feat: enhance auth schema and add CLI configuration

- Updated the user schema to include new fields: banned, banReason, and banExpires for improved user management.
- Introduced a new auth-cli configuration file to facilitate database schema generation and inspection for better-auth plugins.
- Ensured the CLI configuration mirrors the plugin set in auth.ts for consistency across the application.

.github/workflows/sync-version.yml

@@ -3,6 +3,7 @@ name: Sync version to MCP and CLI repos
 on:
   release:
     types: [published]
+  workflow_dispatch:
 
 jobs:
   sync-version:
@@ -15,55 +16,55 @@ jobs:
       - name: Get version
         id: get_version
         run: |
-          VERSION=$(jq -r .version apps/dokploy/package.json)
+          VERSION=$(jq -r .version apps/dokploy/package.json | sed 's/^v//')
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Version: $VERSION"
 
       - name: Sync version to MCP repository
         run: |
-            git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/mcp.git mcp-repo
-            cd mcp-repo
-        
-            # Bump version
-            jq --arg v "${{ steps.get_version.outputs.version }}" '.version = $v' package.json > package.json.tmp
-            mv package.json.tmp package.json
-        
+            git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/mcp.git /tmp/mcp-repo
+            cd /tmp/mcp-repo
+
             # Regenerate tools from latest OpenAPI spec
             npm install -g pnpm
             pnpm install
             pnpm run fetch-openapi
             pnpm run generate
-        
+
+            # Bump version after install so pnpm install doesn't overwrite it
+            jq --arg v "${{ steps.get_version.outputs.version }}" '.version = $v' package.json > package.json.tmp
+            mv package.json.tmp package.json
+
             git config user.name "Dokploy Bot"
             git config user.email "bot@dokploy.com"
-        
+
             git add -A
             git commit -m "chore: bump version to ${{ steps.get_version.outputs.version }}" \
               -m "Source: ${{ github.repository }}@${{ github.sha }}" \
               -m "Release: ${{ github.event.release.html_url }}" \
               --allow-empty
-        
+
             git push
         
 
       - name: Sync version to CLI repository
         run: |
-          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/cli.git cli-repo
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/cli.git /tmp/cli-repo
 
-          cd cli-repo
+          cd /tmp/cli-repo
 
-          # Bump version
+          # Copy latest openapi spec and regenerate commands
+          cp ${{ github.workspace }}/openapi.json ./openapi.json
+          npm install -g pnpm
+          pnpm install
+          pnpm run generate
+
+          # Bump version after install so pnpm install doesn't overwrite it
           if [ -f package.json ]; then
             jq --arg v "${{ steps.get_version.outputs.version }}" '.version = $v' package.json > package.json.tmp
             mv package.json.tmp package.json
           fi
 
-          # Copy latest openapi spec and regenerate commands
-          cp ../openapi.json ./openapi.json
-          npm install -g pnpm
-          pnpm install
-          pnpm run generate
-
           git config user.name "Dokploy Bot"
           git config user.email "bot@dokploy.com"
 

apps/dokploy/components/dashboard/application/domains/handle-domain.tsx

@@ -666,7 +666,7 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 											<div className="space-y-0.5">
 												<FormLabel>Custom Entrypoint</FormLabel>
 												<FormDescription>
-													Use custom entrypoint for domina
+													Use custom entrypoint for domain
 													<br />
 													"web" and/or "websecure" is used by default.
 												</FormDescription>

apps/dokploy/components/dashboard/home/show-home.tsx

@@ -0,0 +1,291 @@
+import { formatDistanceToNow } from "date-fns";
+import { ArrowRight, Rocket, Server } from "lucide-react";
+import Link from "next/link";
+import { useMemo } from "react";
+import { Button } from "@/components/ui/button";
+import { Card } from "@/components/ui/card";
+import { api } from "@/utils/api";
+
+type DeploymentStatus = "idle" | "running" | "done" | "error";
+
+const statusDotClass: Record<string, string> = {
+	done: "bg-emerald-500",
+	running: "bg-amber-500",
+	error: "bg-red-500",
+	idle: "bg-muted-foreground/40",
+};
+
+function getServiceInfo(d: any) {
+	const app = d.application;
+	const comp = d.compose;
+	const serverName: string =
+		d.server?.name ?? app?.server?.name ?? comp?.server?.name ?? "Dokploy";
+	if (app?.environment?.project && app.environment) {
+		return {
+			name: app.name as string,
+			environment: app.environment.name as string,
+			projectName: app.environment.project.name as string,
+			serverName,
+			href: `/dashboard/project/${app.environment.project.projectId}/environment/${app.environment.environmentId}/services/application/${app.applicationId}`,
+		};
+	}
+	if (comp?.environment?.project && comp.environment) {
+		return {
+			name: comp.name as string,
+			environment: comp.environment.name as string,
+			projectName: comp.environment.project.name as string,
+			serverName,
+			href: `/dashboard/project/${comp.environment.project.projectId}/environment/${comp.environment.environmentId}/services/compose/${comp.composeId}`,
+		};
+	}
+	return null;
+}
+
+function StatCard({
+	label,
+	value,
+	delta,
+}: {
+	label: string;
+	value: string;
+	delta?: string;
+}) {
+	return (
+		<div className="rounded-xl border bg-background p-5 min-h-[140px] flex flex-col justify-between">
+			<span className="text-xs uppercase tracking-wider text-muted-foreground">
+				{label}
+			</span>
+			<div className="flex flex-col gap-1">
+				<span className="text-3xl font-semibold tracking-tight">{value}</span>
+				{delta && (
+					<span className="text-xs text-muted-foreground">{delta}</span>
+				)}
+			</div>
+		</div>
+	);
+}
+
+function StatusListCard({
+	label,
+	items,
+}: {
+	label: string;
+	items: { dotClass: string; label: string; count: number }[];
+}) {
+	return (
+		<div className="rounded-xl border bg-background p-5 min-h-[140px] flex flex-col gap-3">
+			<span className="text-xs uppercase tracking-wider text-muted-foreground">
+				{label}
+			</span>
+			<ul className="flex flex-col gap-1.5">
+				{items.map((item) => (
+					<li key={item.label} className="flex items-center gap-2.5 text-sm">
+						<span
+							className={`size-2 rounded-full shrink-0 ${item.dotClass}`}
+							aria-hidden
+						/>
+						<span className="font-semibold tabular-nums w-8">{item.count}</span>
+						<span className="text-muted-foreground">{item.label}</span>
+					</li>
+				))}
+			</ul>
+		</div>
+	);
+}
+
+export const ShowHome = () => {
+	const { data: auth } = api.user.get.useQuery();
+	const { data: homeStats } = api.project.homeStats.useQuery();
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canReadDeployments = !!permissions?.deployment.read;
+	const { data: deployments } = api.deployment.allCentralized.useQuery(
+		undefined,
+		{
+			enabled: canReadDeployments,
+			refetchInterval: 10000,
+		},
+	);
+
+	const firstName = auth?.user?.firstName?.trim();
+
+	const totals = homeStats ?? {
+		projects: 0,
+		environments: 0,
+		applications: 0,
+		compose: 0,
+		databases: 0,
+		services: 0,
+	};
+	const statusBreakdown = homeStats?.status ?? {
+		running: 0,
+		error: 0,
+		idle: 0,
+	};
+
+	const recentDeployments = useMemo(() => {
+		if (!deployments) return [];
+		return [...deployments]
+			.sort(
+				(a, b) =>
+					new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime(),
+			)
+			.slice(0, 10);
+	}, [deployments]);
+
+	const deployStats = useMemo(() => {
+		const now = Date.now();
+		const weekMs = 7 * 24 * 60 * 60 * 1000;
+		const lastStart = now - weekMs;
+		const prevStart = now - 2 * weekMs;
+
+		const last: NonNullable<typeof deployments> = [];
+		const prev: NonNullable<typeof deployments> = [];
+		for (const d of deployments ?? []) {
+			const t = new Date(d.createdAt).getTime();
+			if (t >= lastStart) last.push(d);
+			else if (t >= prevStart) prev.push(d);
+		}
+
+		const lastCount = last.length;
+		const prevCount = prev.length;
+		let delta: string | undefined;
+		if (prevCount > 0) {
+			const pct = Math.round(((lastCount - prevCount) / prevCount) * 100);
+			delta = `${pct >= 0 ? "+" : ""}${pct}% vs prev 7d`;
+		} else if (lastCount > 0) {
+			delta = "no prior data";
+		} else {
+			delta = "no activity yet";
+		}
+
+		return { value: String(lastCount), delta };
+	}, [deployments]);
+
+	return (
+		<div className="w-full">
+			<Card className="h-full bg-sidebar p-2.5 rounded-xl min-h-[85vh]">
+				<div className="rounded-xl bg-background shadow-md p-6 flex flex-col gap-6 h-full">
+					<div className="flex flex-col gap-6 sm:flex-row sm:items-end sm:justify-between">
+						<h1 className="text-3xl font-semibold tracking-tight">
+							{firstName ? `Welcome back, ${firstName}` : "Welcome back"}
+						</h1>
+						<Button asChild variant="secondary" className="w-fit">
+							<Link href="/dashboard/projects">
+								Go to projects
+								<ArrowRight className="size-4" />
+							</Link>
+						</Button>
+					</div>
+
+					<div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-4 gap-4">
+						<StatCard
+							label="Projects"
+							value={String(totals.projects)}
+							delta={`${totals.environments} ${totals.environments === 1 ? "environment" : "environments"}`}
+						/>
+						<StatCard
+							label="Services"
+							value={String(totals.services)}
+							delta={`${totals.applications} apps · ${totals.compose} compose · ${totals.databases} db`}
+						/>
+						<StatCard
+							label="Deploys / 7d"
+							value={deployStats.value}
+							delta={deployStats.delta}
+						/>
+						<StatusListCard
+							label="Status"
+							items={[
+								{
+									dotClass: "bg-emerald-500",
+									label: "running",
+									count: statusBreakdown.running,
+								},
+								{
+									dotClass: "bg-red-500",
+									label: "errored",
+									count: statusBreakdown.error,
+								},
+								{
+									dotClass: "bg-muted-foreground/40",
+									label: "idle",
+									count: statusBreakdown.idle,
+								},
+							]}
+						/>
+					</div>
+
+					<div className="rounded-xl border bg-background">
+						<div className="flex items-center justify-between px-5 py-4 border-b">
+							<div className="flex items-center gap-2">
+								<Rocket className="size-4 text-muted-foreground" />
+								<h2 className="text-sm font-semibold">Recent deployments</h2>
+							</div>
+							{canReadDeployments && (
+								<Link
+									href="/dashboard/deployments"
+									className="text-xs text-muted-foreground hover:text-foreground transition-colors"
+								>
+									view all →
+								</Link>
+							)}
+						</div>
+						{!canReadDeployments ? (
+							<div className="min-h-[400px] flex flex-col items-center justify-center gap-3 text-center text-sm text-muted-foreground p-10">
+								<Rocket className="size-8 opacity-40" />
+								<span>You do not have permission to view deployments.</span>
+							</div>
+						) : recentDeployments.length === 0 ? (
+							<div className="min-h-[400px] flex flex-col items-center justify-center gap-3 text-center text-sm text-muted-foreground p-10">
+								<Rocket className="size-8 opacity-40" />
+								<span>No deployments yet.</span>
+							</div>
+						) : (
+							<ul className="divide-y">
+								{recentDeployments.map((d) => {
+									const info = getServiceInfo(d);
+									if (!info) return null;
+									const status = (d.status ?? "idle") as DeploymentStatus;
+									return (
+										<li key={d.deploymentId}>
+											<Link
+												href={info.href}
+												className="flex items-center gap-4 px-5 py-4 hover:bg-muted/40 transition-colors"
+											>
+												<span
+													className={`size-2 rounded-full shrink-0 ${statusDotClass[status] ?? statusDotClass.idle}`}
+													aria-hidden
+												/>
+												<div className="flex flex-col min-w-0 flex-1">
+													<span className="text-sm truncate">{info.name}</span>
+													<span className="text-xs text-muted-foreground truncate">
+														{info.projectName} · {info.environment}
+													</span>
+												</div>
+												<span className="text-xs text-muted-foreground w-36 hidden lg:flex items-center justify-end gap-1.5 truncate">
+													<Server className="size-3 shrink-0" />
+													<span className="truncate">{info.serverName}</span>
+												</span>
+												<span className="text-xs text-muted-foreground w-20 text-right hidden sm:inline">
+													{status}
+												</span>
+												<span className="text-xs text-muted-foreground w-24 text-right hidden md:inline">
+													{formatDistanceToNow(new Date(d.createdAt), {
+														addSuffix: true,
+													})}
+												</span>
+												<span className="text-xs text-muted-foreground hover:text-foreground transition-colors">
+													logs →
+												</span>
+											</Link>
+										</li>
+									);
+								})}
+							</ul>
+						)}
+					</div>
+				</div>
+			</Card>
+		</div>
+	);
+};

apps/dokploy/components/dashboard/projects/show.tsx

@@ -166,6 +166,7 @@ export const ShowProjects = () => {
 						return (
 							total +
 							(env.applications?.length || 0) +
+							(env.libsql?.length || 0) +
 							(env.mariadb?.length || 0) +
 							(env.mongo?.length || 0) +
 							(env.mysql?.length || 0) +
@@ -178,6 +179,7 @@ export const ShowProjects = () => {
 						return (
 							total +
 							(env.applications?.length || 0) +
+							(env.libsql?.length || 0) +
 							(env.mariadb?.length || 0) +
 							(env.mongo?.length || 0) +
 							(env.mysql?.length || 0) +

apps/dokploy/components/dashboard/search-command.tsx

@@ -167,7 +167,7 @@ export const SearchCommand = () => {
 					<CommandGroup heading={"Application"} hidden={true}>
 						<CommandItem
 							onSelect={() => {
-								router.push("/dashboard/projects");
+								router.push("/dashboard/home");
 								setOpen(false);
 							}}
 						>

apps/dokploy/components/dashboard/settings/servers/welcome-stripe/welcome-subscription.tsx

@@ -425,7 +425,7 @@ export const WelcomeSubscription = () => {
 								onClick={() => {
 									if (stepper.isLast) {
 										setIsOpen(false);
-										push("/dashboard/projects");
+										push("/dashboard/home");
 									} else {
 										stepper.next();
 									}

apps/dokploy/components/layouts/side.tsx

@@ -19,6 +19,7 @@ import {
 	Forward,
 	GalleryVerticalEnd,
 	GitBranch,
+	House,
 	Key,
 	KeyRound,
 	Loader2,
@@ -148,6 +149,12 @@ type Menu = {
 // The `isEnabled` function is called to determine if the item should be displayed
 const MENU: Menu = {
 	home: [
+		{
+			isSingle: true,
+			title: "Home",
+			url: "/dashboard/home",
+			icon: House,
+		},
 		{
 			isSingle: true,
 			title: "Projects",

apps/dokploy/components/layouts/user-nav.tsx

@@ -80,7 +80,7 @@ export const UserNav = () => {
 					<DropdownMenuItem
 						className="cursor-pointer"
 						onClick={() => {
-							router.push("/dashboard/projects");
+							router.push("/dashboard/home");
 						}}
 					>
 						Projects

apps/dokploy/components/proprietary/sso/scim-dialog.tsx

@@ -0,0 +1,236 @@
+"use client";
+
+import { Copy, KeyRound, Loader2, Plus, Trash2 } from "lucide-react";
+import { type ReactNode, useState } from "react";
+import { toast } from "sonner";
+import { DialogAction } from "@/components/shared/dialog-action";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { api } from "@/utils/api";
+import { useUrl } from "@/utils/hooks/use-url";
+
+interface Props {
+	children: ReactNode;
+}
+
+export const ScimDialog = ({ children }: Props) => {
+	const utils = api.useUtils();
+	const baseURL = useUrl();
+	const [open, setOpen] = useState(false);
+	const [newProviderId, setNewProviderId] = useState("");
+	const [justCreatedToken, setJustCreatedToken] = useState<{
+		providerId: string;
+		token: string;
+	} | null>(null);
+
+	const { data: providers = [], isPending } = api.scim.listProviders.useQuery(
+		undefined,
+		{ enabled: open },
+	);
+	const { mutateAsync: generateToken, isPending: isGenerating } =
+		api.scim.generateToken.useMutation();
+	const { mutateAsync: deleteProvider, isPending: isDeleting } =
+		api.scim.deleteProvider.useMutation();
+
+	const scimUrl = `${baseURL || "{baseURL}"}/api/auth/scim/v2`;
+
+	const handleGenerate = async () => {
+		const providerId = newProviderId.trim().toLowerCase();
+		if (!providerId) return;
+		try {
+			const result = await generateToken({ providerId });
+			setJustCreatedToken({
+				providerId: result.providerId,
+				token: result.scimToken,
+			});
+			setNewProviderId("");
+			await utils.scim.listProviders.invalidate();
+		} catch (err) {
+			toast.error(
+				err instanceof Error ? err.message : "Failed to generate SCIM token",
+			);
+		}
+	};
+
+	const handleDelete = async (providerId: string) => {
+		try {
+			await deleteProvider({ providerId });
+			toast.success("SCIM provider removed");
+			await utils.scim.listProviders.invalidate();
+		} catch (err) {
+			toast.error(
+				err instanceof Error ? err.message : "Failed to delete SCIM provider",
+			);
+		}
+	};
+
+	const handleCopy = async (value: string, label: string) => {
+		try {
+			await navigator.clipboard.writeText(value);
+			toast.success(`${label} copied`);
+		} catch {
+			toast.error("Failed to copy");
+		}
+	};
+
+	const handleOpenChange = (next: boolean) => {
+		setOpen(next);
+		if (!next) setJustCreatedToken(null);
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={handleOpenChange}>
+			<DialogTrigger asChild>{children}</DialogTrigger>
+			<DialogContent className="sm:max-w-[560px]">
+				<DialogHeader>
+					<DialogTitle className="flex items-center gap-2">
+						<KeyRound className="size-5" />
+						SCIM provisioning
+					</DialogTitle>
+					<DialogDescription>
+						Automatically provision, update, and deactivate users from your
+						identity provider (Okta, Entra ID, etc.). Configure the SCIM endpoint
+						below in your IdP.
+					</DialogDescription>
+				</DialogHeader>
+				<div className="space-y-4 py-2">
+					<div className="grid gap-1">
+						<Label className="text-xs font-medium text-muted-foreground">
+							SCIM 2.0 endpoint URL
+						</Label>
+						<div className="flex items-center gap-2">
+							<p className="flex-1 break-all rounded-md bg-muted px-2 py-1.5 font-mono text-xs">
+								{scimUrl}
+							</p>
+							<Button
+								variant="outline"
+								size="icon"
+								className="size-8 shrink-0"
+								onClick={() => handleCopy(scimUrl, "Endpoint URL")}
+								disabled={!baseURL}
+							>
+								<Copy className="size-3.5" />
+							</Button>
+						</div>
+					</div>
+
+					{justCreatedToken && (
+						<div className="rounded-md border border-amber-500/40 bg-amber-500/10 p-3">
+							<p className="text-sm font-medium">
+								Bearer token for {justCreatedToken.providerId}
+							</p>
+							<p className="mt-1 text-xs text-muted-foreground">
+								Copy this token now — it will not be shown again. Paste it into
+								your IdP's SCIM configuration.
+							</p>
+							<div className="mt-2 flex items-center gap-2">
+								<p className="flex-1 break-all rounded-md bg-background px-2 py-1.5 font-mono text-xs">
+									{justCreatedToken.token}
+								</p>
+								<Button
+									variant="outline"
+									size="icon"
+									className="size-8 shrink-0"
+									onClick={() =>
+										handleCopy(justCreatedToken.token, "Bearer token")
+									}
+								>
+									<Copy className="size-3.5" />
+								</Button>
+							</div>
+						</div>
+					)}
+
+					<div className="space-y-2">
+						<Label className="text-sm font-medium">
+							Generate token for a new provider
+						</Label>
+						<div className="flex gap-2">
+							<Input
+								value={newProviderId}
+								onChange={(e) => setNewProviderId(e.target.value)}
+								placeholder="okta, entra, jumpcloud..."
+								className="font-mono text-sm"
+								onKeyDown={(e) => {
+									if (e.key === "Enter") {
+										e.preventDefault();
+										void handleGenerate();
+									}
+								}}
+							/>
+							<Button
+								size="sm"
+								onClick={handleGenerate}
+								disabled={!newProviderId.trim() || isGenerating}
+							>
+								<Plus className="mr-1 size-4" />
+								Generate
+							</Button>
+						</div>
+						<p className="text-xs text-muted-foreground">
+							Choose a unique identifier for this IdP connection (lowercase,
+							alphanumeric, dashes).
+						</p>
+					</div>
+
+					<div className="space-y-2">
+						<Label className="text-sm font-medium">Existing providers</Label>
+						{isPending ? (
+							<div className="flex items-center gap-2 justify-center py-4">
+								<Loader2 className="size-4 animate-spin text-muted-foreground" />
+								<span className="text-sm text-muted-foreground">Loading...</span>
+							</div>
+						) : providers.length === 0 ? (
+							<p className="rounded-md border border-dashed bg-muted/30 px-3 py-4 text-center text-sm text-muted-foreground">
+								No SCIM providers configured yet.
+							</p>
+						) : (
+							<ul className="flex flex-col gap-2">
+								{providers.map((provider) => (
+									<li
+										key={provider.id}
+										className="flex items-center gap-2 rounded-md border bg-muted/30 px-3 py-2"
+									>
+										<span className="flex-1 font-mono text-sm">
+											{provider.providerId}
+										</span>
+										<DialogAction
+											title="Remove SCIM provider"
+											description={`Remove "${provider.providerId}"? Existing provisioned users will stay but the IdP will no longer be able to sync.`}
+											type="destructive"
+											onClick={() => handleDelete(provider.providerId)}
+										>
+											<Button
+												variant="ghost"
+												size="icon"
+												className="size-8 shrink-0 text-destructive hover:text-destructive"
+												disabled={isDeleting}
+											>
+												<Trash2 className="size-3.5" />
+											</Button>
+										</DialogAction>
+									</li>
+								))}
+							</ul>
+						)}
+					</div>
+				</div>
+				<DialogFooter>
+					<Button variant="outline" onClick={() => handleOpenChange(false)}>
+						Close
+					</Button>
+				</DialogFooter>
+			</DialogContent>
+		</Dialog>
+	);
+};

apps/dokploy/components/proprietary/sso/sign-in-with-sso.tsx

@@ -44,7 +44,7 @@ export function SignInWithSSO({ children }: SignInWithSSOProps) {
 		try {
 			const { data, error } = await authClient.signIn.sso({
 				email: values.email,
-				callbackURL: "/dashboard/projects",
+				callbackURL: "/dashboard/home",
 			});
 			if (error) {
 				toast.error(error.message ?? "Failed to sign in with SSO");

apps/dokploy/components/proprietary/sso/sso-settings.tsx

@@ -2,6 +2,7 @@
 
 import {
 	Eye,
+	KeyRound,
 	Loader2,
 	LogIn,
 	Pencil,
@@ -34,6 +35,7 @@ import { api } from "@/utils/api";
 import { useUrl } from "@/utils/hooks/use-url";
 import { RegisterOidcDialog } from "./register-oidc-dialog";
 import { RegisterSamlDialog } from "./register-saml-dialog";
+import { ScimDialog } from "./scim-dialog";
 
 type ProviderForDetails = {
 	id: string | null;
@@ -169,15 +171,22 @@ export const SSOSettings = () => {
 						Users can sign in with their organization's IdP.
 					</CardDescription>
 				</div>
-				<Button
-					variant="outline"
-					size="sm"
-					onClick={() => setManageOriginsOpen(true)}
-					className="shrink-0"
-				>
-					<Shield className="mr-2 size-4" />
-					Manage origins
-				</Button>
+				<div className="flex flex-wrap gap-2 shrink-0">
+					<Button
+						variant="outline"
+						size="sm"
+						onClick={() => setManageOriginsOpen(true)}
+					>
+						<Shield className="mr-2 size-4" />
+						Manage origins
+					</Button>
+					<ScimDialog>
+						<Button variant="outline" size="sm">
+							<KeyRound className="mr-2 size-4" />
+							Manage SCIM
+						</Button>
+					</ScimDialog>
+				</div>
 			</div>
 
 			{isPending ? (

apps/dokploy/drizzle/0166_overjoyed_big_bertha.sql

@@ -0,0 +1,11 @@
+CREATE TABLE "scim_provider" (
+	"id" text PRIMARY KEY NOT NULL,
+	"provider_id" text NOT NULL,
+	"scim_token" text NOT NULL,
+	"organization_id" text,
+	CONSTRAINT "scim_provider_provider_id_unique" UNIQUE("provider_id"),
+	CONSTRAINT "scim_provider_scim_token_unique" UNIQUE("scim_token")
+);
+--> statement-breakpoint
+ALTER TABLE "two_factor" ADD COLUMN "verified" boolean DEFAULT true NOT NULL;--> statement-breakpoint
+ALTER TABLE "scim_provider" ADD CONSTRAINT "scim_provider_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "public"."organization"("id") ON DELETE cascade ON UPDATE no action;

apps/dokploy/drizzle/meta/_journal.json

@@ -1163,6 +1163,13 @@
       "when": 1775845419261,
       "tag": "0165_abnormal_greymalkin",
       "breakpoints": true
+    },
+    {
+      "idx": 166,
+      "version": "7",
+      "when": 1776576422440,
+      "tag": "0166_overjoyed_big_bertha",
+      "breakpoints": true
     }
   ]
 }

apps/dokploy/package.json

@@ -46,8 +46,8 @@
 		"@ai-sdk/mistral": "^3.0.20",
 		"@ai-sdk/openai": "^3.0.29",
 		"@ai-sdk/openai-compatible": "^2.0.30",
-		"@better-auth/api-key": "1.5.4",
-		"@better-auth/sso": "1.5.4",
+		"@better-auth/api-key": "1.6.5",
+		"@better-auth/sso": "1.6.5",
 		"@codemirror/autocomplete": "^6.18.6",
 		"@codemirror/lang-css": "^6.3.1",
 		"@codemirror/lang-json": "^6.0.1",
@@ -101,7 +101,7 @@
 		"ai": "^6.0.86",
 		"ai-sdk-ollama": "^3.7.0",
 		"bcrypt": "5.1.1",
-		"better-auth": "1.5.4",
+		"better-auth": "1.6.5",
 		"bl": "6.0.11",
 		"boxen": "^7.1.1",
 		"bullmq": "5.67.3",
@@ -113,7 +113,7 @@
 		"dockerode": "4.0.2",
 		"dompurify": "^3.3.3",
 		"dotenv": "16.4.5",
-		"drizzle-orm": "0.45.1",
+		"drizzle-orm": "0.45.2",
 		"drizzle-zod": "0.8.3",
 		"fancy-ansi": "^0.1.3",
 		"input-otp": "^1.4.2",

apps/dokploy/pages/_error.tsx

@@ -53,7 +53,7 @@ export default function Custom404({ statusCode, error }: Props) {
 
 						<div className="mt-5 flex flex-col justify-center items-center gap-2 sm:flex-row sm:gap-3">
 							<Link
-								href="/dashboard/projects"
+								href="/dashboard/home"
 								className={buttonVariants({
 									variant: "secondary",
 									className: "flex flex-row gap-2",

apps/dokploy/pages/dashboard/deployments.tsx

@@ -102,7 +102,7 @@ export async function getServerSideProps(ctx: GetServerSidePropsContext) {
 		return {
 			redirect: {
 				permanent: false,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/docker.tsx

@@ -24,7 +24,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/home.tsx

@@ -0,0 +1,53 @@
+import { validateRequest } from "@dokploy/server/lib/auth";
+import { createServerSideHelpers } from "@trpc/react-query/server";
+import type { GetServerSidePropsContext } from "next";
+import type { ReactElement } from "react";
+import superjson from "superjson";
+import { ShowHome } from "@/components/dashboard/home/show-home";
+import { DashboardLayout } from "@/components/layouts/dashboard-layout";
+import { appRouter } from "@/server/api/root";
+
+const Home = () => {
+	return <ShowHome />;
+};
+
+export default Home;
+
+Home.getLayout = (page: ReactElement) => {
+	return <DashboardLayout>{page}</DashboardLayout>;
+};
+
+export async function getServerSideProps(ctx: GetServerSidePropsContext) {
+	const { req, res } = ctx;
+	const { user, session } = await validateRequest(req);
+
+	if (!user) {
+		return {
+			redirect: {
+				permanent: true,
+				destination: "/",
+			},
+		};
+	}
+
+	const helpers = createServerSideHelpers({
+		router: appRouter,
+		ctx: {
+			req: req as any,
+			res: res as any,
+			db: null as any,
+			session: session as any,
+			user: user as any,
+		},
+		transformer: superjson,
+	});
+
+	await helpers.settings.isCloud.prefetch();
+	await helpers.user.get.prefetch();
+
+	return {
+		props: {
+			trpcState: helpers.dehydrate(),
+		},
+	};
+}

apps/dokploy/pages/dashboard/monitoring.tsx

@@ -96,7 +96,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}
@@ -122,7 +122,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: false,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId].tsx

@@ -509,6 +509,14 @@ const EnvironmentPage = (
 		deploy: api.mongo.deploy.useMutation(),
 	};
 
+	const libsqlActions = {
+		start: api.libsql.start.useMutation(),
+		stop: api.libsql.stop.useMutation(),
+		move: api.libsql.move.useMutation(),
+		delete: api.libsql.remove.useMutation(),
+		deploy: api.libsql.deploy.useMutation(),
+	};
+
 	const handleBulkStart = async () => {
 		let success = 0;
 		setIsBulkActionLoading(true);
@@ -541,6 +549,9 @@ const EnvironmentPage = (
 					case "mongo":
 						await mongoActions.start.mutateAsync({ mongoId: serviceId });
 						break;
+					case "libsql":
+						await libsqlActions.start.mutateAsync({ libsqlId: serviceId });
+						break;
 				}
 				success++;
 			} catch {
@@ -588,6 +599,9 @@ const EnvironmentPage = (
 					case "mongo":
 						await mongoActions.stop.mutateAsync({ mongoId: serviceId });
 						break;
+					case "libsql":
+						await libsqlActions.stop.mutateAsync({ libsqlId: serviceId });
+						break;
 				}
 				success++;
 			} catch {
@@ -664,6 +678,12 @@ const EnvironmentPage = (
 							targetEnvironmentId: selectedTargetEnvironment,
 						});
 						break;
+					case "libsql":
+						await libsqlActions.move.mutateAsync({
+							libsqlId: serviceId,
+							targetEnvironmentId: selectedTargetEnvironment,
+						});
+						break;
 				}
 				await utils.environment.one.invalidate({
 					environmentId,
@@ -733,6 +753,11 @@ const EnvironmentPage = (
 							mongoId: serviceId,
 						});
 						break;
+					case "libsql":
+						await libsqlActions.delete.mutateAsync({
+							libsqlId: serviceId,
+						});
+						break;
 				}
 				await utils.environment.one.invalidate({
 					environmentId,
@@ -799,6 +824,11 @@ const EnvironmentPage = (
 							mongoId: serviceId,
 						});
 						break;
+					case "libsql":
+						await libsqlActions.deploy.mutateAsync({
+							libsqlId: serviceId,
+						});
+						break;
 				}
 				success++;
 			} catch (error) {
@@ -1856,7 +1886,7 @@ export async function getServerSideProps(
 				return {
 					redirect: {
 						permanent: false,
-						destination: "/dashboard/projects",
+						destination: "/dashboard/home",
 					},
 				};
 			}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/application/[applicationId].tsx

@@ -490,7 +490,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/compose/[composeId].tsx

@@ -492,7 +492,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/libsql/[libsqlId].tsx

@@ -343,7 +343,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/mariadb/[mariadbId].tsx

@@ -372,7 +372,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/mongo/[mongoId].tsx

@@ -376,7 +376,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/mysql/[mysqlId].tsx

@@ -353,7 +353,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/postgres/[postgresId].tsx

@@ -360,7 +360,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/redis/[redisId].tsx

@@ -363,7 +363,7 @@ export async function getServerSideProps(
 			return {
 				redirect: {
 					permanent: false,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/pages/dashboard/requests.tsx

@@ -18,7 +18,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/schedules.tsx

@@ -35,7 +35,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/settings/billing.tsx

@@ -24,7 +24,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/settings/cluster.tsx

@@ -28,7 +28,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/settings/invoices.tsx

@@ -24,7 +24,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/settings/server.tsx

@@ -45,7 +45,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/swarm.tsx

@@ -46,7 +46,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/dashboard/traefik.tsx

@@ -24,7 +24,7 @@ export async function getServerSideProps(
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/index.tsx

@@ -106,7 +106,7 @@ export default function Home({ IS_CLOUD }: Props) {
 			}
 
 			toast.success("Logged in successfully");
-			router.push("/dashboard/projects");
+			router.push("/dashboard/home");
 		} catch {
 			toast.error("An error occurred while logging in");
 		} finally {
@@ -133,7 +133,7 @@ export default function Home({ IS_CLOUD }: Props) {
 			}
 
 			toast.success("Logged in successfully");
-			router.push("/dashboard/projects");
+			router.push("/dashboard/home");
 		} catch {
 			toast.error("An error occurred while verifying 2FA code");
 		} finally {
@@ -163,7 +163,7 @@ export default function Home({ IS_CLOUD }: Props) {
 			}
 
 			toast.success("Logged in successfully");
-			router.push("/dashboard/projects");
+			router.push("/dashboard/home");
 		} catch {
 			toast.error("An error occurred while verifying backup code");
 		} finally {
@@ -408,7 +408,7 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
 				return {
 					redirect: {
 						permanent: true,
-						destination: "/dashboard/projects",
+						destination: "/dashboard/home",
 					},
 				};
 			}
@@ -437,7 +437,7 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
 		return {
 			redirect: {
 				permanent: true,
-				destination: "/dashboard/projects",
+				destination: "/dashboard/home",
 			},
 		};
 	}

apps/dokploy/pages/invitation.tsx

@@ -139,7 +139,7 @@ const Invitation = ({
 			});
 
 			toast.success("Account created successfully");
-			router.push("/dashboard/projects");
+			router.push("/dashboard/home");
 		} catch {
 			toast.error("An error occurred while creating your account");
 		}

apps/dokploy/pages/register.tsx

@@ -303,7 +303,7 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
 			return {
 				redirect: {
 					permanent: true,
-					destination: "/dashboard/projects",
+					destination: "/dashboard/home",
 				},
 			};
 		}

apps/dokploy/server/api/root.ts

@@ -31,6 +31,7 @@ import { projectRouter } from "./routers/project";
 import { auditLogRouter } from "./routers/proprietary/audit-log";
 import { customRoleRouter } from "./routers/proprietary/custom-role";
 import { licenseKeyRouter } from "./routers/proprietary/license-key";
+import { scimRouter } from "./routers/proprietary/scim";
 import { ssoRouter } from "./routers/proprietary/sso";
 import { whitelabelingRouter } from "./routers/proprietary/whitelabeling";
 import { redirectsRouter } from "./routers/redirects";
@@ -93,6 +94,7 @@ export const appRouter = createTRPCRouter({
 	organization: organizationRouter,
 	licenseKey: licenseKeyRouter,
 	sso: ssoRouter,
+	scim: scimRouter,
 	whitelabeling: whitelabelingRouter,
 	customRole: customRoleRouter,
 	auditLog: auditLogRouter,

apps/dokploy/server/api/routers/project.ts

@@ -487,6 +487,148 @@ export const projectRouter = createTRPCRouter({
 		},
 	),
 
+	homeStats: protectedProcedure.query(async ({ ctx }) => {
+		const isPrivileged = ctx.user.role === "owner" || ctx.user.role === "admin";
+
+		let accessedProjects: string[] = [];
+		let accessedEnvironments: string[] = [];
+		let accessedServices: string[] = [];
+
+		if (!isPrivileged) {
+			const member = await findMemberByUserId(
+				ctx.user.id,
+				ctx.session.activeOrganizationId,
+			);
+			accessedProjects = member.accessedProjects;
+			accessedEnvironments = member.accessedEnvironments;
+			accessedServices = member.accessedServices;
+
+			if (accessedProjects.length === 0) {
+				return {
+					projects: 0,
+					environments: 0,
+					applications: 0,
+					compose: 0,
+					databases: 0,
+					services: 0,
+					status: { running: 0, error: 0, idle: 0 },
+				};
+			}
+		}
+
+		const projectIdFilter = isPrivileged
+			? eq(projects.organizationId, ctx.session.activeOrganizationId)
+			: and(
+					sql`${projects.projectId} IN (${sql.join(
+						accessedProjects.map((id) => sql`${id}`),
+						sql`, `,
+					)})`,
+					eq(projects.organizationId, ctx.session.activeOrganizationId),
+				);
+
+		const environmentFilter = isPrivileged
+			? undefined
+			: accessedEnvironments.length === 0
+				? sql`false`
+				: sql`${environments.environmentId} IN (${sql.join(
+						accessedEnvironments.map((envId) => sql`${envId}`),
+						sql`, `,
+					)})`;
+
+		const applyFilter = (col: AnyPgColumn) =>
+			isPrivileged ? undefined : buildServiceFilter(col, accessedServices);
+
+		const rows = await db.query.projects.findMany({
+			where: projectIdFilter,
+			columns: { projectId: true },
+			with: {
+				environments: {
+					where: environmentFilter,
+					columns: { environmentId: true },
+					with: {
+						applications: {
+							where: applyFilter(applications.applicationId),
+							columns: { applicationStatus: true },
+						},
+						compose: {
+							where: applyFilter(compose.composeId),
+							columns: { composeStatus: true },
+						},
+						libsql: {
+							where: applyFilter(libsql.libsqlId),
+							columns: { applicationStatus: true },
+						},
+						mariadb: {
+							where: applyFilter(mariadb.mariadbId),
+							columns: { applicationStatus: true },
+						},
+						mongo: {
+							where: applyFilter(mongo.mongoId),
+							columns: { applicationStatus: true },
+						},
+						mysql: {
+							where: applyFilter(mysql.mysqlId),
+							columns: { applicationStatus: true },
+						},
+						postgres: {
+							where: applyFilter(postgres.postgresId),
+							columns: { applicationStatus: true },
+						},
+						redis: {
+							where: applyFilter(redis.redisId),
+							columns: { applicationStatus: true },
+						},
+					},
+				},
+			},
+		});
+
+		let applicationsCount = 0;
+		let composeCount = 0;
+		let databasesCount = 0;
+		let environmentsCount = 0;
+		const status = { running: 0, error: 0, idle: 0 };
+		const bump = (s?: string | null) => {
+			if (s === "done") status.running++;
+			else if (s === "error") status.error++;
+			else status.idle++;
+		};
+
+		for (const project of rows) {
+			for (const env of project.environments) {
+				environmentsCount++;
+				applicationsCount += env.applications.length;
+				composeCount += env.compose.length;
+				databasesCount +=
+					env.libsql.length +
+					env.mariadb.length +
+					env.mongo.length +
+					env.mysql.length +
+					env.postgres.length +
+					env.redis.length;
+
+				for (const a of env.applications) bump(a.applicationStatus);
+				for (const c of env.compose) bump(c.composeStatus);
+				for (const s of env.libsql) bump(s.applicationStatus);
+				for (const s of env.mariadb) bump(s.applicationStatus);
+				for (const s of env.mongo) bump(s.applicationStatus);
+				for (const s of env.mysql) bump(s.applicationStatus);
+				for (const s of env.postgres) bump(s.applicationStatus);
+				for (const s of env.redis) bump(s.applicationStatus);
+			}
+		}
+
+		return {
+			projects: rows.length,
+			environments: environmentsCount,
+			applications: applicationsCount,
+			compose: composeCount,
+			databases: databasesCount,
+			services: applicationsCount + composeCount + databasesCount,
+			status,
+		};
+	}),
+
 	search: protectedProcedure
 		.input(
 			z.object({

apps/dokploy/server/api/routers/proprietary/scim.ts

@@ -0,0 +1,78 @@
+import { db } from "@dokploy/server/db";
+import { scimProvider } from "@dokploy/server/db/schema";
+import { requestToHeaders } from "@dokploy/server/index";
+import { auth } from "@dokploy/server/lib/auth";
+import { TRPCError } from "@trpc/server";
+import { and, asc, eq } from "drizzle-orm";
+import { z } from "zod";
+import { createTRPCRouter, enterpriseProcedure } from "@/server/api/trpc";
+
+const providerIdSchema = z
+	.string()
+	.min(1)
+	.max(64)
+	.regex(
+		/^[a-z0-9][a-z0-9-]*$/,
+		"Provider ID must be lowercase alphanumeric with optional dashes",
+	);
+
+export const scimRouter = createTRPCRouter({
+	listProviders: enterpriseProcedure.query(async ({ ctx }) => {
+		const providers = await db.query.scimProvider.findMany({
+			where: eq(scimProvider.organizationId, ctx.session.activeOrganizationId),
+			columns: {
+				id: true,
+				providerId: true,
+				organizationId: true,
+			},
+			orderBy: [asc(scimProvider.providerId)],
+		});
+		return providers;
+	}),
+	generateToken: enterpriseProcedure
+		.input(z.object({ providerId: providerIdSchema }))
+		.mutation(async ({ ctx, input }) => {
+			const existing = await db.query.scimProvider.findFirst({
+				where: eq(scimProvider.providerId, input.providerId),
+				columns: { id: true, organizationId: true },
+			});
+			if (existing) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message: "A SCIM provider with this ID already exists",
+				});
+			}
+			const result = await auth.generateSCIMToken({
+				body: {
+					providerId: input.providerId,
+					organizationId: ctx.session.activeOrganizationId,
+				},
+				headers: requestToHeaders(ctx.req),
+			});
+			return { scimToken: result.scimToken, providerId: input.providerId };
+		}),
+	deleteProvider: enterpriseProcedure
+		.input(z.object({ providerId: providerIdSchema }))
+		.mutation(async ({ ctx, input }) => {
+			const [deleted] = await db
+				.delete(scimProvider)
+				.where(
+					and(
+						eq(scimProvider.providerId, input.providerId),
+						eq(
+							scimProvider.organizationId,
+							ctx.session.activeOrganizationId,
+						),
+					),
+				)
+				.returning({ id: scimProvider.id });
+			if (!deleted) {
+				throw new TRPCError({
+					code: "NOT_FOUND",
+					message:
+						"SCIM provider not found or you do not have permission to delete it",
+				});
+			}
+			return { success: true };
+		}),
+});

packages/server/auth-schema2.ts

@@ -1,299 +1,311 @@
 import { relations } from "drizzle-orm";
 import {
-	boolean,
-	index,
-	integer,
-	pgTable,
-	text,
-	timestamp,
-	uniqueIndex,
+  pgTable,
+  text,
+  timestamp,
+  boolean,
+  integer,
+  index,
+  uniqueIndex,
 } from "drizzle-orm/pg-core";
 
 export const user = pgTable("user", {
-	id: text("id").primaryKey(),
-	firstName: text("first_name").notNull(),
-	email: text("email").notNull().unique(),
-	emailVerified: boolean("email_verified").default(false).notNull(),
-	image: text("image"),
-	createdAt: timestamp("created_at").defaultNow().notNull(),
-	updatedAt: timestamp("updated_at")
-		.defaultNow()
-		.$onUpdate(() => /* @__PURE__ */ new Date())
-		.notNull(),
-	twoFactorEnabled: boolean("two_factor_enabled").default(false),
-	role: text("role"),
-	ownerId: text("owner_id"),
-	allowImpersonation: boolean("allow_impersonation").default(false),
-	lastName: text("last_name").default(""),
-	enableEnterpriseFeatures: boolean("enable_enterprise_features"),
-	isValidEnterpriseLicense: boolean("is_valid_enterprise_license"),
+  id: text("id").primaryKey(),
+  firstName: text("first_name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").default(false).notNull(),
+  image: text("image"),
+  createdAt: timestamp("created_at").defaultNow().notNull(),
+  updatedAt: timestamp("updated_at")
+    .defaultNow()
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  twoFactorEnabled: boolean("two_factor_enabled").default(false),
+  role: text("role"),
+  banned: boolean("banned").default(false),
+  banReason: text("ban_reason"),
+  banExpires: timestamp("ban_expires"),
+  ownerId: text("owner_id"),
+  allowImpersonation: boolean("allow_impersonation").default(false),
+  lastName: text("last_name").default(""),
+  enableEnterpriseFeatures: boolean("enable_enterprise_features"),
+  isValidEnterpriseLicense: boolean("is_valid_enterprise_license"),
 });
 
 export const session = pgTable(
-	"session",
-	{
-		id: text("id").primaryKey(),
-		expiresAt: timestamp("expires_at").notNull(),
-		token: text("token").notNull().unique(),
-		createdAt: timestamp("created_at").defaultNow().notNull(),
-		updatedAt: timestamp("updated_at")
-			.$onUpdate(() => /* @__PURE__ */ new Date())
-			.notNull(),
-		ipAddress: text("ip_address"),
-		userAgent: text("user_agent"),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-		activeOrganizationId: text("active_organization_id"),
-	},
-	(table) => [index("session_userId_idx").on(table.userId)],
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    activeOrganizationId: text("active_organization_id"),
+    impersonatedBy: text("impersonated_by"),
+  },
+  (table) => [index("session_userId_idx").on(table.userId)],
 );
 
 export const account = pgTable(
-	"account",
-	{
-		id: text("id").primaryKey(),
-		accountId: text("account_id").notNull(),
-		providerId: text("provider_id").notNull(),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-		accessToken: text("access_token"),
-		refreshToken: text("refresh_token"),
-		idToken: text("id_token"),
-		accessTokenExpiresAt: timestamp("access_token_expires_at"),
-		refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-		scope: text("scope"),
-		password: text("password"),
-		createdAt: timestamp("created_at").defaultNow().notNull(),
-		updatedAt: timestamp("updated_at")
-			.$onUpdate(() => /* @__PURE__ */ new Date())
-			.notNull(),
-	},
-	(table) => [index("account_userId_idx").on(table.userId)],
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: timestamp("access_token_expires_at"),
+    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("account_userId_idx").on(table.userId)],
 );
 
 export const verification = pgTable(
-	"verification",
-	{
-		id: text("id").primaryKey(),
-		identifier: text("identifier").notNull(),
-		value: text("value").notNull(),
-		expiresAt: timestamp("expires_at").notNull(),
-		createdAt: timestamp("created_at").defaultNow().notNull(),
-		updatedAt: timestamp("updated_at")
-			.defaultNow()
-			.$onUpdate(() => /* @__PURE__ */ new Date())
-			.notNull(),
-	},
-	(table) => [index("verification_identifier_idx").on(table.identifier)],
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .defaultNow()
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)],
 );
 
 export const apikey = pgTable(
-	"apikey",
-	{
-		id: text("id").primaryKey(),
-		configId: text("config_id").default("default").notNull(),
-		name: text("name"),
-		start: text("start"),
-		referenceId: text("reference_id").notNull(),
-		prefix: text("prefix"),
-		key: text("key").notNull(),
-		refillInterval: integer("refill_interval"),
-		refillAmount: integer("refill_amount"),
-		lastRefillAt: timestamp("last_refill_at"),
-		enabled: boolean("enabled").default(true),
-		rateLimitEnabled: boolean("rate_limit_enabled").default(true),
-		rateLimitTimeWindow: integer("rate_limit_time_window").default(86400000),
-		rateLimitMax: integer("rate_limit_max").default(10),
-		requestCount: integer("request_count").default(0),
-		remaining: integer("remaining"),
-		lastRequest: timestamp("last_request"),
-		expiresAt: timestamp("expires_at"),
-		createdAt: timestamp("created_at").notNull(),
-		updatedAt: timestamp("updated_at").notNull(),
-		permissions: text("permissions"),
-		metadata: text("metadata"),
-	},
-	(table) => [
-		index("apikey_configId_idx").on(table.configId),
-		index("apikey_referenceId_idx").on(table.referenceId),
-		index("apikey_key_idx").on(table.key),
-	],
+  "apikey",
+  {
+    id: text("id").primaryKey(),
+    configId: text("config_id").default("default").notNull(),
+    name: text("name"),
+    start: text("start"),
+    referenceId: text("reference_id").notNull(),
+    prefix: text("prefix"),
+    key: text("key").notNull(),
+    refillInterval: integer("refill_interval"),
+    refillAmount: integer("refill_amount"),
+    lastRefillAt: timestamp("last_refill_at"),
+    enabled: boolean("enabled").default(true),
+    rateLimitEnabled: boolean("rate_limit_enabled").default(true),
+    rateLimitTimeWindow: integer("rate_limit_time_window").default(86400000),
+    rateLimitMax: integer("rate_limit_max").default(10),
+    requestCount: integer("request_count").default(0),
+    remaining: integer("remaining"),
+    lastRequest: timestamp("last_request"),
+    expiresAt: timestamp("expires_at"),
+    createdAt: timestamp("created_at").notNull(),
+    updatedAt: timestamp("updated_at").notNull(),
+    permissions: text("permissions"),
+    metadata: text("metadata"),
+  },
+  (table) => [
+    index("apikey_configId_idx").on(table.configId),
+    index("apikey_referenceId_idx").on(table.referenceId),
+    index("apikey_key_idx").on(table.key),
+  ],
 );
 
 export const ssoProvider = pgTable("sso_provider", {
-	id: text("id").primaryKey(),
-	issuer: text("issuer").notNull(),
-	oidcConfig: text("oidc_config"),
-	samlConfig: text("saml_config"),
-	userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
-	providerId: text("provider_id").notNull().unique(),
-	organizationId: text("organization_id"),
-	domain: text("domain").notNull(),
+  id: text("id").primaryKey(),
+  issuer: text("issuer").notNull(),
+  oidcConfig: text("oidc_config"),
+  samlConfig: text("saml_config"),
+  userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+  providerId: text("provider_id").notNull().unique(),
+  organizationId: text("organization_id"),
+  domain: text("domain").notNull(),
 });
 
 export const twoFactor = pgTable(
-	"two_factor",
-	{
-		id: text("id").primaryKey(),
-		secret: text("secret").notNull(),
-		backupCodes: text("backup_codes").notNull(),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-	},
-	(table) => [
-		index("twoFactor_secret_idx").on(table.secret),
-		index("twoFactor_userId_idx").on(table.userId),
-	],
+  "two_factor",
+  {
+    id: text("id").primaryKey(),
+    secret: text("secret").notNull(),
+    backupCodes: text("backup_codes").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    verified: boolean("verified").default(true),
+  },
+  (table) => [
+    index("twoFactor_secret_idx").on(table.secret),
+    index("twoFactor_userId_idx").on(table.userId),
+  ],
 );
 
 export const organization = pgTable(
-	"organization",
-	{
-		id: text("id").primaryKey(),
-		name: text("name").notNull(),
-		slug: text("slug").notNull().unique(),
-		logo: text("logo"),
-		createdAt: timestamp("created_at").notNull(),
-		metadata: text("metadata"),
-	},
-	(table) => [uniqueIndex("organization_slug_uidx").on(table.slug)],
+  "organization",
+  {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    slug: text("slug").notNull().unique(),
+    logo: text("logo"),
+    createdAt: timestamp("created_at").notNull(),
+    metadata: text("metadata"),
+  },
+  (table) => [uniqueIndex("organization_slug_uidx").on(table.slug)],
 );
 
 export const organizationRole = pgTable(
-	"organization_role",
-	{
-		id: text("id").primaryKey(),
-		organizationId: text("organization_id")
-			.notNull()
-			.references(() => organization.id, { onDelete: "cascade" }),
-		role: text("role").notNull(),
-		permission: text("permission").notNull(),
-		createdAt: timestamp("created_at").defaultNow().notNull(),
-		updatedAt: timestamp("updated_at").$onUpdate(
-			() => /* @__PURE__ */ new Date(),
-		),
-	},
-	(table) => [
-		index("organizationRole_organizationId_idx").on(table.organizationId),
-		index("organizationRole_role_idx").on(table.role),
-	],
+  "organization_role",
+  {
+    id: text("id").primaryKey(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organization.id, { onDelete: "cascade" }),
+    role: text("role").notNull(),
+    permission: text("permission").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at").$onUpdate(
+      () => /* @__PURE__ */ new Date(),
+    ),
+  },
+  (table) => [
+    index("organizationRole_organizationId_idx").on(table.organizationId),
+    index("organizationRole_role_idx").on(table.role),
+  ],
 );
 
 export const member = pgTable(
-	"member",
-	{
-		id: text("id").primaryKey(),
-		organizationId: text("organization_id")
-			.notNull()
-			.references(() => organization.id, { onDelete: "cascade" }),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-		role: text("role").default("member").notNull(),
-		createdAt: timestamp("created_at").notNull(),
-	},
-	(table) => [
-		index("member_organizationId_idx").on(table.organizationId),
-		index("member_userId_idx").on(table.userId),
-	],
+  "member",
+  {
+    id: text("id").primaryKey(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organization.id, { onDelete: "cascade" }),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    role: text("role").default("member").notNull(),
+    createdAt: timestamp("created_at").notNull(),
+  },
+  (table) => [
+    index("member_organizationId_idx").on(table.organizationId),
+    index("member_userId_idx").on(table.userId),
+  ],
 );
 
 export const invitation = pgTable(
-	"invitation",
-	{
-		id: text("id").primaryKey(),
-		organizationId: text("organization_id")
-			.notNull()
-			.references(() => organization.id, { onDelete: "cascade" }),
-		email: text("email").notNull(),
-		role: text("role"),
-		status: text("status").default("pending").notNull(),
-		expiresAt: timestamp("expires_at").notNull(),
-		createdAt: timestamp("created_at").defaultNow().notNull(),
-		inviterId: text("inviter_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-	},
-	(table) => [
-		index("invitation_organizationId_idx").on(table.organizationId),
-		index("invitation_email_idx").on(table.email),
-	],
+  "invitation",
+  {
+    id: text("id").primaryKey(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organization.id, { onDelete: "cascade" }),
+    email: text("email").notNull(),
+    role: text("role"),
+    status: text("status").default("pending").notNull(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    inviterId: text("inviter_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [
+    index("invitation_organizationId_idx").on(table.organizationId),
+    index("invitation_email_idx").on(table.email),
+  ],
 );
 
+export const scimProvider = pgTable("scim_provider", {
+  id: text("id").primaryKey(),
+  providerId: text("provider_id").notNull().unique(),
+  scimToken: text("scim_token").notNull().unique(),
+  organizationId: text("organization_id"),
+});
+
 export const userRelations = relations(user, ({ many }) => ({
-	sessions: many(session),
-	accounts: many(account),
-	ssoProviders: many(ssoProvider),
-	twoFactors: many(twoFactor),
-	members: many(member),
-	invitations: many(invitation),
+  sessions: many(session),
+  accounts: many(account),
+  ssoProviders: many(ssoProvider),
+  twoFactors: many(twoFactor),
+  members: many(member),
+  invitations: many(invitation),
 }));
 
 export const sessionRelations = relations(session, ({ one }) => ({
-	user: one(user, {
-		fields: [session.userId],
-		references: [user.id],
-	}),
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
 }));
 
 export const accountRelations = relations(account, ({ one }) => ({
-	user: one(user, {
-		fields: [account.userId],
-		references: [user.id],
-	}),
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
 }));
 
 export const ssoProviderRelations = relations(ssoProvider, ({ one }) => ({
-	user: one(user, {
-		fields: [ssoProvider.userId],
-		references: [user.id],
-	}),
+  user: one(user, {
+    fields: [ssoProvider.userId],
+    references: [user.id],
+  }),
 }));
 
 export const twoFactorRelations = relations(twoFactor, ({ one }) => ({
-	user: one(user, {
-		fields: [twoFactor.userId],
-		references: [user.id],
-	}),
+  user: one(user, {
+    fields: [twoFactor.userId],
+    references: [user.id],
+  }),
 }));
 
 export const organizationRelations = relations(organization, ({ many }) => ({
-	organizationRoles: many(organizationRole),
-	members: many(member),
-	invitations: many(invitation),
+  organizationRoles: many(organizationRole),
+  members: many(member),
+  invitations: many(invitation),
 }));
 
 export const organizationRoleRelations = relations(
-	organizationRole,
-	({ one }) => ({
-		organization: one(organization, {
-			fields: [organizationRole.organizationId],
-			references: [organization.id],
-		}),
-	}),
+  organizationRole,
+  ({ one }) => ({
+    organization: one(organization, {
+      fields: [organizationRole.organizationId],
+      references: [organization.id],
+    }),
+  }),
 );
 
 export const memberRelations = relations(member, ({ one }) => ({
-	organization: one(organization, {
-		fields: [member.organizationId],
-		references: [organization.id],
-	}),
-	user: one(user, {
-		fields: [member.userId],
-		references: [user.id],
-	}),
+  organization: one(organization, {
+    fields: [member.organizationId],
+    references: [organization.id],
+  }),
+  user: one(user, {
+    fields: [member.userId],
+    references: [user.id],
+  }),
 }));
 
 export const invitationRelations = relations(invitation, ({ one }) => ({
-	organization: one(organization, {
-		fields: [invitation.organizationId],
-		references: [organization.id],
-	}),
-	user: one(user, {
-		fields: [invitation.inviterId],
-		references: [user.id],
-	}),
+  organization: one(organization, {
+    fields: [invitation.organizationId],
+    references: [organization.id],
+  }),
+  user: one(user, {
+    fields: [invitation.inviterId],
+    references: [user.id],
+  }),
 }));

packages/server/package.json

@@ -37,9 +37,10 @@
     "@ai-sdk/mistral": "^3.0.20",
     "@ai-sdk/openai": "^3.0.29",
     "@ai-sdk/openai-compatible": "^2.0.30",
-    "@better-auth/api-key": "1.5.4",
-    "@better-auth/sso": "1.5.4",
-    "@better-auth/utils": "0.3.1",
+    "@better-auth/api-key": "1.6.5",
+    "@better-auth/scim": "^1.6.5",
+    "@better-auth/sso": "1.6.5",
+    "@better-auth/utils": "0.4.0",
     "@faker-js/faker": "^8.4.1",
     "@octokit/auth-app": "^6.1.3",
     "@octokit/rest": "^20.1.2",
@@ -51,15 +52,14 @@
     "ai": "^6.0.86",
     "ai-sdk-ollama": "^3.7.0",
     "bcrypt": "5.1.1",
-    "better-auth": "1.5.4",
-    "better-call": "2.0.2",
+    "better-auth": "1.6.5",
     "bl": "6.0.11",
     "boxen": "^7.1.1",
     "date-fns": "3.6.0",
     "dockerode": "4.0.2",
     "dotenv": "16.4.5",
     "drizzle-dbml-generator": "0.10.0",
-    "drizzle-orm": "0.45.1",
+    "drizzle-orm": "0.45.2",
     "drizzle-zod": "0.5.1",
     "lodash": "4.17.21",
     "micromatch": "4.0.8",

packages/server/src/db/schema/account.ts

@@ -214,6 +214,7 @@ export const twoFactor = pgTable("two_factor", {
 	userId: text("user_id")
 		.notNull()
 		.references(() => user.id, { onDelete: "cascade" }),
+	verified: boolean("verified").notNull().default(true),
 });
 
 export const apikey = pgTable("apikey", {

packages/server/src/db/schema/index.ts

@@ -30,6 +30,7 @@ export * from "./redis";
 export * from "./registry";
 export * from "./rollbacks";
 export * from "./schedule";
+export * from "./scim";
 export * from "./security";
 export * from "./server";
 export * from "./session";

packages/server/src/db/schema/scim.ts

@@ -0,0 +1,22 @@
+import { relations } from "drizzle-orm";
+import { pgTable, text } from "drizzle-orm/pg-core";
+import { nanoid } from "nanoid";
+import { organization } from "./account";
+
+export const scimProvider = pgTable("scim_provider", {
+	id: text("id")
+		.primaryKey()
+		.$defaultFn(() => nanoid()),
+	providerId: text("provider_id").notNull().unique(),
+	scimToken: text("scim_token").notNull().unique(),
+	organizationId: text("organization_id").references(() => organization.id, {
+		onDelete: "cascade",
+	}),
+});
+
+export const scimProviderRelations = relations(scimProvider, ({ one }) => ({
+	organization: one(organization, {
+		fields: [scimProvider.organizationId],
+		references: [organization.id],
+	}),
+}));

packages/server/src/lib/auth-cli.ts

@@ -0,0 +1,52 @@
+import { apiKey } from "@better-auth/api-key";
+import { scim } from "@better-auth/scim";
+import { sso } from "@better-auth/sso";
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
+import { admin, organization, twoFactor } from "better-auth/plugins";
+import { db } from "../db";
+import * as schema from "../db/schema";
+import { ac, adminRole, memberRole, ownerRole } from "./access-control";
+
+/**
+ * Minimal better-auth config used only by `@better-auth/cli` to generate /
+ * inspect database schemas. Must mirror the plugin set in `auth.ts` so the CLI
+ * sees every table each plugin expects.
+ *
+ * Do NOT import this file from the runtime — use `auth.ts` for that.
+ */
+export const auth = betterAuth({
+	database: drizzleAdapter(db, {
+		provider: "pg",
+		schema,
+	}),
+	user: {
+		modelName: "user",
+		fields: {
+			name: "firstName",
+		},
+		additionalFields: {
+			role: { type: "string", input: false },
+			ownerId: { type: "string", input: false },
+			allowImpersonation: { type: "boolean", defaultValue: false },
+			lastName: { type: "string", required: false, defaultValue: "" },
+			enableEnterpriseFeatures: { type: "boolean", required: false },
+			isValidEnterpriseLicense: { type: "boolean", required: false },
+		},
+	},
+	plugins: [
+		apiKey({ enableMetadata: true, references: "user" }),
+		sso(),
+		twoFactor(),
+		organization({
+			ac,
+			roles: { owner: ownerRole, admin: adminRole, member: memberRole },
+			dynamicAccessControl: {
+				enabled: true,
+				maximumRolesPerOrganization: 10,
+			},
+		}),
+		scim(),
+		admin(),
+	],
+});

packages/server/src/lib/auth.ts

@@ -1,5 +1,6 @@
 import type { IncomingMessage } from "node:http";
 import { apiKey } from "@better-auth/api-key";
+import { scim } from "@better-auth/scim";
 import { sso } from "@better-auth/sso";
 import * as bcrypt from "bcrypt";
 import { betterAuth } from "better-auth";
@@ -178,7 +179,8 @@ const { handler, api } = betterAuth({
 							}
 						} else {
 							const isSSORequest = context?.path.includes("/sso");
-							if (isSSORequest) {
+							const isSCIMRequest = context?.path.includes("/scim");
+							if (isSSORequest || isSCIMRequest) {
 								return;
 							}
 							const isAdminPresent = await db.query.member.findFirst({
@@ -194,6 +196,7 @@ const { handler, api } = betterAuth({
 				},
 				after: async (user, context) => {
 					const isSSORequest = context?.path.includes("/sso");
+					const isSCIMRequest = context?.path.includes("/scim");
 					const isAdminPresent = await db.query.member.findFirst({
 						where: eq(schema.member.role, "owner"),
 					});
@@ -229,6 +232,10 @@ const { handler, api } = betterAuth({
 						}
 					}
 
+					if (isSCIMRequest) {
+						return;
+					}
+
 					if (IS_CLOUD || !isAdminPresent) {
 						await db.transaction(async (tx) => {
 							const organization = await tx
@@ -396,7 +403,24 @@ const { handler, api } = betterAuth({
 			enableMetadata: true,
 			references: "user",
 		}),
-		sso(),
+		sso({
+			saml: {
+				enableInResponseToValidation: false,
+			},
+		}),
+		scim({
+			beforeSCIMTokenGenerated: async ({ user }) => {
+				const dbUser = await db.query.user.findFirst({
+					where: eq(schema.user.id, user.id),
+					columns: { enableEnterpriseFeatures: true },
+				});
+				if (!dbUser?.enableEnterpriseFeatures) {
+					throw new APIError("FORBIDDEN", {
+						message: "SCIM provisioning requires an enterprise license",
+					});
+				}
+			},
+		}),
 		twoFactor(),
 		organization({
 			ac,
@@ -442,6 +466,9 @@ const _auth = {
 	createApiKey: api.createApiKey,
 	registerSSOProvider: api.registerSSOProvider,
 	updateSSOProvider: api.updateSSOProvider,
+	generateSCIMToken: api.generateSCIMToken,
+	listSCIMProviderConnections: api.listSCIMProviderConnections,
+	deleteSCIMProviderConnection: api.deleteSCIMProviderConnection,
 };
 
 export type AuthType = typeof _auth;