionStrategyUnanimous:
 		// All role targets must be present in the principal's roles.
+		evaluated := false
 		for _, t := range targets {
 			if t.TargetType != constants.TargetTypeRole {
 				continue
 			}
+			evaluated = true
 			if _, ok := roleSet[t.TargetValue]; !ok {
 				return false
 			}
 		}
-		return true
+		return evaluated // false if no role targets existed
 	default:
 		// Affirmative (default): any role target match is sufficient.
 		for _, t := range targets {
diff --git a/internal/graphql/add_permission.go b/internal/graphql/add_permission.go
index 71de28fe..fb00385f 100644
--- a/internal/graphql/add_permission.go
+++ b/internal/graphql/add_permission.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -29,6 +30,14 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 	if name == "" {
 		return nil, fmt.Errorf("permission name is required")
 	}
+	if len(name) > 100 {
+		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	}
+	for _, r := range name {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+		}
+	}
 
 	if strings.TrimSpace(params.ResourceID) == "" {
 		return nil, fmt.Errorf("resource_id is required")
@@ -51,6 +60,9 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 	if params.DecisionStrategy != nil {
 		decisionStrategy = *params.DecisionStrategy
 	}
+	if decisionStrategy != "affirmative" && decisionStrategy != "unanimous" {
+		return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+	}
 
 	// Verify resource exists
 	resource, err := g.StorageProvider.GetResourceByID(ctx, params.ResourceID)
@@ -113,7 +125,7 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
 }
diff --git a/internal/graphql/add_policy.go b/internal/graphql/add_policy.go
index 9cb60e81..c9868c96 100644
--- a/internal/graphql/add_policy.go
+++ b/internal/graphql/add_policy.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -28,11 +29,23 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 	if name == "" {
 		return nil, fmt.Errorf("policy name is required")
 	}
+	if len(name) > 100 {
+		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	}
+	for _, r := range name {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+		}
+	}
 
 	policyType := strings.TrimSpace(params.Type)
 	if policyType == "" {
 		return nil, fmt.Errorf("policy type is required")
 	}
+	validPolicyTypes := map[string]bool{"role": true, "user": true}
+	if !validPolicyTypes[policyType] {
+		return nil, fmt.Errorf("invalid policy type: must be 'role' or 'user'")
+	}
 
 	description := ""
 	if params.Description != nil {
@@ -43,11 +56,17 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 	if params.Logic != nil {
 		logic = *params.Logic
 	}
+	if logic != "positive" && logic != "negative" {
+		return nil, fmt.Errorf("invalid policy logic: must be 'positive' or 'negative'")
+	}
 
 	decisionStrategy := "affirmative"
 	if params.DecisionStrategy != nil {
 		decisionStrategy = *params.DecisionStrategy
 	}
+	if decisionStrategy != "affirmative" && decisionStrategy != "unanimous" {
+		return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+	}
 
 	policy, err := g.StorageProvider.AddPolicy(ctx, &schemas.Policy{
 		Name:             name,
@@ -76,7 +95,7 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 		targets = append(targets, target)
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return policy.AsAPIPolicy(targets), nil
 }
diff --git a/internal/graphql/add_resource.go b/internal/graphql/add_resource.go
index e76526b7..3894f039 100644
--- a/internal/graphql/add_resource.go
+++ b/internal/graphql/add_resource.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -28,6 +29,14 @@ func (g *graphqlProvider) AddResource(ctx context.Context, params *model.AddReso
 	if name == "" {
 		return nil, fmt.Errorf("resource name is required")
 	}
+	if len(name) > 100 {
+		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	}
+	for _, r := range name {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+		}
+	}
 
 	description := ""
 	if params.Description != nil {
@@ -43,7 +52,7 @@ func (g *graphqlProvider) AddResource(ctx context.Context, params *model.AddReso
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return resource.AsAPIResource(), nil
 }
diff --git a/internal/graphql/add_scope.go b/internal/graphql/add_scope.go
index f8bca98c..9cffcdd8 100644
--- a/internal/graphql/add_scope.go
+++ b/internal/graphql/add_scope.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -28,6 +29,14 @@ func (g *graphqlProvider) AddScope(ctx context.Context, params *model.AddScopeIn
 	if name == "" {
 		return nil, fmt.Errorf("scope name is required")
 	}
+	if len(name) > 100 {
+		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	}
+	for _, r := range name {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+		}
+	}
 
 	description := ""
 	if params.Description != nil {
@@ -43,7 +52,7 @@ func (g *graphqlProvider) AddScope(ctx context.Context, params *model.AddScopeIn
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return scope.AsAPIScope(), nil
 }
diff --git a/internal/graphql/delete_permission.go b/internal/graphql/delete_permission.go
index d6548aa5..4f4e6300 100644
--- a/internal/graphql/delete_permission.go
+++ b/internal/graphql/delete_permission.go
@@ -46,7 +46,7 @@ func (g *graphqlProvider) DeletePermission(ctx context.Context, id string) (*mod
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return &model.Response{
 		Message: "Permission deleted successfully",
diff --git a/internal/graphql/delete_policy.go b/internal/graphql/delete_policy.go
index ccd46df0..2c1778f0 100644
--- a/internal/graphql/delete_policy.go
+++ b/internal/graphql/delete_policy.go
@@ -27,20 +27,15 @@ func (g *graphqlProvider) DeletePolicy(ctx context.Context, id string) (*model.R
 		return nil, fmt.Errorf("policy ID is required")
 	}
 
-	// Delete targets first
-	err = g.StorageProvider.DeletePolicyTargetsByPolicyID(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete policy targets")
-		return nil, err
-	}
-
+	// DeletePolicy checks referential integrity (permission_policy refs) and
+	// cascade-deletes policy targets internally.
 	err = g.StorageProvider.DeletePolicy(ctx, id)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to delete policy")
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return &model.Response{
 		Message: "Policy deleted successfully",
diff --git a/internal/graphql/delete_resource.go b/internal/graphql/delete_resource.go
index b982d0a7..039695cc 100644
--- a/internal/graphql/delete_resource.go
+++ b/internal/graphql/delete_resource.go
@@ -33,7 +33,7 @@ func (g *graphqlProvider) DeleteResource(ctx context.Context, id string) (*model
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return &model.Response{
 		Message: "Resource deleted successfully",
diff --git a/internal/graphql/delete_scope.go b/internal/graphql/delete_scope.go
index 0d224d03..df4b1e36 100644
--- a/internal/graphql/delete_scope.go
+++ b/internal/graphql/delete_scope.go
@@ -33,7 +33,7 @@ func (g *graphqlProvider) DeleteScope(ctx context.Context, id string) (*model.Re
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return &model.Response{
 		Message: "Scope deleted successfully",
diff --git a/internal/graphql/update_permission.go b/internal/graphql/update_permission.go
index d00fe0f2..4fb76622 100644
--- a/internal/graphql/update_permission.go
+++ b/internal/graphql/update_permission.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -39,13 +40,25 @@ func (g *graphqlProvider) UpdatePermission(ctx context.Context, params *model.Up
 		if name == "" {
 			return nil, fmt.Errorf("permission name cannot be empty")
 		}
+		if len(name) > 100 {
+			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		}
+		for _, r := range name {
+			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+			}
+		}
 		permission.Name = name
 	}
 	if params.Description != nil {
 		permission.Description = *params.Description
 	}
 	if params.DecisionStrategy != nil {
-		permission.DecisionStrategy = *params.DecisionStrategy
+		ds := *params.DecisionStrategy
+		if ds != "affirmative" && ds != "unanimous" {
+			return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+		}
+		permission.DecisionStrategy = ds
 	}
 
 	permission, err = g.StorageProvider.UpdatePermission(ctx, permission)
@@ -111,7 +124,7 @@ func (g *graphqlProvider) UpdatePermission(ctx context.Context, params *model.Up
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
 }
diff --git a/internal/graphql/update_policy.go b/internal/graphql/update_policy.go
index 2b8ff195..6116cff0 100644
--- a/internal/graphql/update_policy.go
+++ b/internal/graphql/update_policy.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
@@ -39,16 +40,32 @@ func (g *graphqlProvider) UpdatePolicy(ctx context.Context, params *model.Update
 		if name == "" {
 			return nil, fmt.Errorf("policy name cannot be empty")
 		}
+		if len(name) > 100 {
+			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		}
+		for _, r := range name {
+			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+			}
+		}
 		policy.Name = name
 	}
 	if params.Description != nil {
 		policy.Description = *params.Description
 	}
 	if params.Logic != nil {
-		policy.Logic = *params.Logic
+		logic := *params.Logic
+		if logic != "positive" && logic != "negative" {
+			return nil, fmt.Errorf("invalid policy logic: must be 'positive' or 'negative'")
+		}
+		policy.Logic = logic
 	}
 	if params.DecisionStrategy != nil {
-		policy.DecisionStrategy = *params.DecisionStrategy
+		ds := *params.DecisionStrategy
+		if ds != "affirmative" && ds != "unanimous" {
+			return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+		}
+		policy.DecisionStrategy = ds
 	}
 
 	policy, err = g.StorageProvider.UpdatePolicy(ctx, policy)
@@ -85,7 +102,7 @@ func (g *graphqlProvider) UpdatePolicy(ctx context.Context, params *model.Update
 		}
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return policy.AsAPIPolicy(targets), nil
 }
diff --git a/internal/graphql/update_resource.go b/internal/graphql/update_resource.go
index 885cb825..5e40b05f 100644
--- a/internal/graphql/update_resource.go
+++ b/internal/graphql/update_resource.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -38,6 +39,14 @@ func (g *graphqlProvider) UpdateResource(ctx context.Context, params *model.Upda
 		if name == "" {
 			return nil, fmt.Errorf("resource name cannot be empty")
 		}
+		if len(name) > 100 {
+			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		}
+		for _, r := range name {
+			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+			}
+		}
 		resource.Name = name
 	}
 	if params.Description != nil {
@@ -50,7 +59,7 @@ func (g *graphqlProvider) UpdateResource(ctx context.Context, params *model.Upda
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return resource.AsAPIResource(), nil
 }
diff --git a/internal/graphql/update_scope.go b/internal/graphql/update_scope.go
index d681b6e9..d7472025 100644
--- a/internal/graphql/update_scope.go
+++ b/internal/graphql/update_scope.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode"
 
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -38,6 +39,14 @@ func (g *graphqlProvider) UpdateScope(ctx context.Context, params *model.UpdateS
 		if name == "" {
 			return nil, fmt.Errorf("scope name cannot be empty")
 		}
+		if len(name) > 100 {
+			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		}
+		for _, r := range name {
+			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
+				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
+			}
+		}
 		scope.Name = name
 	}
 	if params.Description != nil {
@@ -50,7 +59,7 @@ func (g *graphqlProvider) UpdateScope(ctx context.Context, params *model.UpdateS
 		return nil, err
 	}
 
-	go g.AuthorizationProvider.InvalidateCache(ctx, "authz:")
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
 
 	return scope.AsAPIScope(), nil
 }

From 8eda5d0d4efc14fe4972596cf5f42558f5a417ce Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 14 Apr 2026 16:22:04 +0530
Subject: [PATCH 15/26] chore(deps): upgrade pgx v5.5.4->v5.9.1, gorm postgres
 v1.5.4->v1.6.0

Upgrade to latest available versions to address CVE-2026-33816 and
CVE-2026-33815 in pgx. Note: both CVEs have no upstream fix yet
(Fixed in: N/A) but govulncheck confirms the affected symbols
(Backend.Receive, FunctionCall.Decode, Bind.Decode) are not called
by Authorizer code. Also upgrades gorm v1.25.5->v1.25.10.
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index fe6714c4..a254cecd 100644
--- a/go.mod
+++ b/go.mod
@@ -37,9 +37,9 @@ require (
 	golang.org/x/time v0.15.0
 	gopkg.in/mail.v2 v2.3.1
 	gorm.io/driver/mysql v1.5.2
-	gorm.io/driver/postgres v1.5.4
+	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlserver v1.5.2
-	gorm.io/gorm v1.25.5
+	gorm.io/gorm v1.25.10
 )
 
 require (
@@ -88,8 +88,8 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.5.4 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgx/v5 v5.9.1 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
diff --git a/go.sum b/go.sum
index 53c54f41..2218e45c 100644
--- a/go.sum
+++ b/go.sum
@@ -210,10 +210,10 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.4 h1:Xp2aQS8uXButQdnCMWNmvx6UysWQQC+u1EoizjguY+8=
-github.com/jackc/pgx/v5 v5.5.4/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
+github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
 github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
@@ -481,14 +481,14 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/mysql v1.5.2 h1:QC2HRskSE75wBuOxe0+iCkyJZ+RqpudsQtqkp+IMuXs=
 gorm.io/driver/mysql v1.5.2/go.mod h1:pQLhh1Ut/WUAySdTHwBpBv6+JKcj+ua4ZFx1QQTBzb8=
-gorm.io/driver/postgres v1.5.4 h1:Iyrp9Meh3GmbSuyIAGyjkN+n9K+GHX9b9MqsTL4EJCo=
-gorm.io/driver/postgres v1.5.4/go.mod h1:Bgo89+h0CRcdA33Y6frlaHHVuTdOf87pmyzwW9C/BH0=
+gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
+gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
 gorm.io/driver/sqlserver v1.5.2 h1:+o4RQ8w1ohPbADhFqDxeeZnSWjwOcBnxBckjTbcP4wk=
 gorm.io/driver/sqlserver v1.5.2/go.mod h1:gaKF0MO0cfTq9Q3/XhkowSw4g6nIwHPGAs4hzKCmvBo=
 gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
 gorm.io/gorm v1.25.2-0.20230610234218-206613868439/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
-gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
+gorm.io/gorm v1.25.10 h1:dQpO+33KalOA+aFYGlK+EfxcI5MbO7EP2yYygwh9h+s=
+gorm.io/gorm v1.25.10/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
 modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=

From 1967da25235d18950caa603db9ccc6b2abcc5914 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 14:57:31 +0530
Subject: [PATCH 16/26] feat(authz): add Prometheus metrics for check outcomes,
 unmatched checks, and latency

---
 internal/integration_tests/metrics_test.go | 30 ++++++++++++
 internal/metrics/metrics.go                | 57 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)

diff --git a/internal/integration_tests/metrics_test.go b/internal/integration_tests/metrics_test.go
index 2f83a8ad..7a297abf 100644
--- a/internal/integration_tests/metrics_test.go
+++ b/internal/integration_tests/metrics_test.go
@@ -300,6 +300,36 @@ func TestRecordAuthEventHelpers(t *testing.T) {
 	})
 }
 
+// TestMetrics_AuthzCollectorsRegistered verifies the FGA authz collectors
+// (checks total, unmatched total, and check duration histogram) are registered
+// with the default Prometheus registry and appear in the scrape output once
+// incremented. It also asserts the low-cardinality label values are exactly
+// the package constants.
+func TestMetrics_AuthzCollectorsRegistered(t *testing.T) {
+	cfg := getTestConfig()
+	ts := initTestSetup(t, cfg)
+
+	router := gin.New()
+	router.GET("/metrics", ts.HttpProvider.MetricsHandler())
+
+	// Bump each collector once so it appears in scrape output.
+	metrics.RecordAuthzCheck(metrics.AuthzModePermissive, metrics.AuthzResultUnmatchedAllowed)
+	metrics.RecordAuthzUnmatched(metrics.AuthzModePermissive)
+	metrics.AuthzCheckDuration.Observe(0.001)
+
+	w := httptest.NewRecorder()
+	req, err := http.NewRequest(http.MethodGet, "/metrics", nil)
+	require.NoError(t, err)
+	router.ServeHTTP(w, req)
+
+	body := w.Body.String()
+	require.Contains(t, body, "authorizer_authz_checks_total")
+	require.Contains(t, body, "authorizer_authz_unmatched_total")
+	require.Contains(t, body, "authorizer_authz_check_duration_seconds")
+	require.Contains(t, body, `mode="permissive"`)
+	require.Contains(t, body, `result="unmatched_allowed"`)
+}
+
 // TestAdminLoginMetrics verifies admin login records metrics.
 func TestAdminLoginMetrics(t *testing.T) {
 	cfg := getTestConfig()
diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
index 56e6e9c3..3177ca7f 100644
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -35,6 +35,21 @@ const (
 	StatusFailure = "failure"
 )
 
+// Authorization enforcement modes, used as the `mode` label on authz metrics.
+const (
+	AuthzModePermissive = "permissive"
+	AuthzModeEnforcing  = "enforcing"
+)
+
+// Authorization check result labels.
+const (
+	AuthzResultAllowed          = "allowed"           // matched policy, granted
+	AuthzResultDenied           = "denied"            // matched policy, denied
+	AuthzResultUnmatchedAllowed = "unmatched_allowed" // permissive fallthrough
+	AuthzResultUnmatchedDenied  = "unmatched_denied"  // enforcing fallthrough
+	AuthzResultError            = "error"             // validation / storage error
+)
+
 var (
 	// HTTPRequestsTotal is the total number of HTTP requests received.
 	HTTPRequestsTotal = prometheus.NewCounterVec(
@@ -129,6 +144,33 @@ var (
 			Help: "Total requests that omitted X-Authorizer-Client-ID (allowed for some routes)",
 		},
 	)
+
+	// AuthzChecksTotal counts every CheckPermission call, labelled by mode and result.
+	AuthzChecksTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "authorizer_authz_checks_total",
+			Help: "Total fine-grained authorization checks. mode=permissive|enforcing. result=allowed|denied|unmatched_allowed|unmatched_denied|error",
+		},
+		[]string{"mode", "result"},
+	)
+
+	// AuthzUnmatchedTotal counts checks that found no matching permission. Primary rollout signal.
+	AuthzUnmatchedTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "authorizer_authz_unmatched_total",
+			Help: "Total CheckPermission calls where no permission matched the (resource, scope). Watch this trend to zero before flipping mode to enforcing.",
+		},
+		[]string{"mode"},
+	)
+
+	// AuthzCheckDuration measures end-to-end CheckPermission latency.
+	AuthzCheckDuration = prometheus.NewHistogram(
+		prometheus.HistogramOpts{
+			Name:    "authorizer_authz_check_duration_seconds",
+			Help:    "CheckPermission latency including validation, cache, and storage queries",
+			Buckets: prometheus.DefBuckets,
+		},
+	)
 )
 
 // staticAssetPathSuffixes are path suffixes (after lowercasing) treated as static files
@@ -211,6 +253,9 @@ func Init() {
 		prometheus.MustRegister(GraphQLRequestDuration)
 		prometheus.MustRegister(DBHealthCheckTotal)
 		prometheus.MustRegister(ClientIDHeaderMissingTotal)
+		prometheus.MustRegister(AuthzChecksTotal)
+		prometheus.MustRegister(AuthzUnmatchedTotal)
+		prometheus.MustRegister(AuthzCheckDuration)
 	})
 }
 
@@ -260,3 +305,15 @@ func RecordGraphQLLimitRejection(limit string) {
 func RecordClientIDHeaderMissing() {
 	ClientIDHeaderMissingTotal.Inc()
 }
+
+// RecordAuthzCheck records a CheckPermission call outcome.
+// mode must be one of AuthzMode* constants; result must be one of AuthzResult* constants.
+func RecordAuthzCheck(mode, result string) {
+	AuthzChecksTotal.WithLabelValues(mode, result).Inc()
+}
+
+// RecordAuthzUnmatched records a CheckPermission call that found no matching permission.
+// mode must be one of AuthzMode* constants.
+func RecordAuthzUnmatched(mode string) {
+	AuthzUnmatchedTotal.WithLabelValues(mode).Inc()
+}

From b557d4b2389eb850ff4dd186f710509f58542137 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 15:30:58 +0530
Subject: [PATCH 17/26] feat(authz): add per-key warn rate limiter for
 unmatched checks

---
 internal/authorization/warn_limiter.go      | 38 ++++++++++++++++++
 internal/authorization/warn_limiter_test.go | 44 +++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 internal/authorization/warn_limiter.go
 create mode 100644 internal/authorization/warn_limiter_test.go

diff --git a/internal/authorization/warn_limiter.go b/internal/authorization/warn_limiter.go
new file mode 100644
index 00000000..a087179d
--- /dev/null
+++ b/internal/authorization/warn_limiter.go
@@ -0,0 +1,38 @@
+package authorization
+
+import (
+	"sync"
+	"time"
+)
+
+// warnLimiter is a per-key rate limiter. It permits a key to "fire" at most once
+// per configured window. Used to tame the authz.unmatched warn log so that a
+// permissive-mode deployment does not emit one line per request.
+//
+// A window of zero disables rate limiting (every call returns true).
+type warnLimiter struct {
+	window time.Duration
+	last   sync.Map // key string -> time.Time of last allow
+}
+
+// newWarnLimiter constructs a warnLimiter with the given window. A window <= 0
+// disables rate limiting.
+func newWarnLimiter(window time.Duration) *warnLimiter {
+	return &warnLimiter{window: window}
+}
+
+// allow returns true if the key has not fired within the last window.
+// It records the current time for the key on success.
+func (w *warnLimiter) allow(key string) bool {
+	if w.window <= 0 {
+		return true
+	}
+	now := time.Now()
+	if prev, ok := w.last.Load(key); ok {
+		if now.Sub(prev.(time.Time)) < w.window {
+			return false
+		}
+	}
+	w.last.Store(key, now)
+	return true
+}
diff --git a/internal/authorization/warn_limiter_test.go b/internal/authorization/warn_limiter_test.go
new file mode 100644
index 00000000..4e290adf
--- /dev/null
+++ b/internal/authorization/warn_limiter_test.go
@@ -0,0 +1,44 @@
+package authorization
+
+import (
+	"testing"
+	"time"
+)
+
+func TestWarnLimiter_FirstCallAllowed(t *testing.T) {
+	l := newWarnLimiter(time.Minute)
+	if !l.allow("k1") {
+		t.Fatal("first call for a key must be allowed")
+	}
+}
+
+func TestWarnLimiter_SecondCallSameKeyBlocked(t *testing.T) {
+	l := newWarnLimiter(time.Minute)
+	_ = l.allow("k1")
+	if l.allow("k1") {
+		t.Fatal("second call for the same key within window must be blocked")
+	}
+}
+
+func TestWarnLimiter_DifferentKeysIndependent(t *testing.T) {
+	l := newWarnLimiter(time.Minute)
+	if !l.allow("k1") || !l.allow("k2") {
+		t.Fatal("distinct keys must each be allowed independently")
+	}
+}
+
+func TestWarnLimiter_ExpiryLetsThroughAgain(t *testing.T) {
+	l := newWarnLimiter(10 * time.Millisecond)
+	_ = l.allow("k1")
+	time.Sleep(15 * time.Millisecond)
+	if !l.allow("k1") {
+		t.Fatal("after window expiry the key must be allowed again")
+	}
+}
+
+func TestWarnLimiter_ZeroWindowAlwaysAllows(t *testing.T) {
+	l := newWarnLimiter(0)
+	if !l.allow("k1") || !l.allow("k1") {
+		t.Fatal("zero window means rate-limiting disabled; every call must pass")
+	}
+}

From ab1b12bd730d33a9689a4a224ee524ed2d6611dc Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 15:35:03 +0530
Subject: [PATCH 18/26] fix(authz): rewrite warn-limiter tests to avoid ||
 short-circuit

---
 internal/authorization/warn_limiter_test.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/internal/authorization/warn_limiter_test.go b/internal/authorization/warn_limiter_test.go
index 4e290adf..2ea2165c 100644
--- a/internal/authorization/warn_limiter_test.go
+++ b/internal/authorization/warn_limiter_test.go
@@ -22,8 +22,11 @@ func TestWarnLimiter_SecondCallSameKeyBlocked(t *testing.T) {
 
 func TestWarnLimiter_DifferentKeysIndependent(t *testing.T) {
 	l := newWarnLimiter(time.Minute)
-	if !l.allow("k1") || !l.allow("k2") {
-		t.Fatal("distinct keys must each be allowed independently")
+	if !l.allow("k1") {
+		t.Fatal("distinct keys: k1 must be allowed")
+	}
+	if !l.allow("k2") {
+		t.Fatal("distinct keys: k2 must be allowed independently of k1")
 	}
 }
 
@@ -38,7 +41,10 @@ func TestWarnLimiter_ExpiryLetsThroughAgain(t *testing.T) {
 
 func TestWarnLimiter_ZeroWindowAlwaysAllows(t *testing.T) {
 	l := newWarnLimiter(0)
-	if !l.allow("k1") || !l.allow("k1") {
-		t.Fatal("zero window means rate-limiting disabled; every call must pass")
+	if !l.allow("k1") {
+		t.Fatal("zero window: first call must be allowed")
+	}
+	if !l.allow("k1") {
+		t.Fatal("zero window: second call must also be allowed (rate-limiting disabled)")
 	}
 }

From 7bb1fed53cd370d5a18d6f4aa9a8b47f09c2e8aa Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 15:48:29 +0530
Subject: [PATCH 19/26] feat(authz): add in-process per-(resource,scope)
 unmatched counter

---
 internal/authorization/cache.go      | 26 ++++++++++++++++++++++++++
 internal/authorization/cache_test.go | 22 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 internal/authorization/cache_test.go

diff --git a/internal/authorization/cache.go b/internal/authorization/cache.go
index 5f911040..d829dfb0 100644
--- a/internal/authorization/cache.go
+++ b/internal/authorization/cache.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 )
 
@@ -14,6 +15,7 @@ type cache struct {
 	ttl       time.Duration
 	data      sync.Map
 	expiryMap sync.Map
+	counters  sync.Map // counter key string -> *int64 (atomic-incremented)
 }
 
 // newCache creates a new local cache. If ttlSeconds is 0, caching is disabled.
@@ -93,3 +95,27 @@ func validResourcesKey() string {
 func validScopesKey() string {
 	return "authz:valid_scopes"
 }
+
+// unmatchedCounterKey builds the map key for a (resource, scope) unmatched event.
+func unmatchedCounterKey(resource, scope string) string {
+	return "authz:unmatched:" + resource + ":" + scope
+}
+
+// bumpUnmatched increments the unmatched-check counter for the given (resource, scope).
+// Counters are in-process only; they are reset on restart. A future dashboard view
+// reads them to surface "uncovered checks" to operators during rollout.
+func (c *cache) bumpUnmatched(resource, scope string) {
+	key := unmatchedCounterKey(resource, scope)
+	v, _ := c.counters.LoadOrStore(key, new(int64))
+	atomic.AddInt64(v.(*int64), 1)
+}
+
+// unmatchedCount returns the current unmatched counter for the given (resource, scope).
+// Returns 0 if the key has never been bumped.
+func (c *cache) unmatchedCount(resource, scope string) int64 {
+	key := unmatchedCounterKey(resource, scope)
+	if v, ok := c.counters.Load(key); ok {
+		return atomic.LoadInt64(v.(*int64))
+	}
+	return 0
+}
diff --git a/internal/authorization/cache_test.go b/internal/authorization/cache_test.go
new file mode 100644
index 00000000..074218ee
--- /dev/null
+++ b/internal/authorization/cache_test.go
@@ -0,0 +1,22 @@
+package authorization
+
+import (
+	"testing"
+)
+
+func TestCache_UnmatchedCounter_IncrementsAndReads(t *testing.T) {
+	c := newCache(60) // 60s TTL, irrelevant for counter which persists in the separate map
+	c.bumpUnmatched("orders", "read")
+	c.bumpUnmatched("orders", "read")
+	c.bumpUnmatched("users", "delete")
+
+	if got := c.unmatchedCount("orders", "read"); got != 2 {
+		t.Fatalf("expected orders:read count=2, got %d", got)
+	}
+	if got := c.unmatchedCount("users", "delete"); got != 1 {
+		t.Fatalf("expected users:delete count=1, got %d", got)
+	}
+	if got := c.unmatchedCount("nope", "nope"); got != 0 {
+		t.Fatalf("expected unknown count=0, got %d", got)
+	}
+}

From 71990511fc8db40cda097b1a9d33322c76f63713 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 18:27:18 +0530
Subject: [PATCH 20/26] feat(authz): drop 'disabled' mode, wire metrics and
 rate-limited warn for unmatched checks

---
 go.mod                                        |   1 +
 internal/authorization/evaluator.go           |  97 +++++++-----
 internal/authorization/provider.go            |   7 +-
 internal/constants/authorization.go           |   3 -
 .../integration_tests/authorization_test.go   | 146 ++++++++++++++++++
 internal/integration_tests/test_helper.go     |  22 ++-
 6 files changed, 235 insertions(+), 41 deletions(-)

diff --git a/go.mod b/go.mod
index a254cecd..19a8bdbd 100644
--- a/go.mod
+++ b/go.mod
@@ -95,6 +95,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/libsql/libsql-client-go v0.0.0-20231026052543-fce76c0f39a7 // indirect
 	github.com/libsql/sqlite-antlr4-parser v0.0.0-20230802215326-5cb5bb604475 // indirect
diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
index c3b65814..eee59e89 100644
--- a/internal/authorization/evaluator.go
+++ b/internal/authorization/evaluator.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 )
 
@@ -18,34 +20,42 @@ type policyResult struct {
 
 // CheckPermission evaluates whether a principal can perform a scope on a resource.
 // It follows this sequence:
-//  1. Check enforcement mode (disabled returns true immediately)
-//  2. Validate inputs
-//  3. Check MaxScopes ceiling
-//  4. Check cache
-//  5. Query storage for matching permissions
-//  6. Evaluate policies using decision strategies
-//  7. Cache and return result
-func (p *provider) CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (*CheckResult, error) {
-	// Step 1: Enforcement mode check.
-	if p.config.Enforcement == constants.AuthorizationEnforcementDisabled {
-		return &CheckResult{Allowed: true}, nil
-	}
-
-	// Step 2: Validate inputs.
+//  1. Validate inputs
+//  2. Check MaxScopes ceiling
+//  3. Check cache
+//  4. Query storage for matching permissions
+//  5. Evaluate policies using decision strategies
+//  6. Cache and return result
+//
+// Every terminal path records exactly one metrics.RecordAuthzCheck call, and
+// AuthzCheckDuration is observed via defer.
+func (p *provider) CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (result *CheckResult, err error) {
+	start := time.Now()
+	defer func() {
+		metrics.AuthzCheckDuration.Observe(time.Since(start).Seconds())
+	}()
+
+	mode := p.config.Enforcement
+
+	// Validate inputs.
 	if principal == nil {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
 		return nil, fmt.Errorf("principal is required")
 	}
 	if !isValidIdentifier(principal.ID) {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
 		return nil, fmt.Errorf("invalid principal ID: %q", principal.ID)
 	}
 	if !isValidIdentifier(resource) {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
 		return nil, fmt.Errorf("invalid resource: %q", resource)
 	}
 	if !isValidIdentifier(scope) {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
 		return nil, fmt.Errorf("invalid scope: %q", scope)
 	}
 
-	// Step 3: MaxScopes ceiling.
+	// MaxScopes ceiling.
 	if principal.MaxScopes != nil {
 		scopeStr := resource + ":" + scope
 		found := false
@@ -61,11 +71,12 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 				Str("resource", resource).
 				Str("scope", scope).
 				Msg("denied by MaxScopes ceiling")
+			metrics.RecordAuthzCheck(mode, metrics.AuthzResultDenied)
 			return &CheckResult{Allowed: false}, nil
 		}
 	}
 
-	// Step 4: Check cache.
+	// Cache.
 	cacheKey := evalKey(principal.ID, resource, scope)
 	if cached, ok := p.cache.get(cacheKey); ok {
 		allowed := cached == "true"
@@ -75,28 +86,33 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 			Str("scope", scope).
 			Bool("allowed", allowed).
 			Msg("authorization cache hit")
+		if allowed {
+			metrics.RecordAuthzCheck(mode, metrics.AuthzResultAllowed)
+		} else {
+			metrics.RecordAuthzCheck(mode, metrics.AuthzResultDenied)
+		}
 		return &CheckResult{Allowed: allowed}, nil
 	}
 
-	// Step 5: Check known resources and scopes.
+	// Resource/scope existence.
 	if err := p.validateResourceExists(ctx, resource); err != nil {
-		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
 	}
 	if err := p.validateScopeExists(ctx, scope); err != nil {
-		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
 	}
 
-	// Step 6: Query storage for permissions matching this resource+scope.
+	// Permissions.
 	perms, err := p.storageProvider.GetPermissionsForResourceScope(ctx, resource, scope)
 	if err != nil {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
 		return nil, fmt.Errorf("failed to query permissions: %w", err)
 	}
-
 	if len(perms) == 0 {
-		return p.handleNoPermission(cacheKey, principal, resource, scope), nil
+		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
 	}
 
-	// Step 7: Evaluate each permission's policies.
+	// Policy evaluation.
 	for _, perm := range perms {
 		allowed, matchedPolicy := p.evaluatePermission(principal, perm)
 		if allowed {
@@ -107,6 +123,7 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 				Str("scope", scope).
 				Str("matched_policy", matchedPolicy).
 				Msg("authorization granted")
+			metrics.RecordAuthzCheck(mode, metrics.AuthzResultAllowed)
 			return &CheckResult{Allowed: true, MatchedPolicy: matchedPolicy}, nil
 		}
 	}
@@ -118,24 +135,36 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 		Str("resource", resource).
 		Str("scope", scope).
 		Msg("authorization denied: no matching policy")
+	metrics.RecordAuthzCheck(mode, metrics.AuthzResultDenied)
 	return &CheckResult{Allowed: false}, nil
 }
 
 // handleNoPermission returns a deny or allow result based on enforcement mode.
-// In permissive mode, it logs a warning and allows. In enforcing mode, it denies.
-// The result is cached (negative caching).
-func (p *provider) handleNoPermission(cacheKey string, principal *Principal, resource, scope string) *CheckResult {
-	if p.config.Enforcement == constants.AuthorizationEnforcementPermissive {
-		p.log.Warn().
-			Str("principal_id", principal.ID).
-			Str("resource", resource).
-			Str("scope", scope).
-			Msg("no matching permission found (permissive mode: allowing)")
+// In permissive mode, it emits a rate-limited warn log (one line per
+// (resource,scope) per window) and allows; in enforcing mode, it denies.
+// The result is cached (negative caching) and the per-mode metrics counters
+// (checks_total + unmatched_total) are bumped.
+func (p *provider) handleNoPermission(mode, cacheKey string, principal *Principal, resource, scope string) *CheckResult {
+	p.cache.bumpUnmatched(resource, scope)
+	metrics.RecordAuthzUnmatched(mode)
+
+	if mode == constants.AuthorizationEnforcementPermissive {
+		if p.warnLimiter.allow(resource + ":" + scope) {
+			p.log.Warn().
+				Bool("authz.unmatched", true).
+				Str("mode", mode).
+				Str("principal_id", principal.ID).
+				Str("resource", resource).
+				Str("scope", scope).
+				Msg("no matching permission (permissive: allowing)")
+		}
 		p.cache.set(cacheKey, "true")
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultUnmatchedAllowed)
 		return &CheckResult{Allowed: true}
 	}
 
 	p.cache.set(cacheKey, "false")
+	metrics.RecordAuthzCheck(mode, metrics.AuthzResultUnmatchedDenied)
 	return &CheckResult{Allowed: false}
 }
 
@@ -266,10 +295,6 @@ func resolveDecision(results []policyResult, strategy string) (bool, string) {
 // GetPrincipalPermissions returns all granted resource:scope pairs for a principal.
 // It iterates all known resources and scopes, checking each combination.
 func (p *provider) GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error) {
-	if p.config.Enforcement == constants.AuthorizationEnforcementDisabled {
-		return nil, nil
-	}
-
 	if principal == nil {
 		return nil, fmt.Errorf("principal is required")
 	}
diff --git a/internal/authorization/provider.go b/internal/authorization/provider.go
index 4836c918..283823ea 100644
--- a/internal/authorization/provider.go
+++ b/internal/authorization/provider.go
@@ -2,6 +2,7 @@ package authorization
 
 import (
 	"context"
+	"time"
 
 	"github.com/rs/zerolog"
 
@@ -67,7 +68,9 @@ type Dependencies struct {
 // The values are passed in from cmd/root.go.
 type Config struct {
 	// Enforcement is the authorization enforcement mode:
-	// "disabled", "permissive", or "enforcing".
+	// "permissive" (default) or "enforcing".
+	// Permissive allows checks with no matching permission and emits a
+	// rate-limited warn log. Enforcing denies checks with no matching permission.
 	Enforcement string
 	// CacheTTL is the cache time-to-live in seconds. 0 disables caching.
 	CacheTTL int64
@@ -79,6 +82,7 @@ type provider struct {
 	log             *zerolog.Logger
 	storageProvider storage.Provider
 	cache           *cache
+	warnLimiter     *warnLimiter
 }
 
 // New creates a new authorization provider.
@@ -88,6 +92,7 @@ func New(cfg *Config, deps *Dependencies) (Provider, error) {
 		log:             deps.Log,
 		storageProvider: deps.StorageProvider,
 		cache:           newCache(cfg.CacheTTL),
+		warnLimiter:     newWarnLimiter(60 * time.Second),
 	}
 	return p, nil
 }
diff --git a/internal/constants/authorization.go b/internal/constants/authorization.go
index 8a211dad..21df7874 100644
--- a/internal/constants/authorization.go
+++ b/internal/constants/authorization.go
@@ -18,9 +18,6 @@ const (
 	// DecisionStrategyUnanimous grants only if ALL policies/targets agree (AND logic).
 	DecisionStrategyUnanimous = "unanimous"
 
-	// AuthorizationEnforcementDisabled turns off the authorization engine entirely.
-	// All check_permission calls return true. Default for backward compatibility.
-	AuthorizationEnforcementDisabled = "disabled"
 	// AuthorizationEnforcementPermissive returns true when no matching permission
 	// exists, but logs a warning. Useful for migration/development.
 	AuthorizationEnforcementPermissive = "permissive"
diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
index 052231c4..00bdc75e 100644
--- a/internal/integration_tests/authorization_test.go
+++ b/internal/integration_tests/authorization_test.go
@@ -1,15 +1,19 @@
 package integration_tests
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"testing"
 
+	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/crypto"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -385,3 +389,145 @@ func TestAuthorizationCRUD(t *testing.T) {
 		assert.Contains(t, res.Message, "deleted")
 	})
 }
+
+// TestCheckPermission_PermissiveDefault_NoPermissions_Allows verifies that
+// permissive mode allows a check for a (resource, scope) pair that has no
+// matching permission registered.
+func TestCheckPermission_PermissiveDefault_NoPermissions_Allows(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
+	ts := initTestSetup(t, cfg)
+	_, ctx := createContext(ts)
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:   "user-1",
+		Type: constants.PrincipalTypeUser,
+	}, "orders", "read")
+
+	require.NoError(t, err)
+	require.True(t, result.Allowed, "permissive mode with no permissions must allow")
+}
+
+// TestCheckPermission_Enforcing_NoPermissions_Denies verifies that enforcing
+// mode denies a check for a (resource, scope) pair with no matching permission.
+func TestCheckPermission_Enforcing_NoPermissions_Denies(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementEnforcing
+	ts := initTestSetup(t, cfg)
+	_, ctx := createContext(ts)
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:   "user-1",
+		Type: constants.PrincipalTypeUser,
+	}, "orders", "read")
+
+	require.NoError(t, err)
+	require.False(t, result.Allowed, "enforcing mode with no permissions must deny")
+}
+
+// TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies verifies
+// that once a permission exists for the (resource, scope) and attaches a
+// negative-logic policy that matches the principal, the check is denied even
+// in permissive mode. Permissive only loosens the "no matching permission"
+// path, not evaluated deny decisions.
+func TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
+	ts := initTestSetup(t, cfg)
+	req, ctx := createContext(ts)
+
+	// Authenticate as admin for seeding operations.
+	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	// Seed resource + scope + permission + negative role policy targeting "blocked-role".
+	seedResourceScopePermissionWithDenyPolicy(t, ts, ctx, "orders", "read", "blocked-role")
+
+	// Clear admin cookie — CheckPermission here is a direct provider call; no auth context needed.
+	req.Header.Del("Cookie")
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:    "user-1",
+		Type:  constants.PrincipalTypeUser,
+		Roles: []string{"blocked-role"},
+	}, "orders", "read")
+
+	require.NoError(t, err)
+	require.False(t, result.Allowed, "explicit deny must apply even in permissive mode")
+}
+
+// TestCheckPermission_IncrementsPrometheusCounters verifies that an unmatched
+// check in permissive mode increments metrics.AuthzUnmatchedTotal by exactly
+// one for the "permissive" label.
+func TestCheckPermission_IncrementsPrometheusCounters(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
+	ts := initTestSetup(t, cfg)
+	_, ctx := createContext(ts)
+
+	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
+
+	_, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:   "user-1",
+		Type: constants.PrincipalTypeUser,
+	}, "orders", "read")
+	require.NoError(t, err)
+
+	after := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
+	require.Equal(t, before+1, after, "unmatched counter must increment once per unmatched check")
+}
+
+// seedResourceScopePermissionWithDenyPolicy seeds a resource, scope, a
+// negative-logic role policy targeting the given role, and a permission that
+// links them. It uses the GraphQL provider (mirroring TestAuthorizationCRUD),
+// so the caller must have already authenticated as admin on the request
+// attached to ts.GinContext.
+func seedResourceScopePermissionWithDenyPolicy(
+	t *testing.T,
+	ts *testSetup,
+	ctx context.Context,
+	resource, scope, role string,
+) {
+	t.Helper()
+
+	res, err := ts.GraphQLProvider.AddResource(ctx, &model.AddResourceInput{
+		Name:        resource,
+		Description: refs.NewStringRef("seed resource"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, res)
+
+	sc, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+		Name:        scope,
+		Description: refs.NewStringRef("seed scope"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, sc)
+
+	negative := constants.PolicyLogicNegative
+	policy, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+		Name:        "deny-" + role + "-" + uuid.New().String(),
+		Description: refs.NewStringRef("seed deny policy"),
+		Type:        constants.PolicyTypeRole,
+		Logic:       &negative,
+		Targets: []*model.PolicyTargetInput{
+			{
+				TargetType:  constants.TargetTypeRole,
+				TargetValue: role,
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, policy)
+	require.Equal(t, constants.PolicyLogicNegative, policy.Logic, "policy must be stored as negative")
+
+	perm, err := ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+		Name:       resource + "-" + scope,
+		ResourceID: res.ID,
+		ScopeIds:   []string{sc.ID},
+		PolicyIds:  []string{policy.ID},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, perm)
+}
diff --git a/internal/integration_tests/test_helper.go b/internal/integration_tests/test_helper.go
index e602bf04..8727d049 100644
--- a/internal/integration_tests/test_helper.go
+++ b/internal/integration_tests/test_helper.go
@@ -43,6 +43,9 @@ type testSetup struct {
 	MemoryStoreProvider   memory_store.Provider
 	AuthenticatorProvider authenticators.Provider
 	TokenProvider         token.Provider
+	// Authz is the authorization provider, exposed for tests that exercise
+	// CheckPermission / GetPrincipalPermissions directly (bypassing GraphQL).
+	Authz authorization.Provider
 }
 
 func createContext(s *testSetup) (*http.Request, context.Context) {
@@ -180,8 +183,14 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 	require.NoError(t, err)
 
 	// Initialize authorization provider
+	enforcementMode := cfg.AuthorizationEnforcement
+	if enforcementMode == "" {
+		// Default to "enforcing" for tests that don't explicitly set a mode, to
+		// preserve existing behavior for TestAuthorizationCRUD and friends.
+		enforcementMode = constants.AuthorizationEnforcementEnforcing
+	}
 	authzProvider, err := authorization.New(&authorization.Config{
-		Enforcement: "enforcing",
+		Enforcement: enforcementMode,
 		CacheTTL:    0,
 	}, &authorization.Dependencies{
 		Log:             &logger,
@@ -262,5 +271,16 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 		MemoryStoreProvider:   memoryStoreProvider,
 		AuthenticatorProvider: authProvider,
 		TokenProvider:         tokenProvider,
+		Authz:                 authzProvider,
 	}
 }
+
+// testSetupWithAuthzMode builds a test setup with the authorization provider
+// wired to the given enforcement mode ("permissive" or "enforcing").
+// Mirrors initTestSetup but overrides AuthorizationEnforcement on the config
+// before any providers are constructed.
+func testSetupWithAuthzMode(t *testing.T, mode string) *testSetup {
+	cfg := getTestConfig()
+	cfg.AuthorizationEnforcement = mode
+	return initTestSetup(t, cfg)
+}

From 0f53c00a2d997be98b1af88d901538b9c96bb71e Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 18:38:49 +0530
Subject: [PATCH 21/26] refactor(authz): use testSetupWithAuthzMode helper;
 clarify test-default rationale

---
 .../integration_tests/authorization_test.go    | 18 +++++-------------
 internal/integration_tests/test_helper.go      |  8 ++++++--
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
index 00bdc75e..7f6216e5 100644
--- a/internal/integration_tests/authorization_test.go
+++ b/internal/integration_tests/authorization_test.go
@@ -394,9 +394,7 @@ func TestAuthorizationCRUD(t *testing.T) {
 // permissive mode allows a check for a (resource, scope) pair that has no
 // matching permission registered.
 func TestCheckPermission_PermissiveDefault_NoPermissions_Allows(t *testing.T) {
-	cfg := getTestConfig()
-	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
-	ts := initTestSetup(t, cfg)
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
 	_, ctx := createContext(ts)
 
 	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
@@ -411,9 +409,7 @@ func TestCheckPermission_PermissiveDefault_NoPermissions_Allows(t *testing.T) {
 // TestCheckPermission_Enforcing_NoPermissions_Denies verifies that enforcing
 // mode denies a check for a (resource, scope) pair with no matching permission.
 func TestCheckPermission_Enforcing_NoPermissions_Denies(t *testing.T) {
-	cfg := getTestConfig()
-	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementEnforcing
-	ts := initTestSetup(t, cfg)
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementEnforcing)
 	_, ctx := createContext(ts)
 
 	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
@@ -431,13 +427,11 @@ func TestCheckPermission_Enforcing_NoPermissions_Denies(t *testing.T) {
 // in permissive mode. Permissive only loosens the "no matching permission"
 // path, not evaluated deny decisions.
 func TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies(t *testing.T) {
-	cfg := getTestConfig()
-	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
-	ts := initTestSetup(t, cfg)
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
 	req, ctx := createContext(ts)
 
 	// Authenticate as admin for seeding operations.
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
+	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
 	require.NoError(t, err)
 	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
 
@@ -461,9 +455,7 @@ func TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies(t *testin
 // check in permissive mode increments metrics.AuthzUnmatchedTotal by exactly
 // one for the "permissive" label.
 func TestCheckPermission_IncrementsPrometheusCounters(t *testing.T) {
-	cfg := getTestConfig()
-	cfg.AuthorizationEnforcement = constants.AuthorizationEnforcementPermissive
-	ts := initTestSetup(t, cfg)
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
 	_, ctx := createContext(ts)
 
 	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
diff --git a/internal/integration_tests/test_helper.go b/internal/integration_tests/test_helper.go
index 8727d049..d7378903 100644
--- a/internal/integration_tests/test_helper.go
+++ b/internal/integration_tests/test_helper.go
@@ -185,8 +185,12 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 	// Initialize authorization provider
 	enforcementMode := cfg.AuthorizationEnforcement
 	if enforcementMode == "" {
-		// Default to "enforcing" for tests that don't explicitly set a mode, to
-		// preserve existing behavior for TestAuthorizationCRUD and friends.
+		// Integration tests default to "enforcing" so legacy tests (TestAuthorizationCRUD,
+		// etc.) that seed permissions and expect strict evaluation keep working without
+		// explicit mode setup. Note: production's default is "permissive" after Task 5;
+		// this test-only default intentionally diverges. Tests exercising permissive
+		// semantics MUST set cfg.AuthorizationEnforcement explicitly (or use
+		// testSetupWithAuthzMode).
 		enforcementMode = constants.AuthorizationEnforcementEnforcing
 	}
 	authzProvider, err := authorization.New(&authorization.Config{

From 6d6667724224119e9d410ec4ea9ee06ad6688bf8 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 21 Apr 2026 18:45:50 +0530
Subject: [PATCH 22/26] feat(authz): default enforcement to permissive, migrate
 legacy 'disabled' with one-time log

---
 cmd/root.go                                   | 54 +++++++++++++++++--
 internal/config/config.go                     |  4 +-
 .../integration_tests/authorization_test.go   | 29 ++++++++++
 3 files changed, 81 insertions(+), 6 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 6996fbef..b4cbd5bd 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -20,6 +20,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/http_handlers"
 	"github.com/authorizerdev/authorizer/internal/memory_store"
 	"github.com/authorizerdev/authorizer/internal/metrics"
@@ -75,6 +76,12 @@ var (
 	}
 )
 
+// legacyDisabledObserved is set when the operator passes the now-removed
+// authorization-enforcement=disabled value. runRoot emits a one-time INFO log
+// after the logger is configured. We cannot log from applyFlagDefaults because
+// it runs before the logger is ready.
+var legacyDisabledObserved bool
+
 func init() {
 	f := RootCmd.Flags()
 
@@ -237,7 +244,7 @@ func init() {
 	f.StringVar(&rootArgs.config.BackchannelLogoutURI, "backchannel-logout-uri", "", "URL to POST a signed logout_token to when users log out successfully. Leave empty (default) to disable back-channel logout notifications. See OIDC Back-Channel Logout 1.0.")
 
 	// Fine-grained authorization flags
-	f.StringVar(&rootArgs.config.AuthorizationEnforcement, "authorization-enforcement", "disabled", "Authorization enforcement mode: disabled, permissive, or enforcing")
+	f.StringVar(&rootArgs.config.AuthorizationEnforcement, "authorization-enforcement", "permissive", "Authorization enforcement mode: permissive (default) or enforcing")
 	f.Int64Var(&rootArgs.config.AuthorizationCacheTTL, "authorization-cache-ttl", 300, "Cache TTL in seconds for permission checks (0 to disable)")
 	f.BoolVar(&rootArgs.config.IncludePermissionsInToken, "include-permissions-in-token", false, "Include permissions in JWT access tokens")
 	f.BoolVar(&rootArgs.config.AuthorizationLogAllChecks, "authorization-log-all-checks", false, "Audit log all permission checks, not just denials")
@@ -328,11 +335,34 @@ func applyFlagDefaults() {
 	if len(c.RobloxScopes) == 0 {
 		c.RobloxScopes = append([]string(nil), defaultRobloxScopes...)
 	}
-	if strings.TrimSpace(c.AuthorizationEnforcement) == "" {
-		c.AuthorizationEnforcement = "disabled"
+	rawEnforcement := c.AuthorizationEnforcement
+	c.AuthorizationEnforcement = NormalizeAuthzEnforcement(rawEnforcement)
+	if strings.TrimSpace(rawEnforcement) == "disabled" {
+		// Remember the legacy input so runRoot can log the one-time migration
+		// notice after the logger is configured. We cannot log here because
+		// applyFlagDefaults runs before the logger is ready.
+		legacyDisabledObserved = true
 	}
 }
 
+// NormalizeAuthzEnforcement returns the canonical enforcement mode for the given input.
+//   - "" (empty) and unknown values map to "permissive" (the new default).
+//   - "disabled" (legacy value) maps to "permissive" and is logged by the caller
+//     as a one-time migration notice.
+//   - "permissive" and "enforcing" pass through unchanged.
+//
+// Callers are responsible for emitting the legacy-migration log when they
+// observe the "disabled" input value.
+func NormalizeAuthzEnforcement(v string) string {
+	switch strings.TrimSpace(v) {
+	case constants.AuthorizationEnforcementEnforcing:
+		return constants.AuthorizationEnforcementEnforcing
+	case constants.AuthorizationEnforcementPermissive, "":
+		return constants.AuthorizationEnforcementPermissive
+	}
+	return constants.AuthorizationEnforcementPermissive
+}
+
 // Run the service
 func runRoot(c *cobra.Command, args []string) {
 	applyFlagDefaults()
@@ -479,8 +509,22 @@ func runRoot(c *cobra.Command, args []string) {
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to create authorization provider")
 	}
-	if rootArgs.config.AuthorizationEnforcement != "disabled" {
-		log.Info().Str("enforcement", rootArgs.config.AuthorizationEnforcement).Msg("authorization enforcement enabled")
+	if legacyDisabledObserved {
+		log.Info().Msg("authz: 'disabled' is no longer a supported enforcement mode; migrated to 'permissive'. CheckPermission calls with no matching permission will return ALLOWED and log authz.unmatched=true. Set --authorization-enforcement=enforcing once permissions are seeded.")
+	}
+
+	switch rootArgs.config.AuthorizationEnforcement {
+	case constants.AuthorizationEnforcementEnforcing:
+		// Check once at startup whether any permissions exist. If zero, emit a
+		// loud warn so operators don't lock themselves out in prod.
+		_, pr, lerr := storageProvider.ListPermissions(context.Background(), &model.Pagination{Limit: 1, Page: 1})
+		if lerr == nil && pr != nil && pr.Total == 0 {
+			log.Warn().Msg("authz mode=enforcing but 0 permissions configured — all check_permission calls will DENY. Seed permissions or switch to --authorization-enforcement=permissive.")
+		} else {
+			log.Info().Msg("authz mode=enforcing: unmatched CheckPermission calls will be DENIED.")
+		}
+	default:
+		log.Info().Msg("authz mode=permissive: unmatched CheckPermission calls will be ALLOWED and logged with authz.unmatched=true.")
 	}
 
 	// SMS provider
diff --git a/internal/config/config.go b/internal/config/config.go
index 619c97e1..6b14d387 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -319,7 +319,9 @@ type Config struct {
 
 	// Fine-Grained Authorization
 	// AuthorizationEnforcement is the authorization enforcement mode.
-	// Valid values: "disabled" (default), "permissive", "enforcing".
+	// Valid values: "permissive" (default) or "enforcing".
+	// Legacy value "disabled" is accepted and migrated to "permissive" with a
+	// one-time INFO log emitted at startup.
 	AuthorizationEnforcement string
 	// AuthorizationCacheTTL is the cache time-to-live in seconds for permission checks.
 	// Set to 0 to disable caching. Default: 300 (5 minutes).
diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
index 7f6216e5..0e284f53 100644
--- a/internal/integration_tests/authorization_test.go
+++ b/internal/integration_tests/authorization_test.go
@@ -6,7 +6,9 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/authorizerdev/authorizer/cmd"
 	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/crypto"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
@@ -523,3 +525,30 @@ func seedResourceScopePermissionWithDenyPolicy(
 	require.NoError(t, err)
 	require.NotNil(t, perm)
 }
+
+// TestConfig_LegacyDisabledMigration_NormalizesToPermissive verifies that the
+// legacy "disabled" enforcement value is migrated to "permissive". The actual
+// one-time migration log is emitted by runRoot (see cmd/root.go); here we only
+// assert the canonical value produced by the normalizer.
+func TestConfig_LegacyDisabledMigration_NormalizesToPermissive(t *testing.T) {
+	cfg := &config.Config{AuthorizationEnforcement: "disabled"}
+	migrated := cmd.NormalizeAuthzEnforcement(cfg.AuthorizationEnforcement)
+	require.Equal(t, constants.AuthorizationEnforcementPermissive, migrated)
+}
+
+// TestConfig_EmptyValue_NormalizesToPermissive verifies the empty string (flag
+// unset) maps to the new default.
+func TestConfig_EmptyValue_NormalizesToPermissive(t *testing.T) {
+	require.Equal(t, constants.AuthorizationEnforcementPermissive, cmd.NormalizeAuthzEnforcement(""))
+}
+
+// TestConfig_UnknownValue_NormalizesToPermissive verifies unrecognized input is
+// mapped to the safe default ("permissive") rather than propagated.
+func TestConfig_UnknownValue_NormalizesToPermissive(t *testing.T) {
+	require.Equal(t, constants.AuthorizationEnforcementPermissive, cmd.NormalizeAuthzEnforcement("banana"))
+}
+
+// TestConfig_Enforcing_Preserved verifies "enforcing" passes through unchanged.
+func TestConfig_Enforcing_Preserved(t *testing.T) {
+	require.Equal(t, constants.AuthorizationEnforcementEnforcing, cmd.NormalizeAuthzEnforcement("enforcing"))
+}

From bca16fd2a1cfa0f7b0dc74ab988a900381a27a4a Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 22 Apr 2026 10:49:37 +0530
Subject: [PATCH 23/26] refactor(authz): simplify NormalizeAuthzEnforcement and
 log startup permission-probe errors

---
 cmd/root.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index b4cbd5bd..7ba961ee 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -354,11 +354,8 @@ func applyFlagDefaults() {
 // Callers are responsible for emitting the legacy-migration log when they
 // observe the "disabled" input value.
 func NormalizeAuthzEnforcement(v string) string {
-	switch strings.TrimSpace(v) {
-	case constants.AuthorizationEnforcementEnforcing:
+	if strings.TrimSpace(v) == constants.AuthorizationEnforcementEnforcing {
 		return constants.AuthorizationEnforcementEnforcing
-	case constants.AuthorizationEnforcementPermissive, "":
-		return constants.AuthorizationEnforcementPermissive
 	}
 	return constants.AuthorizationEnforcementPermissive
 }
@@ -518,9 +515,12 @@ func runRoot(c *cobra.Command, args []string) {
 		// Check once at startup whether any permissions exist. If zero, emit a
 		// loud warn so operators don't lock themselves out in prod.
 		_, pr, lerr := storageProvider.ListPermissions(context.Background(), &model.Pagination{Limit: 1, Page: 1})
-		if lerr == nil && pr != nil && pr.Total == 0 {
+		switch {
+		case lerr != nil:
+			log.Warn().Err(lerr).Msg("authz: failed to probe permission count at startup; enforcing mode active")
+		case pr != nil && pr.Total == 0:
 			log.Warn().Msg("authz mode=enforcing but 0 permissions configured — all check_permission calls will DENY. Seed permissions or switch to --authorization-enforcement=permissive.")
-		} else {
+		default:
 			log.Info().Msg("authz mode=enforcing: unmatched CheckPermission calls will be DENIED.")
 		}
 	default:

From 3f1c50b6c27a2fa53d0d3bba4195aafa7768f4c4 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 23 Apr 2026 03:00:30 +0530
Subject: [PATCH 24/26] fix(authz): pagination offset, fail-closed validation,
 typed valid-set cache, DoS caps

---
 internal/authorization/cache.go               |  47 +++++-
 internal/authorization/evaluator.go           | 140 ++++++++++++------
 .../integration_tests/authorization_test.go   |  52 ++++++-
 3 files changed, 188 insertions(+), 51 deletions(-)

diff --git a/internal/authorization/cache.go b/internal/authorization/cache.go
index d829dfb0..2d0e7e92 100644
--- a/internal/authorization/cache.go
+++ b/internal/authorization/cache.go
@@ -16,6 +16,11 @@ type cache struct {
 	data      sync.Map
 	expiryMap sync.Map
 	counters  sync.Map // counter key string -> *int64 (atomic-incremented)
+	// validSets holds membership-style caches (known resource names, known scope names).
+	// Stored separately from .data so string-valued entries never collide, and so
+	// the typed map lookup is O(1) without string parsing.
+	// A zero-length set is a valid cached value meaning "DB was reachable and empty".
+	validSets sync.Map // cache key -> map[string]struct{}
 }
 
 // newCache creates a new local cache. If ttlSeconds is 0, caching is disabled.
@@ -70,7 +75,8 @@ func (c *cache) set(key string, value string) {
 
 // deleteByPrefix removes all cached entries whose key starts with the given prefix.
 // Used when admin mutations change resources, scopes, or policies to invalidate
-// all related cached decisions.
+// all related cached decisions. Iterates both the string-valued data map and the
+// typed validSets map so both storage tiers are wiped in lockstep.
 func (c *cache) deleteByPrefix(prefix string) {
 	c.data.Range(func(key, _ any) bool {
 		if strings.HasPrefix(key.(string), prefix) {
@@ -79,6 +85,45 @@ func (c *cache) deleteByPrefix(prefix string) {
 		}
 		return true
 	})
+	c.validSets.Range(func(key, _ any) bool {
+		if strings.HasPrefix(key.(string), prefix) {
+			c.validSets.Delete(key)
+			c.expiryMap.Delete(key)
+		}
+		return true
+	})
+}
+
+// getValidSet returns the cached membership set for the given key.
+// The second return value reports whether the cache had an entry at all.
+// Callers must not mutate the returned map.
+func (c *cache) getValidSet(key string) (map[string]struct{}, bool) {
+	if !c.enabled() {
+		return nil, false
+	}
+	expiry, ok := c.expiryMap.Load(key)
+	if !ok {
+		return nil, false
+	}
+	if time.Now().After(expiry.(time.Time)) {
+		c.validSets.Delete(key)
+		c.expiryMap.Delete(key)
+		return nil, false
+	}
+	v, ok := c.validSets.Load(key)
+	if !ok {
+		return nil, false
+	}
+	return v.(map[string]struct{}), true
+}
+
+// setValidSet stores a membership set under the given key with the configured TTL.
+func (c *cache) setValidSet(key string, set map[string]struct{}) {
+	if !c.enabled() {
+		return
+	}
+	c.validSets.Store(key, set)
+	c.expiryMap.Store(key, time.Now().Add(c.ttl))
 }
 
 // evalKey constructs a cache key for an authorization evaluation result.
diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
index eee59e89..a734d1f2 100644
--- a/internal/authorization/evaluator.go
+++ b/internal/authorization/evaluator.go
@@ -3,7 +3,6 @@ package authorization
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/authorizerdev/authorizer/internal/constants"
@@ -12,6 +11,11 @@ import (
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 )
 
+// MaxPrincipalPermissionEvaluations caps GetPrincipalPermissions at this many
+// resource*scope evaluations per call. Callers hitting the cap receive a sentinel
+// error so they can detect incomplete output.
+const MaxPrincipalPermissionEvaluations = 10000
+
 // policyResult holds the outcome of a single policy evaluation.
 type policyResult struct {
 	granted    bool
@@ -94,12 +98,28 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 		return &CheckResult{Allowed: allowed}, nil
 	}
 
-	// Resource/scope existence.
-	if err := p.validateResourceExists(ctx, resource); err != nil {
-		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
+	// Resource/scope existence. Fail-closed: if the probe itself errors, surface
+	// the error to the caller rather than falling through to handleNoPermission
+	// (which in permissive mode would incorrectly allow a DB-blip'd request).
+	knownResource, err := p.validateResourceExists(ctx, resource)
+	if err != nil {
+		metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
+		return nil, err
 	}
-	if err := p.validateScopeExists(ctx, scope); err != nil {
-		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
+	knownScope := true
+	if knownResource {
+		// Only probe scope when resource is valid; avoids a second lookup on
+		// the unknown-resource path.
+		knownScope, err = p.validateScopeExists(ctx, scope)
+		if err != nil {
+			metrics.RecordAuthzCheck(mode, metrics.AuthzResultError)
+			return nil, err
+		}
+	}
+	if !knownResource || !knownScope {
+		// Unknown identifier — skip counter bumps (DoS guard for attacker-
+		// controlled inputs from the public REST endpoint).
+		return p.handleNoPermission(mode, cacheKey, principal, resource, scope, false /* isKnown */), nil
 	}
 
 	// Permissions.
@@ -109,7 +129,9 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 		return nil, fmt.Errorf("failed to query permissions: %w", err)
 	}
 	if len(perms) == 0 {
-		return p.handleNoPermission(mode, cacheKey, principal, resource, scope), nil
+		// Known (resource, scope) but no permission row — this is the signal
+		// we DO want to track for rollout.
+		return p.handleNoPermission(mode, cacheKey, principal, resource, scope, true /* isKnown */), nil
 	}
 
 	// Policy evaluation.
@@ -142,14 +164,23 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 // handleNoPermission returns a deny or allow result based on enforcement mode.
 // In permissive mode, it emits a rate-limited warn log (one line per
 // (resource,scope) per window) and allows; in enforcing mode, it denies.
-// The result is cached (negative caching) and the per-mode metrics counters
-// (checks_total + unmatched_total) are bumped.
-func (p *provider) handleNoPermission(mode, cacheKey string, principal *Principal, resource, scope string) *CheckResult {
-	p.cache.bumpUnmatched(resource, scope)
-	metrics.RecordAuthzUnmatched(mode)
+// The result is cached (negative caching) and the checks_total metric is bumped.
+//
+// The isKnown parameter reports whether (resource, scope) are both registered
+// in the DB. Counters and the warn-limiter are only bumped for known pairs to
+// prevent unbounded growth of cache.counters / warnLimiter.last from attacker-
+// controlled input on the public /api/v1/check-permission REST endpoint.
+func (p *provider) handleNoPermission(mode, cacheKey string, principal *Principal, resource, scope string, isKnown bool) *CheckResult {
+	if isKnown {
+		// Only track rollout signal for registered (resource, scope) pairs.
+		// Unknown identifiers are rejected here to prevent unbounded counter
+		// growth from attacker-controlled input on the public REST endpoint.
+		p.cache.bumpUnmatched(resource, scope)
+		metrics.RecordAuthzUnmatched(mode)
+	}
 
 	if mode == constants.AuthorizationEnforcementPermissive {
-		if p.warnLimiter.allow(resource + ":" + scope) {
+		if isKnown && p.warnLimiter.allow(resource+":"+scope) {
 			p.log.Warn().
 				Bool("authz.unmatched", true).
 				Str("mode", mode).
@@ -314,6 +345,14 @@ func (p *provider) GetPrincipalPermissions(ctx context.Context, principal *Princ
 		return nil, fmt.Errorf("failed to list scopes: %w", err)
 	}
 
+	// Hard ceiling: refuse to enumerate O(R*S) permissions beyond the cap.
+	// A tenant with, e.g., 1000 resources * 100 scopes = 100k CheckPermission
+	// calls per request would otherwise saturate the authz subsystem.
+	if int64(len(resources))*int64(len(scopes)) > int64(MaxPrincipalPermissionEvaluations) {
+		return nil, fmt.Errorf("too many permissions to enumerate: %d resources * %d scopes exceeds cap of %d",
+			len(resources), len(scopes), MaxPrincipalPermissionEvaluations)
+	}
+
 	var granted []ResourceScope
 	for _, res := range resources {
 		for _, sc := range scopes {
@@ -344,58 +383,59 @@ func (p *provider) InvalidateCache(ctx context.Context, prefix string) error {
 	return nil
 }
 
-// validateResourceExists checks that the given resource name is registered in the DB.
-// Results are cached to avoid repeated DB lookups.
-func (p *provider) validateResourceExists(ctx context.Context, resource string) error {
+// validateResourceExists reports whether the given resource is registered.
+// Returns (true, nil) if known; (false, nil) if definitively unknown;
+// (false, err) if the storage probe itself failed.
+//
+// A probe error must NOT be masked as "unknown" — previously this helper
+// returned nil on DB failure, which in permissive mode caused the caller to
+// fall through to allow. We now fail-closed on probe error so a transient DB
+// blip cannot flip a legitimate unknown-resource path to Allowed:true.
+func (p *provider) validateResourceExists(ctx context.Context, resource string) (bool, error) {
 	cacheKey := validResourcesKey()
-	if cached, ok := p.cache.get(cacheKey); ok {
-		if strings.Contains(","+cached+",", ","+resource+",") {
-			return nil
-		}
-		return fmt.Errorf("unknown resource: %s", resource)
+	if set, ok := p.cache.getValidSet(cacheKey); ok {
+		_, found := set[resource]
+		return found, nil
 	}
 
 	names, err := p.fetchAllResources(ctx)
 	if err != nil {
-		// On error, allow the request to proceed (fail open for validation,
-		// the actual permission check will still be default-deny).
-		return nil
+		return false, fmt.Errorf("probe resources: %w", err)
 	}
 
-	p.cache.set(cacheKey, strings.Join(names, ","))
-
+	set := make(map[string]struct{}, len(names))
 	for _, n := range names {
-		if n == resource {
-			return nil
-		}
+		set[n] = struct{}{}
 	}
-	return fmt.Errorf("unknown resource: %s", resource)
+	p.cache.setValidSet(cacheKey, set)
+
+	_, found := set[resource]
+	return found, nil
 }
 
-// validateScopeExists checks that the given scope name is registered in the DB.
-// Results are cached to avoid repeated DB lookups.
-func (p *provider) validateScopeExists(ctx context.Context, scope string) error {
+// validateScopeExists reports whether the given scope is registered.
+// Returns (true, nil) if known; (false, nil) if definitively unknown;
+// (false, err) if the storage probe itself failed.
+func (p *provider) validateScopeExists(ctx context.Context, scope string) (bool, error) {
 	cacheKey := validScopesKey()
-	if cached, ok := p.cache.get(cacheKey); ok {
-		if strings.Contains(","+cached+",", ","+scope+",") {
-			return nil
-		}
-		return fmt.Errorf("unknown scope: %s", scope)
+	if set, ok := p.cache.getValidSet(cacheKey); ok {
+		_, found := set[scope]
+		return found, nil
 	}
 
 	names, err := p.fetchAllScopes(ctx)
 	if err != nil {
-		return nil
+		return false, fmt.Errorf("probe scopes: %w", err)
 	}
 
-	p.cache.set(cacheKey, strings.Join(names, ","))
-
+	set := make(map[string]struct{}, len(names))
 	for _, n := range names {
-		if n == scope {
-			return nil
-		}
+		set[n] = struct{}{}
 	}
-	return fmt.Errorf("unknown scope: %s", scope)
+	p.cache.setValidSet(cacheKey, set)
+
+	_, found := set[scope]
+	return found, nil
 }
 
 // fetchAllResources retrieves all resource names from storage using pagination.
@@ -406,8 +446,9 @@ func (p *provider) fetchAllResources(ctx context.Context) ([]string, error) {
 
 	for {
 		pagination := &model.Pagination{
-			Limit: limit,
-			Page:  page,
+			Limit:  limit,
+			Offset: (page - 1) * limit,
+			Page:   page,
 		}
 		resources, paginationResult, err := p.storageProvider.ListResources(ctx, pagination)
 		if err != nil {
@@ -434,8 +475,9 @@ func (p *provider) fetchAllScopes(ctx context.Context) ([]string, error) {
 
 	for {
 		pagination := &model.Pagination{
-			Limit: limit,
-			Page:  page,
+			Limit:  limit,
+			Offset: (page - 1) * limit,
+			Page:   page,
 		}
 		scopes, paginationResult, err := p.storageProvider.ListScopes(ctx, pagination)
 		if err != nil {
diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
index 0e284f53..8dbc6c19 100644
--- a/internal/integration_tests/authorization_test.go
+++ b/internal/integration_tests/authorization_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
@@ -455,11 +456,19 @@ func TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies(t *testin
 
 // TestCheckPermission_IncrementsPrometheusCounters verifies that an unmatched
 // check in permissive mode increments metrics.AuthzUnmatchedTotal by exactly
-// one for the "permissive" label.
+// one for the "permissive" label. The (resource, scope) pair MUST be registered
+// first so that the "known but no matching permission" path is exercised —
+// unknown identifiers intentionally no longer bump the counter (DoS guard).
 func TestCheckPermission_IncrementsPrometheusCounters(t *testing.T) {
 	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
 	_, ctx := createContext(ts)
 
+	// Seed resource + scope directly via storage (no permission). This makes
+	// validateResourceExists / validateScopeExists return known=true, so the
+	// subsequent CheckPermission lands on the "known, no permission" path
+	// that DOES bump counters.
+	seedKnownResourceScopeNoPermission(t, ts, ctx, "orders", "read")
+
 	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
 
 	_, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
@@ -472,6 +481,47 @@ func TestCheckPermission_IncrementsPrometheusCounters(t *testing.T) {
 	require.Equal(t, before+1, after, "unmatched counter must increment once per unmatched check")
 }
 
+// TestCheckPermission_UnknownResource_PermissiveStillAllows_ButDoesNotBumpUnmatchedCounter
+// verifies the DoS guard: permissive mode still allows the request (so callers
+// aren't broken by a typo/unknown identifier), but the unmatched counter and
+// warn-limiter MUST NOT grow for attacker-controlled input on the public
+// /api/v1/check-permission endpoint. Otherwise a caller could flood the
+// in-process sync.Map with arbitrary (resource, scope) combinations.
+func TestCheckPermission_UnknownResource_PermissiveStillAllows_ButDoesNotBumpUnmatchedCounter(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
+	_, ctx := createContext(ts)
+
+	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID: "user-1", Type: constants.PrincipalTypeUser,
+	}, "unknown-resource", "unknown-scope")
+
+	require.NoError(t, err)
+	require.True(t, result.Allowed, "permissive still allows unknown resource")
+
+	after := testutil.ToFloat64(metrics.AuthzUnmatchedTotal.WithLabelValues(metrics.AuthzModePermissive))
+	require.Equal(t, before, after, "unknown-resource calls must NOT bump the unmatched counter (DoS guard)")
+}
+
+// seedKnownResourceScopeNoPermission inserts a Resource and Scope row via the
+// storage provider without attaching a Permission. This is the minimal seed
+// needed to exercise the "known (resource, scope), no matching permission"
+// path in CheckPermission after Fix B/C.
+func seedKnownResourceScopeNoPermission(t *testing.T, ts *testSetup, _ context.Context, resource, scope string) {
+	t.Helper()
+	_, err := ts.StorageProvider.AddResource(context.Background(), &schemas.Resource{
+		Name:        resource,
+		Description: "seed (no permission) resource",
+	})
+	require.NoError(t, err)
+	_, err = ts.StorageProvider.AddScope(context.Background(), &schemas.Scope{
+		Name:        scope,
+		Description: "seed (no permission) scope",
+	})
+	require.NoError(t, err)
+}
+
 // seedResourceScopePermissionWithDenyPolicy seeds a resource, scope, a
 // negative-logic role policy targeting the given role, and a permission that
 // links them. It uses the GraphQL provider (mirroring TestAuthorizationCRUD),

From 5e7701498b9ddb34bdd29581b9a535077a425d4b Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 23 Apr 2026 03:13:35 +0530
Subject: [PATCH 25/26] fix(authz): compensating rollback, typo-tolerant flag,
 string constants, test coverage

---
 cmd/root.go                                   |  41 ++-
 internal/graphql/add_permission.go            |  65 +++-
 internal/graphql/add_policy.go                |  23 +-
 internal/graphql/check_permission.go          |   3 +-
 internal/graphql/my_permissions.go            |   3 +-
 internal/graphql/update_permission.go         |   6 +-
 internal/graphql/update_policy.go             |  11 +-
 internal/http_handlers/check_permission.go    |   3 +-
 .../integration_tests/authorization_test.go   | 336 ++++++++++++++++++
 9 files changed, 451 insertions(+), 40 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 7ba961ee..48b671fc 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -82,6 +82,17 @@ var (
 // it runs before the logger is ready.
 var legacyDisabledObserved bool
 
+// legacyTypoObserved is set when the operator passes an
+// authorization-enforcement value that is neither empty, "permissive",
+// "enforcing" (any case), nor the legacy "disabled". runRoot emits a warning
+// after the logger is configured so operators notice fat-fingered flags
+// instead of being silently demoted to "permissive".
+var legacyTypoObserved bool
+
+// rawAuthzEnforcement preserves the operator-supplied --authorization-enforcement
+// value before normalization, so runRoot can echo it back in the typo warning.
+var rawAuthzEnforcement string
+
 func init() {
 	f := RootCmd.Flags()
 
@@ -336,25 +347,39 @@ func applyFlagDefaults() {
 		c.RobloxScopes = append([]string(nil), defaultRobloxScopes...)
 	}
 	rawEnforcement := c.AuthorizationEnforcement
+	rawAuthzEnforcement = rawEnforcement
 	c.AuthorizationEnforcement = NormalizeAuthzEnforcement(rawEnforcement)
-	if strings.TrimSpace(rawEnforcement) == "disabled" {
+	trimmed := strings.TrimSpace(rawEnforcement)
+	switch {
+	case strings.EqualFold(trimmed, "disabled"):
 		// Remember the legacy input so runRoot can log the one-time migration
 		// notice after the logger is configured. We cannot log here because
 		// applyFlagDefaults runs before the logger is ready.
 		legacyDisabledObserved = true
+	case trimmed == "",
+		strings.EqualFold(trimmed, constants.AuthorizationEnforcementPermissive),
+		strings.EqualFold(trimmed, constants.AuthorizationEnforcementEnforcing):
+		// Canonical input (case-insensitive) or unset; nothing to flag.
+	default:
+		// Anything else is a typo or unknown value. Surface it as a warning
+		// in runRoot so operators see their fat-fingered flag instead of
+		// being silently demoted to permissive.
+		legacyTypoObserved = true
 	}
 }
 
 // NormalizeAuthzEnforcement returns the canonical enforcement mode for the given input.
-//   - "" (empty) and unknown values map to "permissive" (the new default).
-//   - "disabled" (legacy value) maps to "permissive" and is logged by the caller
-//     as a one-time migration notice.
-//   - "permissive" and "enforcing" pass through unchanged.
+//   - "enforcing" (case-insensitive, whitespace-tolerant) maps to "enforcing".
+//   - "" (empty), "permissive" (any case), "disabled" (legacy), and any
+//     unrecognized value map to "permissive" — the new safe default.
 //
-// Callers are responsible for emitting the legacy-migration log when they
-// observe the "disabled" input value.
+// Callers (applyFlagDefaults / runRoot) are responsible for emitting the
+// legacy-migration notice for "disabled" (via legacyDisabledObserved) and a
+// typo warning for unrecognized input (via legacyTypoObserved) after the
+// logger is configured.
 func NormalizeAuthzEnforcement(v string) string {
-	if strings.TrimSpace(v) == constants.AuthorizationEnforcementEnforcing {
+	trimmed := strings.TrimSpace(v)
+	if strings.EqualFold(trimmed, constants.AuthorizationEnforcementEnforcing) {
 		return constants.AuthorizationEnforcementEnforcing
 	}
 	return constants.AuthorizationEnforcementPermissive
diff --git a/internal/graphql/add_permission.go b/internal/graphql/add_permission.go
index fb00385f..689ebe05 100644
--- a/internal/graphql/add_permission.go
+++ b/internal/graphql/add_permission.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -56,12 +57,13 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 		description = *params.Description
 	}
 
-	decisionStrategy := "affirmative"
+	decisionStrategy := constants.DecisionStrategyAffirmative
 	if params.DecisionStrategy != nil {
 		decisionStrategy = *params.DecisionStrategy
 	}
-	if decisionStrategy != "affirmative" && decisionStrategy != "unanimous" {
-		return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+	if decisionStrategy != constants.DecisionStrategyAffirmative && decisionStrategy != constants.DecisionStrategyUnanimous {
+		return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
+			constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
 	}
 
 	// Verify resource exists
@@ -82,50 +84,83 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 		return nil, err
 	}
 
-	// Add permission scopes
+	// Attach scopes + policies. The storage layer does not expose transactions
+	// across these provider-level calls, so a failure mid-attach would leave
+	// the newly created permission row orphaned (present but with partial or
+	// no scope/policy links). To keep the system consistent we compensate by
+	// deleting the permission when any attach step fails. The delete uses
+	// context.Background() so it survives request cancellation (mirrors the
+	// pattern already used for InvalidateCache below). If the compensation
+	// itself fails, log at ERROR level so operators can manually clean up,
+	// but still return the ORIGINAL error — that is the failure operators
+	// need to see first.
+	apiScopes, apiPolicies, err := g.attachPermissionScopesAndPolicies(ctx, permission.ID, params)
+	if err != nil {
+		if delErr := g.StorageProvider.DeletePermission(context.Background(), permission.ID); delErr != nil {
+			log.Error().
+				Err(delErr).
+				Str("permission_id", permission.ID).
+				Msg("failed to roll back orphaned permission after partial AddPermission failure; manual cleanup required")
+		}
+		return nil, err
+	}
+
+	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
+
+	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
+}
+
+// attachPermissionScopesAndPolicies creates PermissionScope and PermissionPolicy
+// link rows for a newly added permission and returns the API-shape scope and
+// policy slices used to build the GraphQL response. It returns the first error
+// encountered so the caller can roll back the permission.
+func (g *graphqlProvider) attachPermissionScopesAndPolicies(
+	ctx context.Context,
+	permissionID string,
+	params *model.AddPermissionInput,
+) ([]*model.AuthzScope, []*model.AuthzPolicy, error) {
+	log := g.Log.With().Str("func", "attachPermissionScopesAndPolicies").Logger()
+
 	apiScopes := make([]*model.AuthzScope, 0, len(params.ScopeIds))
 	for _, scopeID := range params.ScopeIds {
 		_, err := g.StorageProvider.AddPermissionScope(ctx, &schemas.PermissionScope{
-			PermissionID: permission.ID,
+			PermissionID: permissionID,
 			ScopeID:      scopeID,
 		})
 		if err != nil {
 			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to add permission scope")
-			return nil, err
+			return nil, nil, err
 		}
 		scope, err := g.StorageProvider.GetScopeByID(ctx, scopeID)
 		if err != nil {
 			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to get scope by ID")
-			return nil, err
+			return nil, nil, err
 		}
 		apiScopes = append(apiScopes, scope.AsAPIScope())
 	}
 
-	// Add permission policies
 	apiPolicies := make([]*model.AuthzPolicy, 0, len(params.PolicyIds))
 	for _, policyID := range params.PolicyIds {
 		_, err := g.StorageProvider.AddPermissionPolicy(ctx, &schemas.PermissionPolicy{
-			PermissionID: permission.ID,
+			PermissionID: permissionID,
 			PolicyID:     policyID,
 		})
 		if err != nil {
 			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to add permission policy")
-			return nil, err
+			return nil, nil, err
 		}
 		policy, err := g.StorageProvider.GetPolicyByID(ctx, policyID)
 		if err != nil {
 			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy by ID")
-			return nil, err
+			return nil, nil, err
 		}
 		targets, err := g.StorageProvider.GetPolicyTargets(ctx, policyID)
 		if err != nil {
 			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy targets")
-			return nil, err
+			return nil, nil, err
 		}
 		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
 	}
 
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
+	return apiScopes, apiPolicies, nil
 }
diff --git a/internal/graphql/add_policy.go b/internal/graphql/add_policy.go
index c9868c96..6fb7ba85 100644
--- a/internal/graphql/add_policy.go
+++ b/internal/graphql/add_policy.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -42,9 +43,13 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 	if policyType == "" {
 		return nil, fmt.Errorf("policy type is required")
 	}
-	validPolicyTypes := map[string]bool{"role": true, "user": true}
+	validPolicyTypes := map[string]bool{
+		constants.PolicyTypeRole: true,
+		constants.PolicyTypeUser: true,
+	}
 	if !validPolicyTypes[policyType] {
-		return nil, fmt.Errorf("invalid policy type: must be 'role' or 'user'")
+		return nil, fmt.Errorf("invalid policy type: must be '%s' or '%s'",
+			constants.PolicyTypeRole, constants.PolicyTypeUser)
 	}
 
 	description := ""
@@ -52,20 +57,22 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 		description = *params.Description
 	}
 
-	logic := "positive"
+	logic := constants.PolicyLogicPositive
 	if params.Logic != nil {
 		logic = *params.Logic
 	}
-	if logic != "positive" && logic != "negative" {
-		return nil, fmt.Errorf("invalid policy logic: must be 'positive' or 'negative'")
+	if logic != constants.PolicyLogicPositive && logic != constants.PolicyLogicNegative {
+		return nil, fmt.Errorf("invalid policy logic: must be '%s' or '%s'",
+			constants.PolicyLogicPositive, constants.PolicyLogicNegative)
 	}
 
-	decisionStrategy := "affirmative"
+	decisionStrategy := constants.DecisionStrategyAffirmative
 	if params.DecisionStrategy != nil {
 		decisionStrategy = *params.DecisionStrategy
 	}
-	if decisionStrategy != "affirmative" && decisionStrategy != "unanimous" {
-		return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+	if decisionStrategy != constants.DecisionStrategyAffirmative && decisionStrategy != constants.DecisionStrategyUnanimous {
+		return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
+			constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
 	}
 
 	policy, err := g.StorageProvider.AddPolicy(ctx, &schemas.Policy{
diff --git a/internal/graphql/check_permission.go b/internal/graphql/check_permission.go
index 0307939b..d73a8db6 100644
--- a/internal/graphql/check_permission.go
+++ b/internal/graphql/check_permission.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -39,7 +40,7 @@ func (g *graphqlProvider) CheckPermission(ctx context.Context, params *model.Che
 
 	principal := &authorization.Principal{
 		ID:    user.ID,
-		Type:  "user",
+		Type:  constants.PrincipalTypeUser,
 		Roles: roles,
 	}
 
diff --git a/internal/graphql/my_permissions.go b/internal/graphql/my_permissions.go
index 23684193..60b7374b 100644
--- a/internal/graphql/my_permissions.go
+++ b/internal/graphql/my_permissions.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -39,7 +40,7 @@ func (g *graphqlProvider) MyPermissions(ctx context.Context) ([]*model.AuthzReso
 
 	principal := &authorization.Principal{
 		ID:    user.ID,
-		Type:  "user",
+		Type:  constants.PrincipalTypeUser,
 		Roles: roles,
 	}
 
diff --git a/internal/graphql/update_permission.go b/internal/graphql/update_permission.go
index 4fb76622..ca093459 100644
--- a/internal/graphql/update_permission.go
+++ b/internal/graphql/update_permission.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -55,8 +56,9 @@ func (g *graphqlProvider) UpdatePermission(ctx context.Context, params *model.Up
 	}
 	if params.DecisionStrategy != nil {
 		ds := *params.DecisionStrategy
-		if ds != "affirmative" && ds != "unanimous" {
-			return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+		if ds != constants.DecisionStrategyAffirmative && ds != constants.DecisionStrategyUnanimous {
+			return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
+				constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
 		}
 		permission.DecisionStrategy = ds
 	}
diff --git a/internal/graphql/update_policy.go b/internal/graphql/update_policy.go
index 6116cff0..71a8e7fc 100644
--- a/internal/graphql/update_policy.go
+++ b/internal/graphql/update_policy.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -55,15 +56,17 @@ func (g *graphqlProvider) UpdatePolicy(ctx context.Context, params *model.Update
 	}
 	if params.Logic != nil {
 		logic := *params.Logic
-		if logic != "positive" && logic != "negative" {
-			return nil, fmt.Errorf("invalid policy logic: must be 'positive' or 'negative'")
+		if logic != constants.PolicyLogicPositive && logic != constants.PolicyLogicNegative {
+			return nil, fmt.Errorf("invalid policy logic: must be '%s' or '%s'",
+				constants.PolicyLogicPositive, constants.PolicyLogicNegative)
 		}
 		policy.Logic = logic
 	}
 	if params.DecisionStrategy != nil {
 		ds := *params.DecisionStrategy
-		if ds != "affirmative" && ds != "unanimous" {
-			return nil, fmt.Errorf("invalid decision strategy: must be 'affirmative' or 'unanimous'")
+		if ds != constants.DecisionStrategyAffirmative && ds != constants.DecisionStrategyUnanimous {
+			return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
+				constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
 		}
 		policy.DecisionStrategy = ds
 	}
diff --git a/internal/http_handlers/check_permission.go b/internal/http_handlers/check_permission.go
index 9c37eebd..25313c77 100644
--- a/internal/http_handlers/check_permission.go
+++ b/internal/http_handlers/check_permission.go
@@ -7,6 +7,7 @@ import (
 	"github.com/gin-gonic/gin"
 
 	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/constants"
 )
 
 // checkPermissionRequest is the JSON body for POST /api/v1/check-permission.
@@ -94,7 +95,7 @@ func (h *httpProvider) CheckPermissionHandler() gin.HandlerFunc {
 
 		principal := &authorization.Principal{
 			ID:    userID,
-			Type:  "user",
+			Type:  constants.PrincipalTypeUser,
 			Roles: roles,
 		}
 
diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
index 8dbc6c19..3d6c4769 100644
--- a/internal/integration_tests/authorization_test.go
+++ b/internal/integration_tests/authorization_test.go
@@ -3,6 +3,8 @@ package integration_tests
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 
@@ -15,6 +17,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
@@ -602,3 +605,336 @@ func TestConfig_UnknownValue_NormalizesToPermissive(t *testing.T) {
 func TestConfig_Enforcing_Preserved(t *testing.T) {
 	require.Equal(t, constants.AuthorizationEnforcementEnforcing, cmd.NormalizeAuthzEnforcement("enforcing"))
 }
+
+// TestConfig_MixedCaseEnforcing_Preserved verifies the normalizer is tolerant
+// of mixed case, uppercase, and surrounding whitespace on "enforcing". This
+// guards against a silent demotion to permissive when an operator types
+// `--authorization-enforcement Enforcing` or sets `ENFORCING` via CI.
+func TestConfig_MixedCaseEnforcing_Preserved(t *testing.T) {
+	require.Equal(t, constants.AuthorizationEnforcementEnforcing, cmd.NormalizeAuthzEnforcement("Enforcing"))
+	require.Equal(t, constants.AuthorizationEnforcementEnforcing, cmd.NormalizeAuthzEnforcement("ENFORCING"))
+	require.Equal(t, constants.AuthorizationEnforcementEnforcing, cmd.NormalizeAuthzEnforcement("  enforcing  "))
+}
+
+// seedResourceScopePermissionWithRolePolicy seeds a resource, scope, a
+// role policy with the given logic targeting the given role, and a permission
+// that links them. Shared implementation used by the positive- and
+// negative-logic helpers.
+func seedResourceScopePermissionWithRolePolicy(
+	t *testing.T,
+	ts *testSetup,
+	ctx context.Context,
+	resource, scope, role, logic string,
+) {
+	t.Helper()
+
+	res, err := ts.GraphQLProvider.AddResource(ctx, &model.AddResourceInput{
+		Name:        resource,
+		Description: refs.NewStringRef("seed resource"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, res)
+
+	sc, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+		Name:        scope,
+		Description: refs.NewStringRef("seed scope"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, sc)
+
+	logicRef := logic
+	policy, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+		Name:        logic + "-" + role + "-" + uuid.New().String(),
+		Description: refs.NewStringRef("seed role policy"),
+		Type:        constants.PolicyTypeRole,
+		Logic:       &logicRef,
+		Targets: []*model.PolicyTargetInput{
+			{
+				TargetType:  constants.TargetTypeRole,
+				TargetValue: role,
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, policy)
+	require.Equal(t, logic, policy.Logic, "policy must be stored with requested logic")
+
+	perm, err := ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+		Name:       resource + "-" + scope + "-" + uuid.New().String(),
+		ResourceID: res.ID,
+		ScopeIds:   []string{sc.ID},
+		PolicyIds:  []string{policy.ID},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, perm)
+}
+
+// seedResourceScopePermissionWithPositivePolicy seeds a resource, scope, a
+// positive-logic role policy targeting the given role, and a permission that
+// links them. Mirrors seedResourceScopePermissionWithDenyPolicy but with grant
+// semantics.
+func seedResourceScopePermissionWithPositivePolicy(
+	t *testing.T,
+	ts *testSetup,
+	ctx context.Context,
+	resource, scope, role string,
+) {
+	t.Helper()
+	seedResourceScopePermissionWithRolePolicy(t, ts, ctx, resource, scope, role, constants.PolicyLogicPositive)
+}
+
+// seedResourceScopeWithUnanimousDualRolePolicy seeds a resource, scope, TWO
+// positive-logic role policies (one per role), and a permission that links
+// them with DecisionStrategy=unanimous. This is the minimal setup to exercise
+// the unanimous evaluation path (all attached policies must agree).
+func seedResourceScopeWithUnanimousDualRolePolicy(
+	t *testing.T,
+	ts *testSetup,
+	ctx context.Context,
+	resource, scope, roleA, roleB string,
+) {
+	t.Helper()
+
+	res, err := ts.GraphQLProvider.AddResource(ctx, &model.AddResourceInput{
+		Name:        resource,
+		Description: refs.NewStringRef("seed resource"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, res)
+
+	sc, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+		Name:        scope,
+		Description: refs.NewStringRef("seed scope"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, sc)
+
+	positive := constants.PolicyLogicPositive
+
+	policyA, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+		Name:        "grant-" + roleA + "-" + uuid.New().String(),
+		Description: refs.NewStringRef("seed positive role policy A"),
+		Type:        constants.PolicyTypeRole,
+		Logic:       &positive,
+		Targets: []*model.PolicyTargetInput{
+			{
+				TargetType:  constants.TargetTypeRole,
+				TargetValue: roleA,
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, policyA)
+
+	policyB, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+		Name:        "grant-" + roleB + "-" + uuid.New().String(),
+		Description: refs.NewStringRef("seed positive role policy B"),
+		Type:        constants.PolicyTypeRole,
+		Logic:       &positive,
+		Targets: []*model.PolicyTargetInput{
+			{
+				TargetType:  constants.TargetTypeRole,
+				TargetValue: roleB,
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, policyB)
+
+	unanimous := constants.DecisionStrategyUnanimous
+	perm, err := ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+		Name:             resource + "-" + scope + "-" + uuid.New().String(),
+		ResourceID:       res.ID,
+		ScopeIds:         []string{sc.ID},
+		PolicyIds:        []string{policyA.ID, policyB.ID},
+		DecisionStrategy: &unanimous,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, perm)
+	require.Equal(t, constants.DecisionStrategyUnanimous, perm.DecisionStrategy,
+		"permission must be persisted with unanimous strategy")
+}
+
+// seedResourceScopeWithUserPolicyPermission seeds a resource, scope, a
+// positive-logic user policy targeting the given userID, and a permission that
+// links them. Exercises the PolicyTypeUser path: the policy matches on
+// principal.ID, not roles.
+func seedResourceScopeWithUserPolicyPermission(
+	t *testing.T,
+	ts *testSetup,
+	ctx context.Context,
+	resource, scope, userID string,
+) {
+	t.Helper()
+
+	res, err := ts.GraphQLProvider.AddResource(ctx, &model.AddResourceInput{
+		Name:        resource,
+		Description: refs.NewStringRef("seed resource"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, res)
+
+	sc, err := ts.GraphQLProvider.AddScope(ctx, &model.AddScopeInput{
+		Name:        scope,
+		Description: refs.NewStringRef("seed scope"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, sc)
+
+	positive := constants.PolicyLogicPositive
+	policy, err := ts.GraphQLProvider.AddPolicy(ctx, &model.AddPolicyInput{
+		Name:        "user-grant-" + uuid.New().String(),
+		Description: refs.NewStringRef("seed user policy"),
+		Type:        constants.PolicyTypeUser,
+		Logic:       &positive,
+		Targets: []*model.PolicyTargetInput{
+			{
+				TargetType:  constants.TargetTypeUser,
+				TargetValue: userID,
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, policy)
+
+	perm, err := ts.GraphQLProvider.AddPermission(ctx, &model.AddPermissionInput{
+		Name:       resource + "-" + scope + "-" + uuid.New().String(),
+		ResourceID: res.ID,
+		ScopeIds:   []string{sc.ID},
+		PolicyIds:  []string{policy.ID},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, perm)
+}
+
+// TestCheckPermission_MaxScopes_InsideCeiling_UsesPolicy verifies that when a
+// principal's delegation ceiling (MaxScopes) explicitly includes the requested
+// resource:scope, the normal policy evaluation proceeds and a matching
+// positive policy still grants access.
+func TestCheckPermission_MaxScopes_InsideCeiling_UsesPolicy(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementEnforcing)
+	req, ctx := createContext(ts)
+	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	seedResourceScopePermissionWithPositivePolicy(t, ts, ctx, "docs", "read", "viewer")
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:        "user-1",
+		Type:      constants.PrincipalTypeUser,
+		Roles:     []string{"viewer"},
+		MaxScopes: []string{"docs:read"},
+	}, "docs", "read")
+	require.NoError(t, err)
+	require.True(t, result.Allowed)
+}
+
+// TestCheckPermission_MaxScopes_OutsideCeiling_DeniesBeforePolicy verifies that
+// even when a principal's roles/policies would normally grant access, a
+// MaxScopes ceiling that does not include the requested resource:scope MUST
+// deny the check short-circuit — delegation ceilings are evaluated before
+// policy matching.
+func TestCheckPermission_MaxScopes_OutsideCeiling_DeniesBeforePolicy(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementEnforcing)
+	req, ctx := createContext(ts)
+	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	seedResourceScopePermissionWithPositivePolicy(t, ts, ctx, "docs", "read", "viewer")
+
+	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:        "user-1",
+		Type:      constants.PrincipalTypeUser,
+		Roles:     []string{"viewer"},
+		MaxScopes: []string{"docs:write"},
+	}, "docs", "read")
+	require.NoError(t, err)
+	require.False(t, result.Allowed, "MaxScopes ceiling must deny before policy eval")
+}
+
+// TestCheckPermission_UnanimousDecisionStrategy_AllPoliciesMustAgree verifies
+// that a permission with DecisionStrategy=unanimous only grants when every
+// attached policy's target matches the principal. A principal with only one of
+// the two required roles must be denied; a principal with both is allowed.
+func TestCheckPermission_UnanimousDecisionStrategy_AllPoliciesMustAgree(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementEnforcing)
+	req, ctx := createContext(ts)
+	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	seedResourceScopeWithUnanimousDualRolePolicy(t, ts, ctx, "ledger", "read", "accountant", "auditor")
+
+	res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:    "user-1",
+		Type:  constants.PrincipalTypeUser,
+		Roles: []string{"accountant"},
+	}, "ledger", "read")
+	require.NoError(t, err)
+	require.False(t, res.Allowed, "unanimous: missing one role")
+
+	res2, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:    "user-2",
+		Type:  constants.PrincipalTypeUser,
+		Roles: []string{"accountant", "auditor"},
+	}, "ledger", "read")
+	require.NoError(t, err)
+	require.True(t, res2.Allowed, "unanimous: all roles present")
+}
+
+// TestCheckPermission_UserTypePolicy_MatchesOnPrincipalID verifies that a
+// PolicyTypeUser policy matches the principal by its ID (not by role). The
+// seeded policy grants access to a specific user; any other user must be
+// denied.
+func TestCheckPermission_UserTypePolicy_MatchesOnPrincipalID(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementEnforcing)
+	req, ctx := createContext(ts)
+	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
+	require.NoError(t, err)
+	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
+
+	seedResourceScopeWithUserPolicyPermission(t, ts, ctx, "secret", "read", "user-alice")
+
+	res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:   "user-alice",
+		Type: constants.PrincipalTypeUser,
+	}, "secret", "read")
+	require.NoError(t, err)
+	require.True(t, res.Allowed)
+
+	res2, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
+		ID:   "user-bob",
+		Type: constants.PrincipalTypeUser,
+	}, "secret", "read")
+	require.NoError(t, err)
+	require.False(t, res2.Allowed)
+}
+
+// TestCheckPermissionREST_NoAuth_ReturnsUnauthorized verifies that POST
+// /api/v1/check-permission rejects requests without a Bearer token with a 401
+// (and a WWW-Authenticate challenge). This is the minimum authentication
+// contract for the REST check-permission endpoint.
+func TestCheckPermissionREST_NoAuth_ReturnsUnauthorized(t *testing.T) {
+	ts := testSetupWithAuthzMode(t, constants.AuthorizationEnforcementPermissive)
+
+	// testSetup doesn't persist a router field, but the CheckPermissionHandler
+	// needs only ContextMiddleware to be wired for gc.Request to be present.
+	// Mirror the pattern metrics_test.go uses for HTTP handler tests.
+	router := gin.New()
+	router.Use(ts.HttpProvider.ContextMiddleware())
+	router.POST("/api/v1/check-permission", ts.HttpProvider.CheckPermissionHandler())
+
+	body := strings.NewReader(`{"resource":"some-res","scope":"some-scope"}`)
+	httpReq := httptest.NewRequest(http.MethodPost, "/api/v1/check-permission", body)
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	rec := httptest.NewRecorder()
+	router.ServeHTTP(rec, httpReq)
+
+	require.Equal(t, http.StatusUnauthorized, rec.Code,
+		"REST /api/v1/check-permission must require Bearer token")
+	require.Contains(t, rec.Header().Get("WWW-Authenticate"), "Bearer",
+		"401 must advertise Bearer auth via WWW-Authenticate challenge")
+}

From 78ab37d06ec17338b919e1e67862fe8511ce0510 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 23 Apr 2026 03:18:45 +0530
Subject: [PATCH 26/26] refactor(authz): drop phantom error return, startup
 probe timeout, safer cache decode, shared identifier constant

---
 cmd/root.go                           |  7 ++--
 internal/authorization/cache.go       |  5 +--
 internal/authorization/evaluator.go   | 52 ++++++++++++++++++---------
 internal/authorization/provider.go    |  4 +--
 internal/authorization/validators.go  | 10 ++++--
 internal/constants/authorization.go   |  6 ++++
 internal/graphql/add_permission.go    |  4 +--
 internal/graphql/add_policy.go        |  4 +--
 internal/graphql/add_resource.go      |  5 +--
 internal/graphql/add_scope.go         |  5 +--
 internal/graphql/update_permission.go |  4 +--
 internal/graphql/update_policy.go     |  4 +--
 internal/graphql/update_resource.go   |  5 +--
 internal/graphql/update_scope.go      |  5 +--
 14 files changed, 79 insertions(+), 41 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 48b671fc..ec458523 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -538,8 +538,11 @@ func runRoot(c *cobra.Command, args []string) {
 	switch rootArgs.config.AuthorizationEnforcement {
 	case constants.AuthorizationEnforcementEnforcing:
 		// Check once at startup whether any permissions exist. If zero, emit a
-		// loud warn so operators don't lock themselves out in prod.
-		_, pr, lerr := storageProvider.ListPermissions(context.Background(), &model.Pagination{Limit: 1, Page: 1})
+		// loud warn so operators don't lock themselves out in prod. Bounded
+		// context prevents a hung DB at boot from blocking startup indefinitely.
+		probeCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		_, pr, lerr := storageProvider.ListPermissions(probeCtx, &model.Pagination{Limit: 1, Page: 1})
+		cancel()
 		switch {
 		case lerr != nil:
 			log.Warn().Err(lerr).Msg("authz: failed to probe permission count at startup; enforcing mode active")
diff --git a/internal/authorization/cache.go b/internal/authorization/cache.go
index 2d0e7e92..ab1e035e 100644
--- a/internal/authorization/cache.go
+++ b/internal/authorization/cache.go
@@ -37,8 +37,9 @@ func (c *cache) enabled() bool {
 
 // get retrieves a cached value by key. Returns the value and whether the key
 // was found and still valid. Expired entries are lazily deleted on access.
-// This returns cached "false" results identically to "true" results,
-// ensuring constant-time behavior for both outcomes.
+// Both positive and negative cached results (authorization "true"/"false")
+// follow the same lookup path, avoiding a cache-stampede on repeated
+// deny evaluations for the same (principal, resource, scope).
 func (c *cache) get(key string) (string, bool) {
 	if !c.enabled() {
 		return "", false
diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
index a734d1f2..8393e9dc 100644
--- a/internal/authorization/evaluator.go
+++ b/internal/authorization/evaluator.go
@@ -16,6 +16,15 @@ import (
 // error so they can detect incomplete output.
 const MaxPrincipalPermissionEvaluations = 10000
 
+// Boolean-valued cache entries use these sentinel strings. Any other value
+// stored under an evalKey is a bug — the lookup branch below treats it as a
+// cache miss (returns to the full evaluation path) rather than silently
+// coercing to false.
+const (
+	cacheValTrue  = "true"
+	cacheValFalse = "false"
+)
+
 // policyResult holds the outcome of a single policy evaluation.
 type policyResult struct {
 	granted    bool
@@ -83,19 +92,30 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 	// Cache.
 	cacheKey := evalKey(principal.ID, resource, scope)
 	if cached, ok := p.cache.get(cacheKey); ok {
-		allowed := cached == "true"
-		p.log.Debug().
-			Str("principal_id", principal.ID).
-			Str("resource", resource).
-			Str("scope", scope).
-			Bool("allowed", allowed).
-			Msg("authorization cache hit")
-		if allowed {
+		switch cached {
+		case cacheValTrue:
+			p.log.Debug().
+				Str("principal_id", principal.ID).
+				Str("resource", resource).
+				Str("scope", scope).
+				Bool("allowed", true).
+				Msg("authorization cache hit")
 			metrics.RecordAuthzCheck(mode, metrics.AuthzResultAllowed)
-		} else {
+			return &CheckResult{Allowed: true}, nil
+		case cacheValFalse:
+			p.log.Debug().
+				Str("principal_id", principal.ID).
+				Str("resource", resource).
+				Str("scope", scope).
+				Bool("allowed", false).
+				Msg("authorization cache hit")
 			metrics.RecordAuthzCheck(mode, metrics.AuthzResultDenied)
+			return &CheckResult{Allowed: false}, nil
+		default:
+			// Unexpected cache value — treat as a miss and fall through to full eval.
+			p.log.Warn().Str("cache_key", cacheKey).Str("value", cached).
+				Msg("authz: unexpected cached eval value, ignoring")
 		}
-		return &CheckResult{Allowed: allowed}, nil
 	}
 
 	// Resource/scope existence. Fail-closed: if the probe itself errors, surface
@@ -138,7 +158,7 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 	for _, perm := range perms {
 		allowed, matchedPolicy := p.evaluatePermission(principal, perm)
 		if allowed {
-			p.cache.set(cacheKey, "true")
+			p.cache.set(cacheKey, cacheValTrue)
 			p.log.Debug().
 				Str("principal_id", principal.ID).
 				Str("resource", resource).
@@ -151,7 +171,7 @@ func (p *provider) CheckPermission(ctx context.Context, principal *Principal, re
 	}
 
 	// No permission granted access.
-	p.cache.set(cacheKey, "false")
+	p.cache.set(cacheKey, cacheValFalse)
 	p.log.Debug().
 		Str("principal_id", principal.ID).
 		Str("resource", resource).
@@ -189,12 +209,12 @@ func (p *provider) handleNoPermission(mode, cacheKey string, principal *Principa
 				Str("scope", scope).
 				Msg("no matching permission (permissive: allowing)")
 		}
-		p.cache.set(cacheKey, "true")
+		p.cache.set(cacheKey, cacheValTrue)
 		metrics.RecordAuthzCheck(mode, metrics.AuthzResultUnmatchedAllowed)
 		return &CheckResult{Allowed: true}
 	}
 
-	p.cache.set(cacheKey, "false")
+	p.cache.set(cacheKey, cacheValFalse)
 	metrics.RecordAuthzCheck(mode, metrics.AuthzResultUnmatchedDenied)
 	return &CheckResult{Allowed: false}
 }
@@ -377,10 +397,10 @@ func (p *provider) GetPrincipalPermissions(ctx context.Context, principal *Princ
 }
 
 // InvalidateCache removes cached authorization data matching the given prefix.
-func (p *provider) InvalidateCache(ctx context.Context, prefix string) error {
+// Called by admin mutations when permissions/policies change.
+func (p *provider) InvalidateCache(ctx context.Context, prefix string) {
 	p.cache.deleteByPrefix(prefix)
 	p.log.Debug().Str("prefix", prefix).Msg("authorization cache invalidated")
-	return nil
 }
 
 // validateResourceExists reports whether the given resource is registered.
diff --git a/internal/authorization/provider.go b/internal/authorization/provider.go
index 283823ea..5472cf71 100644
--- a/internal/authorization/provider.go
+++ b/internal/authorization/provider.go
@@ -52,9 +52,9 @@ type Provider interface {
 	// Used for JWT embedding and dashboard display.
 	GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error)
 
-	// InvalidateCache removes cached authorization data.
+	// InvalidateCache removes cached authorization data matching the given prefix.
 	// Called by admin mutations when permissions/policies change.
-	InvalidateCache(ctx context.Context, prefix string) error
+	InvalidateCache(ctx context.Context, prefix string)
 }
 
 // Dependencies carries shared resources for constructing an authorization Provider.
diff --git a/internal/authorization/validators.go b/internal/authorization/validators.go
index 9b09e46e..b91422ce 100644
--- a/internal/authorization/validators.go
+++ b/internal/authorization/validators.go
@@ -1,12 +1,16 @@
 package authorization
 
-import "unicode"
+import (
+	"unicode"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+)
 
 // isValidIdentifier checks that a string is safe for use in cache keys
 // and database queries. Allows alphanumeric, hyphens, underscores.
-// Max 100 characters. Empty strings are invalid.
+// Max constants.MaxAuthzIdentifierLength characters. Empty strings are invalid.
 func isValidIdentifier(s string) bool {
-	if len(s) == 0 || len(s) > 100 {
+	if len(s) == 0 || len(s) > constants.MaxAuthzIdentifierLength {
 		return false
 	}
 	for _, r := range s {
diff --git a/internal/constants/authorization.go b/internal/constants/authorization.go
index 21df7874..533f6e11 100644
--- a/internal/constants/authorization.go
+++ b/internal/constants/authorization.go
@@ -36,4 +36,10 @@ const (
 	TargetTypeRole = "role"
 	// TargetTypeUser is a policy target that matches by user ID.
 	TargetTypeUser = "user"
+
+	// MaxAuthzIdentifierLength is the maximum allowed length for
+	// authorization resource names, scope names, policy names, and other
+	// FGA identifiers. The limit keeps caches bounded and ensures identifiers
+	// fit within reasonable index / column sizes across all storage providers.
+	MaxAuthzIdentifierLength = 100
 )
diff --git a/internal/graphql/add_permission.go b/internal/graphql/add_permission.go
index 689ebe05..73025dbe 100644
--- a/internal/graphql/add_permission.go
+++ b/internal/graphql/add_permission.go
@@ -31,8 +31,8 @@ func (g *graphqlProvider) AddPermission(ctx context.Context, params *model.AddPe
 	if name == "" {
 		return nil, fmt.Errorf("permission name is required")
 	}
-	if len(name) > 100 {
-		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	if len(name) > constants.MaxAuthzIdentifierLength {
+		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 	}
 	for _, r := range name {
 		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/add_policy.go b/internal/graphql/add_policy.go
index 6fb7ba85..3a2772d8 100644
--- a/internal/graphql/add_policy.go
+++ b/internal/graphql/add_policy.go
@@ -30,8 +30,8 @@ func (g *graphqlProvider) AddPolicy(ctx context.Context, params *model.AddPolicy
 	if name == "" {
 		return nil, fmt.Errorf("policy name is required")
 	}
-	if len(name) > 100 {
-		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	if len(name) > constants.MaxAuthzIdentifierLength {
+		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 	}
 	for _, r := range name {
 		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/add_resource.go b/internal/graphql/add_resource.go
index 3894f039..c467ed7b 100644
--- a/internal/graphql/add_resource.go
+++ b/internal/graphql/add_resource.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -29,8 +30,8 @@ func (g *graphqlProvider) AddResource(ctx context.Context, params *model.AddReso
 	if name == "" {
 		return nil, fmt.Errorf("resource name is required")
 	}
-	if len(name) > 100 {
-		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	if len(name) > constants.MaxAuthzIdentifierLength {
+		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 	}
 	for _, r := range name {
 		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/add_scope.go b/internal/graphql/add_scope.go
index 9cffcdd8..55be0d3a 100644
--- a/internal/graphql/add_scope.go
+++ b/internal/graphql/add_scope.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -29,8 +30,8 @@ func (g *graphqlProvider) AddScope(ctx context.Context, params *model.AddScopeIn
 	if name == "" {
 		return nil, fmt.Errorf("scope name is required")
 	}
-	if len(name) > 100 {
-		return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+	if len(name) > constants.MaxAuthzIdentifierLength {
+		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 	}
 	for _, r := range name {
 		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/update_permission.go b/internal/graphql/update_permission.go
index ca093459..da93c045 100644
--- a/internal/graphql/update_permission.go
+++ b/internal/graphql/update_permission.go
@@ -41,8 +41,8 @@ func (g *graphqlProvider) UpdatePermission(ctx context.Context, params *model.Up
 		if name == "" {
 			return nil, fmt.Errorf("permission name cannot be empty")
 		}
-		if len(name) > 100 {
-			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		if len(name) > constants.MaxAuthzIdentifierLength {
+			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 		}
 		for _, r := range name {
 			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/update_policy.go b/internal/graphql/update_policy.go
index 71a8e7fc..ccf2dc36 100644
--- a/internal/graphql/update_policy.go
+++ b/internal/graphql/update_policy.go
@@ -41,8 +41,8 @@ func (g *graphqlProvider) UpdatePolicy(ctx context.Context, params *model.Update
 		if name == "" {
 			return nil, fmt.Errorf("policy name cannot be empty")
 		}
-		if len(name) > 100 {
-			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		if len(name) > constants.MaxAuthzIdentifierLength {
+			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 		}
 		for _, r := range name {
 			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/update_resource.go b/internal/graphql/update_resource.go
index 5e40b05f..5a13e598 100644
--- a/internal/graphql/update_resource.go
+++ b/internal/graphql/update_resource.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -39,8 +40,8 @@ func (g *graphqlProvider) UpdateResource(ctx context.Context, params *model.Upda
 		if name == "" {
 			return nil, fmt.Errorf("resource name cannot be empty")
 		}
-		if len(name) > 100 {
-			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		if len(name) > constants.MaxAuthzIdentifierLength {
+			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 		}
 		for _, r := range name {
 			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
diff --git a/internal/graphql/update_scope.go b/internal/graphql/update_scope.go
index d7472025..e7f63c1c 100644
--- a/internal/graphql/update_scope.go
+++ b/internal/graphql/update_scope.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -39,8 +40,8 @@ func (g *graphqlProvider) UpdateScope(ctx context.Context, params *model.UpdateS
 		if name == "" {
 			return nil, fmt.Errorf("scope name cannot be empty")
 		}
-		if len(name) > 100 {
-			return nil, fmt.Errorf("invalid name: must be 100 characters or fewer")
+		if len(name) > constants.MaxAuthzIdentifierLength {
+			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
 		}
 		for _, r := range name {
 			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {