chore: add push trigger for version sync on tag creation

refactor: improve Badge component formatting in requests table
Merge pull request #4303 from Dokploy/fix/requests-status-fallback-downstream
2026-06-18 05:35:26 +02:00 · 2026-04-24 22:46:18 -06:00 · 2026-04-24 22:34:48 -06:00 · 2026-04-24 22:33:52 -06:00 · 2026-04-24 22:33:24 -06:00 · 2026-04-24 22:01:35 -06:00
38 changed files with 1068 additions and 9735 deletions
--- a/.github/workflows/sync-version.yml
+++ b/.github/workflows/sync-version.yml
@@ -3,6 +3,9 @@ name: Sync version to MCP and CLI repos
 on:
  release:
    types: [published]
+  push:
+    tags:
+      - 'v*'
  workflow_dispatch:

 jobs:
--- a/apps/dokploy/components/dashboard/requests/columns.tsx
+++ b/apps/dokploy/components/dashboard/requests/columns.tsx
@@ -79,8 +79,11 @@ export const columns: ColumnDef<LogEntry>[] = [
 							: log.RequestPath}
 					</div>
 					<div className="flex flex-row gap-3 w-full">
-						<Badge variant={getStatusColor(log.OriginStatus)}>
-							Status: {formatStatusLabel(log.OriginStatus)}
+						<Badge
+							variant={getStatusColor(log.OriginStatus || log.DownstreamStatus)}
+						>
+							Status:{" "}
+							{formatStatusLabel(log.OriginStatus || log.DownstreamStatus)}
 						</Badge>
 						<Badge variant={"secondary"}>
 							Exec Time: {formatDuration(log.Duration)}
--- a/apps/dokploy/components/dashboard/requests/requests-table.tsx
+++ b/apps/dokploy/components/dashboard/requests/requests-table.tsx
@@ -185,7 +185,7 @@ export const RequestsTable = ({ dateRange }: RequestsTableProps) => {
 					<div className="flex flex-col gap-4  w-full overflow-auto">
 						<div className="flex items-center gap-2 max-sm:flex-wrap">
 							<Input
-								placeholder="Filter by name..."
+								placeholder="Filter by hostname..."
 								value={search}
 								onChange={(event) => setSearch(event.target.value)}
 								className="md:max-w-sm"
--- a/apps/dokploy/components/proprietary/sso/scim-dialog.tsx
+++ b/apps/dokploy/components/proprietary/sso/scim-dialog.tsx
@@ -1,236 +0,0 @@
-"use client";
-
-import { Copy, KeyRound, Loader2, Plus, Trash2 } from "lucide-react";
-import { type ReactNode, useState } from "react";
-import { toast } from "sonner";
-import { DialogAction } from "@/components/shared/dialog-action";
-import { Button } from "@/components/ui/button";
-import {
-	Dialog,
-	DialogContent,
-	DialogDescription,
-	DialogFooter,
-	DialogHeader,
-	DialogTitle,
-	DialogTrigger,
-} from "@/components/ui/dialog";
-import { Input } from "@/components/ui/input";
-import { Label } from "@/components/ui/label";
-import { api } from "@/utils/api";
-import { useUrl } from "@/utils/hooks/use-url";
-
-interface Props {
-	children: ReactNode;
-}
-
-export const ScimDialog = ({ children }: Props) => {
-	const utils = api.useUtils();
-	const baseURL = useUrl();
-	const [open, setOpen] = useState(false);
-	const [newProviderId, setNewProviderId] = useState("");
-	const [justCreatedToken, setJustCreatedToken] = useState<{
-		providerId: string;
-		token: string;
-	} | null>(null);
-
-	const { data: providers = [], isPending } = api.scim.listProviders.useQuery(
-		undefined,
-		{ enabled: open },
-	);
-	const { mutateAsync: generateToken, isPending: isGenerating } =
-		api.scim.generateToken.useMutation();
-	const { mutateAsync: deleteProvider, isPending: isDeleting } =
-		api.scim.deleteProvider.useMutation();
-
-	const scimUrl = `${baseURL || "{baseURL}"}/api/auth/scim/v2`;
-
-	const handleGenerate = async () => {
-		const providerId = newProviderId.trim().toLowerCase();
-		if (!providerId) return;
-		try {
-			const result = await generateToken({ providerId });
-			setJustCreatedToken({
-				providerId: result.providerId,
-				token: result.scimToken,
-			});
-			setNewProviderId("");
-			await utils.scim.listProviders.invalidate();
-		} catch (err) {
-			toast.error(
-				err instanceof Error ? err.message : "Failed to generate SCIM token",
-			);
-		}
-	};
-
-	const handleDelete = async (providerId: string) => {
-		try {
-			await deleteProvider({ providerId });
-			toast.success("SCIM provider removed");
-			await utils.scim.listProviders.invalidate();
-		} catch (err) {
-			toast.error(
-				err instanceof Error ? err.message : "Failed to delete SCIM provider",
-			);
-		}
-	};
-
-	const handleCopy = async (value: string, label: string) => {
-		try {
-			await navigator.clipboard.writeText(value);
-			toast.success(`${label} copied`);
-		} catch {
-			toast.error("Failed to copy");
-		}
-	};
-
-	const handleOpenChange = (next: boolean) => {
-		setOpen(next);
-		if (!next) setJustCreatedToken(null);
-	};
-
-	return (
-		<Dialog open={open} onOpenChange={handleOpenChange}>
-			<DialogTrigger asChild>{children}</DialogTrigger>
-			<DialogContent className="sm:max-w-[560px]">
-				<DialogHeader>
-					<DialogTitle className="flex items-center gap-2">
-						<KeyRound className="size-5" />
-						SCIM provisioning
-					</DialogTitle>
-					<DialogDescription>
-						Automatically provision, update, and deactivate users from your
-						identity provider (Okta, Entra ID, etc.). Configure the SCIM endpoint
-						below in your IdP.
-					</DialogDescription>
-				</DialogHeader>
-				<div className="space-y-4 py-2">
-					<div className="grid gap-1">
-						<Label className="text-xs font-medium text-muted-foreground">
-							SCIM 2.0 endpoint URL
-						</Label>
-						<div className="flex items-center gap-2">
-							<p className="flex-1 break-all rounded-md bg-muted px-2 py-1.5 font-mono text-xs">
-								{scimUrl}
-							</p>
-							<Button
-								variant="outline"
-								size="icon"
-								className="size-8 shrink-0"
-								onClick={() => handleCopy(scimUrl, "Endpoint URL")}
-								disabled={!baseURL}
-							>
-								<Copy className="size-3.5" />
-							</Button>
-						</div>
-					</div>
-
-					{justCreatedToken && (
-						<div className="rounded-md border border-amber-500/40 bg-amber-500/10 p-3">
-							<p className="text-sm font-medium">
-								Bearer token for {justCreatedToken.providerId}
-							</p>
-							<p className="mt-1 text-xs text-muted-foreground">
-								Copy this token now — it will not be shown again. Paste it into
-								your IdP's SCIM configuration.
-							</p>
-							<div className="mt-2 flex items-center gap-2">
-								<p className="flex-1 break-all rounded-md bg-background px-2 py-1.5 font-mono text-xs">
-									{justCreatedToken.token}
-								</p>
-								<Button
-									variant="outline"
-									size="icon"
-									className="size-8 shrink-0"
-									onClick={() =>
-										handleCopy(justCreatedToken.token, "Bearer token")
-									}
-								>
-									<Copy className="size-3.5" />
-								</Button>
-							</div>
-						</div>
-					)}
-
-					<div className="space-y-2">
-						<Label className="text-sm font-medium">
-							Generate token for a new provider
-						</Label>
-						<div className="flex gap-2">
-							<Input
-								value={newProviderId}
-								onChange={(e) => setNewProviderId(e.target.value)}
-								placeholder="okta, entra, jumpcloud..."
-								className="font-mono text-sm"
-								onKeyDown={(e) => {
-									if (e.key === "Enter") {
-										e.preventDefault();
-										void handleGenerate();
-									}
-								}}
-							/>
-							<Button
-								size="sm"
-								onClick={handleGenerate}
-								disabled={!newProviderId.trim() || isGenerating}
-							>
-								<Plus className="mr-1 size-4" />
-								Generate
-							</Button>
-						</div>
-						<p className="text-xs text-muted-foreground">
-							Choose a unique identifier for this IdP connection (lowercase,
-							alphanumeric, dashes).
-						</p>
-					</div>
-
-					<div className="space-y-2">
-						<Label className="text-sm font-medium">Existing providers</Label>
-						{isPending ? (
-							<div className="flex items-center gap-2 justify-center py-4">
-								<Loader2 className="size-4 animate-spin text-muted-foreground" />
-								<span className="text-sm text-muted-foreground">Loading...</span>
-							</div>
-						) : providers.length === 0 ? (
-							<p className="rounded-md border border-dashed bg-muted/30 px-3 py-4 text-center text-sm text-muted-foreground">
-								No SCIM providers configured yet.
-							</p>
-						) : (
-							<ul className="flex flex-col gap-2">
-								{providers.map((provider) => (
-									<li
-										key={provider.id}
-										className="flex items-center gap-2 rounded-md border bg-muted/30 px-3 py-2"
-									>
-										<span className="flex-1 font-mono text-sm">
-											{provider.providerId}
-										</span>
-										<DialogAction
-											title="Remove SCIM provider"
-											description={`Remove "${provider.providerId}"? Existing provisioned users will stay but the IdP will no longer be able to sync.`}
-											type="destructive"
-											onClick={() => handleDelete(provider.providerId)}
-										>
-											<Button
-												variant="ghost"
-												size="icon"
-												className="size-8 shrink-0 text-destructive hover:text-destructive"
-												disabled={isDeleting}
-											>
-												<Trash2 className="size-3.5" />
-											</Button>
-										</DialogAction>
-									</li>
-								))}
-							</ul>
-						)}
-					</div>
-				</div>
-				<DialogFooter>
-					<Button variant="outline" onClick={() => handleOpenChange(false)}>
-						Close
-					</Button>
-				</DialogFooter>
-			</DialogContent>
-		</Dialog>
-	);
-};
--- a/apps/dokploy/components/proprietary/sso/sso-settings.tsx
+++ b/apps/dokploy/components/proprietary/sso/sso-settings.tsx
@@ -2,7 +2,6 @@

 import {
 	Eye,
-	KeyRound,
 	Loader2,
 	LogIn,
 	Pencil,
@@ -35,7 +34,6 @@ import { api } from "@/utils/api";
 import { useUrl } from "@/utils/hooks/use-url";
 import { RegisterOidcDialog } from "./register-oidc-dialog";
 import { RegisterSamlDialog } from "./register-saml-dialog";
-import { ScimDialog } from "./scim-dialog";

 type ProviderForDetails = {
 	id: string | null;
@@ -171,22 +169,15 @@ export const SSOSettings = () => {
 						Users can sign in with their organization&apos;s IdP.
 					</CardDescription>
 				</div>
-				<div className="flex flex-wrap gap-2 shrink-0">
-					<Button
-						variant="outline"
-						size="sm"
-						onClick={() => setManageOriginsOpen(true)}
-					>
-						<Shield className="mr-2 size-4" />
-						Manage origins
-					</Button>
-					<ScimDialog>
-						<Button variant="outline" size="sm">
-							<KeyRound className="mr-2 size-4" />
-							Manage SCIM
-						</Button>
-					</ScimDialog>
-				</div>
+				<Button
+					variant="outline"
+					size="sm"
+					onClick={() => setManageOriginsOpen(true)}
+					className="shrink-0"
+				>
+					<Shield className="mr-2 size-4" />
+					Manage origins
+				</Button>
 			</div>

 			{isPending ? (
--- a/apps/dokploy/drizzle/0166_overjoyed_big_bertha.sql
+++ b/apps/dokploy/drizzle/0166_overjoyed_big_bertha.sql
@@ -1,11 +0,0 @@
-CREATE TABLE "scim_provider" (
-	"id" text PRIMARY KEY NOT NULL,
-	"provider_id" text NOT NULL,
-	"scim_token" text NOT NULL,
-	"organization_id" text,
-	CONSTRAINT "scim_provider_provider_id_unique" UNIQUE("provider_id"),
-	CONSTRAINT "scim_provider_scim_token_unique" UNIQUE("scim_token")
-);
--> statement-breakpoint
-ALTER TABLE "two_factor" ADD COLUMN "verified" boolean DEFAULT true NOT NULL;--> statement-breakpoint
-ALTER TABLE "scim_provider" ADD CONSTRAINT "scim_provider_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "public"."organization"("id") ON DELETE cascade ON UPDATE no action;
--- a/apps/dokploy/drizzle/meta/0166_snapshot.json
+++ b/apps/dokploy/drizzle/meta/0166_snapshot.json
--- a/apps/dokploy/drizzle/meta/_journal.json
+++ b/apps/dokploy/drizzle/meta/_journal.json
@@ -1163,13 +1163,6 @@
      "when": 1775845419261,
      "tag": "0165_abnormal_greymalkin",
      "breakpoints": true
-    },
-    {
-      "idx": 166,
-      "version": "7",
-      "when": 1776576422440,
-      "tag": "0166_overjoyed_big_bertha",
-      "breakpoints": true
    }
  ]
 }
--- a/apps/dokploy/package.json
+++ b/apps/dokploy/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "dokploy",
-	"version": "v0.29.0",
+	"version": "v0.29.2",
 	"private": true,
 	"license": "Apache-2.0",
 	"type": "module",
@@ -46,8 +46,8 @@
 		"@ai-sdk/mistral": "^3.0.20",
 		"@ai-sdk/openai": "^3.0.29",
 		"@ai-sdk/openai-compatible": "^2.0.30",
-		"@better-auth/api-key": "1.6.5",
-		"@better-auth/sso": "1.6.5",
+		"@better-auth/api-key": "1.5.4",
+		"@better-auth/sso": "1.5.4",
 		"@codemirror/autocomplete": "^6.18.6",
 		"@codemirror/lang-css": "^6.3.1",
 		"@codemirror/lang-json": "^6.0.1",
@@ -101,7 +101,7 @@
 		"ai": "^6.0.86",
 		"ai-sdk-ollama": "^3.7.0",
 		"bcrypt": "5.1.1",
-		"better-auth": "1.6.5",
+		"better-auth": "1.5.4",
 		"bl": "6.0.11",
 		"boxen": "^7.1.1",
 		"bullmq": "5.67.3",
@@ -113,7 +113,7 @@
 		"dockerode": "4.0.2",
 		"dompurify": "^3.3.3",
 		"dotenv": "16.4.5",
-		"drizzle-orm": "0.45.2",
+		"drizzle-orm": "0.45.1",
 		"drizzle-zod": "0.8.3",
 		"fancy-ansi": "^0.1.3",
 		"input-otp": "^1.4.2",
@@ -147,7 +147,7 @@
 		"shell-quote": "^1.8.1",
 		"slugify": "^1.6.6",
 		"sonner": "^1.7.4",
-		"ssh2": "1.15.0",
+		"ssh2": "~1.16.0",
 		"stripe": "17.2.0",
 		"superjson": "^2.2.2",
 		"swagger-ui-react": "^5.31.2",
--- a/apps/dokploy/pages/api/deploy/[refreshToken].ts
+++ b/apps/dokploy/pages/api/deploy/[refreshToken].ts
@@ -12,6 +12,15 @@ import type { DeploymentJob } from "@/server/queues/queue-types";
 import { myQueue } from "@/server/queues/queueSetup";
 import { deploy } from "@/server/utils/deploy";

+/**
+ * Log a webhook handler error server-side without leaking its shape to the HTTP
+ * response. Drizzle errors carry the raw SQL query, column list and parameters,
+ * so we never forward the error object to the client.
+ */
+export const logWebhookError = (context: string, error: unknown) => {
+	console.error(context, error);
+};
+
 /**
 * Helper function to get package_version from registry_package events
 */
@@ -262,14 +271,15 @@ export default async function handler(
 				);
 			}
 		} catch (error) {
-			res.status(400).json({ message: "Error deploying Application", error });
+			logWebhookError("Error deploying Application:", error);
+			res.status(400).json({ message: "Error deploying Application" });
 			return;
 		}

 		res.status(200).json({ message: "Application deployed successfully" });
 	} catch (error) {
-		console.log(error);
-		res.status(400).json({ message: "Error deploying Application", error });
+		logWebhookError("Error deploying Application:", error);
+		res.status(400).json({ message: "Error deploying Application" });
 	}
 }

--- a/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts
+++ b/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts
@@ -12,6 +12,7 @@ import {
 	extractCommittedPaths,
 	extractHash,
 	getProviderByHeader,
+	logWebhookError,
 } from "../[refreshToken]";

 export default async function handler(
@@ -195,13 +196,14 @@ export default async function handler(
 				);
 			}
 		} catch (error) {
-			res.status(400).json({ message: "Error deploying Compose", error });
+			logWebhookError("Error deploying Compose:", error);
+			res.status(400).json({ message: "Error deploying Compose" });
 			return;
 		}

 		res.status(200).json({ message: "Compose deployed successfully" });
 	} catch (error) {
-		console.log(error);
-		res.status(400).json({ message: "Error deploying Compose", error });
+		logWebhookError("Error deploying Compose:", error);
+		res.status(400).json({ message: "Error deploying Compose" });
 	}
 }
--- a/apps/dokploy/pages/api/deploy/github.ts
+++ b/apps/dokploy/pages/api/deploy/github.ts
@@ -17,7 +17,11 @@ import { applications, compose, github } from "@/server/db/schema";
 import type { DeploymentJob } from "@/server/queues/queue-types";
 import { myQueue } from "@/server/queues/queueSetup";
 import { deploy } from "@/server/utils/deploy";
-import { extractCommitMessage, extractHash } from "./[refreshToken]";
+import {
+	extractCommitMessage,
+	extractHash,
+	logWebhookError,
+} from "./[refreshToken]";

 export default async function handler(
 	req: NextApiRequest,
@@ -197,10 +201,8 @@ export default async function handler(
 			});
 			return;
 		} catch (error) {
-			console.error("Error deploying applications on tag:", error);
-			res
-				.status(400)
-				.json({ message: "Error deploying applications on tag", error });
+			logWebhookError("Error deploying applications on tag:", error);
+			res.status(400).json({ message: "Error deploying applications on tag" });
 			return;
 		}
 	}
@@ -322,7 +324,8 @@ export default async function handler(
 			}
 			res.status(200).json({ message: `Deployed ${totalApps} apps` });
 		} catch (error) {
-			res.status(400).json({ message: "Error deploying Application", error });
+			logWebhookError("Error deploying Application:", error);
+			res.status(400).json({ message: "Error deploying Application" });
 		}
 	} else if (req.headers["x-github-event"] === "pull_request") {
 		const prId = githubBody?.pull_request?.id;
--- a/apps/dokploy/server/api/root.ts
+++ b/apps/dokploy/server/api/root.ts
@@ -31,7 +31,6 @@ import { projectRouter } from "./routers/project";
 import { auditLogRouter } from "./routers/proprietary/audit-log";
 import { customRoleRouter } from "./routers/proprietary/custom-role";
 import { licenseKeyRouter } from "./routers/proprietary/license-key";
-import { scimRouter } from "./routers/proprietary/scim";
 import { ssoRouter } from "./routers/proprietary/sso";
 import { whitelabelingRouter } from "./routers/proprietary/whitelabeling";
 import { redirectsRouter } from "./routers/redirects";
@@ -94,7 +93,6 @@ export const appRouter = createTRPCRouter({
 	organization: organizationRouter,
 	licenseKey: licenseKeyRouter,
 	sso: ssoRouter,
-	scim: scimRouter,
 	whitelabeling: whitelabelingRouter,
 	customRole: customRoleRouter,
 	auditLog: auditLogRouter,
--- a/apps/dokploy/server/api/routers/backup.ts
+++ b/apps/dokploy/server/api/routers/backup.ts
@@ -458,9 +458,26 @@ export const backupRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			try {
 				const destination = await findDestinationById(input.destinationId);
+				if (destination.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this destination.",
+					});
+				}
+				if (input.serverId) {
+					const targetServer = await findServerById(input.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
 				const rcloneFlags = getS3Credentials(destination);
 				const bucketPath = `:s3:${destination.bucket}`;

--- a/apps/dokploy/server/api/routers/cluster.ts
+++ b/apps/dokploy/server/api/routers/cluster.ts
@@ -18,7 +18,16 @@ export const clusterRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
+			if (input.serverId) {
+				const targetServer = await findServerById(input.serverId);
+				if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this server.",
+					});
+				}
+			}
 			const docker = await getRemoteDocker(input.serverId);
 			const workers: DockerNode[] = await docker.listNodes();
 			return workers;
@@ -32,6 +41,15 @@ export const clusterRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ input, ctx }) => {
+			if (input.serverId) {
+				const targetServer = await findServerById(input.serverId);
+				if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this server.",
+					});
+				}
+			}
 			try {
 				const drainCommand = `docker node update --availability drain ${input.nodeId}`;
 				const removeCommand = `docker node rm ${input.nodeId} --force`;
@@ -65,7 +83,16 @@ export const clusterRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
+			if (input.serverId) {
+				const targetServer = await findServerById(input.serverId);
+				if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this server.",
+					});
+				}
+			}
 			const docker = await getRemoteDocker(input.serverId);
 			const result = await docker.swarmInspect();
 			const docker_version = await docker.version();
@@ -88,7 +115,16 @@ export const clusterRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
+			if (input.serverId) {
+				const targetServer = await findServerById(input.serverId);
+				if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this server.",
+					});
+				}
+			}
 			const docker = await getRemoteDocker(input.serverId);
 			const result = await docker.swarmInspect();
 			const docker_version = await docker.version();
--- a/apps/dokploy/server/api/routers/deployment.ts
+++ b/apps/dokploy/server/api/routers/deployment.ts
@@ -16,6 +16,7 @@ import {
 	checkServicePermissionAndAccess,
 	findMemberByUserId,
 } from "@dokploy/server/services/permission";
+import { findServerById } from "@dokploy/server/services/server";
 import { TRPCError } from "@trpc/server";
 import { desc, eq } from "drizzle-orm";
 import { z } from "zod";
@@ -52,7 +53,14 @@ export const deploymentRouter = createTRPCRouter({
 		}),
 	allByServer: withPermission("deployment", "read")
 		.input(apiFindAllByServer)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
+			const targetServer = await findServerById(input.serverId);
+			if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You don't have access to this server.",
+				});
+			}
 			return await findAllDeploymentsByServerId(input.serverId);
 		}),
 	allCentralized: withPermission("deployment", "read").query(
--- a/apps/dokploy/server/api/routers/organization.ts
+++ b/apps/dokploy/server/api/routers/organization.ts
@@ -1,5 +1,5 @@
 import { db } from "@dokploy/server/db";
-import { IS_CLOUD } from "@dokploy/server/index";
+import { IS_CLOUD, sendInvitationEmail } from "@dokploy/server/index";
 import { TRPCError } from "@trpc/server";
 import { and, desc, eq, exists } from "drizzle-orm";
 import { nanoid } from "nanoid";
@@ -325,6 +325,24 @@ export const organizationRouter = createTRPCRouter({
 				})
 				.returning();

+			if (IS_CLOUD && created) {
+				const host =
+					process.env.NODE_ENV === "development"
+						? "http://localhost:3000"
+						: "https://app.dokploy.com";
+				const inviteLink = `${host}/invitation?token=${created.id}`;
+
+				const org = await db.query.organization.findFirst({
+					where: eq(organization.id, orgId),
+				});
+
+				await sendInvitationEmail({
+					email,
+					inviteLink,
+					organizationName: org?.name || "organization",
+				});
+			}
+
 			await audit(ctx, {
 				action: "create",
 				resourceType: "organization",
--- a/apps/dokploy/server/api/routers/proprietary/scim.ts
+++ b/apps/dokploy/server/api/routers/proprietary/scim.ts
@@ -1,78 +0,0 @@
-import { db } from "@dokploy/server/db";
-import { scimProvider } from "@dokploy/server/db/schema";
-import { requestToHeaders } from "@dokploy/server/index";
-import { auth } from "@dokploy/server/lib/auth";
-import { TRPCError } from "@trpc/server";
-import { and, asc, eq } from "drizzle-orm";
-import { z } from "zod";
-import { createTRPCRouter, enterpriseProcedure } from "@/server/api/trpc";
-
-const providerIdSchema = z
-	.string()
-	.min(1)
-	.max(64)
-	.regex(
-		/^[a-z0-9][a-z0-9-]*$/,
-		"Provider ID must be lowercase alphanumeric with optional dashes",
-	);
-
-export const scimRouter = createTRPCRouter({
-	listProviders: enterpriseProcedure.query(async ({ ctx }) => {
-		const providers = await db.query.scimProvider.findMany({
-			where: eq(scimProvider.organizationId, ctx.session.activeOrganizationId),
-			columns: {
-				id: true,
-				providerId: true,
-				organizationId: true,
-			},
-			orderBy: [asc(scimProvider.providerId)],
-		});
-		return providers;
-	}),
-	generateToken: enterpriseProcedure
-		.input(z.object({ providerId: providerIdSchema }))
-		.mutation(async ({ ctx, input }) => {
-			const existing = await db.query.scimProvider.findFirst({
-				where: eq(scimProvider.providerId, input.providerId),
-				columns: { id: true, organizationId: true },
-			});
-			if (existing) {
-				throw new TRPCError({
-					code: "BAD_REQUEST",
-					message: "A SCIM provider with this ID already exists",
-				});
-			}
-			const result = await auth.generateSCIMToken({
-				body: {
-					providerId: input.providerId,
-					organizationId: ctx.session.activeOrganizationId,
-				},
-				headers: requestToHeaders(ctx.req),
-			});
-			return { scimToken: result.scimToken, providerId: input.providerId };
-		}),
-	deleteProvider: enterpriseProcedure
-		.input(z.object({ providerId: providerIdSchema }))
-		.mutation(async ({ ctx, input }) => {
-			const [deleted] = await db
-				.delete(scimProvider)
-				.where(
-					and(
-						eq(scimProvider.providerId, input.providerId),
-						eq(
-							scimProvider.organizationId,
-							ctx.session.activeOrganizationId,
-						),
-					),
-				)
-				.returning({ id: scimProvider.id });
-			if (!deleted) {
-				throw new TRPCError({
-					code: "NOT_FOUND",
-					message:
-						"SCIM provider not found or you do not have permission to delete it",
-				});
-			}
-			return { success: true };
-		}),
-});
--- a/apps/dokploy/server/api/routers/schedule.ts
+++ b/apps/dokploy/server/api/routers/schedule.ts
@@ -7,19 +7,25 @@ import {
 	updateScheduleSchema,
 } from "@dokploy/server/db/schema/schedule";
 import { runCommand } from "@dokploy/server/index";
-import { checkServicePermissionAndAccess } from "@dokploy/server/services/permission";
+import {
+	checkPermission,
+	checkServicePermissionAndAccess,
+	findMemberByUserId,
+} from "@dokploy/server/services/permission";
 import {
 	createSchedule,
 	deleteSchedule,
 	findScheduleById,
 	updateSchedule,
 } from "@dokploy/server/services/schedule";
+import { findServerById } from "@dokploy/server/services/server";
 import { TRPCError } from "@trpc/server";
 import { asc, desc, eq } from "drizzle-orm";
 import { z } from "zod";
 import { audit } from "@/server/api/utils/audit";
 import { removeJob, schedule } from "@/server/utils/backup";
 import { createTRPCRouter, protectedProcedure } from "../trpc";
+
 export const scheduleRouter = createTRPCRouter({
 	create: protectedProcedure
 		.input(createScheduleSchema)
@@ -29,6 +35,45 @@ export const scheduleRouter = createTRPCRouter({
 				await checkServicePermissionAndAccess(ctx, serviceId, {
 					schedule: ["create"],
 				});
+			} else {
+				if (input.scheduleType === "dokploy-server" && IS_CLOUD) {
+					throw new TRPCError({
+						code: "FORBIDDEN",
+						message:
+							"Host-level schedules are not available in the cloud version.",
+					});
+				}
+
+				await checkPermission(ctx, { schedule: ["create"] });
+
+				if (
+					input.scheduleType === "server" ||
+					input.scheduleType === "dokploy-server"
+				) {
+					const member = await findMemberByUserId(
+						ctx.user.id,
+						ctx.session.activeOrganizationId,
+					);
+					if (member.role !== "owner" && member.role !== "admin") {
+						throw new TRPCError({
+							code: "FORBIDDEN",
+							message:
+								"Only owners and admins can manage server-level schedules.",
+						});
+					}
+				}
+
+				if (input.scheduleType === "server" && input.serverId) {
+					const targetServer = await findServerById(input.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
 			}
 			const newSchedule = await createSchedule(input);

@@ -57,12 +102,77 @@ export const scheduleRouter = createTRPCRouter({
 		.input(updateScheduleSchema)
 		.mutation(async ({ input, ctx }) => {
 			const existingSchedule = await findScheduleById(input.scheduleId);
+
+			if (
+				IS_CLOUD &&
+				input.scheduleType &&
+				input.scheduleType !== existingSchedule.scheduleType
+			) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Changing scheduleType is not allowed in the cloud version.",
+				});
+			}
+
 			const serviceId =
 				existingSchedule.applicationId || existingSchedule.composeId;
 			if (serviceId) {
 				await checkServicePermissionAndAccess(ctx, serviceId, {
 					schedule: ["update"],
 				});
+			} else {
+				if (existingSchedule.scheduleType === "dokploy-server" && IS_CLOUD) {
+					throw new TRPCError({
+						code: "FORBIDDEN",
+						message:
+							"Host-level schedules are not available in the cloud version.",
+					});
+				}
+
+				await checkPermission(ctx, { schedule: ["update"] });
+
+				if (
+					existingSchedule.scheduleType === "server" ||
+					existingSchedule.scheduleType === "dokploy-server"
+				) {
+					const member = await findMemberByUserId(
+						ctx.user.id,
+						ctx.session.activeOrganizationId,
+					);
+					if (member.role !== "owner" && member.role !== "admin") {
+						throw new TRPCError({
+							code: "FORBIDDEN",
+							message:
+								"Only owners and admins can manage server-level schedules.",
+						});
+					}
+				}
+
+				if (
+					existingSchedule.scheduleType === "server" &&
+					existingSchedule.serverId
+				) {
+					const targetServer = await findServerById(existingSchedule.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
+
+				if (
+					existingSchedule.scheduleType === "dokploy-server" &&
+					existingSchedule.userId &&
+					existingSchedule.userId !== ctx.user.id
+				) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You can only manage your own host-level schedules.",
+					});
+				}
 			}
 			const updatedSchedule = await updateSchedule(input);

@@ -107,6 +217,56 @@ export const scheduleRouter = createTRPCRouter({
 				await checkServicePermissionAndAccess(ctx, serviceId, {
 					schedule: ["delete"],
 				});
+			} else {
+				if (scheduleItem.scheduleType === "dokploy-server" && IS_CLOUD) {
+					throw new TRPCError({
+						code: "FORBIDDEN",
+						message:
+							"Host-level schedules are not available in the cloud version.",
+					});
+				}
+
+				await checkPermission(ctx, { schedule: ["delete"] });
+
+				if (
+					scheduleItem.scheduleType === "server" ||
+					scheduleItem.scheduleType === "dokploy-server"
+				) {
+					const member = await findMemberByUserId(
+						ctx.user.id,
+						ctx.session.activeOrganizationId,
+					);
+					if (member.role !== "owner" && member.role !== "admin") {
+						throw new TRPCError({
+							code: "FORBIDDEN",
+							message:
+								"Only owners and admins can manage server-level schedules.",
+						});
+					}
+				}
+
+				if (scheduleItem.scheduleType === "server" && scheduleItem.serverId) {
+					const targetServer = await findServerById(scheduleItem.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
+
+				if (
+					scheduleItem.scheduleType === "dokploy-server" &&
+					scheduleItem.userId &&
+					scheduleItem.userId !== ctx.user.id
+				) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You can only manage your own host-level schedules.",
+					});
+				}
 			}
 			await deleteSchedule(input.scheduleId);

@@ -148,6 +308,30 @@ export const scheduleRouter = createTRPCRouter({
 				await checkServicePermissionAndAccess(ctx, input.id, {
 					schedule: ["read"],
 				});
+			} else {
+				await checkPermission(ctx, { schedule: ["read"] });
+
+				if (input.scheduleType === "server") {
+					const targetServer = await findServerById(input.id);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
+
+				if (
+					input.scheduleType === "dokploy-server" &&
+					input.id !== ctx.user.id
+				) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You can only list your own host-level schedules.",
+					});
+				}
 			}
 			const where = {
 				application: eq(schedules.applicationId, input.id),
@@ -178,6 +362,31 @@ export const scheduleRouter = createTRPCRouter({
 				await checkServicePermissionAndAccess(ctx, serviceId, {
 					schedule: ["read"],
 				});
+			} else {
+				await checkPermission(ctx, { schedule: ["read"] });
+
+				if (schedule.scheduleType === "server" && schedule.serverId) {
+					const targetServer = await findServerById(schedule.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this schedule.",
+						});
+					}
+				}
+
+				if (
+					schedule.scheduleType === "dokploy-server" &&
+					schedule.userId &&
+					schedule.userId !== ctx.user.id
+				) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this schedule.",
+					});
+				}
 			}
 			return schedule;
 		}),
@@ -191,6 +400,56 @@ export const scheduleRouter = createTRPCRouter({
 				await checkServicePermissionAndAccess(ctx, serviceId, {
 					schedule: ["create"],
 				});
+			} else {
+				if (scheduleItem.scheduleType === "dokploy-server" && IS_CLOUD) {
+					throw new TRPCError({
+						code: "FORBIDDEN",
+						message:
+							"Host-level schedules are not available in the cloud version.",
+					});
+				}
+
+				await checkPermission(ctx, { schedule: ["create"] });
+
+				if (
+					scheduleItem.scheduleType === "server" ||
+					scheduleItem.scheduleType === "dokploy-server"
+				) {
+					const member = await findMemberByUserId(
+						ctx.user.id,
+						ctx.session.activeOrganizationId,
+					);
+					if (member.role !== "owner" && member.role !== "admin") {
+						throw new TRPCError({
+							code: "FORBIDDEN",
+							message:
+								"Only owners and admins can manage server-level schedules.",
+						});
+					}
+				}
+
+				if (scheduleItem.scheduleType === "server" && scheduleItem.serverId) {
+					const targetServer = await findServerById(scheduleItem.serverId);
+					if (
+						targetServer.organizationId !== ctx.session.activeOrganizationId
+					) {
+						throw new TRPCError({
+							code: "UNAUTHORIZED",
+							message: "You don't have access to this server.",
+						});
+					}
+				}
+
+				if (
+					scheduleItem.scheduleType === "dokploy-server" &&
+					scheduleItem.userId &&
+					scheduleItem.userId !== ctx.user.id
+				) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You can only manage your own host-level schedules.",
+					});
+				}
 			}
 			try {
 				await runCommand(input.scheduleId);
--- a/apps/dokploy/server/api/routers/user.ts
+++ b/apps/dokploy/server/api/routers/user.ts
@@ -9,12 +9,12 @@ import {
 	getWebServerSettings,
 	IS_CLOUD,
 	removeUserById,
+	renderInvitationEmail,
 	sendEmailNotification,
 	sendResendNotification,
 	updateUser,
 } from "@dokploy/server";
 import { db } from "@dokploy/server/db";
-import { hasValidLicense } from "@dokploy/server/services/proprietary/license-key";
 import {
 	account,
 	apiAssignPermissions,
@@ -29,6 +29,7 @@ import {
 	hasPermission,
 	resolvePermissions,
 } from "@dokploy/server/services/permission";
+import { hasValidLicense } from "@dokploy/server/services/proprietary/license-key";
 import { TRPCError } from "@trpc/server";
 import * as bcrypt from "bcrypt";
 import { and, asc, eq, gt } from "drizzle-orm";
@@ -639,27 +640,26 @@ export const userRouter = createTRPCRouter({
 			);

 			try {
-				const htmlContent = `
-\t\t\t\t<p>You are invited to join ${organization?.name || "organization"} on Dokploy. Click the link to accept the invitation: <a href="${inviteLink}">Accept Invitation</a></p>
-\t\t\t\t`;
+				const toEmail = currentInvitation?.email || "";
+				const orgName = organization?.name || "organization";
+				const subject = `You've been invited to join ${orgName} on Dokploy`;
+				const html = await renderInvitationEmail({
+					email: toEmail,
+					inviteLink,
+					organizationName: orgName,
+				});

 				if (email) {
 					await sendEmailNotification(
-						{
-							...email,
-							toAddresses: [currentInvitation?.email || ""],
-						},
-						"Invitation to join organization",
-						htmlContent,
+						{ ...email, toAddresses: [toEmail] },
+						subject,
+						html,
 					);
 				} else if (resend) {
 					await sendResendNotification(
-						{
-							...resend,
-							toAddresses: [currentInvitation?.email || ""],
-						},
-						"Invitation to join organization",
-						htmlContent,
+						{ ...resend, toAddresses: [toEmail] },
+						subject,
+						html,
 					);
 				}
 			} catch (error) {
--- a/apps/dokploy/server/api/routers/volume-backups.ts
+++ b/apps/dokploy/server/api/routers/volume-backups.ts
@@ -15,7 +15,9 @@ import {
 	updateVolumeBackupSchema,
 	volumeBackups,
 } from "@dokploy/server/db/schema";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { checkServicePermissionAndAccess } from "@dokploy/server/services/permission";
+import { findServerById } from "@dokploy/server/services/server";
 import {
 	execAsyncRemote,
 	execAsyncStream,
@@ -265,7 +267,23 @@ export const volumeBackupsRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.subscription(async ({ input }) => {
+		.subscription(async ({ input, ctx }) => {
+			const destination = await findDestinationById(input.destinationId);
+			if (destination.organizationId !== ctx.session.activeOrganizationId) {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You don't have access to this destination.",
+				});
+			}
+			if (input.serverId) {
+				const targetServer = await findServerById(input.serverId);
+				if (targetServer.organizationId !== ctx.session.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You don't have access to this server.",
+					});
+				}
+			}
 			return observable<string>((emit) => {
 				const runRestore = async () => {
 					try {
--- a/apps/dokploy/server/wss/docker-container-logs.ts
+++ b/apps/dokploy/server/wss/docker-container-logs.ts
@@ -85,6 +85,11 @@ export const setupDockerContainerLogsWebSocketServer = (
 			if (serverId) {
 				const server = await findServerById(serverId);

+				if (server.organizationId !== session.activeOrganizationId) {
+					ws.close();
+					return;
+				}
+
 				if (!server.sshKeyId) return;
 				const client = new Client();
 				client
--- a/apps/dokploy/server/wss/docker-container-terminal.ts
+++ b/apps/dokploy/server/wss/docker-container-terminal.ts
@@ -61,6 +61,12 @@ export const setupDockerContainerTerminalWebSocketServer = (
 		try {
 			if (serverId) {
 				const server = await findServerById(serverId);
+
+				if (server.organizationId !== session.activeOrganizationId) {
+					ws.close();
+					return;
+				}
+
 				if (!server.sshKeyId)
 					throw new Error("No SSH key available for this server");

--- a/apps/dokploy/server/wss/listen-deployment.ts
+++ b/apps/dokploy/server/wss/listen-deployment.ts
@@ -57,6 +57,11 @@ export const setupDeploymentLogsWebSocketServer = (
 			if (serverId) {
 				const server = await findServerById(serverId);

+				if (server.organizationId !== session.activeOrganizationId) {
+					ws.close();
+					return;
+				}
+
 				if (!server.sshKeyId) {
 					ws.close();
 					return;
--- a/apps/dokploy/server/wss/terminal.ts
+++ b/apps/dokploy/server/wss/terminal.ts
@@ -154,6 +154,11 @@ export const setupTerminalWebSocketServer = (
 				return;
 			}

+			if (server.organizationId !== session.activeOrganizationId) {
+				ws.close();
+				return;
+			}
+
 			const { ipAddress: host, port, username, sshKey, sshKeyId } = server;

 			if (!sshKeyId) {
--- a/packages/server/auth-schema2.ts
+++ b/packages/server/auth-schema2.ts
@@ -1,311 +1,299 @@
 import { relations } from "drizzle-orm";
 import {
-  pgTable,
-  text,
-  timestamp,
-  boolean,
-  integer,
-  index,
-  uniqueIndex,
+	boolean,
+	index,
+	integer,
+	pgTable,
+	text,
+	timestamp,
+	uniqueIndex,
 } from "drizzle-orm/pg-core";

 export const user = pgTable("user", {
-  id: text("id").primaryKey(),
-  firstName: text("first_name").notNull(),
-  email: text("email").notNull().unique(),
-  emailVerified: boolean("email_verified").default(false).notNull(),
-  image: text("image"),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .defaultNow()
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  twoFactorEnabled: boolean("two_factor_enabled").default(false),
-  role: text("role"),
-  banned: boolean("banned").default(false),
-  banReason: text("ban_reason"),
-  banExpires: timestamp("ban_expires"),
-  ownerId: text("owner_id"),
-  allowImpersonation: boolean("allow_impersonation").default(false),
-  lastName: text("last_name").default(""),
-  enableEnterpriseFeatures: boolean("enable_enterprise_features"),
-  isValidEnterpriseLicense: boolean("is_valid_enterprise_license"),
+	id: text("id").primaryKey(),
+	firstName: text("first_name").notNull(),
+	email: text("email").notNull().unique(),
+	emailVerified: boolean("email_verified").default(false).notNull(),
+	image: text("image"),
+	createdAt: timestamp("created_at").defaultNow().notNull(),
+	updatedAt: timestamp("updated_at")
+		.defaultNow()
+		.$onUpdate(() => /* @__PURE__ */ new Date())
+		.notNull(),
+	twoFactorEnabled: boolean("two_factor_enabled").default(false),
+	role: text("role"),
+	ownerId: text("owner_id"),
+	allowImpersonation: boolean("allow_impersonation").default(false),
+	lastName: text("last_name").default(""),
+	enableEnterpriseFeatures: boolean("enable_enterprise_features"),
+	isValidEnterpriseLicense: boolean("is_valid_enterprise_license"),
 });

 export const session = pgTable(
-  "session",
-  {
-    id: text("id").primaryKey(),
-    expiresAt: timestamp("expires_at").notNull(),
-    token: text("token").notNull().unique(),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at")
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-    ipAddress: text("ip_address"),
-    userAgent: text("user_agent"),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    activeOrganizationId: text("active_organization_id"),
-    impersonatedBy: text("impersonated_by"),
-  },
-  (table) => [index("session_userId_idx").on(table.userId)],
+	"session",
+	{
+		id: text("id").primaryKey(),
+		expiresAt: timestamp("expires_at").notNull(),
+		token: text("token").notNull().unique(),
+		createdAt: timestamp("created_at").defaultNow().notNull(),
+		updatedAt: timestamp("updated_at")
+			.$onUpdate(() => /* @__PURE__ */ new Date())
+			.notNull(),
+		ipAddress: text("ip_address"),
+		userAgent: text("user_agent"),
+		userId: text("user_id")
+			.notNull()
+			.references(() => user.id, { onDelete: "cascade" }),
+		activeOrganizationId: text("active_organization_id"),
+	},
+	(table) => [index("session_userId_idx").on(table.userId)],
 );

 export const account = pgTable(
-  "account",
-  {
-    id: text("id").primaryKey(),
-    accountId: text("account_id").notNull(),
-    providerId: text("provider_id").notNull(),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    accessToken: text("access_token"),
-    refreshToken: text("refresh_token"),
-    idToken: text("id_token"),
-    accessTokenExpiresAt: timestamp("access_token_expires_at"),
-    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-    scope: text("scope"),
-    password: text("password"),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at")
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-  },
-  (table) => [index("account_userId_idx").on(table.userId)],
+	"account",
+	{
+		id: text("id").primaryKey(),
+		accountId: text("account_id").notNull(),
+		providerId: text("provider_id").notNull(),
+		userId: text("user_id")
+			.notNull()
+			.references(() => user.id, { onDelete: "cascade" }),
+		accessToken: text("access_token"),
+		refreshToken: text("refresh_token"),
+		idToken: text("id_token"),
+		accessTokenExpiresAt: timestamp("access_token_expires_at"),
+		refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+		scope: text("scope"),
+		password: text("password"),
+		createdAt: timestamp("created_at").defaultNow().notNull(),
+		updatedAt: timestamp("updated_at")
+			.$onUpdate(() => /* @__PURE__ */ new Date())
+			.notNull(),
+	},
+	(table) => [index("account_userId_idx").on(table.userId)],
 );

 export const verification = pgTable(
-  "verification",
-  {
-    id: text("id").primaryKey(),
-    identifier: text("identifier").notNull(),
-    value: text("value").notNull(),
-    expiresAt: timestamp("expires_at").notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at")
-      .defaultNow()
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-  },
-  (table) => [index("verification_identifier_idx").on(table.identifier)],
+	"verification",
+	{
+		id: text("id").primaryKey(),
+		identifier: text("identifier").notNull(),
+		value: text("value").notNull(),
+		expiresAt: timestamp("expires_at").notNull(),
+		createdAt: timestamp("created_at").defaultNow().notNull(),
+		updatedAt: timestamp("updated_at")
+			.defaultNow()
+			.$onUpdate(() => /* @__PURE__ */ new Date())
+			.notNull(),
+	},
+	(table) => [index("verification_identifier_idx").on(table.identifier)],
 );

 export const apikey = pgTable(
-  "apikey",
-  {
-    id: text("id").primaryKey(),
-    configId: text("config_id").default("default").notNull(),
-    name: text("name"),
-    start: text("start"),
-    referenceId: text("reference_id").notNull(),
-    prefix: text("prefix"),
-    key: text("key").notNull(),
-    refillInterval: integer("refill_interval"),
-    refillAmount: integer("refill_amount"),
-    lastRefillAt: timestamp("last_refill_at"),
-    enabled: boolean("enabled").default(true),
-    rateLimitEnabled: boolean("rate_limit_enabled").default(true),
-    rateLimitTimeWindow: integer("rate_limit_time_window").default(86400000),
-    rateLimitMax: integer("rate_limit_max").default(10),
-    requestCount: integer("request_count").default(0),
-    remaining: integer("remaining"),
-    lastRequest: timestamp("last_request"),
-    expiresAt: timestamp("expires_at"),
-    createdAt: timestamp("created_at").notNull(),
-    updatedAt: timestamp("updated_at").notNull(),
-    permissions: text("permissions"),
-    metadata: text("metadata"),
-  },
-  (table) => [
-    index("apikey_configId_idx").on(table.configId),
-    index("apikey_referenceId_idx").on(table.referenceId),
-    index("apikey_key_idx").on(table.key),
-  ],
+	"apikey",
+	{
+		id: text("id").primaryKey(),
+		configId: text("config_id").default("default").notNull(),
+		name: text("name"),
+		start: text("start"),
+		referenceId: text("reference_id").notNull(),
+		prefix: text("prefix"),
+		key: text("key").notNull(),
+		refillInterval: integer("refill_interval"),
+		refillAmount: integer("refill_amount"),
+		lastRefillAt: timestamp("last_refill_at"),
+		enabled: boolean("enabled").default(true),
+		rateLimitEnabled: boolean("rate_limit_enabled").default(true),
+		rateLimitTimeWindow: integer("rate_limit_time_window").default(86400000),
+		rateLimitMax: integer("rate_limit_max").default(10),
+		requestCount: integer("request_count").default(0),
+		remaining: integer("remaining"),
+		lastRequest: timestamp("last_request"),
+		expiresAt: timestamp("expires_at"),
+		createdAt: timestamp("created_at").notNull(),
+		updatedAt: timestamp("updated_at").notNull(),
+		permissions: text("permissions"),
+		metadata: text("metadata"),
+	},
+	(table) => [
+		index("apikey_configId_idx").on(table.configId),
+		index("apikey_referenceId_idx").on(table.referenceId),
+		index("apikey_key_idx").on(table.key),
+	],
 );

 export const ssoProvider = pgTable("sso_provider", {
-  id: text("id").primaryKey(),
-  issuer: text("issuer").notNull(),
-  oidcConfig: text("oidc_config"),
-  samlConfig: text("saml_config"),
-  userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
-  providerId: text("provider_id").notNull().unique(),
-  organizationId: text("organization_id"),
-  domain: text("domain").notNull(),
+	id: text("id").primaryKey(),
+	issuer: text("issuer").notNull(),
+	oidcConfig: text("oidc_config"),
+	samlConfig: text("saml_config"),
+	userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+	providerId: text("provider_id").notNull().unique(),
+	organizationId: text("organization_id"),
+	domain: text("domain").notNull(),
 });

 export const twoFactor = pgTable(
-  "two_factor",
-  {
-    id: text("id").primaryKey(),
-    secret: text("secret").notNull(),
-    backupCodes: text("backup_codes").notNull(),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    verified: boolean("verified").default(true),
-  },
-  (table) => [
-    index("twoFactor_secret_idx").on(table.secret),
-    index("twoFactor_userId_idx").on(table.userId),
-  ],
+	"two_factor",
+	{
+		id: text("id").primaryKey(),
+		secret: text("secret").notNull(),
+		backupCodes: text("backup_codes").notNull(),
+		userId: text("user_id")
+			.notNull()
+			.references(() => user.id, { onDelete: "cascade" }),
+	},
+	(table) => [
+		index("twoFactor_secret_idx").on(table.secret),
+		index("twoFactor_userId_idx").on(table.userId),
+	],
 );

 export const organization = pgTable(
-  "organization",
-  {
-    id: text("id").primaryKey(),
-    name: text("name").notNull(),
-    slug: text("slug").notNull().unique(),
-    logo: text("logo"),
-    createdAt: timestamp("created_at").notNull(),
-    metadata: text("metadata"),
-  },
-  (table) => [uniqueIndex("organization_slug_uidx").on(table.slug)],
+	"organization",
+	{
+		id: text("id").primaryKey(),
+		name: text("name").notNull(),
+		slug: text("slug").notNull().unique(),
+		logo: text("logo"),
+		createdAt: timestamp("created_at").notNull(),
+		metadata: text("metadata"),
+	},
+	(table) => [uniqueIndex("organization_slug_uidx").on(table.slug)],
 );

 export const organizationRole = pgTable(
-  "organization_role",
-  {
-    id: text("id").primaryKey(),
-    organizationId: text("organization_id")
-      .notNull()
-      .references(() => organization.id, { onDelete: "cascade" }),
-    role: text("role").notNull(),
-    permission: text("permission").notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at").$onUpdate(
-      () => /* @__PURE__ */ new Date(),
-    ),
-  },
-  (table) => [
-    index("organizationRole_organizationId_idx").on(table.organizationId),
-    index("organizationRole_role_idx").on(table.role),
-  ],
+	"organization_role",
+	{
+		id: text("id").primaryKey(),
+		organizationId: text("organization_id")
+			.notNull()
+			.references(() => organization.id, { onDelete: "cascade" }),
+		role: text("role").notNull(),
+		permission: text("permission").notNull(),
+		createdAt: timestamp("created_at").defaultNow().notNull(),
+		updatedAt: timestamp("updated_at").$onUpdate(
+			() => /* @__PURE__ */ new Date(),
+		),
+	},
+	(table) => [
+		index("organizationRole_organizationId_idx").on(table.organizationId),
+		index("organizationRole_role_idx").on(table.role),
+	],
 );

 export const member = pgTable(
-  "member",
-  {
-    id: text("id").primaryKey(),
-    organizationId: text("organization_id")
-      .notNull()
-      .references(() => organization.id, { onDelete: "cascade" }),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    role: text("role").default("member").notNull(),
-    createdAt: timestamp("created_at").notNull(),
-  },
-  (table) => [
-    index("member_organizationId_idx").on(table.organizationId),
-    index("member_userId_idx").on(table.userId),
-  ],
+	"member",
+	{
+		id: text("id").primaryKey(),
+		organizationId: text("organization_id")
+			.notNull()
+			.references(() => organization.id, { onDelete: "cascade" }),
+		userId: text("user_id")
+			.notNull()
+			.references(() => user.id, { onDelete: "cascade" }),
+		role: text("role").default("member").notNull(),
+		createdAt: timestamp("created_at").notNull(),
+	},
+	(table) => [
+		index("member_organizationId_idx").on(table.organizationId),
+		index("member_userId_idx").on(table.userId),
+	],
 );

 export const invitation = pgTable(
-  "invitation",
-  {
-    id: text("id").primaryKey(),
-    organizationId: text("organization_id")
-      .notNull()
-      .references(() => organization.id, { onDelete: "cascade" }),
-    email: text("email").notNull(),
-    role: text("role"),
-    status: text("status").default("pending").notNull(),
-    expiresAt: timestamp("expires_at").notNull(),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    inviterId: text("inviter_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-  },
-  (table) => [
-    index("invitation_organizationId_idx").on(table.organizationId),
-    index("invitation_email_idx").on(table.email),
-  ],
+	"invitation",
+	{
+		id: text("id").primaryKey(),
+		organizationId: text("organization_id")
+			.notNull()
+			.references(() => organization.id, { onDelete: "cascade" }),
+		email: text("email").notNull(),
+		role: text("role"),
+		status: text("status").default("pending").notNull(),
+		expiresAt: timestamp("expires_at").notNull(),
+		createdAt: timestamp("created_at").defaultNow().notNull(),
+		inviterId: text("inviter_id")
+			.notNull()
+			.references(() => user.id, { onDelete: "cascade" }),
+	},
+	(table) => [
+		index("invitation_organizationId_idx").on(table.organizationId),
+		index("invitation_email_idx").on(table.email),
+	],
 );

-export const scimProvider = pgTable("scim_provider", {
-  id: text("id").primaryKey(),
-  providerId: text("provider_id").notNull().unique(),
-  scimToken: text("scim_token").notNull().unique(),
-  organizationId: text("organization_id"),
-});
-
 export const userRelations = relations(user, ({ many }) => ({
-  sessions: many(session),
-  accounts: many(account),
-  ssoProviders: many(ssoProvider),
-  twoFactors: many(twoFactor),
-  members: many(member),
-  invitations: many(invitation),
+	sessions: many(session),
+	accounts: many(account),
+	ssoProviders: many(ssoProvider),
+	twoFactors: many(twoFactor),
+	members: many(member),
+	invitations: many(invitation),
 }));

 export const sessionRelations = relations(session, ({ one }) => ({
-  user: one(user, {
-    fields: [session.userId],
-    references: [user.id],
-  }),
+	user: one(user, {
+		fields: [session.userId],
+		references: [user.id],
+	}),
 }));

 export const accountRelations = relations(account, ({ one }) => ({
-  user: one(user, {
-    fields: [account.userId],
-    references: [user.id],
-  }),
+	user: one(user, {
+		fields: [account.userId],
+		references: [user.id],
+	}),
 }));

 export const ssoProviderRelations = relations(ssoProvider, ({ one }) => ({
-  user: one(user, {
-    fields: [ssoProvider.userId],
-    references: [user.id],
-  }),
+	user: one(user, {
+		fields: [ssoProvider.userId],
+		references: [user.id],
+	}),
 }));

 export const twoFactorRelations = relations(twoFactor, ({ one }) => ({
-  user: one(user, {
-    fields: [twoFactor.userId],
-    references: [user.id],
-  }),
+	user: one(user, {
+		fields: [twoFactor.userId],
+		references: [user.id],
+	}),
 }));

 export const organizationRelations = relations(organization, ({ many }) => ({
-  organizationRoles: many(organizationRole),
-  members: many(member),
-  invitations: many(invitation),
+	organizationRoles: many(organizationRole),
+	members: many(member),
+	invitations: many(invitation),
 }));

 export const organizationRoleRelations = relations(
-  organizationRole,
-  ({ one }) => ({
-    organization: one(organization, {
-      fields: [organizationRole.organizationId],
-      references: [organization.id],
-    }),
-  }),
+	organizationRole,
+	({ one }) => ({
+		organization: one(organization, {
+			fields: [organizationRole.organizationId],
+			references: [organization.id],
+		}),
+	}),
 );

 export const memberRelations = relations(member, ({ one }) => ({
-  organization: one(organization, {
-    fields: [member.organizationId],
-    references: [organization.id],
-  }),
-  user: one(user, {
-    fields: [member.userId],
-    references: [user.id],
-  }),
+	organization: one(organization, {
+		fields: [member.organizationId],
+		references: [organization.id],
+	}),
+	user: one(user, {
+		fields: [member.userId],
+		references: [user.id],
+	}),
 }));

 export const invitationRelations = relations(invitation, ({ one }) => ({
-  organization: one(organization, {
-    fields: [invitation.organizationId],
-    references: [organization.id],
-  }),
-  user: one(user, {
-    fields: [invitation.inviterId],
-    references: [user.id],
-  }),
+	organization: one(organization, {
+		fields: [invitation.organizationId],
+		references: [organization.id],
+	}),
+	user: one(user, {
+		fields: [invitation.inviterId],
+		references: [user.id],
+	}),
 }));
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -37,10 +37,9 @@
    "@ai-sdk/mistral": "^3.0.20",
    "@ai-sdk/openai": "^3.0.29",
    "@ai-sdk/openai-compatible": "^2.0.30",
-    "@better-auth/api-key": "1.6.5",
-    "@better-auth/scim": "^1.6.5",
-    "@better-auth/sso": "1.6.5",
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/api-key": "1.5.4",
+    "@better-auth/sso": "1.5.4",
+    "@better-auth/utils": "0.3.1",
    "@faker-js/faker": "^8.4.1",
    "@octokit/auth-app": "^6.1.3",
    "@octokit/rest": "^20.1.2",
@@ -52,14 +51,15 @@
    "ai": "^6.0.86",
    "ai-sdk-ollama": "^3.7.0",
    "bcrypt": "5.1.1",
-    "better-auth": "1.6.5",
+    "better-auth": "1.5.4",
+    "better-call": "2.0.2",
    "bl": "6.0.11",
    "boxen": "^7.1.1",
    "date-fns": "3.6.0",
    "dockerode": "4.0.2",
    "dotenv": "16.4.5",
    "drizzle-dbml-generator": "0.10.0",
-    "drizzle-orm": "0.45.2",
+    "drizzle-orm": "0.45.1",
    "drizzle-zod": "0.5.1",
    "lodash": "4.17.21",
    "micromatch": "4.0.8",
@@ -80,7 +80,7 @@
    "semver": "7.7.3",
    "shell-quote": "^1.8.1",
    "slugify": "^1.6.6",
-    "ssh2": "1.15.0",
+    "ssh2": "~1.16.0",
    "toml": "3.0.0",
    "ws": "8.16.0",
    "yaml": "2.8.1",
--- a/packages/server/src/db/schema/account.ts
+++ b/packages/server/src/db/schema/account.ts
@@ -214,7 +214,6 @@ export const twoFactor = pgTable("two_factor", {
 	userId: text("user_id")
 		.notNull()
 		.references(() => user.id, { onDelete: "cascade" }),
-	verified: boolean("verified").notNull().default(true),
 });

 export const apikey = pgTable("apikey", {
--- a/packages/server/src/db/schema/index.ts
+++ b/packages/server/src/db/schema/index.ts
@@ -30,7 +30,6 @@ export * from "./redis";
 export * from "./registry";
 export * from "./rollbacks";
 export * from "./schedule";
-export * from "./scim";
 export * from "./security";
 export * from "./server";
 export * from "./session";
--- a/packages/server/src/db/schema/scim.ts
+++ b/packages/server/src/db/schema/scim.ts
@@ -1,22 +0,0 @@
-import { relations } from "drizzle-orm";
-import { pgTable, text } from "drizzle-orm/pg-core";
-import { nanoid } from "nanoid";
-import { organization } from "./account";
-
-export const scimProvider = pgTable("scim_provider", {
-	id: text("id")
-		.primaryKey()
-		.$defaultFn(() => nanoid()),
-	providerId: text("provider_id").notNull().unique(),
-	scimToken: text("scim_token").notNull().unique(),
-	organizationId: text("organization_id").references(() => organization.id, {
-		onDelete: "cascade",
-	}),
-});
-
-export const scimProviderRelations = relations(scimProvider, ({ one }) => ({
-	organization: one(organization, {
-		fields: [scimProvider.organizationId],
-		references: [organization.id],
-	}),
-}));
--- a/packages/server/src/emails/emails/invitation.tsx
+++ b/packages/server/src/emails/emails/invitation.tsx
@@ -14,21 +14,18 @@ import {
 	Text,
 } from "@react-email/components";

-export type TemplateProps = {
-	email: string;
-	name: string;
-};
-
-interface VercelInviteUserEmailProps {
+interface InvitationEmailProps {
 	inviteLink: string;
 	toEmail: string;
+	organizationName: string;
 }

 export const InvitationEmail = ({
 	inviteLink,
 	toEmail,
-}: VercelInviteUserEmailProps) => {
-	const previewText = "Join to Dokploy";
+	organizationName = "an organization",
+}: InvitationEmailProps) => {
+	const previewText = `You've been invited to join ${organizationName} on Dokploy`;
 	return (
 		<Html>
 			<Head />
@@ -44,50 +41,67 @@ export const InvitationEmail = ({
 					},
 				}}
 			>
-				<Body className="bg-white my-auto mx-auto font-sans px-2">
-					<Container className="border border-solid border-[#eaeaea] rounded-lg my-[40px] mx-auto p-[20px] max-w-[465px]">
-						<Section className="mt-[32px]">
+				<Body className="bg-[#f4f4f5] my-auto mx-auto font-sans">
+					<Container className="my-[40px] mx-auto max-w-[520px]">
+						{/* Header */}
+						<Section className="bg-[#09090b] rounded-t-xl px-[40px] py-[32px] text-center">
 							<Img
-								src={
-									"https://raw.githubusercontent.com/Dokploy/dokploy/refs/heads/canary/apps/dokploy/logo.png"
-								}
-								width="100"
-								height="50"
+								src="https://raw.githubusercontent.com/Dokploy/website/refs/heads/main/apps/docs/public/logo-dokploy-blackpng.png"
+								width="190"
+								height="120"
 								alt="Dokploy"
 								className="my-0 mx-auto"
 							/>
 						</Section>
-						<Heading className="text-black text-[24px] font-normal text-center p-0 my-[30px] mx-0">
-							Join to <strong>Dokploy</strong>
-						</Heading>
-						<Text className="text-black text-[14px] leading-[24px]">
-							Hello,
-						</Text>
-						<Text className="text-black text-[14px] leading-[24px]">
-							You have been invited to join <strong>Dokploy</strong>, a platform
-							that helps for deploying your apps to the cloud.
-						</Text>
-						<Section className="text-center mt-[32px] mb-[32px]">
-							<Button
-								href={inviteLink}
-								className="bg-[#000000] rounded text-white text-[12px] font-semibold no-underline text-center px-5 py-3"
-							>
-								Join the team 🚀
-							</Button>
+
+						{/* Body */}
+						<Section className="bg-white px-[40px] py-[32px]">
+							<Heading className="text-[#09090b] text-[22px] font-semibold m-0 mb-[8px]">
+								You've been invited to join {organizationName}
+							</Heading>
+							<Text className="text-[#71717a] text-[14px] leading-[22px] m-0 mb-[24px]">
+								You have been invited to join{" "}
+								<strong className="text-[#09090b]">{organizationName}</strong>{" "}
+								on Dokploy, the platform for deploying your apps to the cloud.
+								Click the button below to accept the invitation.
+							</Text>
+
+							{/* CTA Button */}
+							<Section className="text-center mb-[24px]">
+								<Button
+									href={inviteLink}
+									className="bg-[#09090b] rounded-lg text-white text-[14px] font-semibold no-underline text-center px-[24px] py-[12px]"
+								>
+									Accept Invitation
+								</Button>
+							</Section>
+
+							<Text className="text-[#a1a1aa] text-[13px] leading-[20px] m-0 text-center mb-[16px]">
+								If the button above doesn't work, copy and paste the following
+								link into your browser:
+							</Text>
+							<Text className="text-[#71717a] text-[12px] leading-[18px] m-0 text-center break-all">
+								{inviteLink}
+							</Text>
+						</Section>
+
+						{/* Footer */}
+						<Section className="bg-[#fafafa] rounded-b-xl px-[40px] py-[24px] text-center border-t border-solid border-[#e4e4e7]">
+							<Hr className="border border-solid border-[#e4e4e7] my-0 mb-[16px] mx-0 w-full" />
+							<Text className="text-[#a1a1aa] text-[12px] leading-[18px] m-0">
+								This invitation was intended for{" "}
+								<span className="text-[#71717a]">{toEmail}</span>. This invite
+								was sent from{" "}
+								<Link
+									href="https://dokploy.com"
+									className="text-[#71717a] underline"
+								>
+									Dokploy Cloud
+								</Link>
+								. If you were not expecting this invitation, you can safely
+								ignore this email.
+							</Text>
 						</Section>
-						<Text className="text-black text-[14px] leading-[24px]">
-							or copy and paste this URL into your browser:{" "}
-							<Link href={inviteLink} className="text-blue-600 no-underline">
-								https://dokploy.com
-							</Link>
-						</Text>
-						<Hr className="border border-solid border-[#eaeaea] my-[26px] mx-0 w-full" />
-						<Text className="text-[#666666] text-[12px] leading-[24px]">
-							This invitation was intended for {toEmail}. This invite was sent
-							from <strong className="text-black">dokploy.com</strong>. If you
-							were not expecting this invitation, you can ignore this email. If
-							you are concerned about your account's safety, please reply to
-						</Text>
 					</Container>
 				</Body>
 			</Tailwind>
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -108,6 +108,7 @@ export * from "./utils/notifications/docker-cleanup";
 export * from "./utils/notifications/dokploy-restart";
 export * from "./utils/notifications/server-threshold";
 export * from "./utils/notifications/utils";
+export * from "./verification/send-verification-email";
 export * from "./utils/process/execAsync";
 export * from "./utils/process/spawnAsync";
 export * from "./utils/providers/bitbucket";
--- a/packages/server/src/lib/auth-cli.ts
+++ b/packages/server/src/lib/auth-cli.ts
@@ -1,52 +0,0 @@
-import { apiKey } from "@better-auth/api-key";
-import { scim } from "@better-auth/scim";
-import { sso } from "@better-auth/sso";
-import { betterAuth } from "better-auth";
-import { drizzleAdapter } from "better-auth/adapters/drizzle";
-import { admin, organization, twoFactor } from "better-auth/plugins";
-import { db } from "../db";
-import * as schema from "../db/schema";
-import { ac, adminRole, memberRole, ownerRole } from "./access-control";
-
-/**
- * Minimal better-auth config used only by `@better-auth/cli` to generate /
- * inspect database schemas. Must mirror the plugin set in `auth.ts` so the CLI
- * sees every table each plugin expects.
- *
- * Do NOT import this file from the runtime — use `auth.ts` for that.
- */
-export const auth = betterAuth({
-	database: drizzleAdapter(db, {
-		provider: "pg",
-		schema,
-	}),
-	user: {
-		modelName: "user",
-		fields: {
-			name: "firstName",
-		},
-		additionalFields: {
-			role: { type: "string", input: false },
-			ownerId: { type: "string", input: false },
-			allowImpersonation: { type: "boolean", defaultValue: false },
-			lastName: { type: "string", required: false, defaultValue: "" },
-			enableEnterpriseFeatures: { type: "boolean", required: false },
-			isValidEnterpriseLicense: { type: "boolean", required: false },
-		},
-	},
-	plugins: [
-		apiKey({ enableMetadata: true, references: "user" }),
-		sso(),
-		twoFactor(),
-		organization({
-			ac,
-			roles: { owner: ownerRole, admin: adminRole, member: memberRole },
-			dynamicAccessControl: {
-				enabled: true,
-				maximumRolesPerOrganization: 10,
-			},
-		}),
-		scim(),
-		admin(),
-	],
-});
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -1,6 +1,5 @@
 import type { IncomingMessage } from "node:http";
 import { apiKey } from "@better-auth/api-key";
-import { scim } from "@better-auth/scim";
 import { sso } from "@better-auth/sso";
 import * as bcrypt from "bcrypt";
 import { betterAuth } from "better-auth";
@@ -179,8 +178,7 @@ const { handler, api } = betterAuth({
 							}
 						} else {
 							const isSSORequest = context?.path.includes("/sso");
-							const isSCIMRequest = context?.path.includes("/scim");
-							if (isSSORequest || isSCIMRequest) {
+							if (isSSORequest) {
 								return;
 							}
 							const isAdminPresent = await db.query.member.findFirst({
@@ -196,7 +194,6 @@ const { handler, api } = betterAuth({
 				},
 				after: async (user, context) => {
 					const isSSORequest = context?.path.includes("/sso");
-					const isSCIMRequest = context?.path.includes("/scim");
 					const isAdminPresent = await db.query.member.findFirst({
 						where: eq(schema.member.role, "owner"),
 					});
@@ -232,10 +229,6 @@ const { handler, api } = betterAuth({
 						}
 					}

-					if (isSCIMRequest) {
-						return;
-					}
-
 					if (IS_CLOUD || !isAdminPresent) {
 						await db.transaction(async (tx) => {
 							const organization = await tx
@@ -403,24 +396,7 @@ const { handler, api } = betterAuth({
 			enableMetadata: true,
 			references: "user",
 		}),
-		sso({
-			saml: {
-				enableInResponseToValidation: false,
-			},
-		}),
-		scim({
-			beforeSCIMTokenGenerated: async ({ user }) => {
-				const dbUser = await db.query.user.findFirst({
-					where: eq(schema.user.id, user.id),
-					columns: { enableEnterpriseFeatures: true },
-				});
-				if (!dbUser?.enableEnterpriseFeatures) {
-					throw new APIError("FORBIDDEN", {
-						message: "SCIM provisioning requires an enterprise license",
-					});
-				}
-			},
-		}),
+		sso(),
 		twoFactor(),
 		organization({
 			ac,
@@ -433,23 +409,6 @@ const { handler, api } = betterAuth({
 				enabled: true,
 				maximumRolesPerOrganization: 10,
 			},
-			async sendInvitationEmail(data, _request) {
-				if (IS_CLOUD) {
-					const host =
-						process.env.NODE_ENV === "development"
-							? "http://localhost:3000"
-							: "https://app.dokploy.com";
-					const inviteLink = `${host}/invitation?token=${data.id}`;
-
-					await sendEmail({
-						email: data.email,
-						subject: "Invitation to join organization",
-						text: `
-					<p>You are invited to join ${data.organization.name} on Dokploy. Click the link to accept the invitation: <a href="${inviteLink}">Accept Invitation</a></p>
-					`,
-					});
-				}
-			},
 		}),
 		...(IS_CLOUD
 			? [
@@ -466,9 +425,6 @@ const _auth = {
 	createApiKey: api.createApiKey,
 	registerSSOProvider: api.registerSSOProvider,
 	updateSSOProvider: api.updateSSOProvider,
-	generateSCIMToken: api.generateSCIMToken,
-	listSCIMProviderConnections: api.listSCIMProviderConnections,
-	deleteSCIMProviderConnection: api.deleteSCIMProviderConnection,
 };

 export type AuthType = typeof _auth;
@@ -508,8 +464,10 @@ export const validateRequest = async (request: IncomingMessage) => {
 				};
 			}

-			const organizationId = JSON.parse(
-				apiKeyRecord.metadata || "{}",
+			const organizationId = (
+				JSON.parse(apiKeyRecord.metadata || "{}") as {
+					organizationId?: string;
+				}
 			).organizationId;

 			if (!organizationId) {
--- a/packages/server/src/services/preview-deployment.ts
+++ b/packages/server/src/services/preview-deployment.ts
@@ -30,13 +30,9 @@ export const findPreviewDeploymentById = async (
 		with: {
 			domain: true,
 			application: {
-				with: {
-					server: true,
-					environment: {
-						with: {
-							project: true,
-						},
-					},
+				columns: {
+					applicationId: true,
+					serverId: true,
 				},
 			},
 		},
--- a/packages/server/src/utils/access-log/utils.ts
+++ b/packages/server/src/utils/access-log/utils.ts
@@ -120,7 +120,7 @@ export function parseRawConfig(

 		if (search) {
 			parsedLogs = parsedLogs.filter((log) =>
-				log.RequestPath.toLowerCase().includes(search.toLowerCase()),
+				log.RequestHost.toLowerCase().includes(search.toLowerCase()),
 			);
 		}

--- a/packages/server/src/verification/send-verification-email.tsx
+++ b/packages/server/src/verification/send-verification-email.tsx
@@ -1,4 +1,5 @@
 import { renderAsync } from "@react-email/components";
+import InvitationEmail from "../emails/emails/invitation";
 import VerifyEmailTemplate from "../emails/emails/verify-email";
 import { sendEmailNotification } from "../utils/notifications/utils";

@@ -51,3 +52,42 @@ export const sendVerificationEmail = async ({
 		text: html,
 	});
 };
+
+export const renderInvitationEmail = async ({
+	email,
+	inviteLink,
+	organizationName,
+}: {
+	email: string;
+	inviteLink: string;
+	organizationName: string;
+}) => {
+	return renderAsync(
+		InvitationEmail({
+			inviteLink,
+			toEmail: email,
+			organizationName,
+		}),
+	);
+};
+
+export const sendInvitationEmail = async ({
+	email,
+	inviteLink,
+	organizationName,
+}: {
+	email: string;
+	inviteLink: string;
+	organizationName: string;
+}) => {
+	const html = await renderInvitationEmail({
+		email,
+		inviteLink,
+		organizationName,
+	});
+	await sendEmail({
+		email,
+		subject: `You've been invited to join ${organizationName} on Dokploy`,
+		text: html,
+	});
+};
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
Author	SHA1	Message	Date
Mauricio Siu	fb6b06f064	chore: add push trigger for version sync on tag creation	2026-04-24 22:46:18 -06:00
Mauricio Siu	09824facf8	refactor: improve Badge component formatting in requests table	2026-04-24 22:34:48 -06:00
Mauricio Siu	bd46eaec5c	Merge pull request #4303 from Dokploy/fix/requests-status-fallback-downstream fix: fallback to DownstreamStatus when OriginStatus is 0 in requests table	2026-04-24 22:33:52 -06:00
Mauricio Siu	e9fdc19b96	fix: fallback to DownstreamStatus when OriginStatus is 0 in requests table Closes #4250	2026-04-24 22:33:24 -06:00
Mauricio Siu	3e81cdac4d	Merge pull request #4255 from manalkaff/fix/requests-filter-by-hostname fix: filter requests by hostname instead of path	2026-04-24 22:01:35 -06:00
Mauricio Siu	e72c51444c	Merge pull request #4281 from sajdakabir/fix/4276-sanitize-webhook-error-responses fix: stop leaking Drizzle SQL queries in webhook error responses (#4276)	2026-04-24 21:59:50 -06:00
Mauricio Siu	940d18ad25	Merge pull request #4302 from Dokploy/fix/send-email-cloud-version feat: implement invitation email functionality for organization creation	2026-04-24 21:51:53 -06:00
autofix-ci[bot]	c41b69c925	[autofix.ci] apply automated fixes	2026-04-25 03:40:50 +00:00
Mauricio Siu	b610f7aeff	feat: implement invitation email functionality for organization creation - Added `sendInvitationEmail` function to send invitation emails when a new organization is created in the cloud environment. - Updated email template to enhance the invitation message and included a direct link for users to accept the invitation. - Refactored email sending logic in the user router to utilize the new invitation email rendering function. - Improved organization invitation email design for better user experience.	2026-04-24 21:40:08 -06:00
Mauricio Siu	cdd77a04dc	Merge pull request #4129 from NomisCZ/fix/ssh2-isdate-nodejs23 fix: drop .zip deployment - isDate is not a function	2026-04-24 12:58:03 -06:00
Mauricio Siu	05f22edfe5	chore: bump version to v0.29.2 in package.json	2026-04-24 12:53:03 -06:00
Mauricio Siu	29480cde90	Merge pull request #4298 from Dokploy/fix/GHSA-f8wj-5c4w-frhg-cross-org-idor Fix/ghsa f8wj 5c4w frhg cross org idor	2026-04-24 12:49:24 -06:00
Mauricio Siu	232ccc9139	feat: add organization-level authorization checks to WebSocket servers - Implemented checks in the WebSocket server setups for Docker container logs, terminal, and deployment logs to ensure users can only access resources associated with their active organization. - Enhanced security by closing WebSocket connections if the organization ID does not match the session's active organization ID.	2026-04-24 12:47:51 -06:00
Mauricio Siu	018e2b153e	fix: add cross-org ownership checks to cluster, deployment, backup, and WebSocket endpoints Prevents owner/admin users of one organization from accessing servers, destinations, and Docker Swarm join tokens belonging to other organizations by validating organizationId on all endpoints that accept serverId or destinationId as direct input. - cluster: validate serverId org on getNodes, addWorker, addManager, removeWorker - deployment: validate serverId org on allByServer - backup: validate destinationId + serverId org on listBackupFiles - volume-backups: validate destinationId + serverId org on restoreVolumeBackupWithLogs - wss: validate server org on docker-container-logs, docker-container-terminal, listen-deployment, and terminal WebSocket handlers - auth: fix TypeScript type for API key metadata parsing	2026-04-24 12:44:42 -06:00
sajdakabir	f8c6c8f7cc	fix: stop leaking Drizzle SQL queries in webhook error responses (#4276 )	2026-04-22 13:06:22 +05:30
Mauricio Siu	d7af82731c	Merge pull request #4279 from Dokploy/fix/GHSA-7wmr-57mg-h5q6-schedule-authz fix(schedule): add authz checks for server and host-level schedules	2026-04-21 21:38:26 -06:00
Mauricio Siu	c3fa638a56	feat: enhance schedule management with permission checks and cloud restrictions - Added comprehensive permission checks for creating, updating, and deleting schedules based on user roles (owner/admin) and schedule types (server/dokploy-server). - Implemented restrictions for cloud users to prevent managing host-level schedules and changing schedule types. - Improved access control for server-level schedules to ensure users can only manage schedules associated with their organization.	2026-04-21 21:36:44 -06:00
Mauricio Siu	98a586478e	chore: bump version to v0.29.1 in package.json	2026-04-19 12:07:02 -06:00
Mauricio Siu	13248c8d8a	Merge pull request #4257 from colocated/fix/4256-preview-deployment-too-many-args fix: preview deployments broken on v0.29.0 — postgres 100-arg limit	2026-04-19 12:06:17 -06:00
Jack	54417ca8e7	fix: limit application columns in findPreviewDeploymentById to avoid postgres 100-arg limit Closes #4256	2026-04-19 11:14:47 +01:00
manalkaff	598fae0e92	fix: filter requests by hostname instead of path The search filter on the Requests tab was incorrectly filtering by RequestPath instead of RequestHost, causing "filter by name" to match URL paths rather than hostnames. Updated the placeholder text to reflect the correct field being searched. Fixes #4249	2026-04-19 17:30:42 +08:00
Šimon Orság	eafbd0353e	fix: strictly use ssh2 1.16.0 package	2026-04-04 17:18:03 +02:00
Šimon Orság	91ebf3b6f5	fix: upgrade ssh2 from 1.15.0 to ^1.16.0 (util.isDate removed in Node.js v23+)	2026-04-03 01:09:28 +02:00