diff --git a/.github/workflows/alteration-compatibility-integration-test.yml b/.github/workflows/alteration-compatibility-integration-test.yml
index 96cd0493c9c..f73c141d369 100644
--- a/.github/workflows/alteration-compatibility-integration-test.yml
+++ b/.github/workflows/alteration-compatibility-integration-test.yml
@@ -51,7 +51,7 @@ jobs:
     env:
       INTEGRATION_TEST: true
     steps:
-      - uses: logto-io/actions-package-logto-artifact@v1.1.0
+      - uses: logto-io/actions-package-logto-artifact@v2
         with:
           artifact-name: alteration-integration-test-${{ github.sha }}
           branch: ${{github.base_ref}}
@@ -68,7 +68,7 @@ jobs:
       DB_URL: postgres://postgres:postgres@localhost:5432/postgres
 
     steps:
-      - uses: logto-io/actions-run-logto-integration-tests@v1.1.0
+      - uses: logto-io/actions-run-logto-integration-tests@v2
         with:
           branch: ${{github.base_ref}}
           logto_artifact: alteration-integration-test-${{ github.sha }}
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index ecc733d7904..0ee63394e9e 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -24,7 +24,8 @@ jobs:
         uses: silverhand-io/actions-node-pnpm-run-steps@v4
 
       - name: Commitlint
-        run: npx commitlint --from HEAD~${{ github.event.pull_request.commits }} --to HEAD
+        # Credit to https://stackoverflow.com/a/67365254/12514940
+        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
 
       - name: Commitlint on PR title
         run: echo '${{ github.event.pull_request.title }}' | npx commitlint
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 65b2bdfe414..6fcd3f321cd 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -18,7 +18,7 @@ jobs:
       INTEGRATION_TEST: true
 
     steps:
-      - uses: logto-io/actions-package-logto-artifact@v1.1.0
+      - uses: logto-io/actions-package-logto-artifact@v2
         with:
           artifact-name: integration-test-${{ github.sha }}
 
@@ -34,7 +34,7 @@ jobs:
       DB_URL: postgres://postgres:postgres@localhost:5432/postgres
 
     steps:
-      - uses: logto-io/actions-run-logto-integration-tests@v1.1.0
+      - uses: logto-io/actions-run-logto-integration-tests@v2
         with:
           logto_artifact: integration-test-${{ github.sha }}
           test_target: ${{ matrix.target }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 85383075915..b4f6eb2b88b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -118,7 +118,7 @@ jobs:
         run: ./.scripts/package.sh
 
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.BOT_PAT }}
           body: ""
diff --git a/.gitignore b/.gitignore
index 0c3f3abc97e..a95d6581e74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,6 @@ dump.rdb
 
 # connectors
 /packages/core/connectors
+
+# console auto generated files
+/packages/console/src/consts/jwt-customizer-type-definition.ts
diff --git a/.gitpod.yml b/.gitpod.yml
index 0974dbdc813..31dcc8e32d6 100644
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -12,7 +12,7 @@ tasks:
       cd packages/core
       pnpm build
       cd -
-      pnpm connectors:build
+      pnpm connectors build
       pnpm cli connector link
     command: |
       gp ports await 5432
diff --git a/README.md b/README.md
index ae1e1281029..98fe9a272bd 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,6 @@ Logto uses the [default browserslist config](https://github.com/browserslist/bro
 - About other bug reports, feature requests, and feedback, you can:
   - Directly 🙋 [open an issue](https://github.com/logto-io/logto/issues/new) on GitHub;
   - 💬 [join our Discord server](https://discord.gg/vRvwuwgpVX) to have a live chat;
-  - Engage in our 📍 [public roadmap](https://github.com/logto-io/logto/issues/1937).
 
 ## Licensing
 
diff --git a/commitlint.config.cjs b/commitlint.config.ts
similarity index 65%
rename from commitlint.config.cjs
rename to commitlint.config.ts
index a46859ab2f3..5f44c75e5e8 100644
--- a/commitlint.config.cjs
+++ b/commitlint.config.ts
@@ -1,15 +1,17 @@
-const { rules } = require('@commitlint/config-conventional');
+import conventional from '@commitlint/config-conventional';
+import { UserConfig } from '@commitlint/types';
 
 const isCi = process.env.CI === 'true';
 
-/** @type {import('@commitlint/types').UserConfig} **/
-module.exports = {
+const config: UserConfig = {
   extends: ['@commitlint/config-conventional'],
   rules: {
-    'type-enum': [2, 'always', [...rules['type-enum'][2], 'api', 'release']],
+    'type-enum': [2, 'always', [...conventional.rules['type-enum'][2], 'api', 'release']],
     'scope-enum': [2, 'always', ['connector', 'console', 'core', 'demo-app', 'test', 'phrases', 'schemas', 'shared', 'experience', 'deps', 'deps-dev', 'cli', 'toolkit', 'cloud', 'app-insights']],
     // Slightly increase the tolerance to allow the appending PR number
     ...(isCi && { 'header-max-length': [2, 'always', 110] }),
     'body-max-line-length': [2, 'always', 110],
   },
 };
+
+export default config;
diff --git a/package.json b/package.json
index 292c0aa6989..d64d30c2cb7 100644
--- a/package.json
+++ b/package.json
@@ -15,7 +15,7 @@
     "cli": "logto",
     "changeset": "changeset",
     "alteration": "logto db alt",
-    "connectors:build": "pnpm -r --filter \"./packages/connectors/connector-*\" build",
+    "connectors": "pnpm -r --filter \"./packages/connectors/connector-*\"",
     "//": "# `changeset version` won't run version lifecycle scripts, see https://github.com/changesets/changesets/issues/860",
     "ci:version": "changeset version && pnpm -r version",
     "ci:build": "pnpm -r build",
@@ -25,9 +25,9 @@
   },
   "devDependencies": {
     "@changesets/cli": "^2.26.2",
-    "@commitlint/cli": "^18.0.0",
-    "@commitlint/config-conventional": "^18.0.0",
-    "@commitlint/types": "^18.0.0",
+    "@commitlint/cli": "^19.0.0",
+    "@commitlint/config-conventional": "^19.0.0",
+    "@commitlint/types": "^19.0.0",
     "@types/pg": "^8.6.6",
     "husky": "^9.0.0",
     "pg": "^8.8.0",
diff --git a/packages/app-insights/jest.config.js b/packages/app-insights/jest.config.js
deleted file mode 100644
index 5656d33479a..00000000000
--- a/packages/app-insights/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/app-insights/package.json b/packages/app-insights/package.json
index 948f80f26bd..dc5229948e2 100644
--- a/packages/app-insights/package.json
+++ b/packages/app-insights/package.json
@@ -24,12 +24,12 @@
   "scripts": {
     "precommit": "lint-staged",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json",
-    "build:test": "rm -rf lib/ && tsc -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepack": "pnpm build"
   },
   "devDependencies": {
@@ -37,17 +37,16 @@
     "@silverhand/eslint-config-react": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
     "@silverhand/ts-config-react": "5.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
     "@types/react": "^18.0.31",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
     "history": "^5.3.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
     "react": "^18.0.0",
-    "tslib": "^2.4.1",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "engines": {
     "node": "^20.9.0"
diff --git a/packages/app-insights/src/normalize-error.test.ts b/packages/app-insights/src/normalize-error.test.ts
index 798d7cac663..ab60124a021 100644
--- a/packages/app-insights/src/normalize-error.test.ts
+++ b/packages/app-insights/src/normalize-error.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { normalizeError } from './normalize-error.js';
 
 describe('normalizeError()', () => {
diff --git a/packages/app-insights/tsconfig.json b/packages/app-insights/tsconfig.json
index 83eac9c0ac5..2e988e53b2f 100644
--- a/packages/app-insights/tsconfig.json
+++ b/packages/app-insights/tsconfig.json
@@ -2,7 +2,7 @@
   "extends": "@silverhand/ts-config-react/tsconfig.base",
   "compilerOptions": {
     "outDir": "lib",
-    "types": ["node", "jest"],
+    "types": ["node"],
   },
   "include": [
     "src"
diff --git a/packages/app-insights/tsconfig.test.json b/packages/app-insights/tsconfig.test.json
deleted file mode 100644
index f30817b04be..00000000000
--- a/packages/app-insights/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig.build",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true,
-  },
-  "include": ["src"]
-}
diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md
index 25981db9de4..44a57e0f0c3 100644
--- a/packages/cli/CHANGELOG.md
+++ b/packages/cli/CHANGELOG.md
@@ -1,5 +1,26 @@
 # Change Log
 
+## 1.15.0
+
+### Patch Changes
+
+- Updated dependencies [5758f84f5]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [abffb9f95]
+- Updated dependencies [746483c49]
+- Updated dependencies [2cbc591ff]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [cc01acbd0]
+- Updated dependencies [951865859]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/phrases@1.10.0
+  - @logto/connector-kit@3.0.0
+  - @logto/core-kit@2.4.0
+  - @logto/schemas@1.15.0
+  - @logto/phrases-experience@1.6.1
+  - @logto/shared@3.1.0
+
 ## 1.14.0
 
 ### Patch Changes
diff --git a/packages/cli/jest.config.js b/packages/cli/jest.config.js
deleted file mode 100644
index 5656d33479a..00000000000
--- a/packages/cli/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/cli/package.json b/packages/cli/package.json
index ea0cec92490..be66801bc57 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/cli",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "description": "Logto CLI.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
@@ -25,15 +25,14 @@
     "precommit": "lint-staged",
     "prepare:package-json": "node -p \"'export const packageJson = ' + JSON.stringify(require('./package.json'), undefined, 2) + ';'\" > src/package-json.ts",
     "build": "rm -rf lib && pnpm prepare:package-json && tsc -p tsconfig.build.json",
-    "build:test": "rm -rf lib/ && pnpm prepare:package-json && tsc -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "start": "node .",
     "start:dev": "pnpm build && node .",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepack": "pnpm build"
   },
   "engines": {
@@ -43,14 +42,15 @@
     "url": "https://github.com/logto-io/logto/issues"
   },
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/phrases-experience": "workspace:^1.6.0",
-    "@logto/schemas": "workspace:1.14.0",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/phrases-experience": "workspace:^1.6.1",
+    "@logto/schemas": "workspace:1.15.0",
     "@logto/shared": "workspace:^3.1.0",
     "@silverhand/essentials": "^2.9.0",
+    "@silverhand/slonik": "31.0.0-beta.2",
     "chalk": "^5.0.0",
     "decamelize": "^6.0.0",
     "dotenv": "^16.0.0",
@@ -65,9 +65,6 @@
     "pg-protocol": "^1.6.0",
     "roarr": "^7.11.0",
     "semver": "^7.3.8",
-    "slonik": "^30.0.0",
-    "slonik-interceptor-preset": "^1.2.10",
-    "slonik-sql-tag-raw": "^1.1.4",
     "tar": "^6.1.11",
     "typescript": "^5.3.3",
     "yargs": "^17.6.0",
@@ -76,19 +73,19 @@
   "devDependencies": {
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
-    "@withtyped/server": "^0.12.9",
     "@types/inquirer": "^9.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
     "@types/semver": "^7.3.12",
     "@types/sinon": "^17.0.0",
     "@types/tar": "^6.1.2",
     "@types/yargs": "^17.0.13",
+    "@vitest/coverage-v8": "^1.4.0",
+    "@withtyped/server": "^0.13.3",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
-    "sinon": "^17.0.0"
+    "sinon": "^17.0.0",
+    "vitest": "^1.4.0"
   },
   "eslintConfig": {
     "extends": "@silverhand",
diff --git a/packages/cli/src/commands/database/alteration/index.test.ts b/packages/cli/src/commands/database/alteration/index.test.ts
index db289c21a7a..47dbcf02a5e 100644
--- a/packages/cli/src/commands/database/alteration/index.test.ts
+++ b/packages/cli/src/commands/database/alteration/index.test.ts
@@ -1,14 +1,11 @@
-import { createMockUtils } from '@logto/shared/esm';
+import { createMockPool } from '@silverhand/slonik';
 import Sinon from 'sinon';
-import { createMockPool } from 'slonik';
+import { vi, expect, afterAll, describe, it } from 'vitest';
 
 import { chooseAlterationsByVersion } from './version.js';
 
-const { jest } = import.meta;
-const { mockEsmWithActual } = createMockUtils(jest);
-
 const pool = createMockPool({
-  query: jest.fn(),
+  query: vi.fn(),
 });
 
 const files = Object.freeze([
@@ -17,16 +14,19 @@ const files = Object.freeze([
   { filename: '1.0.0-1663923772-c.js', path: '/alterations-js/1.0.0-1663923772-c.js' },
 ]);
 
-await mockEsmWithActual('./utils.js', () => ({
+vi.mock('./utils.js', async (importOriginal) => ({
+  // eslint-disable-next-line @typescript-eslint/ban-types
+  ...(await importOriginal<object>()),
   getAlterationFiles: async () => files,
 }));
 
-const { getCurrentDatabaseAlterationTimestamp } = await mockEsmWithActual(
-  '../../../queries/system.js',
-  () => ({
-    getCurrentDatabaseAlterationTimestamp: jest.fn(),
-  })
-);
+const getCurrentDatabaseAlterationTimestamp = vi.fn();
+
+vi.doMock('../../../queries/system.js', async (importOriginal) => ({
+  // eslint-disable-next-line @typescript-eslint/ban-types
+  ...(await importOriginal<object>()),
+  getCurrentDatabaseAlterationTimestamp,
+}));
 
 const { getAvailableAlterations } = await import('./index.js');
 
diff --git a/packages/cli/src/commands/database/alteration/index.ts b/packages/cli/src/commands/database/alteration/index.ts
index 03a10324376..16b47bd533f 100644
--- a/packages/cli/src/commands/database/alteration/index.ts
+++ b/packages/cli/src/commands/database/alteration/index.ts
@@ -1,7 +1,7 @@
 import type { AlterationScript } from '@logto/schemas/lib/types/alteration.js';
 import { conditionalString } from '@silverhand/essentials';
+import type { DatabasePool } from '@silverhand/slonik';
 import chalk from 'chalk';
-import type { DatabasePool } from 'slonik';
 import type { CommandModule } from 'yargs';
 
 import { createPoolFromConfig } from '../../../database.js';
diff --git a/packages/cli/src/commands/database/ogcio/applications.ts b/packages/cli/src/commands/database/ogcio/applications.ts
index 59446af2df9..a6630977417 100644
--- a/packages/cli/src/commands/database/ogcio/applications.ts
+++ b/packages/cli/src/commands/database/ogcio/applications.ts
@@ -4,7 +4,7 @@
 /* eslint-disable @silverhand/fp/no-mutation */
 import { ApplicationType } from '@logto/schemas';
 import { generateStandardSecret } from '@logto/shared';
-import { sql, type DatabaseTransactionConnection } from 'slonik';
+import { sql, type DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { type OgcioParams } from './index.js';
 import { createItem } from './queries.js';
diff --git a/packages/cli/src/commands/database/ogcio/ogcio.ts b/packages/cli/src/commands/database/ogcio/ogcio.ts
index 11b2edbae7a..e88e2d12141 100644
--- a/packages/cli/src/commands/database/ogcio/ogcio.ts
+++ b/packages/cli/src/commands/database/ogcio/ogcio.ts
@@ -3,7 +3,7 @@
 /* eslint-disable @silverhand/fp/no-let */
 
 import { defaultTenantId } from '@logto/schemas';
-import type { CommonQueryMethods, DatabaseTransactionConnection } from 'slonik';
+import type { CommonQueryMethods, DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { seedApplications } from './applications.js';
 import { type OgcioParams } from './index.js';
diff --git a/packages/cli/src/commands/database/ogcio/organizations-rbac.ts b/packages/cli/src/commands/database/ogcio/organizations-rbac.ts
index 60829a8da04..c82c6697a2b 100644
--- a/packages/cli/src/commands/database/ogcio/organizations-rbac.ts
+++ b/packages/cli/src/commands/database/ogcio/organizations-rbac.ts
@@ -3,7 +3,7 @@
 /* eslint-disable @silverhand/fp/no-mutating-methods */
 /* eslint-disable @silverhand/fp/no-mutation */
 import { OrganizationScopes, OrganizationRoles } from '@logto/schemas';
-import { sql, type DatabaseTransactionConnection } from 'slonik';
+import { sql, type DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { createItem, createItemWithoutId } from './queries.js';
 
diff --git a/packages/cli/src/commands/database/ogcio/organizations.ts b/packages/cli/src/commands/database/ogcio/organizations.ts
index b06fea5e686..ca3a85e6951 100644
--- a/packages/cli/src/commands/database/ogcio/organizations.ts
+++ b/packages/cli/src/commands/database/ogcio/organizations.ts
@@ -1,4 +1,4 @@
-import { type DatabaseTransactionConnection, sql } from 'slonik';
+import { type DatabaseTransactionConnection, sql } from '@silverhand/slonik';
 
 import { createItem } from './queries.js';
 
diff --git a/packages/cli/src/commands/database/ogcio/queries.ts b/packages/cli/src/commands/database/ogcio/queries.ts
index 76dd668506c..6db110c4672 100644
--- a/packages/cli/src/commands/database/ogcio/queries.ts
+++ b/packages/cli/src/commands/database/ogcio/queries.ts
@@ -9,7 +9,7 @@ import {
   type QueryResult,
   sql,
   type ValueExpression,
-} from 'slonik';
+} from '@silverhand/slonik';
 
 import { insertInto } from '../../../database.js';
 import { consoleLog } from '../../../utils.js';
diff --git a/packages/cli/src/commands/database/ogcio/resources-rbac.ts b/packages/cli/src/commands/database/ogcio/resources-rbac.ts
index f9c2daf809a..05f0f4b2a0a 100644
--- a/packages/cli/src/commands/database/ogcio/resources-rbac.ts
+++ b/packages/cli/src/commands/database/ogcio/resources-rbac.ts
@@ -2,7 +2,7 @@
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 /* eslint-disable @silverhand/fp/no-mutating-methods */
 /* eslint-disable @silverhand/fp/no-mutation */
-import { sql, type DatabaseTransactionConnection } from 'slonik';
+import { sql, type DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { createItem } from './queries.js';
 
diff --git a/packages/cli/src/commands/database/ogcio/resources.ts b/packages/cli/src/commands/database/ogcio/resources.ts
index d61de195a8e..6210bfcd14d 100644
--- a/packages/cli/src/commands/database/ogcio/resources.ts
+++ b/packages/cli/src/commands/database/ogcio/resources.ts
@@ -1,6 +1,6 @@
 /* eslint-disable eslint-comments/disable-enable-pair */
 
-import { sql, type DatabaseTransactionConnection } from 'slonik';
+import { sql, type DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { createItem } from './queries.js';
 
diff --git a/packages/cli/src/commands/database/seed/cloud.ts b/packages/cli/src/commands/database/seed/cloud.ts
index a6cc6446d60..9dc8194a9a4 100644
--- a/packages/cli/src/commands/database/seed/cloud.ts
+++ b/packages/cli/src/commands/database/seed/cloud.ts
@@ -9,8 +9,8 @@ import {
 } from '@logto/schemas';
 import { GlobalValues } from '@logto/shared';
 import { appendPath } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { insertInto } from '../../../database.js';
 import { consoleLog } from '../../../utils.js';
diff --git a/packages/cli/src/commands/database/seed/index.ts b/packages/cli/src/commands/database/seed/index.ts
index 282c1708754..84042b5ae70 100644
--- a/packages/cli/src/commands/database/seed/index.ts
+++ b/packages/cli/src/commands/database/seed/index.ts
@@ -1,4 +1,4 @@
-import type { DatabasePool } from 'slonik';
+import type { DatabasePool } from '@silverhand/slonik';
 import type { CommandModule } from 'yargs';
 
 import { createPoolAndDatabaseIfNeeded } from '../../../database.js';
diff --git a/packages/cli/src/commands/database/seed/oidc-config.ts b/packages/cli/src/commands/database/seed/oidc-config.ts
index 40334222845..bc0308ef701 100644
--- a/packages/cli/src/commands/database/seed/oidc-config.ts
+++ b/packages/cli/src/commands/database/seed/oidc-config.ts
@@ -4,8 +4,8 @@ import type { LogtoOidcConfigType } from '@logto/schemas';
 import { LogtoOidcConfigKey, logtoConfigGuards } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { getEnvAsStringArray } from '@silverhand/essentials';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
 import chalk from 'chalk';
-import type { DatabaseTransactionConnection } from 'slonik';
 import { z } from 'zod';
 
 import { getRowsByKeys, updateValueByKey } from '../../../queries/logto-config.js';
diff --git a/packages/cli/src/commands/database/seed/tables.ts b/packages/cli/src/commands/database/seed/tables.ts
index 33723c08081..de4dc07f84c 100644
--- a/packages/cli/src/commands/database/seed/tables.ts
+++ b/packages/cli/src/commands/database/seed/tables.ts
@@ -28,14 +28,14 @@ import {
 } from '@logto/schemas';
 import { getTenantRole } from '@logto/schemas';
 import { Tenants } from '@logto/schemas/models';
-import { convertToIdentifiers, generateStandardId } from '@logto/shared';
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
-import { raw } from 'slonik-sql-tag-raw';
+import { generateStandardId } from '@logto/shared';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { insertInto } from '../../../database.js';
 import { getDatabaseName } from '../../../queries/database.js';
 import { updateDatabaseTimestamp } from '../../../queries/system.js';
+import { convertToIdentifiers } from '../../../sql.js';
 import { consoleLog, getPathInModule } from '../../../utils.js';
 
 import { appendAdminConsoleRedirectUris, seedTenantCloudServiceApplication } from './cloud.js';
@@ -104,7 +104,7 @@ export const createTables = async (
 
     if (query) {
       await connection.query(
-        sql`${raw(
+        sql`${sql.raw(
           /* eslint-disable no-template-curly-in-string */
           query
             .replaceAll('${name}', parameters.name ?? '')
@@ -128,7 +128,7 @@ export const createTables = async (
 
   /* eslint-disable no-await-in-loop */
   for (const [file, query] of sorted) {
-    await connection.query(sql`${raw(query)}`);
+    await connection.query(sql`${sql.raw(query)}`);
 
     if (!query.includes('/* no_after_each */')) {
       await runLifecycleQuery('after_each', { name: file.split('.')[0], database });
@@ -168,7 +168,12 @@ export const seedTables = async (
     adminTenantId,
     applicationRole.id,
     ...cloudAdditionalScopes
-      .filter(({ name }) => name === CloudScope.SendSms || name === CloudScope.SendEmail)
+      .filter(
+        ({ name }) =>
+          name === CloudScope.SendSms ||
+          name === CloudScope.SendEmail ||
+          name === CloudScope.FetchCustomJwt
+      )
       .map(({ id }) => id)
   );
 
@@ -186,11 +191,18 @@ export const seedTables = async (
     ),
     connection.query(insertInto(createAdminTenantSignInExperience(), SignInExperiences.table)),
     connection.query(insertInto(createDefaultAdminConsoleApplication(), Applications.table)),
-    updateDatabaseTimestamp(connection, latestTimestamp),
+  ]);
+
+  // The below seed data is for the Logto Cloud only. We put it here for the sack of simplicity.
+  // The data is not harmful for OSS, since they are all admin tenant data. OSS will not use them
+  // and they cannot be seen by the Console.
+  await Promise.all([
     seedTenantOrganizations(connection),
     seedManagementApiProxyApplications(connection),
   ]);
 
+  await updateDatabaseTimestamp(connection, latestTimestamp);
+
   consoleLog.succeed('Seed data');
 };
 
diff --git a/packages/cli/src/commands/database/seed/tenant-organizations.ts b/packages/cli/src/commands/database/seed/tenant-organizations.ts
index 01c99a1b967..ab6a4aaa127 100644
--- a/packages/cli/src/commands/database/seed/tenant-organizations.ts
+++ b/packages/cli/src/commands/database/seed/tenant-organizations.ts
@@ -12,7 +12,7 @@ import {
   getTenantOrganizationCreateData,
   Organizations,
 } from '@logto/schemas';
-import type { DatabaseTransactionConnection } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
 
 import { insertInto } from '../../../database.js';
 import { consoleLog } from '../../../utils.js';
diff --git a/packages/cli/src/commands/database/seed/tenant.ts b/packages/cli/src/commands/database/seed/tenant.ts
index 0a2f9ca470e..092fe3a8a40 100644
--- a/packages/cli/src/commands/database/seed/tenant.ts
+++ b/packages/cli/src/commands/database/seed/tenant.ts
@@ -17,9 +17,8 @@ import {
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { assert } from '@silverhand/essentials';
-import type { CommonQueryMethods, DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
-import { raw } from 'slonik-sql-tag-raw';
+import type { CommonQueryMethods, DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { insertInto } from '../../../database.js';
 import { getDatabaseName } from '../../../queries/database.js';
@@ -37,7 +36,7 @@ export const createTenant = async (pool: CommonQueryMethods, tenantId: string) =
   await pool.query(insertInto(createTenant, 'tenants'));
   await pool.query(sql`
     create role ${sql.identifier([role])} with inherit login
-      password '${raw(password)}'
+      password '${sql.raw(password)}'
       in role ${sql.identifier([parentRole])};
   `);
 };
diff --git a/packages/cli/src/commands/translate/openai.ts b/packages/cli/src/commands/translate/openai.ts
index 551465d459a..26e30efb20d 100644
--- a/packages/cli/src/commands/translate/openai.ts
+++ b/packages/cli/src/commands/translate/openai.ts
@@ -14,7 +14,7 @@ export const createOpenaiApi = () => {
   const proxy = getProxy();
 
   return got.extend({
-    prefixUrl: 'https://api.openai.com/v1',
+    prefixUrl: process.env.OPENAI_API_PROXY_ENDPOINT ?? 'https://api.openai.com/v1',
     headers: {
       Authorization: `Bearer ${process.env.OPENAI_API_KEY ?? ''}`,
     },
@@ -50,7 +50,8 @@ export const translate = async ({
     api
       .post('chat/completions', {
         json: {
-          model: 'gpt-3.5-turbo-1106',
+          // The full list of OPENAI model can be found at https://platform.openai.com/docs/models.
+          model: process.env.OPENAI_MODEL_NAME ?? 'gpt-3.5-turbo-0125',
           messages: getTranslationPromptMessages({
             sourceFileContent,
             targetLanguage,
diff --git a/packages/cli/src/connector/factories.ts b/packages/cli/src/connector/factories.ts
index 50281a72673..f907657edb8 100644
--- a/packages/cli/src/connector/factories.ts
+++ b/packages/cli/src/connector/factories.ts
@@ -8,8 +8,9 @@ import { loadConnector } from './loader.js';
 import type { ConnectorFactory, ConnectorPackage } from './types.js';
 import { parseMetadata, validateConnectorModule } from './utils.js';
 
-// eslint-disable-next-line @silverhand/fp/no-let, @typescript-eslint/no-explicit-any
-let cachedConnectorFactories: Array<ConnectorFactory<Router<any, BaseRoutes, string>>> | undefined;
+// eslint-disable-next-line @silverhand/fp/no-let
+let cachedConnectorFactories: // eslint-disable-next-line @typescript-eslint/no-explicit-any
+Array<ConnectorFactory<Router<any, any, BaseRoutes, string>>> | undefined;
 
 export const loadConnectorFactories = async (
   connectorPackages: ConnectorPackage[],
@@ -49,8 +50,10 @@ export const loadConnectorFactories = async (
 
   // eslint-disable-next-line @silverhand/fp/no-mutation
   cachedConnectorFactories = connectorFactories.filter(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    (connectorFactory): connectorFactory is ConnectorFactory<Router<any, BaseRoutes, string>> =>
+    (
+      connectorFactory
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    ): connectorFactory is ConnectorFactory<Router<any, any, BaseRoutes, string>> =>
       connectorFactory !== undefined
   );
 
diff --git a/packages/cli/src/connector/types.ts b/packages/cli/src/connector/types.ts
index 2c296f545c8..e6c1287dbb5 100644
--- a/packages/cli/src/connector/types.ts
+++ b/packages/cli/src/connector/types.ts
@@ -6,7 +6,7 @@ import type { BaseRoutes, Router } from '@withtyped/server';
  */
 export type ConnectorFactory<
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  T extends Router<any, BaseRoutes, string>,
+  T extends Router<any, any, BaseRoutes, string>,
   U extends AllConnector = AllConnector,
 > = Pick<U, 'type' | 'metadata' | 'configGuard'> & {
   createConnector: CreateConnector<U, T>;
diff --git a/packages/cli/src/connector/utils.ts b/packages/cli/src/connector/utils.ts
index c0f2c4ca666..7a1c612069b 100644
--- a/packages/cli/src/connector/utils.ts
+++ b/packages/cli/src/connector/utils.ts
@@ -93,7 +93,7 @@ export const parseMetadata = async (
 
 export const buildRawConnector = async <
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  T extends Router<any, BaseRoutes, string>,
+  T extends Router<any, any, BaseRoutes, string>,
   U extends AllConnector = AllConnector,
 >(
   connectorFactory: ConnectorFactory<T, U>,
diff --git a/packages/cli/src/database.ts b/packages/cli/src/database.ts
index 26ca45a733d..f639ce8231a 100644
--- a/packages/cli/src/database.ts
+++ b/packages/cli/src/database.ts
@@ -1,11 +1,16 @@
 import type { SchemaLike } from '@logto/schemas';
-import { convertToPrimitiveOrSql } from '@logto/shared';
 import { assert } from '@silverhand/essentials';
+import {
+  createPool,
+  parseDsn,
+  sql,
+  stringifyDsn,
+  createInterceptorsPreset,
+} from '@silverhand/slonik';
 import decamelize from 'decamelize';
 import { DatabaseError } from 'pg-protocol';
-import { createPool, parseDsn, sql, stringifyDsn } from 'slonik';
-import { createInterceptors } from 'slonik-interceptor-preset';
 
+import { convertToPrimitiveOrSql } from './sql.js';
 import { ConfigKey, consoleLog, getCliConfigWithPrompt } from './utils.js';
 
 export const defaultDatabaseUrl = 'postgresql://localhost:5432/logto';
@@ -22,7 +27,7 @@ export const createPoolFromConfig = async () => {
   assert(parseDsn(databaseUrl).databaseName, new Error('Database name is required in URL'));
 
   return createPool(databaseUrl, {
-    interceptors: createInterceptors(),
+    interceptors: createInterceptorsPreset(),
   });
 };
 
@@ -49,7 +54,7 @@ export const createPoolAndDatabaseIfNeeded = async () => {
     // - It will throw error when creating database using '?'
     const databaseName = dsn.databaseName ?? '?';
     const maintenancePool = await createPool(stringifyDsn({ ...dsn, databaseName: 'postgres' }), {
-      interceptors: createInterceptors(),
+      interceptors: createInterceptorsPreset(),
     });
     await maintenancePool.query(sql`
       create database ${sql.identifier([databaseName])}
diff --git a/packages/cli/src/include.d/import-meta.d.ts b/packages/cli/src/include.d/import-meta.d.ts
deleted file mode 100644
index 7a1591f98d2..00000000000
--- a/packages/cli/src/include.d/import-meta.d.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-interface ImportMeta {
-  // By TypeScript design we must use `import()`
-  // eslint-disable-next-line @typescript-eslint/consistent-type-imports
-  jest: typeof jest & import('@logto/shared/esm').WithEsmMock;
-}
diff --git a/packages/cli/src/include.d/slonik-interceptor-preset.d.ts b/packages/cli/src/include.d/slonik-interceptor-preset.d.ts
deleted file mode 100644
index 778cb40c066..00000000000
--- a/packages/cli/src/include.d/slonik-interceptor-preset.d.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-declare module 'slonik-interceptor-preset' {
-  import type { Interceptor } from 'slonik';
-
-  export const createInterceptors: (config?: {
-    benchmarkQueries: boolean;
-    logQueries: boolean;
-    normaliseQueries: boolean;
-    transformFieldNames: boolean;
-  }) => readonly Interceptor[];
-}
diff --git a/packages/cli/src/queries/database.ts b/packages/cli/src/queries/database.ts
index 5ba83752cc2..2f8f715a43c 100644
--- a/packages/cli/src/queries/database.ts
+++ b/packages/cli/src/queries/database.ts
@@ -1,5 +1,5 @@
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 export const getDatabaseName = async (pool: CommonQueryMethods, normalized = false) => {
   const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
diff --git a/packages/cli/src/queries/logto-config.ts b/packages/cli/src/queries/logto-config.ts
index a0912711b0d..1abca8fb196 100644
--- a/packages/cli/src/queries/logto-config.ts
+++ b/packages/cli/src/queries/logto-config.ts
@@ -1,11 +1,12 @@
 import type { LogtoConfig, LogtoConfigKey, logtoConfigGuards } from '@logto/schemas';
 import { LogtoConfigs } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
 import type { Nullable } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 import type { z } from 'zod';
 
+import { convertToIdentifiers } from '../sql.js';
+
 const { table, fields } = convertToIdentifiers(LogtoConfigs);
 
 export const doesConfigsTableExist = async (pool: CommonQueryMethods) => {
diff --git a/packages/cli/src/queries/system.test.ts b/packages/cli/src/queries/system.test.ts
index 8eda604e29d..15058d322fd 100644
--- a/packages/cli/src/queries/system.test.ts
+++ b/packages/cli/src/queries/system.test.ts
@@ -1,16 +1,15 @@
 import { AlterationStateKey, Systems } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 import { DatabaseError } from 'pg-protocol';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { describe, it, expect, vi, type MockedFunction, afterAll, beforeAll } from 'vitest';
 
+import { convertToIdentifiers } from '../sql.js';
 import type { QueryType } from '../test-utils.js';
 import { expectSqlAssert } from '../test-utils.js';
 
 import { updateDatabaseTimestamp, getCurrentDatabaseAlterationTimestamp } from './system.js';
 
-const { jest } = import.meta;
-
-const mockQuery: jest.MockedFunction<QueryType> = jest.fn();
+const mockQuery: MockedFunction<QueryType> = vi.fn();
 
 const pool = createMockPool({
   query: async (sql, values) => {
@@ -94,12 +93,12 @@ describe('updateDatabaseTimestamp()', () => {
   const updatedAt = '2022-09-21T06:32:46.583Z';
 
   beforeAll(() => {
-    jest.useFakeTimers();
-    jest.setSystemTime(new Date(updatedAt));
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(updatedAt));
   });
 
   afterAll(() => {
-    jest.useRealTimers();
+    vi.useRealTimers();
   });
 
   it('sends upsert sql with timestamp and updatedAt', async () => {
diff --git a/packages/cli/src/queries/system.ts b/packages/cli/src/queries/system.ts
index 9b54907eb63..e6d274bcc24 100644
--- a/packages/cli/src/queries/system.ts
+++ b/packages/cli/src/queries/system.ts
@@ -1,12 +1,13 @@
 import type { AlterationState, System, SystemKey } from '@logto/schemas';
 import { systemGuards, Systems, AlterationStateKey } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
 import type { Nullable } from '@silverhand/essentials';
+import type { CommonQueryMethods, DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 import { DatabaseError } from 'pg-protocol';
-import type { CommonQueryMethods, DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
 import type { z } from 'zod';
 
+import { convertToIdentifiers } from '../sql.js';
+
 const { fields, table } = convertToIdentifiers(Systems);
 
 const doesTableExist = async (pool: CommonQueryMethods, table: string) => {
diff --git a/packages/cli/src/sql.ts b/packages/cli/src/sql.ts
new file mode 100644
index 00000000000..a7f23157ac4
--- /dev/null
+++ b/packages/cli/src/sql.ts
@@ -0,0 +1,75 @@
+/**
+ * @fileoverview Copied from `@logto/core`. Originally we put them in `@logto/shared` but it
+ * requires `slonik` which makes the package too heavy.
+ *
+ * Since `@logto/cli` only use these functions in a stable manner, we copy them here for now. If
+ * the number of functions grows, we should consider moving them to a separate package. (Actually,
+ * we should remove the dependency on `slonik` at all, and this may not be an issue then.)
+ */
+
+import { type SchemaValue, type SchemaValuePrimitive, type Table } from '@logto/shared';
+import { type IdentifierSqlToken, type SqlToken, sql } from '@silverhand/slonik';
+
+/**
+ * Note `undefined` is removed from the acceptable list,
+ * since you should NOT call this function if ignoring the field is the desired behavior.
+ * Calling this function with `null` means an explicit `null` setting in database is expected.
+ * @param key The key of value. Will treat as `timestamp` if it ends with `_at` or 'At' AND value is a number;
+ * @param value The value to convert.
+ * @returns A primitive that can be saved into database.
+ */
+export const convertToPrimitiveOrSql = (
+  key: string,
+  value: SchemaValue
+  // eslint-disable-next-line @typescript-eslint/ban-types
+): NonNullable<SchemaValuePrimitive> | SqlToken | null => {
+  if (value === null) {
+    return null;
+  }
+
+  if (typeof value === 'object') {
+    return JSON.stringify(value);
+  }
+
+  if (
+    (['_at', 'At'].some((value) => key.endsWith(value)) || key === 'date') &&
+    typeof value === 'number'
+  ) {
+    return sql`to_timestamp(${value}::double precision / 1000)`;
+  }
+
+  if (typeof value === 'number' || typeof value === 'boolean') {
+    return value;
+  }
+
+  if (typeof value === 'string') {
+    if (value === '') {
+      return null;
+    }
+
+    return value;
+  }
+
+  throw new Error(`Cannot convert ${key} to primitive`);
+};
+
+type FieldIdentifiers<Key extends string> = {
+  [key in Key]: IdentifierSqlToken;
+};
+
+export const convertToIdentifiers = <Key extends string>(
+  { table, fields }: Table<Key>,
+  withPrefix = false
+) => {
+  const fieldsIdentifiers = Object.entries<string>(fields).map<[Key, IdentifierSqlToken]>(
+    // eslint-disable-next-line no-restricted-syntax -- Object.entries can only return string keys
+    ([key, value]) => [key as Key, sql.identifier(withPrefix ? [table, value] : [value])]
+  );
+
+  return {
+    table: sql.identifier([table]),
+    // Key value inferred from the original fields directly
+    // eslint-disable-next-line no-restricted-syntax
+    fields: Object.fromEntries(fieldsIdentifiers) as FieldIdentifiers<Key>,
+  };
+};
diff --git a/packages/cli/src/test-utils.ts b/packages/cli/src/test-utils.ts
index ce1310ed334..67dfee35f18 100644
--- a/packages/cli/src/test-utils.ts
+++ b/packages/cli/src/test-utils.ts
@@ -1,7 +1,8 @@
 // Copied from core
 
-import type { QueryResult, QueryResultRow } from 'slonik';
-import type { PrimitiveValueExpression } from 'slonik/dist/src/types.js';
+import type { QueryResult, QueryResultRow } from '@silverhand/slonik';
+import type { PrimitiveValueExpression } from '@silverhand/slonik/dist/src/types.js';
+import { expect } from 'vitest';
 
 export type QueryType = (
   sql: string,
diff --git a/packages/cli/tsconfig.json b/packages/cli/tsconfig.json
index 561ecb995f0..c4b6045bf6f 100644
--- a/packages/cli/tsconfig.json
+++ b/packages/cli/tsconfig.json
@@ -2,7 +2,7 @@
   "extends": "@silverhand/ts-config/tsconfig.base",
   "compilerOptions": {
     "outDir": "lib",
-    "types": ["node", "jest"]
+    "types": ["node"]
   },
   "include": [
     "src"
diff --git a/packages/cli/tsconfig.test.json b/packages/cli/tsconfig.test.json
deleted file mode 100644
index 55de18c33aa..00000000000
--- a/packages/cli/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true
-  },
-  "include": ["src"]
-}
diff --git a/packages/connectors/.gitignore b/packages/connectors/.gitignore
index 35dfa630e50..65245801929 100644
--- a/packages/connectors/.gitignore
+++ b/packages/connectors/.gitignore
@@ -1,8 +1,7 @@
 # generated files
-/*/types
 /*/tsconfig.*
-/*/jest.config.*
 /*/rollup.config.*
+/*/vitest.config.*
 
 # keep templates
 !/templates/**
diff --git a/packages/connectors/connector-alipay-native/CHANGELOG.md b/packages/connectors/connector-alipay-native/CHANGELOG.md
index ca6de109843..6e84bd0e814 100644
--- a/packages/connectors/connector-alipay-native/CHANGELOG.md
+++ b/packages/connectors/connector-alipay-native/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-alipay-native
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-alipay-native/package.json b/packages/connectors/connector-alipay-native/package.json
index df22a902b7c..b490e627503 100644
--- a/packages/connectors/connector-alipay-native/package.json
+++ b/packages/connectors/connector-alipay-native/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-alipay-native",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Alipay Native implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "dayjs": "^1.10.5",
     "iconv-lite": "^0.6.3"
   },
@@ -29,9 +29,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-alipay-native/src/index.test.ts b/packages/connectors/connector-alipay-native/src/index.test.ts
index 4ec5f4c426d..634a41e6b4e 100644
--- a/packages/connectors/connector-alipay-native/src/index.test.ts
+++ b/packages/connectors/connector-alipay-native/src/index.test.ts
@@ -6,13 +6,11 @@ import { alipayEndpoint } from './constant.js';
 import createConnector, { getAccessToken } from './index.js';
 import { mockedAlipayNativeConfigWithValidPrivateKey } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedAlipayNativeConfigWithValidPrivateKey);
+const getConfig = vi.fn().mockResolvedValue(mockedAlipayNativeConfigWithValidPrivateKey);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by state', async () => {
@@ -26,7 +24,7 @@ describe('getAuthorizationUri', () => {
         jti: 'dummy-jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toBe('alipay://?app_id=2021000000000000&state=dummy-state');
   });
@@ -35,7 +33,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const alipayEndpointUrl = new URL(alipayEndpoint);
@@ -72,7 +70,7 @@ describe('getAccessToken', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, '{}')
     );
   });
@@ -93,7 +91,7 @@ describe('getAccessToken', () => {
       });
     await expect(
       getAccessToken('code', mockedAlipayNativeConfigWithValidPrivateKey)
-    ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+    ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
   });
 
   it('should fail with wrong code', async () => {
@@ -110,7 +108,7 @@ describe('getAccessToken', () => {
       });
     await expect(
       getAccessToken('wrong_code', mockedAlipayNativeConfigWithValidPrivateKey)
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'Invalid code')
     );
   });
@@ -136,7 +134,7 @@ describe('getUserInfo', () => {
 
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const alipayEndpointUrl = new URL(alipayEndpoint);
@@ -156,10 +154,23 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    const { id, name, avatar } = await connector.getUserInfo({ auth_code: 'code' }, jest.fn());
+    const { id, name, avatar, rawData } = await connector.getUserInfo(
+      { auth_code: 'code' },
+      vi.fn()
+    );
     expect(id).toEqual('2088000000000000');
     expect(name).toEqual('PlayboyEric');
     expect(avatar).toEqual('https://www.alipay.com/xxx.jpg');
+    expect(rawData).toEqual({
+      alipay_user_info_share_response: {
+        code: '10000',
+        msg: 'Success',
+        user_id: '2088000000000000',
+        nick_name: 'PlayboyEric',
+        avatar: 'https://www.alipay.com/xxx.jpg',
+      },
+      sign: '<signature>',
+    });
   });
 
   it('should throw SocialAccessTokenInvalid with code 20001', async () => {
@@ -176,9 +187,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'Invalid auth token')
     );
   });
@@ -197,9 +206,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'Invalid auth code')
     );
   });
@@ -218,9 +225,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'Invalid parameter',
         code: '40002',
@@ -245,14 +250,14 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.InvalidResponse));
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
+      new ConnectorError(ConnectorErrorCodes.InvalidResponse)
+    );
   });
 
   it('should throw with other request errors', async () => {
     nock(alipayEndpointUrl.origin).post(alipayEndpointUrl.pathname).query(true).reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toThrow();
   });
 });
diff --git a/packages/connectors/connector-alipay-native/src/index.ts b/packages/connectors/connector-alipay-native/src/index.ts
index fa412d68fab..dc7d216ebbd 100644
--- a/packages/connectors/connector-alipay-native/src/index.ts
+++ b/packages/connectors/connector-alipay-native/src/index.ts
@@ -131,8 +131,8 @@ const getUserInfo =
       searchParams: signedSearchParameters,
       timeout: { request: defaultTimeout },
     });
-
-    const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+    const rawData = parseJson(httpResponse.body);
+    const result = userInfoResponseGuard.safeParse(rawData);
 
     if (!result.success) {
       throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -148,7 +148,7 @@ const getUserInfo =
       throw new ConnectorError(ConnectorErrorCodes.InvalidResponse);
     }
 
-    return { id, avatar, name };
+    return { id, avatar, name, rawData };
   };
 
 const errorHandler: ErrorHandler = ({ code, msg, sub_code, sub_msg }) => {
diff --git a/packages/connectors/connector-alipay-native/src/utils.test.ts b/packages/connectors/connector-alipay-native/src/utils.test.ts
index 727f1d52cd0..053a18b8216 100644
--- a/packages/connectors/connector-alipay-native/src/utils.test.ts
+++ b/packages/connectors/connector-alipay-native/src/utils.test.ts
@@ -5,14 +5,12 @@ import {
 } from './mock.js';
 import { signingParameters } from './utils.js';
 
-const { jest } = import.meta;
-
-const listenJSONParse = jest.spyOn(JSON, 'parse');
-const listenJSONStringify = jest.spyOn(JSON, 'stringify');
+const listenJSONParse = vi.spyOn(JSON, 'parse');
+const listenJSONStringify = vi.spyOn(JSON, 'stringify');
 
 describe('signingParameters', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const testingParameters = {
diff --git a/packages/connectors/connector-alipay-web/CHANGELOG.md b/packages/connectors/connector-alipay-web/CHANGELOG.md
index af8302d3896..d2682545a91 100644
--- a/packages/connectors/connector-alipay-web/CHANGELOG.md
+++ b/packages/connectors/connector-alipay-web/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-alipay-web
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-alipay-web/package.json b/packages/connectors/connector-alipay-web/package.json
index b23babe622f..2dcc0397c42 100644
--- a/packages/connectors/connector-alipay-web/package.json
+++ b/packages/connectors/connector-alipay-web/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@logto/connector-alipay-web",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Alipay implementation.",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "dayjs": "^1.10.5",
     "iconv-lite": "^0.6.3"
   },
@@ -28,9 +28,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-alipay-web/src/index.test.ts b/packages/connectors/connector-alipay-web/src/index.test.ts
index 2e0ad24fa52..caef90e611a 100644
--- a/packages/connectors/connector-alipay-web/src/index.test.ts
+++ b/packages/connectors/connector-alipay-web/src/index.test.ts
@@ -6,13 +6,11 @@ import { alipayEndpoint, authorizationEndpoint } from './constant.js';
 import createConnector, { getAccessToken } from './index.js';
 import { mockedAlipayConfigWithValidPrivateKey } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedAlipayConfigWithValidPrivateKey);
+const getConfig = vi.fn().mockResolvedValue(mockedAlipayConfigWithValidPrivateKey);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
@@ -26,7 +24,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toEqual(
       `${authorizationEndpoint}?app_id=2021000000000000&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&scope=auth_user&state=some_state`
@@ -37,7 +35,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const alipayEndpointUrl = new URL(alipayEndpoint);
@@ -78,7 +76,7 @@ describe('getAccessToken', () => {
 
     await expect(
       getAccessToken('code', mockedAlipayConfigWithValidPrivateKey)
-    ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+    ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
   });
 
   it('should fail with wrong code', async () => {
@@ -96,7 +94,7 @@ describe('getAccessToken', () => {
 
     await expect(
       getAccessToken('wrong_code', mockedAlipayConfigWithValidPrivateKey)
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'Invalid code')
     );
   });
@@ -105,7 +103,7 @@ describe('getAccessToken', () => {
 describe('getUserInfo', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   beforeEach(() => {
@@ -142,15 +140,28 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    const { id, name, avatar } = await connector.getUserInfo({ auth_code: 'code' }, jest.fn());
+    const { id, name, avatar, rawData } = await connector.getUserInfo(
+      { auth_code: 'code' },
+      vi.fn()
+    );
     expect(id).toEqual('2088000000000000');
     expect(name).toEqual('PlayboyEric');
     expect(avatar).toEqual('https://www.alipay.com/xxx.jpg');
+    expect(rawData).toEqual({
+      alipay_user_info_share_response: {
+        code: '10000',
+        msg: 'Success',
+        user_id: '2088000000000000',
+        nick_name: 'PlayboyEric',
+        avatar: 'https://www.alipay.com/xxx.jpg',
+      },
+      sign: '<signature>',
+    });
   });
 
   it('throw General error if auth_code not provided in input', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.InvalidResponse, '{}')
     );
   });
@@ -169,9 +180,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'Invalid auth token')
     );
   });
@@ -190,9 +199,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'Invalid auth code')
     );
   });
@@ -211,9 +218,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(
-      connector.getUserInfo({ auth_code: 'wrong_code' }, jest.fn())
-    ).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'wrong_code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'Invalid parameter',
         code: '40002',
@@ -238,7 +243,7 @@ describe('getUserInfo', () => {
         sign: '<signature>',
       });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ auth_code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ auth_code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.InvalidResponse)
     );
   });
@@ -246,6 +251,6 @@ describe('getUserInfo', () => {
   it('should throw with other request errors', async () => {
     nock(alipayEndpointUrl.origin).post(alipayEndpointUrl.pathname).query(true).reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ auth_code: 'code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ auth_code: 'code' }, vi.fn())).rejects.toThrow();
   });
 });
diff --git a/packages/connectors/connector-alipay-web/src/index.ts b/packages/connectors/connector-alipay-web/src/index.ts
index 0329e5a4e55..c3f592e444b 100644
--- a/packages/connectors/connector-alipay-web/src/index.ts
+++ b/packages/connectors/connector-alipay-web/src/index.ts
@@ -130,10 +130,8 @@ const getUserInfo =
       searchParams: signedSearchParameters,
       timeout: { request: defaultTimeout },
     });
-
-    const { body: rawBody } = httpResponse;
-
-    const result = userInfoResponseGuard.safeParse(parseJson(rawBody));
+    const rawData = parseJson(httpResponse.body);
+    const result = userInfoResponseGuard.safeParse(rawData);
 
     if (!result.success) {
       throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -149,7 +147,7 @@ const getUserInfo =
       throw new ConnectorError(ConnectorErrorCodes.InvalidResponse);
     }
 
-    return { id, avatar, name };
+    return { id, avatar, name, rawData };
   };
 
 const errorHandler: ErrorHandler = ({ code, msg, sub_code, sub_msg }) => {
diff --git a/packages/connectors/connector-alipay-web/src/utils.test.ts b/packages/connectors/connector-alipay-web/src/utils.test.ts
index 1b4a3338ca1..a285af53fb9 100644
--- a/packages/connectors/connector-alipay-web/src/utils.test.ts
+++ b/packages/connectors/connector-alipay-web/src/utils.test.ts
@@ -2,14 +2,12 @@ import { methodForAccessToken } from './constant.js';
 import { mockedAlipayConfigWithValidPrivateKey, mockedAlipayPublicParameters } from './mock.js';
 import { signingParameters } from './utils.js';
 
-const { jest } = import.meta;
-
-const listenJSONParse = jest.spyOn(JSON, 'parse');
-const listenJSONStringify = jest.spyOn(JSON, 'stringify');
+const listenJSONParse = vi.spyOn(JSON, 'parse');
+const listenJSONStringify = vi.spyOn(JSON, 'stringify');
 
 describe('signingParameters', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const testingParameters = {
diff --git a/packages/connectors/connector-aliyun-dm/CHANGELOG.md b/packages/connectors/connector-aliyun-dm/CHANGELOG.md
index c2e3311bcd8..425189c294e 100644
--- a/packages/connectors/connector-aliyun-dm/CHANGELOG.md
+++ b/packages/connectors/connector-aliyun-dm/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-aliyun-dm
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-aliyun-dm/package.json b/packages/connectors/connector-aliyun-dm/package.json
index 1e8af3bbb8d..1871c95491c 100644
--- a/packages/connectors/connector-aliyun-dm/package.json
+++ b/packages/connectors/connector-aliyun-dm/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@logto/connector-aliyun-dm",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Aliyun DM connector implementation.",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -23,9 +23,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-aliyun-dm/src/index.test.ts b/packages/connectors/connector-aliyun-dm/src/index.test.ts
index 9c8d0ea1a9f..89c6495f5ae 100644
--- a/packages/connectors/connector-aliyun-dm/src/index.test.ts
+++ b/packages/connectors/connector-aliyun-dm/src/index.test.ts
@@ -2,16 +2,14 @@ import { TemplateType } from '@logto/connector-kit';
 
 import { mockedConfigWithAllRequiredTemplates } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConfigWithAllRequiredTemplates);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConfigWithAllRequiredTemplates);
-
-const singleSendMail = jest.fn(() => ({
+const singleSendMail = vi.fn(() => ({
   body: JSON.stringify({ EnvId: 'env-id', RequestId: 'request-id' }),
   statusCode: 200,
 }));
 
-jest.unstable_mockModule('./single-send-mail.js', () => ({
+vi.mock('./single-send-mail.js', () => ({
   singleSendMail,
 }));
 
@@ -19,7 +17,7 @@ const { default: createConnector } = await import('./index.js');
 
 describe('sendMessage()', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should call singleSendMail() with correct template and content', async () => {
diff --git a/packages/connectors/connector-aliyun-dm/src/single-send-mail.test.ts b/packages/connectors/connector-aliyun-dm/src/single-send-mail.test.ts
index 4804ad8e78a..1162b5d3210 100644
--- a/packages/connectors/connector-aliyun-dm/src/single-send-mail.test.ts
+++ b/packages/connectors/connector-aliyun-dm/src/single-send-mail.test.ts
@@ -1,8 +1,6 @@
-const { jest } = import.meta;
+const request = vi.fn();
 
-const request = jest.fn();
-
-jest.unstable_mockModule('./utils.js', () => ({
+vi.mock('./utils.js', () => ({
   request,
 }));
 
diff --git a/packages/connectors/connector-aliyun-dm/src/utils.test.ts b/packages/connectors/connector-aliyun-dm/src/utils.test.ts
index 87d18dfad40..24da02e7a88 100644
--- a/packages/connectors/connector-aliyun-dm/src/utils.test.ts
+++ b/packages/connectors/connector-aliyun-dm/src/utils.test.ts
@@ -1,10 +1,8 @@
 import { mockedParameters } from './mock.js';
 
-const { jest } = import.meta;
+const post = vi.fn();
 
-const post = jest.fn();
-
-jest.unstable_mockModule('got', () => ({
+vi.mock('got', () => ({
   got: { post },
 }));
 
diff --git a/packages/connectors/connector-aliyun-sms/CHANGELOG.md b/packages/connectors/connector-aliyun-sms/CHANGELOG.md
index b2ab91a5a5c..952eb8f9155 100644
--- a/packages/connectors/connector-aliyun-sms/CHANGELOG.md
+++ b/packages/connectors/connector-aliyun-sms/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-aliyun-sms
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-aliyun-sms/package.json b/packages/connectors/connector-aliyun-sms/package.json
index 82f36fc3ea7..5bd96d213fa 100644
--- a/packages/connectors/connector-aliyun-sms/package.json
+++ b/packages/connectors/connector-aliyun-sms/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@logto/connector-aliyun-sms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Aliyun SMS connector implementation.",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -23,9 +23,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-aliyun-sms/src/index.test.ts b/packages/connectors/connector-aliyun-sms/src/index.test.ts
index 10dba3ed0d8..bfbacf15b66 100644
--- a/packages/connectors/connector-aliyun-sms/src/index.test.ts
+++ b/packages/connectors/connector-aliyun-sms/src/index.test.ts
@@ -2,16 +2,14 @@ import { TemplateType } from '@logto/connector-kit';
 
 import { mockedConnectorConfig, phoneTest, codeTest } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConnectorConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConnectorConfig);
-
-const sendSms = jest.fn().mockResolvedValue({
+const sendSms = vi.fn().mockResolvedValue({
   body: JSON.stringify({ Code: 'OK', RequestId: 'request-id', Message: 'OK' }),
   statusCode: 200,
 });
 
-jest.unstable_mockModule('./single-send-text.js', () => ({
+vi.mock('./single-send-text.js', () => ({
   sendSms,
 }));
 
@@ -19,7 +17,7 @@ const { default: createConnector } = await import('./index.js');
 
 describe('sendMessage()', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should call singleSendMail() and replace code in content', async () => {
diff --git a/packages/connectors/connector-aliyun-sms/src/single-send-text.test.ts b/packages/connectors/connector-aliyun-sms/src/single-send-text.test.ts
index 64d269e98a8..ec7da921964 100644
--- a/packages/connectors/connector-aliyun-sms/src/single-send-text.test.ts
+++ b/packages/connectors/connector-aliyun-sms/src/single-send-text.test.ts
@@ -1,10 +1,8 @@
 import { mockedRandomCode } from './mock.js';
 
-const { jest } = import.meta;
+const request = vi.fn();
 
-const request = jest.fn();
-
-jest.unstable_mockModule('./utils.js', () => ({ request }));
+vi.mock('./utils.js', () => ({ request }));
 
 const { sendSms } = await import('./single-send-text.js');
 
diff --git a/packages/connectors/connector-aliyun-sms/src/utils.test.ts b/packages/connectors/connector-aliyun-sms/src/utils.test.ts
index 87d18dfad40..24da02e7a88 100644
--- a/packages/connectors/connector-aliyun-sms/src/utils.test.ts
+++ b/packages/connectors/connector-aliyun-sms/src/utils.test.ts
@@ -1,10 +1,8 @@
 import { mockedParameters } from './mock.js';
 
-const { jest } = import.meta;
+const post = vi.fn();
 
-const post = jest.fn();
-
-jest.unstable_mockModule('got', () => ({
+vi.mock('got', () => ({
   got: { post },
 }));
 
diff --git a/packages/connectors/connector-apple/CHANGELOG.md b/packages/connectors/connector-apple/CHANGELOG.md
index 5a016939923..56904be0ab1 100644
--- a/packages/connectors/connector-apple/CHANGELOG.md
+++ b/packages/connectors/connector-apple/CHANGELOG.md
@@ -1,5 +1,20 @@
 # @logto/connector-apple
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+  - @logto/shared@3.1.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-apple/package.json b/packages/connectors/connector-apple/package.json
index 084b811a137..cb9ae15e3a0 100644
--- a/packages/connectors/connector-apple/package.json
+++ b/packages/connectors/connector-apple/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@logto/connector-apple",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Apple web connector implementation.",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@logto/shared": "workspace:^3.1.0",
     "jose": "^5.0.0"
   },
@@ -25,9 +25,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-apple/src/index.test.ts b/packages/connectors/connector-apple/src/index.test.ts
index fdf8c77716b..7671330055d 100644
--- a/packages/connectors/connector-apple/src/index.test.ts
+++ b/packages/connectors/connector-apple/src/index.test.ts
@@ -2,15 +2,13 @@ import { ConnectorError, ConnectorErrorCodes } from '@logto/connector-kit';
 
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const jwtVerify = vi.fn();
 
-const jwtVerify = jest.fn();
-
-jest.unstable_mockModule('jose', () => ({
+vi.mock('jose', () => ({
   jwtVerify,
-  createRemoteJWKSet: jest.fn(),
+  createRemoteJWKSet: vi.fn(),
 }));
 
 const { authorizationEndpoint } = await import('./constant.js');
@@ -18,12 +16,12 @@ const { default: createConnector } = await import('./index.js');
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
     const connector = await createConnector({ getConfig });
-    const setSession = jest.fn();
+    const setSession = vi.fn();
     const authorizationUri = await connector.getAuthorizationUri(
       {
         state: 'some_state',
@@ -50,7 +48,7 @@ describe('getAuthorizationUri', () => {
 
 describe('getUserInfo', () => {
   afterAll(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get user info from id token payload', async () => {
@@ -59,8 +57,12 @@ describe('getUserInfo', () => {
       payload: { sub: userId, email: 'foo@bar.com', email_verified: true },
     }));
     const connector = await createConnector({ getConfig });
-    const userInfo = await connector.getUserInfo({ id_token: 'idToken' }, jest.fn());
-    expect(userInfo).toEqual({ id: userId, email: 'foo@bar.com' });
+    const userInfo = await connector.getUserInfo({ id_token: 'idToken' }, vi.fn());
+    expect(userInfo).toEqual({
+      id: userId,
+      email: 'foo@bar.com',
+      rawData: { id_token: 'idToken' },
+    });
   });
 
   it('should ignore unverified email', async () => {
@@ -68,8 +70,8 @@ describe('getUserInfo', () => {
       payload: { sub: 'userId', email: 'foo@bar.com' },
     }));
     const connector = await createConnector({ getConfig });
-    const userInfo = await connector.getUserInfo({ id_token: 'idToken' }, jest.fn());
-    expect(userInfo).toEqual({ id: 'userId' });
+    const userInfo = await connector.getUserInfo({ id_token: 'idToken' }, vi.fn());
+    expect(userInfo).toEqual({ id: 'userId', rawData: { id_token: 'idToken' } });
   });
 
   it('should get user info from the `user` field', async () => {
@@ -86,15 +88,26 @@ describe('getUserInfo', () => {
           name: { firstName: 'foo', lastName: 'bar' },
         }),
       },
-      jest.fn()
+      vi.fn()
     );
     // Should use info from `user` field first
-    expect(userInfo).toEqual({ id: userId, email: 'foo2@bar.com', name: 'foo bar' });
+    expect(userInfo).toEqual({
+      id: userId,
+      email: 'foo2@bar.com',
+      name: 'foo bar',
+      rawData: {
+        id_token: 'idToken',
+        user: JSON.stringify({
+          email: 'foo2@bar.com',
+          name: { firstName: 'foo', lastName: 'bar' },
+        }),
+      },
+    });
   });
 
   it('should throw if id token is missing', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, '{}')
     );
   });
@@ -104,7 +117,7 @@ describe('getUserInfo', () => {
       throw new Error('jwtVerify failed');
     });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ id_token: 'id_token' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ id_token: 'id_token' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialIdTokenInvalid)
     );
   });
@@ -114,7 +127,7 @@ describe('getUserInfo', () => {
       payload: { iat: 123_456 },
     }));
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ id_token: 'id_token' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ id_token: 'id_token' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialIdTokenInvalid)
     );
   });
diff --git a/packages/connectors/connector-apple/src/index.ts b/packages/connectors/connector-apple/src/index.ts
index fa699aab4e3..bbd23d2d699 100644
--- a/packages/connectors/connector-apple/src/index.ts
+++ b/packages/connectors/connector-apple/src/index.ts
@@ -12,6 +12,7 @@ import {
   ConnectorErrorCodes,
   validateConfig,
   ConnectorType,
+  jsonGuard,
 } from '@logto/connector-kit';
 import { generateStandardId } from '@logto/shared/universal';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
@@ -112,6 +113,7 @@ const getUserInfo =
           user?.email ??
           (payload.email && payload.email_verified === true ? String(payload.email) : undefined),
         name: [user?.name?.firstName, user?.name?.lastName].filter(Boolean).join(' ') || undefined,
+        rawData: jsonGuard.parse(data),
       };
     } catch {
       throw new ConnectorError(ConnectorErrorCodes.SocialIdTokenInvalid);
diff --git a/packages/connectors/connector-aws-ses/CHANGELOG.md b/packages/connectors/connector-aws-ses/CHANGELOG.md
index dd6073d1c8b..eb0337e4ede 100644
--- a/packages/connectors/connector-aws-ses/CHANGELOG.md
+++ b/packages/connectors/connector-aws-ses/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-aws-ses
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-aws-ses/package.json b/packages/connectors/connector-aws-ses/package.json
index 558304d7b96..bfc993a75d5 100644
--- a/packages/connectors/connector-aws-ses/package.json
+++ b/packages/connectors/connector-aws-ses/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-aws-ses",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Logto Connector for Amazon SES",
   "author": "Jeff <admin@breadth.app>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@aws-sdk/client-sesv2": "^3.224.0",
     "@aws-sdk/types": "^3.226.0"
   },
@@ -26,9 +26,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-aws-ses/src/index.test.ts b/packages/connectors/connector-aws-ses/src/index.test.ts
index f95720a70fc..408b6de163d 100644
--- a/packages/connectors/connector-aws-ses/src/index.test.ts
+++ b/packages/connectors/connector-aws-ses/src/index.test.ts
@@ -4,11 +4,9 @@ import { TemplateType } from '@logto/connector-kit';
 import createConnector from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
-
-jest.spyOn(SESv2Client.prototype, 'send').mockResolvedValue({
+vi.spyOn(SESv2Client.prototype, 'send').mockResolvedValue({
   MessageId: 'mocked-message-id',
   $metadata: {
     httpStatusCode: 200,
@@ -17,7 +15,7 @@ jest.spyOn(SESv2Client.prototype, 'send').mockResolvedValue({
 
 describe('sendMessage()', () => {
   afterAll(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should call SendMail() with correct template and content', async () => {
diff --git a/packages/connectors/connector-azuread/CHANGELOG.md b/packages/connectors/connector-azuread/CHANGELOG.md
index 3044ce85d77..f24cfea3574 100644
--- a/packages/connectors/connector-azuread/CHANGELOG.md
+++ b/packages/connectors/connector-azuread/CHANGELOG.md
@@ -1,5 +1,24 @@
 # @logto/connector-azuread
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- 5cde35ec1: Update the Microsoft social connector integration guide.
+
+  - Reorganize the content to make it more readable.
+  - Exclusively explained the different access types and their corresponding tenant IDs in the Azure Portal.
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-azuread/README.md b/packages/connectors/connector-azuread/README.md
index 6578b956eb3..ac09b62863a 100644
--- a/packages/connectors/connector-azuread/README.md
+++ b/packages/connectors/connector-azuread/README.md
@@ -3,6 +3,7 @@
 The Microsoft Azure AD connector provides a succinct way for your application to use Azure’s OAuth 2.0 authentication system.
 
 **Table of contents**
+
 - [Microsoft Azure AD connector](#microsoft-azure-ad-connector)
   - [Set up Microsoft Azure AD in the Azure Portal](#set-up-microsoft-azure-ad-in-the-azure-portal)
   - [Fill in the configuration](#fill-in-the-configuration)
@@ -14,34 +15,42 @@ The Microsoft Azure AD connector provides a succinct way for your application to
 
 - Visit the [Azure Portal](https://portal.azure.com/#home) and sign in with your Azure account. You need to have an active subscription to access Microsoft Azure AD.
 - Click the **Azure Active Directory** from the services they offer, and click the **App Registrations** from the left menu.
-- Click **New Registration** at the top and enter a description, select your **access type** and add your **Redirect URI**, which redirect the user to the application after logging in. In our case, this will be `${your_logto_endpoint}/callback/${connector_id}`. e.g. `https://foo.logto.app/callback/${connector_id}`. (The `connector_id` can be also found on the top bar of the Logto Admin Console connector details page)
-- You need to select Web as Platform.
-  - If you select **Sign in users of a specific organization only** for access type then you need to enter **TenantID**.
-  - If you select **Sign in users with work and school accounts or personal Microsoft accounts** for access type then you need to enter **common**.
-  - If you select **Sign in users with work and school accounts** for access type then you need to enter **organizations**.
-  - If you select **Sign in users with personal Microsoft accounts (MSA) only** for access type then you need to enter **consumers**.
+- Click **New Registration** at the top, enter a description, select your **access type** and add your **Redirect URI**, which will redirect the user to the application after logging in. In our case, this will be `${your_logto_endpoint}/callback/${connector_id}`. e.g. `https://foo.logto.app/callback/${connector_id}`. (The `connector_id` can be also found on the top bar of the Logto Admin Console connector details page)
+  > You can copy the `Callback URI` in the configuration section.
+- Select Web as Platform.
 
-> You can copy the `Callback URI` in the configuration section.
+## Fill in the configuration in Logto
 
-## Fill in the configuration
+| Name          | Type   |
+| ------------- | ------ |
+| clientId      | string |
+| clientSecret  | string |
+| tenantId      | string |
+| cloudInstance | string |
 
-In details page of the newly registered app, you can find the **Application (client) ID** and **Directory (tenant) ID**.
+### Client ID
 
-For **Cloud Instance**, usually it is `https://login.microsoftonline.com/`. See [Azure AD authentication endpoints](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud#azure-ad-authentication-endpoints) for more information.
+You may find the **Application (client) ID** in the **Overview** section of your newly created application in the Azure Portal.
+
+### Client Secret
 
-## Configure your client secret
 - In your newly created application, click the **Certificates & Secrets** to get a client secret, and click the **New client secret** from the top.
 - Enter a description and an expiration.
 - This will only show your client secret once. Fill the **value** to the Logto connector configuration and save it to a secure location.
 
-## Config types
+### Cloud Instance
 
-| Name          | Type   |
-| ------------- | ------ |
-| clientId      | string |
-| clientSecret  | string |
-| tenantId      | string |
-| cloudInstance | string |
+Usually, it is `https://login.microsoftonline.com/`. See [Azure AD authentication endpoints](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud#azure-ad-authentication-endpoints) for more information.
+
+### Tenant ID
+
+Logto will use this field to construct the authorization endpoints. This value is dependent on the **access type** you selected when creating the application in the Azure Portal.
+
+- If you select **Accounts in this organizational directory only** for access type then you need to enter your **{TenantID}**. You can find the tenant ID in the **Overview** section of your Azure Active Directory.
+- If you select **Accounts in any organizational directory** for access type then you need to enter **organizations**.
+- If you select **Accounts in any organizational directory or personal Microsoft accounts** for access type then you need to enter **common**.
+- If you select **Personal Microsoft accounts only** for access type then you need to enter **consumers**.
 
 ## References
-* [Web app that signs in users](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview)
+
+- [Web app that signs in users](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview)
diff --git a/packages/connectors/connector-azuread/package.json b/packages/connectors/connector-azuread/package.json
index fdb999b7561..236885e7cc9 100644
--- a/packages/connectors/connector-azuread/package.json
+++ b/packages/connectors/connector-azuread/package.json
@@ -1,11 +1,11 @@
 {
   "name": "@logto/connector-azuread",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Microsoft Azure AD connector implementation.",
   "author": "Mobilist Inc. <info@mobilist.com.tr>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
-    "@azure/msal-node": "^2.0.0"
+    "@azure/msal-node": "^2.0.0",
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -25,9 +25,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
@@ -48,5 +47,9 @@
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "publishConfig": {
     "access": "public"
+  },
+  "devDependencies": {
+    "@vitest/coverage-v8": "^1.4.0",
+    "vitest": "^1.4.0"
   }
 }
diff --git a/packages/connectors/connector-azuread/src/index.test.ts b/packages/connectors/connector-azuread/src/index.test.ts
index 0be0dd8f691..1368f85b64b 100644
--- a/packages/connectors/connector-azuread/src/index.test.ts
+++ b/packages/connectors/connector-azuread/src/index.test.ts
@@ -1,13 +1,76 @@
-import type { GetConnectorConfig } from '@logto/connector-kit';
+import nock from 'nock';
 
+import { vi, describe, beforeAll, it, expect } from 'vitest';
+
+import { graphAPIEndpoint } from './constant.js';
 import createConnector from './index.js';
 
-const { jest } = import.meta;
+vi.mock('@azure/msal-node', async () => ({
+  ConfidentialClientApplication: class {
+    async acquireTokenByCode() {
+      return {
+        accessToken: 'accessToken',
+        scopes: ['scopes'],
+        tokenType: 'tokenType',
+      };
+    }
+  },
+}));
 
-const getConnectorConfig = jest.fn() as GetConnectorConfig;
+const getConnectorConfig = vi.fn().mockResolvedValue({
+  clientId: 'clientId',
+  clientSecret: 'clientSecret',
+  cloudInstance: 'https://login.microsoftonline.com',
+  tenantId: 'tenantId',
+});
 
 describe('Azure AD connector', () => {
   it('init without exploding', () => {
     expect(async () => createConnector({ getConfig: getConnectorConfig })).not.toThrow();
   });
 });
+
+describe('getUserInfo', () => {
+  beforeAll(async () => {
+    const graphMeUrl = new URL(graphAPIEndpoint);
+    nock(graphMeUrl.origin).get(graphMeUrl.pathname).reply(200, {
+      id: 'id',
+      displayName: 'displayName',
+      mail: 'mail',
+      userPrincipalName: 'userPrincipalName',
+    });
+  });
+
+  it('should get user info from graph api', async () => {
+    const connector = await createConnector({ getConfig: getConnectorConfig });
+    const userInfo = await connector.getUserInfo(
+      { code: 'code', redirectUri: 'redirectUri' },
+      vi.fn()
+    );
+    expect(userInfo).toEqual({
+      id: 'id',
+      name: 'displayName',
+      email: 'mail',
+      rawData: {
+        id: 'id',
+        displayName: 'displayName',
+        mail: 'mail',
+        userPrincipalName: 'userPrincipalName',
+      },
+    });
+  });
+
+  it('should throw if graph api response has no id', async () => {
+    const graphMeUrl = new URL(graphAPIEndpoint);
+    nock(graphMeUrl.origin).get(graphMeUrl.pathname).reply(200, {
+      displayName: 'displayName',
+      mail: 'mail',
+      userPrincipalName: 'userPrincipalName',
+    });
+
+    const connector = await createConnector({ getConfig: getConnectorConfig });
+    const userInfo = connector.getUserInfo({ code: 'code', redirectUri: 'redirectUri' }, vi.fn());
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+    await expect(userInfo).rejects.toThrow(expect.objectContaining({ code: 'invalid_response' }));
+  });
+});
diff --git a/packages/connectors/connector-azuread/src/index.ts b/packages/connectors/connector-azuread/src/index.ts
index 91c95332da8..eec02121a34 100644
--- a/packages/connectors/connector-azuread/src/index.ts
+++ b/packages/connectors/connector-azuread/src/index.ts
@@ -3,7 +3,7 @@ import { got, HTTPError } from 'got';
 import path from 'node:path';
 
 import type { AuthorizationCodeRequest, AuthorizationUrlRequest } from '@azure/msal-node';
-import { ConfidentialClientApplication, CryptoProvider } from '@azure/msal-node';
+import { ConfidentialClientApplication } from '@azure/msal-node';
 import type {
   GetAuthorizationUri,
   GetUserInfo,
@@ -31,10 +31,6 @@ import {
 // eslint-disable-next-line @silverhand/fp/no-let
 let authCodeRequest: AuthorizationCodeRequest;
 
-// This `cryptoProvider` seems not used.
-// Temporarily keep this as this is a refactor, which should not change the logics.
-const cryptoProvider = new CryptoProvider();
-
 const getAuthorizationUri =
   (getConfig: GetConnectorConfig): GetAuthorizationUri =>
   async ({ state, redirectUri }) => {
@@ -85,7 +81,6 @@ const getAccessToken = async (config: AzureADConfig, code: string, redirectUri:
   });
 
   const authResult = await clientApplication.acquireTokenByCode(codeRequest);
-
   const result = accessTokenResponseGuard.safeParse(authResult);
 
   if (!result.success) {
@@ -117,8 +112,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -130,6 +125,7 @@ const getUserInfo =
         id,
         email: conditional(mail),
         name: conditional(displayName),
+        rawData,
       };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
diff --git a/packages/connectors/connector-discord/CHANGELOG.md b/packages/connectors/connector-discord/CHANGELOG.md
index 6fa918aead1..7a1db6bf874 100644
--- a/packages/connectors/connector-discord/CHANGELOG.md
+++ b/packages/connectors/connector-discord/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-discord
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-discord/package.json b/packages/connectors/connector-discord/package.json
index 3cfe00c2916..c1c148df7f5 100644
--- a/packages/connectors/connector-discord/package.json
+++ b/packages/connectors/connector-discord/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-discord",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Discord connector implementation.",
   "author": "ZR3SYSTEMS. <https://github.com/FlurryNight>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-discord/src/index.test.ts b/packages/connectors/connector-discord/src/index.test.ts
index 31a20641a07..45664a11d50 100644
--- a/packages/connectors/connector-discord/src/index.test.ts
+++ b/packages/connectors/connector-discord/src/index.test.ts
@@ -6,14 +6,12 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('Discord connector', () => {
   describe('getAuthorizationUri', () => {
     afterEach(() => {
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get a valid authorizationUri with redirectUri and state', async () => {
@@ -27,7 +25,7 @@ describe('Discord connector', () => {
           jti: 'some_jti',
           headers: {},
         },
-        jest.fn()
+        vi.fn()
       );
       expect(authorizationUri).toEqual(
         `${authorizationEndpoint}?client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=identify+email&state=some_state`
@@ -38,7 +36,7 @@ describe('Discord connector', () => {
   describe('getAccessToken', () => {
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get an accessToken by exchanging with code', async () => {
@@ -66,7 +64,7 @@ describe('Discord connector', () => {
 
       await expect(
         getAccessToken(mockedConfig, { code: 'code', redirectUri: 'dummyRedirectUri' })
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
     });
   });
 
@@ -82,7 +80,7 @@ describe('Discord connector', () => {
 
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get valid SocialUserInfo', async () => {
@@ -99,13 +97,20 @@ describe('Discord connector', () => {
           code: 'code',
           redirectUri: 'dummyRedirectUri',
         },
-        jest.fn()
+        vi.fn()
       );
-      expect(socialUserInfo).toMatchObject({
+      expect(socialUserInfo).toStrictEqual({
         id: '1234567890',
         name: 'Whumpus',
         avatar: 'https://cdn.discordapp.com/avatars/1234567890/avatar_id',
         email: 'whumpus@discord.com',
+        rawData: {
+          id: '1234567890',
+          username: 'Whumpus',
+          avatar: 'avatar_id',
+          email: 'whumpus@discord.com',
+          verified: true,
+        },
       });
     });
 
@@ -113,15 +118,15 @@ describe('Discord connector', () => {
       nock(userInfoEndpoint).get('').reply(401);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: 'dummyRedirectUri' }, jest.fn())
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
+        connector.getUserInfo({ code: 'code', redirectUri: 'dummyRedirectUri' }, vi.fn())
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
     });
 
     it('throws unrecognized error', async () => {
       nock(userInfoEndpoint).get('').reply(500);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: 'dummyRedirectUri' }, jest.fn())
+        connector.getUserInfo({ code: 'code', redirectUri: 'dummyRedirectUri' }, vi.fn())
       ).rejects.toThrow();
     });
   });
diff --git a/packages/connectors/connector-discord/src/index.ts b/packages/connectors/connector-discord/src/index.ts
index 224543952e3..4483cc2e9a9 100644
--- a/packages/connectors/connector-discord/src/index.ts
+++ b/packages/connectors/connector-discord/src/index.ts
@@ -102,8 +102,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -124,7 +124,7 @@ const getUserInfo =
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, userInfoResult.error);
       }
 
-      return userInfoResult.data;
+      return { ...userInfoResult.data, rawData };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
         const { statusCode, body: rawBody } = error.response;
diff --git a/packages/connectors/connector-facebook/CHANGELOG.md b/packages/connectors/connector-facebook/CHANGELOG.md
index 0114694dcb8..9e5e7bcf628 100644
--- a/packages/connectors/connector-facebook/CHANGELOG.md
+++ b/packages/connectors/connector-facebook/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-facebook
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-facebook/package.json b/packages/connectors/connector-facebook/package.json
index ad43c9f85d9..ec63896d6a5 100644
--- a/packages/connectors/connector-facebook/package.json
+++ b/packages/connectors/connector-facebook/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-facebook",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Facebook web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-facebook/src/index.test.ts b/packages/connectors/connector-facebook/src/index.test.ts
index d0919328928..69df5e0d076 100644
--- a/packages/connectors/connector-facebook/src/index.test.ts
+++ b/packages/connectors/connector-facebook/src/index.test.ts
@@ -6,14 +6,12 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { clientId, clientSecret, code, dummyRedirectUri, fields, mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('Facebook connector', () => {
   describe('getAuthorizationUri', () => {
     afterEach(() => {
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get a valid authorizationUri with redirectUri and state', async () => {
@@ -29,7 +27,7 @@ describe('Facebook connector', () => {
           jti: 'some_jti',
           headers: {},
         },
-        jest.fn()
+        vi.fn()
       );
 
       const encodedRedirectUri = encodeURIComponent(redirectUri);
@@ -42,7 +40,7 @@ describe('Facebook connector', () => {
   describe('getAccessToken', () => {
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get an accessToken by exchanging with code', async () => {
@@ -86,7 +84,7 @@ describe('Facebook connector', () => {
 
       await expect(
         getAccessToken(mockedConfig, { code, redirectUri: dummyRedirectUri })
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
     });
   });
 
@@ -110,7 +108,7 @@ describe('Facebook connector', () => {
 
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get valid SocialUserInfo', async () => {
@@ -130,13 +128,19 @@ describe('Facebook connector', () => {
           code,
           redirectUri: dummyRedirectUri,
         },
-        jest.fn()
+        vi.fn()
       );
-      expect(socialUserInfo).toMatchObject({
+      expect(socialUserInfo).toStrictEqual({
         id: '1234567890',
         avatar,
         name: 'monalisa octocat',
         email: 'octocat@facebook.com',
+        rawData: {
+          id: '1234567890',
+          name: 'monalisa octocat',
+          email: 'octocat@facebook.com',
+          picture: { data: { url: avatar } },
+        },
       });
     });
 
@@ -144,8 +148,8 @@ describe('Facebook connector', () => {
       nock(userInfoEndpoint).get('').query({ fields }).reply(400);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code, redirectUri: dummyRedirectUri }, jest.fn())
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
+        connector.getUserInfo({ code, redirectUri: dummyRedirectUri }, vi.fn())
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
     });
 
     it('throws AuthorizationFailed error if error is access_denied', async () => {
@@ -168,9 +172,9 @@ describe('Facebook connector', () => {
             error_description: 'Permissions error.',
             error_reason: 'user_denied',
           },
-          jest.fn()
+          vi.fn()
         )
-      ).rejects.toMatchError(
+      ).rejects.toStrictEqual(
         new ConnectorError(ConnectorErrorCodes.AuthorizationFailed, 'Permissions error.')
       );
     });
@@ -195,9 +199,9 @@ describe('Facebook connector', () => {
             error_description: 'General error encountered.',
             error_reason: 'user_denied',
           },
-          jest.fn()
+          vi.fn()
         )
-      ).rejects.toMatchError(
+      ).rejects.toStrictEqual(
         new ConnectorError(ConnectorErrorCodes.General, {
           error: 'general_error',
           error_code: 200,
@@ -211,7 +215,7 @@ describe('Facebook connector', () => {
       nock(userInfoEndpoint).get('').reply(500);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code, redirectUri: dummyRedirectUri }, jest.fn())
+        connector.getUserInfo({ code, redirectUri: dummyRedirectUri }, vi.fn())
       ).rejects.toThrow();
     });
   });
diff --git a/packages/connectors/connector-facebook/src/index.ts b/packages/connectors/connector-facebook/src/index.ts
index 7cb622c0ff0..0aa677a247a 100644
--- a/packages/connectors/connector-facebook/src/index.ts
+++ b/packages/connectors/connector-facebook/src/index.ts
@@ -105,8 +105,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -119,6 +119,7 @@ const getUserInfo =
         avatar: picture?.data.url,
         email,
         name,
+        rawData,
       };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
diff --git a/packages/connectors/connector-feishu-web/CHANGELOG.md b/packages/connectors/connector-feishu-web/CHANGELOG.md
index c83ecc53428..69fca21a6ae 100644
--- a/packages/connectors/connector-feishu-web/CHANGELOG.md
+++ b/packages/connectors/connector-feishu-web/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-feishu-web
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-feishu-web/package.json b/packages/connectors/connector-feishu-web/package.json
index 1d552351d1b..7fc99edaaef 100644
--- a/packages/connectors/connector-feishu-web/package.json
+++ b/packages/connectors/connector-feishu-web/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-feishu-web",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Feishu web connector.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-feishu-web/src/index.test.ts b/packages/connectors/connector-feishu-web/src/index.test.ts
index dc9871c97b7..7a20668fc71 100644
--- a/packages/connectors/connector-feishu-web/src/index.test.ts
+++ b/packages/connectors/connector-feishu-web/src/index.test.ts
@@ -6,13 +6,11 @@ import { accessTokenEndpoint, codeEndpoint, userInfoEndpoint } from './constant.
 import createConnector, { buildAuthorizationUri, getAccessToken } from './index.js';
 import { mockedFeishuConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedFeishuConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedFeishuConfig);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should build authorization uri', function () {
@@ -33,7 +31,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toEqual(
       `${codeEndpoint}?client_id=1112233&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&response_type=code&state=some_state`
@@ -44,7 +42,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const accessTokenUrl = new URL(accessTokenEndpoint);
@@ -73,7 +71,7 @@ describe('getAccessToken', () => {
 
     await expect(
       getAccessToken('code', '123', '123', 'http://localhost:3000')
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'access_token is empty')
     );
   });
@@ -86,7 +84,7 @@ describe('getAccessToken', () => {
 
     await expect(
       getAccessToken('code', '123', '123', 'http://localhost:3000')
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'invalid code')
     );
   });
@@ -95,7 +93,7 @@ describe('getAccessToken', () => {
 describe('getUserInfo', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   beforeEach(() => {
@@ -112,7 +110,7 @@ describe('getUserInfo', () => {
   const accessTokenUrl = new URL(accessTokenEndpoint);
 
   it('should get userInfo with accessToken', async () => {
-    nock(userInfoUrl.origin).get(userInfoUrl.pathname).query(true).once().reply(200, {
+    const jsonResponse = Object.freeze({
       sub: 'ou_caecc734c2e3328a62489fe0648c4b98779515d3',
       name: '李雷',
       picture: 'https://www.feishu.cn/avatar',
@@ -129,23 +127,25 @@ describe('getUserInfo', () => {
       employee_no: '111222333',
       mobile: '+86130xxxx0000',
     });
+    nock(userInfoUrl.origin).get(userInfoUrl.pathname).query(true).once().reply(200, jsonResponse);
 
     const connector = await createConnector({ getConfig });
-    const { id, name, avatar } = await connector.getUserInfo(
+    const { id, name, avatar, rawData } = await connector.getUserInfo(
       {
         code: 'code',
         redirectUri: 'http://localhost:3000',
       },
-      jest.fn()
+      vi.fn()
     );
     expect(id).toEqual('ou_caecc734c2e3328a62489fe0648c4b98779515d3');
     expect(name).toEqual('李雷');
     expect(avatar).toEqual('www.feishu.cn/avatar/icon');
+    expect(rawData).toEqual(jsonResponse);
   });
 
   it('throw General error if code not provided in input', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.InvalidResponse, '{}')
     );
   });
@@ -157,8 +157,8 @@ describe('getUserInfo', () => {
     });
     const connector = await createConnector({ getConfig });
     await expect(
-      connector.getUserInfo({ code: 'error_code', redirectUri: 'http://localhost:3000' }, jest.fn())
-    ).rejects.toMatchError(
+      connector.getUserInfo({ code: 'error_code', redirectUri: 'http://localhost:3000' }, vi.fn())
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'invalid access token')
     );
   });
@@ -169,8 +169,8 @@ describe('getUserInfo', () => {
     });
     const connector = await createConnector({ getConfig });
     await expect(
-      connector.getUserInfo({ code: 'code', redirectUri: 'http://localhost:3000' }, jest.fn())
-    ).rejects.toMatchError(
+      connector.getUserInfo({ code: 'code', redirectUri: 'http://localhost:3000' }, vi.fn())
+    ).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.InvalidResponse, 'invalid user response')
     );
   });
@@ -179,7 +179,7 @@ describe('getUserInfo', () => {
     nock(userInfoUrl.origin).get(userInfoUrl.pathname).query(true).reply(500);
     const connector = await createConnector({ getConfig });
     await expect(
-      connector.getUserInfo({ code: 'code', redirectUri: 'http://localhost:3000' }, jest.fn())
+      connector.getUserInfo({ code: 'code', redirectUri: 'http://localhost:3000' }, vi.fn())
     ).rejects.toThrow();
   });
 });
diff --git a/packages/connectors/connector-feishu-web/src/index.ts b/packages/connectors/connector-feishu-web/src/index.ts
index d5c8f36f7f9..a2b25b2f929 100644
--- a/packages/connectors/connector-feishu-web/src/index.ts
+++ b/packages/connectors/connector-feishu-web/src/index.ts
@@ -13,6 +13,7 @@ import {
   ConnectorErrorCodes,
   ConnectorPlatform,
   ConnectorType,
+  jsonGuard,
   validateConfig,
 } from '@logto/connector-kit';
 
@@ -153,6 +154,7 @@ export function getUserInfo(getConfig: GetConnectorConfig): GetUserInfo {
         email: conditional(email),
         userId: conditional(user_id),
         phone: conditional(mobile),
+        rawData: jsonGuard.parse(response.body),
       };
     } catch (error: unknown) {
       if (error instanceof ConnectorError) {
diff --git a/packages/connectors/connector-github/CHANGELOG.md b/packages/connectors/connector-github/CHANGELOG.md
index ca98e8abd7a..73b8a2eb0ee 100644
--- a/packages/connectors/connector-github/CHANGELOG.md
+++ b/packages/connectors/connector-github/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-github
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-github/package.json b/packages/connectors/connector-github/package.json
index 63295f5c46a..30bd1beaee2 100644
--- a/packages/connectors/connector-github/package.json
+++ b/packages/connectors/connector-github/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-github",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Github web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "query-string": "^9.0.0"
   },
   "main": "./lib/index.js",
@@ -25,9 +25,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-github/src/index.test.ts b/packages/connectors/connector-github/src/index.test.ts
index 6a5df4cf557..0656245e073 100644
--- a/packages/connectors/connector-github/src/index.test.ts
+++ b/packages/connectors/connector-github/src/index.test.ts
@@ -7,13 +7,11 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
@@ -27,7 +25,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toEqual(
       `${authorizationEndpoint}?client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&state=some_state&scope=read%3Auser`
@@ -38,7 +36,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get an accessToken by exchanging with code', async () => {
@@ -60,7 +58,7 @@ describe('getAccessToken', () => {
     nock(accessTokenEndpoint)
       .post('')
       .reply(200, qs.stringify({ access_token: '', scope: 'scope', token_type: 'token_type' }));
-    await expect(getAccessToken(mockedConfig, { code: 'code' })).rejects.toMatchError(
+    await expect(getAccessToken(mockedConfig, { code: 'code' })).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid)
     );
   });
@@ -82,7 +80,7 @@ describe('getUserInfo', () => {
 
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get valid SocialUserInfo', async () => {
@@ -91,14 +89,22 @@ describe('getUserInfo', () => {
       avatar_url: 'https://github.com/images/error/octocat_happy.gif',
       name: 'monalisa octocat',
       email: 'octocat@github.com',
+      foo: 'bar',
     });
     const connector = await createConnector({ getConfig });
-    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, jest.fn());
-    expect(socialUserInfo).toMatchObject({
+    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, vi.fn());
+    expect(socialUserInfo).toStrictEqual({
       id: '1',
       avatar: 'https://github.com/images/error/octocat_happy.gif',
       name: 'monalisa octocat',
       email: 'octocat@github.com',
+      rawData: {
+        id: 1,
+        avatar_url: 'https://github.com/images/error/octocat_happy.gif',
+        name: 'monalisa octocat',
+        email: 'octocat@github.com',
+        foo: 'bar',
+      },
     });
   });
 
@@ -110,16 +116,22 @@ describe('getUserInfo', () => {
       email: null,
     });
     const connector = await createConnector({ getConfig });
-    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, jest.fn());
+    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, vi.fn());
     expect(socialUserInfo).toMatchObject({
       id: '1',
+      rawData: {
+        id: 1,
+        avatar_url: null,
+        name: null,
+        email: null,
+      },
     });
   });
 
   it('throws SocialAccessTokenInvalid error if remote response code is 401', async () => {
     nock(userInfoEndpoint).get('').reply(401);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid)
     );
   });
@@ -140,9 +152,9 @@ describe('getUserInfo', () => {
           error_uri:
             'https://docs.github.com/apps/troubleshooting-authorization-request-errors#access-denied',
         },
-        jest.fn()
+        vi.fn()
       )
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(
         ConnectorErrorCodes.AuthorizationFailed,
         'The user has denied your application access.'
@@ -164,9 +176,9 @@ describe('getUserInfo', () => {
           error: 'general_error',
           error_description: 'General error encountered.',
         },
-        jest.fn()
+        vi.fn()
       )
-    ).rejects.toMatchError(
+    ).rejects.toStrictEqual(
       new ConnectorError(
         ConnectorErrorCodes.General,
         '{"error":"general_error","error_description":"General error encountered."}'
@@ -177,6 +189,6 @@ describe('getUserInfo', () => {
   it('throws unrecognized error', async () => {
     nock(userInfoEndpoint).get('').reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toThrow();
   });
 });
diff --git a/packages/connectors/connector-github/src/index.ts b/packages/connectors/connector-github/src/index.ts
index 547ce396452..52a0e97f182 100644
--- a/packages/connectors/connector-github/src/index.ts
+++ b/packages/connectors/connector-github/src/index.ts
@@ -117,8 +117,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -131,6 +131,7 @@ const getUserInfo =
         avatar: conditional(avatar),
         email: conditional(email),
         name: conditional(name),
+        rawData,
       };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
diff --git a/packages/connectors/connector-google/CHANGELOG.md b/packages/connectors/connector-google/CHANGELOG.md
index 2a7f2b638f1..2f79c263150 100644
--- a/packages/connectors/connector-google/CHANGELOG.md
+++ b/packages/connectors/connector-google/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-google
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-google/package.json b/packages/connectors/connector-google/package.json
index 2148928fb6c..cb5dee0d232 100644
--- a/packages/connectors/connector-google/package.json
+++ b/packages/connectors/connector-google/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-google",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Google web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-google/src/index.test.ts b/packages/connectors/connector-google/src/index.test.ts
index 21560f0ad8d..4b258f02144 100644
--- a/packages/connectors/connector-google/src/index.test.ts
+++ b/packages/connectors/connector-google/src/index.test.ts
@@ -6,14 +6,12 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('google connector', () => {
   describe('getAuthorizationUri', () => {
     afterEach(() => {
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get a valid authorizationUri with redirectUri and state', async () => {
@@ -27,7 +25,7 @@ describe('google connector', () => {
           jti: 'some_jti',
           headers: {},
         },
-        jest.fn()
+        vi.fn()
       );
       expect(authorizationUri).toEqual(
         `${authorizationEndpoint}?client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&state=some_state&scope=openid+profile+email`
@@ -38,7 +36,7 @@ describe('google connector', () => {
   describe('getAccessToken', () => {
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get an accessToken by exchanging with code', async () => {
@@ -60,7 +58,7 @@ describe('google connector', () => {
         .reply(200, { access_token: '', scope: 'scope', token_type: 'token_type' });
       await expect(
         getAccessToken(mockedConfig, { code: 'code', redirectUri: 'dummyRedirectUri' })
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
     });
   });
 
@@ -75,11 +73,11 @@ describe('google connector', () => {
 
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get valid SocialUserInfo', async () => {
-      nock(userInfoEndpoint).post('').reply(200, {
+      const jsonResponse = Object.freeze({
         sub: '1234567890',
         name: 'monalisa octocat',
         given_name: 'monalisa',
@@ -89,19 +87,21 @@ describe('google connector', () => {
         email_verified: true,
         locale: 'en',
       });
+      nock(userInfoEndpoint).post('').reply(200, jsonResponse);
       const connector = await createConnector({ getConfig });
       const socialUserInfo = await connector.getUserInfo(
         {
           code: 'code',
           redirectUri: 'redirectUri',
         },
-        jest.fn()
+        vi.fn()
       );
-      expect(socialUserInfo).toMatchObject({
+      expect(socialUserInfo).toStrictEqual({
         id: '1234567890',
         avatar: 'https://github.com/images/error/octocat_happy.gif',
         name: 'monalisa octocat',
         email: 'octocat@google.com',
+        rawData: jsonResponse,
       });
     });
 
@@ -109,8 +109,8 @@ describe('google connector', () => {
       nock(userInfoEndpoint).post('').reply(401);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
     });
 
     it('throws General error', async () => {
@@ -131,9 +131,9 @@ describe('google connector', () => {
             error: 'general_error',
             error_description: 'General error encountered.',
           },
-          jest.fn()
+          vi.fn()
         )
-      ).rejects.toMatchError(
+      ).rejects.toStrictEqual(
         new ConnectorError(
           ConnectorErrorCodes.General,
           '{"error":"general_error","error_description":"General error encountered."}'
@@ -145,7 +145,7 @@ describe('google connector', () => {
       nock(userInfoEndpoint).post('').reply(500);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
       ).rejects.toThrow();
     });
   });
diff --git a/packages/connectors/connector-google/src/index.ts b/packages/connectors/connector-google/src/index.ts
index db6a6ad0990..19c8fd9a273 100644
--- a/packages/connectors/connector-google/src/index.ts
+++ b/packages/connectors/connector-google/src/index.ts
@@ -101,8 +101,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -115,6 +115,7 @@ const getUserInfo =
         avatar,
         email: conditional(email_verified && email),
         name,
+        rawData,
       };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
diff --git a/packages/connectors/connector-kakao/CHANGELOG.md b/packages/connectors/connector-kakao/CHANGELOG.md
index 786b8f9b1e1..341fe977229 100644
--- a/packages/connectors/connector-kakao/CHANGELOG.md
+++ b/packages/connectors/connector-kakao/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-kakao
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-kakao/package.json b/packages/connectors/connector-kakao/package.json
index 6da7db82f49..b89bdb04999 100644
--- a/packages/connectors/connector-kakao/package.json
+++ b/packages/connectors/connector-kakao/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-kakao",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Kakao connector implementation.",
   "author": "Kyungyoon Kim. <ruddbs5302@gmail.com>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-kakao/src/index.test.ts b/packages/connectors/connector-kakao/src/index.test.ts
index 90db9c0cd8f..830897ebd5a 100644
--- a/packages/connectors/connector-kakao/src/index.test.ts
+++ b/packages/connectors/connector-kakao/src/index.test.ts
@@ -6,14 +6,12 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('kakao connector', () => {
   describe('getAuthorizationUri', () => {
     afterEach(() => {
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get a valid authorizationUri with redirectUri and state', async () => {
@@ -27,7 +25,7 @@ describe('kakao connector', () => {
           jti: 'some_jti',
           headers: {},
         },
-        jest.fn()
+        vi.fn()
       );
       expect(authorizationUri).toEqual(
         `${authorizationEndpoint}?client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&state=some_state`
@@ -38,7 +36,7 @@ describe('kakao connector', () => {
   describe('getAccessToken', () => {
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get an accessToken by exchanging with code', async () => {
@@ -60,7 +58,7 @@ describe('kakao connector', () => {
         .reply(200, { access_token: '', scope: 'scope', token_type: 'token_type' });
       await expect(
         getAccessToken(mockedConfig, { code: 'code', redirectUri: 'dummyRedirectUri' })
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
     });
   });
 
@@ -75,37 +73,37 @@ describe('kakao connector', () => {
 
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get valid SocialUserInfo', async () => {
-      nock(userInfoEndpoint)
-        .post('')
-        .reply(200, {
-          id: 1_234_567_890,
-          kakao_account: {
-            is_email_valid: true,
-            email: 'ruddbs5302@gmail.com',
-            profile: {
-              nickname: 'pemassi',
-              profile_image_url: 'https://github.com/images/error/octocat_happy.gif',
-              is_default_image: false,
-            },
+      const jsonResponse = Object.freeze({
+        id: 1_234_567_890,
+        kakao_account: {
+          is_email_valid: true,
+          email: 'ruddbs5302@gmail.com',
+          profile: {
+            nickname: 'pemassi',
+            profile_image_url: 'https://github.com/images/error/octocat_happy.gif',
+            is_default_image: false,
           },
-        });
+        },
+      });
+      nock(userInfoEndpoint).post('').reply(200, jsonResponse);
       const connector = await createConnector({ getConfig });
       const socialUserInfo = await connector.getUserInfo(
         {
           code: 'code',
           redirectUri: 'redirectUri',
         },
-        jest.fn()
+        vi.fn()
       );
-      expect(socialUserInfo).toMatchObject({
+      expect(socialUserInfo).toStrictEqual({
         id: '1234567890',
         avatar: 'https://github.com/images/error/octocat_happy.gif',
         name: 'pemassi',
         email: 'ruddbs5302@gmail.com',
+        rawData: jsonResponse,
       });
     });
 
@@ -113,8 +111,8 @@ describe('kakao connector', () => {
       nock(userInfoEndpoint).post('').reply(401);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
     });
 
     it('throws General error', async () => {
@@ -135,9 +133,9 @@ describe('kakao connector', () => {
             error: 'general_error',
             error_description: 'General error encountered.',
           },
-          jest.fn()
+          vi.fn()
         )
-      ).rejects.toMatchError(
+      ).rejects.toStrictEqual(
         new ConnectorError(
           ConnectorErrorCodes.General,
           '{"error":"general_error","error_description":"General error encountered."}'
@@ -149,7 +147,7 @@ describe('kakao connector', () => {
       nock(userInfoEndpoint).post('').reply(500);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
       ).rejects.toThrow();
     });
   });
diff --git a/packages/connectors/connector-kakao/src/index.ts b/packages/connectors/connector-kakao/src/index.ts
index 1c8dbf72620..a07eadb8d0c 100644
--- a/packages/connectors/connector-kakao/src/index.ts
+++ b/packages/connectors/connector-kakao/src/index.ts
@@ -99,8 +99,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -118,6 +118,7 @@ const getUserInfo =
         avatar: conditional(profile && !profile.is_default_image && profile.profile_image_url),
         email: conditional(is_email_valid && email),
         name: conditional(profile?.nickname),
+        rawData,
       };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
diff --git a/packages/connectors/connector-logto-email/CHANGELOG.md b/packages/connectors/connector-logto-email/CHANGELOG.md
index b859f7ceb51..0742b6e2d83 100644
--- a/packages/connectors/connector-logto-email/CHANGELOG.md
+++ b/packages/connectors/connector-logto-email/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-logto-email
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-logto-email/package.json b/packages/connectors/connector-logto-email/package.json
index db0a66b2fc9..fb5f6d8a668 100644
--- a/packages/connectors/connector-logto-email/package.json
+++ b/packages/connectors/connector-logto-email/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-logto-email",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Logto email connector.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
@@ -49,6 +48,6 @@
     "access": "public"
   },
   "devDependencies": {
-    "@logto/cloud": "0.2.5-faca9a9"
+    "@logto/cloud": "0.2.5-ab8a489"
   }
 }
diff --git a/packages/connectors/connector-logto-email/src/index.test.ts b/packages/connectors/connector-logto-email/src/index.test.ts
index e38af0d89ec..084e461100d 100644
--- a/packages/connectors/connector-logto-email/src/index.test.ts
+++ b/packages/connectors/connector-logto-email/src/index.test.ts
@@ -6,16 +6,14 @@ import { TemplateType } from '@logto/connector-kit';
 import { emailEndpoint, usageEndpoint } from './constant.js';
 import createConnector from './index.js';
 
-const { jest } = import.meta;
-
 const endpoint = 'http://localhost:3003';
 
 const api = got.extend({ prefixUrl: endpoint });
 const dropLeadingSlash = (path: string) => path.replace(/^\//, '');
 const buildUrl = (path: string, endpoint: string) => new URL(`${endpoint}/api${path}`);
 
-const getConfig = jest.fn().mockResolvedValue({});
-const getCloudServiceClient = jest.fn().mockResolvedValue({
+const getConfig = vi.fn().mockResolvedValue({});
+const getCloudServiceClient = vi.fn().mockResolvedValue({
   post: async (path: string, payload: { body: unknown }) => {
     return api(dropLeadingSlash(path), {
       method: 'POST',
diff --git a/packages/connectors/connector-logto-email/src/index.ts b/packages/connectors/connector-logto-email/src/index.ts
index 1a7451bd622..2e64e7f2385 100644
--- a/packages/connectors/connector-logto-email/src/index.ts
+++ b/packages/connectors/connector-logto-email/src/index.ts
@@ -38,7 +38,16 @@ const sendMessage =
     try {
       await client.post(`/api${emailEndpoint}`, {
         body: {
-          data: { to, type, payload: { ...payload, senderName, companyInformation, appLogo } },
+          data: {
+            to,
+            type,
+            payload: {
+              ...payload,
+              ...conditional(senderName && { senderName }),
+              ...conditional(companyInformation && { companyInformation }),
+              ...conditional(appLogo && { appLogo }),
+            },
+          },
         },
       });
     } catch (error: unknown) {
diff --git a/packages/connectors/connector-logto-sms/CHANGELOG.md b/packages/connectors/connector-logto-sms/CHANGELOG.md
index 1265cc0cb1c..cdb1dcb483d 100644
--- a/packages/connectors/connector-logto-sms/CHANGELOG.md
+++ b/packages/connectors/connector-logto-sms/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-logto-sms
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-logto-sms/package.json b/packages/connectors/connector-logto-sms/package.json
index 6113e8b022a..2a81c137182 100644
--- a/packages/connectors/connector-logto-sms/package.json
+++ b/packages/connectors/connector-logto-sms/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-logto-sms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Logto SMS connector.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-logto-sms/src/index.test.ts b/packages/connectors/connector-logto-sms/src/index.test.ts
index 740d7b34fd1..95d1ed10ee5 100644
--- a/packages/connectors/connector-logto-sms/src/index.test.ts
+++ b/packages/connectors/connector-logto-sms/src/index.test.ts
@@ -5,9 +5,7 @@ import { TemplateType } from '@logto/connector-kit';
 import { smsEndpoint } from './constant.js';
 import { mockedAccessTokenResponse, mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 const { default: createConnector } = await import('./index.js');
 
diff --git a/packages/connectors/connector-logto-social-demo/CHANGELOG.md b/packages/connectors/connector-logto-social-demo/CHANGELOG.md
index 20666c2e121..ba7962448b0 100644
--- a/packages/connectors/connector-logto-social-demo/CHANGELOG.md
+++ b/packages/connectors/connector-logto-social-demo/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-logto-social-demo
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-logto-social-demo/package.json b/packages/connectors/connector-logto-social-demo/package.json
index 8fdd8495858..0a12e00a09b 100644
--- a/packages/connectors/connector-logto-social-demo/package.json
+++ b/packages/connectors/connector-logto-social-demo/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-logto-social-demo",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "OAuth standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-logto-social-demo/src/index.test.ts b/packages/connectors/connector-logto-social-demo/src/index.test.ts
index 63aaf3990e4..0bce8984e6c 100644
--- a/packages/connectors/connector-logto-social-demo/src/index.test.ts
+++ b/packages/connectors/connector-logto-social-demo/src/index.test.ts
@@ -2,14 +2,12 @@ import createConnector from './index.js';
 import type { SocialDemoConfig } from './types.js';
 import { SocialProvider } from './types.js';
 
-const { jest } = import.meta;
-
 const mockedConfig: SocialDemoConfig = {
   provider: SocialProvider.GitHub,
   clientId: 'client-id',
   redirectUri: 'http://localhost:3000/callback',
 };
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('getAuthorizationUri', () => {
   it('should get a valid uri by redirectUri and state', async () => {
@@ -23,7 +21,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toContain(encodeURIComponent(mockedConfig.redirectUri));
     expect(authorizationUri).toContain(
diff --git a/packages/connectors/connector-mailgun/CHANGELOG.md b/packages/connectors/connector-mailgun/CHANGELOG.md
index 61946f1a55b..2820a1bb633 100644
--- a/packages/connectors/connector-mailgun/CHANGELOG.md
+++ b/packages/connectors/connector-mailgun/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-mailgun
 
+## 1.2.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-mailgun/package.json b/packages/connectors/connector-mailgun/package.json
index af66a5b2366..9345a26c89e 100644
--- a/packages/connectors/connector-mailgun/package.json
+++ b/packages/connectors/connector-mailgun/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-mailgun",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Mailgun connector for Logto.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-mailgun/src/index.test.ts b/packages/connectors/connector-mailgun/src/index.test.ts
index 50468ce537c..ac1b4d03456 100644
--- a/packages/connectors/connector-mailgun/src/index.test.ts
+++ b/packages/connectors/connector-mailgun/src/index.test.ts
@@ -5,9 +5,7 @@ import { TemplateType } from '@logto/connector-kit';
 import createMailgunConnector from './index.js';
 import { type MailgunConfig } from './types.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn();
+const getConfig = vi.fn();
 
 const domain = 'example.com';
 const apiKey = 'apiKey';
@@ -210,7 +208,7 @@ describe('Maligun connector', () => {
           code: '123456',
         },
       })
-    ).rejects.toThrowErrorMatchingInlineSnapshot('"ConnectorError: template_not_found"');
+    ).rejects.toThrowErrorMatchingInlineSnapshot('[Error: ConnectorError: template_not_found]');
 
     await expect(
       connector.sendMessage({
@@ -221,7 +219,7 @@ describe('Maligun connector', () => {
           code: '123456',
         },
       })
-    ).rejects.toThrowErrorMatchingInlineSnapshot('"ConnectorError: template_not_found"');
+    ).rejects.toThrowErrorMatchingInlineSnapshot('[Error: ConnectorError: template_not_found]');
   });
 
   it('should throw error if mailgun returns error', async () => {
@@ -247,7 +245,7 @@ describe('Maligun connector', () => {
         },
       })
     ).rejects.toThrowErrorMatchingInlineSnapshot(
-      '"ConnectorError: {"statusCode":400,"body":"{\\"message\\":\\"error\\"}"}"'
+      '[Error: ConnectorError: {"statusCode":400,"body":"{\\"message\\":\\"error\\"}"}]'
     );
   });
 });
diff --git a/packages/connectors/connector-mock-email-alternative/CHANGELOG.md b/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
index cda777eea55..a1142990d04 100644
--- a/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
+++ b/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-mock-standard-email
 
+## 2.0.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 2.0.0
 
 ### Major Changes
diff --git a/packages/connectors/connector-mock-email-alternative/package.json b/packages/connectors/connector-mock-email-alternative/package.json
index 63fa84fd9a9..b44be9b87ea 100644
--- a/packages/connectors/connector-mock-email-alternative/package.json
+++ b/packages/connectors/connector-mock-email-alternative/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-mock-standard-email",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Mock Standard Email Service connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "scripts": {
     "precommit": "lint-staged",
@@ -13,9 +13,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "main": "./lib/index.js",
diff --git a/packages/connectors/connector-mock-email/CHANGELOG.md b/packages/connectors/connector-mock-email/CHANGELOG.md
index bea9665a940..4ad35a91007 100644
--- a/packages/connectors/connector-mock-email/CHANGELOG.md
+++ b/packages/connectors/connector-mock-email/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-mock-email
 
+## 2.0.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 2.0.0
 
 ### Major Changes
diff --git a/packages/connectors/connector-mock-email/package.json b/packages/connectors/connector-mock-email/package.json
index 96e5f94c2d0..937c34f1580 100644
--- a/packages/connectors/connector-mock-email/package.json
+++ b/packages/connectors/connector-mock-email/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-mock-email",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Mock Email Service connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "scripts": {
     "precommit": "lint-staged",
@@ -13,9 +13,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "main": "./lib/index.js",
diff --git a/packages/connectors/connector-mock-sms/CHANGELOG.md b/packages/connectors/connector-mock-sms/CHANGELOG.md
index 59b928d4db8..a72ac350823 100644
--- a/packages/connectors/connector-mock-sms/CHANGELOG.md
+++ b/packages/connectors/connector-mock-sms/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-mock-sms
 
+## 2.0.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 2.0.0
 
 ### Major Changes
diff --git a/packages/connectors/connector-mock-sms/package.json b/packages/connectors/connector-mock-sms/package.json
index 9678d8e704e..46a0a74bb2d 100644
--- a/packages/connectors/connector-mock-sms/package.json
+++ b/packages/connectors/connector-mock-sms/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-mock-sms",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Mock SMS connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "scripts": {
     "precommit": "lint-staged",
@@ -13,9 +13,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "main": "./lib/index.js",
diff --git a/packages/connectors/connector-mock-social/CHANGELOG.md b/packages/connectors/connector-mock-social/CHANGELOG.md
index 202d3db7f54..57dcf6d62ec 100644
--- a/packages/connectors/connector-mock-social/CHANGELOG.md
+++ b/packages/connectors/connector-mock-social/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-mock-social
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-mock-social/package.json b/packages/connectors/connector-mock-social/package.json
index 1b49bbaf661..4726bd25e47 100644
--- a/packages/connectors/connector-mock-social/package.json
+++ b/packages/connectors/connector-mock-social/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-mock-social",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Social mock connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "scripts": {
     "precommit": "lint-staged",
@@ -13,9 +13,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "main": "./lib/index.js",
diff --git a/packages/connectors/connector-mock-social/src/index.ts b/packages/connectors/connector-mock-social/src/index.ts
index 2b6d0d4663e..b9c76058c35 100644
--- a/packages/connectors/connector-mock-social/src/index.ts
+++ b/packages/connectors/connector-mock-social/src/index.ts
@@ -7,7 +7,12 @@ import type {
   CreateConnector,
   SocialConnector,
 } from '@logto/connector-kit';
-import { ConnectorError, ConnectorErrorCodes, ConnectorType } from '@logto/connector-kit';
+import {
+  ConnectorError,
+  ConnectorErrorCodes,
+  ConnectorType,
+  jsonGuard,
+} from '@logto/connector-kit';
 
 import { defaultMetadata } from './constant.js';
 import { mockSocialConfigGuard } from './types.js';
@@ -35,6 +40,7 @@ const getUserInfo: GetUserInfo = async (data) => {
   return {
     id: userId ?? `mock-social-sub-${randomUUID()}`,
     ...rest,
+    rawData: jsonGuard.parse(data),
   };
 };
 
diff --git a/packages/connectors/connector-naver/CHANGELOG.md b/packages/connectors/connector-naver/CHANGELOG.md
index 90ae66b8ab8..978f2a4c883 100644
--- a/packages/connectors/connector-naver/CHANGELOG.md
+++ b/packages/connectors/connector-naver/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-naver
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-naver/package.json b/packages/connectors/connector-naver/package.json
index 66154e9c50c..09fa173db46 100644
--- a/packages/connectors/connector-naver/package.json
+++ b/packages/connectors/connector-naver/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-naver",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Naver connector implementation.",
   "author": "Kyungyoon Kim. <ruddbs5302@gmail.com>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-naver/src/index.test.ts b/packages/connectors/connector-naver/src/index.test.ts
index e4191463768..03268914c75 100644
--- a/packages/connectors/connector-naver/src/index.test.ts
+++ b/packages/connectors/connector-naver/src/index.test.ts
@@ -6,14 +6,12 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('naver connector', () => {
   describe('getAuthorizationUri', () => {
     afterEach(() => {
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get a valid authorizationUri with redirectUri and state', async () => {
@@ -27,7 +25,7 @@ describe('naver connector', () => {
           jti: 'some_jti',
           headers: {},
         },
-        jest.fn()
+        vi.fn()
       );
       expect(authorizationUri).toEqual(
         `${authorizationEndpoint}?client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&state=some_state`
@@ -38,7 +36,7 @@ describe('naver connector', () => {
   describe('getAccessToken', () => {
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get an accessToken by exchanging with code', async () => {
@@ -60,7 +58,7 @@ describe('naver connector', () => {
         .reply(200, { access_token: '', scope: 'scope', token_type: 'token_type' });
       await expect(
         getAccessToken(mockedConfig, { code: 'code', redirectUri: 'dummyRedirectUri' })
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid));
     });
   });
 
@@ -75,39 +73,39 @@ describe('naver connector', () => {
 
     afterEach(() => {
       nock.cleanAll();
-      jest.clearAllMocks();
+      vi.clearAllMocks();
     });
 
     it('should get valid SocialUserInfo', async () => {
-      nock(userInfoEndpoint)
-        .post('')
-        .reply(200, {
-          resultcode: '00',
-          message: 'success',
-          response: {
-            email: 'openapi@naver.com',
-            nickname: 'OpenAPI',
-            profile_image: 'https://ssl.pstatic.net/static/pwe/address/nodata_33x33.gif',
-            age: '40-49',
-            gender: 'F',
-            id: '32742776',
-            name: '오픈 API',
-            birthday: '10-01',
-          },
-        });
+      const jsonResponse = Object.freeze({
+        resultcode: '00',
+        message: 'success',
+        response: {
+          email: 'openapi@naver.com',
+          nickname: 'OpenAPI',
+          profile_image: 'https://ssl.pstatic.net/static/pwe/address/nodata_33x33.gif',
+          age: '40-49',
+          gender: 'F',
+          id: '32742776',
+          name: '오픈 API',
+          birthday: '10-01',
+        },
+      });
+      nock(userInfoEndpoint).post('').reply(200, jsonResponse);
       const connector = await createConnector({ getConfig });
       const socialUserInfo = await connector.getUserInfo(
         {
           code: 'code',
           redirectUri: 'redirectUri',
         },
-        jest.fn()
+        vi.fn()
       );
       expect(socialUserInfo).toMatchObject({
         id: '32742776',
         avatar: 'https://ssl.pstatic.net/static/pwe/address/nodata_33x33.gif',
         name: 'OpenAPI',
         email: 'openapi@naver.com',
+        rawData: jsonResponse,
       });
     });
 
@@ -115,8 +113,8 @@ describe('naver connector', () => {
       nock(userInfoEndpoint).post('').reply(401);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
-      ).rejects.toMatchError(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
+      ).rejects.toStrictEqual(new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid));
     });
 
     it('throws General error', async () => {
@@ -137,9 +135,9 @@ describe('naver connector', () => {
             error: 'general_error',
             error_description: 'General error encountered.',
           },
-          jest.fn()
+          vi.fn()
         )
-      ).rejects.toMatchError(
+      ).rejects.toStrictEqual(
         new ConnectorError(
           ConnectorErrorCodes.General,
           '{"error":"general_error","error_description":"General error encountered."}'
@@ -151,7 +149,7 @@ describe('naver connector', () => {
       nock(userInfoEndpoint).post('').reply(500);
       const connector = await createConnector({ getConfig });
       await expect(
-        connector.getUserInfo({ code: 'code', redirectUri: '' }, jest.fn())
+        connector.getUserInfo({ code: 'code', redirectUri: '' }, vi.fn())
       ).rejects.toThrow();
     });
   });
diff --git a/packages/connectors/connector-naver/src/index.ts b/packages/connectors/connector-naver/src/index.ts
index 0a85a9c312b..3e553e4bd88 100644
--- a/packages/connectors/connector-naver/src/index.ts
+++ b/packages/connectors/connector-naver/src/index.ts
@@ -99,8 +99,8 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -114,6 +114,7 @@ const getUserInfo =
         avatar: conditional(profile_image),
         email: conditional(email),
         name: conditional(nickname),
+        rawData,
       };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
diff --git a/packages/connectors/connector-oauth2/CHANGELOG.md b/packages/connectors/connector-oauth2/CHANGELOG.md
index 84ea166ddcb..b8f64dd545f 100644
--- a/packages/connectors/connector-oauth2/CHANGELOG.md
+++ b/packages/connectors/connector-oauth2/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-oauth
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-oauth2/package.json b/packages/connectors/connector-oauth2/package.json
index eaa3cec19a8..7b73b7e8b90 100644
--- a/packages/connectors/connector-oauth2/package.json
+++ b/packages/connectors/connector-oauth2/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-oauth",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "OAuth standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "query-string": "^9.0.0"
   },
   "main": "./lib/index.js",
@@ -25,9 +25,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-oauth2/src/index.test.ts b/packages/connectors/connector-oauth2/src/index.test.ts
index d99681876cb..e242fe579f0 100644
--- a/packages/connectors/connector-oauth2/src/index.test.ts
+++ b/packages/connectors/connector-oauth2/src/index.test.ts
@@ -2,20 +2,18 @@ import nock from 'nock';
 
 import { mockConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockConfig);
+const getConfig = vi.fn().mockResolvedValue(mockConfig);
 
 const { default: createConnector } = await import('./index.js');
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
     const connector = await createConnector({ getConfig });
-    const setSession = jest.fn();
+    const setSession = vi.fn();
     const authorizationUri = await connector.getAuthorizationUri(
       {
         state: 'some_state',
@@ -40,7 +38,7 @@ describe('getAuthorizationUri', () => {
 describe('getUserInfo', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get valid userInfo', async () => {
@@ -59,14 +57,15 @@ describe('getUserInfo', () => {
     const userInfoEndpointUrl = new URL(mockConfig.userInfoEndpoint);
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(true).reply(200, {
       sub: userId,
+      foo: 'bar',
     });
     const connector = await createConnector({ getConfig });
     const userInfo = await connector.getUserInfo(
       { code: 'code' },
-      jest.fn().mockImplementationOnce(() => {
+      vi.fn().mockImplementationOnce(() => {
         return { redirectUri: 'http://localhost:3001/callback' };
       })
     );
-    expect(userInfo).toEqual({ id: userId });
+    expect(userInfo).toStrictEqual({ id: userId, rawData: { sub: userId, foo: 'bar' } });
   });
 });
diff --git a/packages/connectors/connector-oauth2/src/index.ts b/packages/connectors/connector-oauth2/src/index.ts
index 4d952dc58b1..f2b1c274b1c 100644
--- a/packages/connectors/connector-oauth2/src/index.ts
+++ b/packages/connectors/connector-oauth2/src/index.ts
@@ -71,8 +71,9 @@ const getUserInfo =
         },
         timeout: { request: defaultTimeout },
       });
+      const rawData = parseJsonObject(httpResponse.body);
 
-      return userProfileMapping(parseJsonObject(httpResponse.body), parsedConfig.profileMap);
+      return { ...userProfileMapping(rawData, parsedConfig.profileMap), rawData };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
         throw new ConnectorError(ConnectorErrorCodes.General, JSON.stringify(error.response.body));
diff --git a/packages/connectors/connector-oidc/CHANGELOG.md b/packages/connectors/connector-oidc/CHANGELOG.md
index 31c4366b148..028aa310b9a 100644
--- a/packages/connectors/connector-oidc/CHANGELOG.md
+++ b/packages/connectors/connector-oidc/CHANGELOG.md
@@ -1,5 +1,20 @@
 # @logto/connector-oidc
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+  - @logto/shared@3.1.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-oidc/package.json b/packages/connectors/connector-oidc/package.json
index f84a7b44c99..bd8871732c9 100644
--- a/packages/connectors/connector-oidc/package.json
+++ b/packages/connectors/connector-oidc/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@logto/connector-oidc",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "OIDC standard connector implementation.",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@logto/shared": "workspace:^3.1.0",
     "jose": "^5.0.0",
     "nanoid": "^5.0.1"
@@ -26,9 +26,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-oidc/src/index.test.ts b/packages/connectors/connector-oidc/src/index.test.ts
index be4033678a2..b54bc311fdd 100644
--- a/packages/connectors/connector-oidc/src/index.test.ts
+++ b/packages/connectors/connector-oidc/src/index.test.ts
@@ -2,22 +2,20 @@ import nock from 'nock';
 
 import { mockConfig } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockConfig);
+const jwtVerify = vi.fn();
 
-const jwtVerify = jest.fn();
-
-jest.unstable_mockModule('jose', () => ({
+vi.mock('jose', () => ({
   jwtVerify,
-  createRemoteJWKSet: jest.fn(),
+  createRemoteJWKSet: vi.fn(),
 }));
 
 const { default: createConnector } = await import('./index.js');
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
@@ -31,7 +29,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
 
     const { origin, pathname, searchParams } = new URL(authorizationUri);
@@ -48,7 +46,7 @@ describe('getAuthorizationUri', () => {
 describe('getUserInfo', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get valid userInfo', async () => {
@@ -65,10 +63,10 @@ describe('getUserInfo', () => {
     const connector = await createConnector({ getConfig });
     const userInfo = await connector.getUserInfo(
       { code: 'code' },
-      jest.fn().mockImplementationOnce(() => {
+      vi.fn().mockImplementationOnce(() => {
         return { nonce: 'nonce', redirectUri: 'http://localhost:3001/callback' };
       })
     );
-    expect(userInfo).toEqual({ id: userId });
+    expect(userInfo).toMatchObject({ id: userId, rawData: { sub: userId, nonce: 'nonce' } });
   });
 });
diff --git a/packages/connectors/connector-oidc/src/index.ts b/packages/connectors/connector-oidc/src/index.ts
index ae8e6d749dd..a413a26c06f 100644
--- a/packages/connectors/connector-oidc/src/index.ts
+++ b/packages/connectors/connector-oidc/src/index.ts
@@ -14,6 +14,7 @@ import {
   ConnectorErrorCodes,
   validateConfig,
   ConnectorType,
+  jsonGuard,
 } from '@logto/connector-kit';
 import { generateStandardId } from '@logto/shared/universal';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
@@ -137,6 +138,7 @@ const getUserInfo =
         avatar: conditional(picture),
         email: conditional(email_verified && email),
         phone: conditional(phone_verified && phone),
+        rawData: jsonGuard.parse(payload),
       };
     } catch (error: unknown) {
       if (error instanceof HTTPError) {
diff --git a/packages/connectors/connector-saml/CHANGELOG.md b/packages/connectors/connector-saml/CHANGELOG.md
index 6549a3914db..3abfe03a9d0 100644
--- a/packages/connectors/connector-saml/CHANGELOG.md
+++ b/packages/connectors/connector-saml/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-saml
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-saml/package.json b/packages/connectors/connector-saml/package.json
index aa92eec856b..76dbad1e125 100644
--- a/packages/connectors/connector-saml/package.json
+++ b/packages/connectors/connector-saml/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-saml",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "SAML standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "fast-xml-parser": "^4.2.5",
     "samlify": "2.8.10"
   },
@@ -26,9 +26,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-saml/src/index.test.ts b/packages/connectors/connector-saml/src/index.test.ts
index 1f564dd2d90..289af187860 100644
--- a/packages/connectors/connector-saml/src/index.test.ts
+++ b/packages/connectors/connector-saml/src/index.test.ts
@@ -1,18 +1,16 @@
 import createConnector, { validateSamlAssertion } from './index.js';
 import { mockAttributes, mockedConfig, mockSamlResponse } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
-
-const setSession = jest.fn();
-const getSession = jest.fn();
+const setSession = vi.fn();
+const getSession = vi.fn();
 
 const connector = await createConnector({ getConfig });
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri and save required information to storage', async () => {
@@ -39,11 +37,11 @@ describe('getAuthorizationUri', () => {
 
 describe('validateSamlAssertion', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('Should return right redirectUri', async () => {
-    jest.useFakeTimers().setSystemTime(new Date('2023-01-18T14:55:45.406Z'));
+    vi.useFakeTimers().setSystemTime(new Date('2023-01-18T14:55:45.406Z'));
     getSession.mockResolvedValue({
       connectorFactoryId: 'saml',
       state: 'some_state',
@@ -61,13 +59,13 @@ describe('validateSamlAssertion', () => {
     );
     expect(setSession).toHaveBeenCalledWith(expect.anything());
     expect(redirectUri).toEqual('http://localhost:3000/callback?state=some_state');
-    jest.useRealTimers();
+    vi.useRealTimers();
   });
 });
 
 describe('getUserInfo', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('get right profile', async () => {
diff --git a/packages/connectors/connector-saml/src/utils.test.ts b/packages/connectors/connector-saml/src/utils.test.ts
index 828471f1e86..5b9ef7a7363 100644
--- a/packages/connectors/connector-saml/src/utils.test.ts
+++ b/packages/connectors/connector-saml/src/utils.test.ts
@@ -1,10 +1,8 @@
 import { userProfileMapping } from './utils.js';
 
-const { jest } = import.meta;
-
 describe('userProfileMapping', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should return right user profile', () => {
diff --git a/packages/connectors/connector-sendgrid-email/CHANGELOG.md b/packages/connectors/connector-sendgrid-email/CHANGELOG.md
index 1c1de07b679..a6c4d6730db 100644
--- a/packages/connectors/connector-sendgrid-email/CHANGELOG.md
+++ b/packages/connectors/connector-sendgrid-email/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-sendgrid-email
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-sendgrid-email/package.json b/packages/connectors/connector-sendgrid-email/package.json
index 2f7650c7078..650f4b88050 100644
--- a/packages/connectors/connector-sendgrid-email/package.json
+++ b/packages/connectors/connector-sendgrid-email/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-sendgrid-email",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "SendGrid Email Service connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-sendgrid-email/src/index.test.ts b/packages/connectors/connector-sendgrid-email/src/index.test.ts
index 9f518865ce4..1062b215985 100644
--- a/packages/connectors/connector-sendgrid-email/src/index.test.ts
+++ b/packages/connectors/connector-sendgrid-email/src/index.test.ts
@@ -1,9 +1,7 @@
 import createConnector from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('SendGrid connector', () => {
   it('init without throwing errors', async () => {
diff --git a/packages/connectors/connector-smsaero/CHANGELOG.md b/packages/connectors/connector-smsaero/CHANGELOG.md
index 651102d641a..72813750cc4 100644
--- a/packages/connectors/connector-smsaero/CHANGELOG.md
+++ b/packages/connectors/connector-smsaero/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-smsaero
 
+## 1.2.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-smsaero/package.json b/packages/connectors/connector-smsaero/package.json
index 2465fdefe94..da34f59e820 100644
--- a/packages/connectors/connector-smsaero/package.json
+++ b/packages/connectors/connector-smsaero/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-smsaero",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "SMSAero connector implementation.",
   "author": "Danil Tankov <danil.tankoff@yandex.ru>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-smsaero/src/index.test.ts b/packages/connectors/connector-smsaero/src/index.test.ts
index 253b7ada79e..dd1e579457d 100644
--- a/packages/connectors/connector-smsaero/src/index.test.ts
+++ b/packages/connectors/connector-smsaero/src/index.test.ts
@@ -1,9 +1,7 @@
 import createConnector from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('SMSAero SMS connector', () => {
   it('init without throwing errors', async () => {
diff --git a/packages/connectors/connector-smtp/CHANGELOG.md b/packages/connectors/connector-smtp/CHANGELOG.md
index c0d3cf643c0..2543676bcd0 100644
--- a/packages/connectors/connector-smtp/CHANGELOG.md
+++ b/packages/connectors/connector-smtp/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-smtp
 
+## 1.1.2
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.1
 
 ### Patch Changes
diff --git a/packages/connectors/connector-smtp/package.json b/packages/connectors/connector-smtp/package.json
index 0cf61efa87a..7c07a29ee35 100644
--- a/packages/connectors/connector-smtp/package.json
+++ b/packages/connectors/connector-smtp/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-smtp",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "SMTP connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "nodemailer": "^6.9.9"
   },
   "devDependencies": {
@@ -28,9 +28,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-smtp/src/index.test.ts b/packages/connectors/connector-smtp/src/index.test.ts
index ad442604557..a28137dd32d 100644
--- a/packages/connectors/connector-smtp/src/index.test.ts
+++ b/packages/connectors/connector-smtp/src/index.test.ts
@@ -16,18 +16,16 @@ import {
 } from './mock.js';
 import { smtpConfigGuard } from './types.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
-
-const sendMail = jest.fn();
+const sendMail = vi.fn();
 
 // @ts-expect-error for testing
-jest.spyOn(nodemailer, 'createTransport').mockReturnValue({ sendMail } as Transporter);
+vi.spyOn(nodemailer, 'createTransport').mockReturnValue({ sendMail } as Transporter);
 
 describe('SMTP connector', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('init without throwing errors', async () => {
diff --git a/packages/connectors/connector-tencent-sms/CHANGELOG.md b/packages/connectors/connector-tencent-sms/CHANGELOG.md
index 36b37f5da0a..9e296ec2754 100644
--- a/packages/connectors/connector-tencent-sms/CHANGELOG.md
+++ b/packages/connectors/connector-tencent-sms/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-tencent-sms
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-tencent-sms/package.json b/packages/connectors/connector-tencent-sms/package.json
index 9f0b2ef411f..60614fab7d5 100644
--- a/packages/connectors/connector-tencent-sms/package.json
+++ b/packages/connectors/connector-tencent-sms/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-tencent-sms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Tencent SMS connector implementation.",
   "author": "StringKe",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-tencent-sms/src/index.test.ts b/packages/connectors/connector-tencent-sms/src/index.test.ts
index a30b51fed2f..06e60445a37 100644
--- a/packages/connectors/connector-tencent-sms/src/index.test.ts
+++ b/packages/connectors/connector-tencent-sms/src/index.test.ts
@@ -2,11 +2,9 @@ import { TemplateType } from '@logto/connector-kit';
 
 import { codeTest, mockedConnectorConfig, mockedTemplateCode, phoneTest } from './mock.js';
 
-const { jest } = import.meta;
+const getConfig = vi.fn().mockResolvedValue(mockedConnectorConfig);
 
-const getConfig = jest.fn().mockResolvedValue(mockedConnectorConfig);
-
-const sendSmsRequest = jest.fn(() => {
+const sendSmsRequest = vi.fn(() => {
   return {
     body: {
       Response: {
@@ -27,10 +25,10 @@ const sendSmsRequest = jest.fn(() => {
   };
 });
 
-jest.unstable_mockModule('./http.js', () => {
+vi.mock('./http.js', () => {
   return {
     sendSmsRequest,
-    isSmsErrorResponse: jest.fn((response) => {
+    isSmsErrorResponse: vi.fn((response) => {
       return response.Response.Error !== undefined;
     }),
   };
@@ -40,7 +38,7 @@ const { default: createConnector } = await import('./index.js');
 
 describe('sendMessage()', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should call sendSmsRequest() and replace code in content', async () => {
diff --git a/packages/connectors/connector-twilio-sms/CHANGELOG.md b/packages/connectors/connector-twilio-sms/CHANGELOG.md
index 00869b4705c..bafc7348638 100644
--- a/packages/connectors/connector-twilio-sms/CHANGELOG.md
+++ b/packages/connectors/connector-twilio-sms/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-twilio-sms
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-twilio-sms/package.json b/packages/connectors/connector-twilio-sms/package.json
index 3fc3c5c665b..91bd74d1796 100644
--- a/packages/connectors/connector-twilio-sms/package.json
+++ b/packages/connectors/connector-twilio-sms/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-twilio-sms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Twilio SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-twilio-sms/src/index.test.ts b/packages/connectors/connector-twilio-sms/src/index.test.ts
index f7f61febb5e..937403c0f1e 100644
--- a/packages/connectors/connector-twilio-sms/src/index.test.ts
+++ b/packages/connectors/connector-twilio-sms/src/index.test.ts
@@ -1,9 +1,7 @@
 import createConnector from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('Twilio SMS connector', () => {
   it('init without throwing errors', async () => {
diff --git a/packages/connectors/connector-wechat-native/CHANGELOG.md b/packages/connectors/connector-wechat-native/CHANGELOG.md
index 41b0a5a7481..a8b63c8afc6 100644
--- a/packages/connectors/connector-wechat-native/CHANGELOG.md
+++ b/packages/connectors/connector-wechat-native/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-wechat-native
 
+## 1.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-wechat-native/package.json b/packages/connectors/connector-wechat-native/package.json
index 6a9e9986efc..ffb01ca21db 100644
--- a/packages/connectors/connector-wechat-native/package.json
+++ b/packages/connectors/connector-wechat-native/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-wechat-native",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "WeChat native connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-wechat-native/src/index.test.ts b/packages/connectors/connector-wechat-native/src/index.test.ts
index 15a5f449ef5..b4bde0fb283 100644
--- a/packages/connectors/connector-wechat-native/src/index.test.ts
+++ b/packages/connectors/connector-wechat-native/src/index.test.ts
@@ -6,13 +6,11 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri', async () => {
@@ -26,7 +24,7 @@ describe('getAuthorizationUri', () => {
         jti: 'dummy-jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toEqual(
       `${authorizationEndpoint}?app_id=%3Capp-id%3E&state=dummy-state`
@@ -37,7 +35,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const accessTokenEndpointUrl = new URL(accessTokenEndpoint);
@@ -66,7 +64,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(parameters)
       .reply(200, { errcode: 40_029, errmsg: 'invalid code' });
-    await expect(getAccessToken('code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'invalid code')
     );
   });
@@ -76,7 +74,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: 40_163, errmsg: 'code been used' });
-    await expect(getAccessToken('code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'code been used')
     );
   });
@@ -86,7 +84,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: -1, errmsg: 'system error' });
-    await expect(getAccessToken('wrong_code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('wrong_code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'system error',
         errcode: -1,
@@ -132,30 +130,35 @@ describe('getUserInfo', () => {
 
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const userInfoEndpointUrl = new URL(userInfoEndpoint);
   const parameters = new URLSearchParams({ access_token: 'access_token', openid: 'openid' });
 
   it('should get valid SocialUserInfo', async () => {
-    nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(0, {
+    const jsonResponse = Object.freeze({
       unionid: 'this_is_an_arbitrary_wechat_union_id',
       headimgurl: 'https://github.com/images/error/octocat_happy.gif',
       nickname: 'wechat bot',
     });
+    nock(userInfoEndpointUrl.origin)
+      .get(userInfoEndpointUrl.pathname)
+      .query(parameters)
+      .reply(0, jsonResponse);
     const connector = await createConnector({ getConfig });
-    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, jest.fn());
+    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, vi.fn());
     expect(socialUserInfo).toMatchObject({
       id: 'this_is_an_arbitrary_wechat_union_id',
       avatar: 'https://github.com/images/error/octocat_happy.gif',
       name: 'wechat bot',
+      rawData: jsonResponse,
     });
   });
 
   it('throws General error if code not provided in input', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, '{}')
     );
   });
@@ -170,7 +173,7 @@ describe('getUserInfo', () => {
         errmsg: 'missing openid',
       });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'missing openid',
         errcode: 41_009,
@@ -184,7 +187,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_001, errmsg: 'invalid credential' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'invalid credential')
     );
   });
@@ -192,7 +195,7 @@ describe('getUserInfo', () => {
   it('throws unrecognized error', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toThrow();
   });
 
   it('throws Error if request failed and errcode is not 40001', async () => {
@@ -201,7 +204,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_003, errmsg: 'invalid openid' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'invalid openid',
         errcode: 40_003,
@@ -212,7 +215,7 @@ describe('getUserInfo', () => {
   it('throws SocialAccessTokenInvalid error if response code is 401', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(401);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid)
     );
   });
diff --git a/packages/connectors/connector-wechat-native/src/index.ts b/packages/connectors/connector-wechat-native/src/index.ts
index fc976cc0931..e2fe4f9ec26 100644
--- a/packages/connectors/connector-wechat-native/src/index.ts
+++ b/packages/connectors/connector-wechat-native/src/index.ts
@@ -100,8 +100,8 @@ const getUserInfo =
         searchParams: { access_token: accessToken, openid },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -114,7 +114,7 @@ const getUserInfo =
       // 'errmsg' and 'errcode' turn to non-empty values or empty values at the same time. Hence, if 'errmsg' is non-empty then 'errcode' should be non-empty.
       userInfoResponseMessageParser(result.data);
 
-      return { id: unionid ?? openid, avatar: headimgurl, name: nickname };
+      return { id: unionid ?? openid, avatar: headimgurl, name: nickname, rawData };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
     }
diff --git a/packages/connectors/connector-wechat-web/CHANGELOG.md b/packages/connectors/connector-wechat-web/CHANGELOG.md
index 136c82791e3..c30b52bafe5 100644
--- a/packages/connectors/connector-wechat-web/CHANGELOG.md
+++ b/packages/connectors/connector-wechat-web/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @logto/connector-wechat-web
 
+## 1.3.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-wechat-web/package.json b/packages/connectors/connector-wechat-web/package.json
index e05743e9121..d14d5c9b49c 100644
--- a/packages/connectors/connector-wechat-web/package.json
+++ b/packages/connectors/connector-wechat-web/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-wechat-web",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Wechat Web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-wechat-web/src/index.test.ts b/packages/connectors/connector-wechat-web/src/index.test.ts
index 6d03e72b000..3906fed7e31 100644
--- a/packages/connectors/connector-wechat-web/src/index.test.ts
+++ b/packages/connectors/connector-wechat-web/src/index.test.ts
@@ -6,13 +6,11 @@ import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
@@ -26,7 +24,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     expect(authorizationUri).toEqual(
       `${authorizationEndpoint}?appid=%3Capp-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&response_type=code&scope=snsapi_login&state=some_state`
@@ -37,7 +35,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const accessTokenEndpointUrl = new URL(accessTokenEndpoint);
@@ -66,7 +64,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(parameters)
       .reply(200, { errcode: 40_029, errmsg: 'invalid code' });
-    await expect(getAccessToken('code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'invalid code')
     );
   });
@@ -76,7 +74,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: 40_163, errmsg: 'code been used' });
-    await expect(getAccessToken('code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'code been used')
     );
   });
@@ -86,7 +84,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: -1, errmsg: 'system error' });
-    await expect(getAccessToken('wrong_code', mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken('wrong_code', mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'system error',
         errcode: -1,
@@ -123,35 +121,40 @@ describe('getUserInfo', () => {
 
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const userInfoEndpointUrl = new URL(userInfoEndpoint);
   const parameters = new URLSearchParams({ access_token: 'access_token', openid: 'openid' });
 
   it('should get valid SocialUserInfo', async () => {
-    nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(0, {
+    const jsonResponse = Object.freeze({
       unionid: 'this_is_an_arbitrary_wechat_union_id',
       headimgurl: 'https://github.com/images/error/octocat_happy.gif',
       nickname: 'wechat bot',
     });
+    nock(userInfoEndpointUrl.origin)
+      .get(userInfoEndpointUrl.pathname)
+      .query(parameters)
+      .reply(0, jsonResponse);
     const connector = await createConnector({ getConfig });
     const socialUserInfo = await connector.getUserInfo(
       {
         code: 'code',
       },
-      jest.fn()
+      vi.fn()
     );
     expect(socialUserInfo).toMatchObject({
       id: 'this_is_an_arbitrary_wechat_union_id',
       avatar: 'https://github.com/images/error/octocat_happy.gif',
       name: 'wechat bot',
+      rawData: jsonResponse,
     });
   });
 
   it('throws General error if code not provided in input', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, '{}')
     );
   });
@@ -166,7 +169,7 @@ describe('getUserInfo', () => {
         errmsg: 'missing openid',
       });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'missing openid',
         errcode: 41_009,
@@ -180,7 +183,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_001, errmsg: 'invalid credential' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'invalid credential')
     );
   });
@@ -188,7 +191,7 @@ describe('getUserInfo', () => {
   it('throws unrecognized error', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toThrow();
   });
 
   it('throws Error if request failed and errcode is not 40001', async () => {
@@ -197,7 +200,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_003, errmsg: 'invalid openid' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'invalid openid',
         errcode: 40_003,
@@ -208,7 +211,7 @@ describe('getUserInfo', () => {
   it('throws SocialAccessTokenInvalid error if response code is 401', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(401);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid)
     );
   });
diff --git a/packages/connectors/connector-wechat-web/src/index.ts b/packages/connectors/connector-wechat-web/src/index.ts
index 7e1d96ff472..49541457264 100644
--- a/packages/connectors/connector-wechat-web/src/index.ts
+++ b/packages/connectors/connector-wechat-web/src/index.ts
@@ -101,8 +101,8 @@ const getUserInfo =
         searchParams: { access_token: accessToken, openid },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -115,7 +115,7 @@ const getUserInfo =
       // 'errmsg' and 'errcode' turn to non-empty values or empty values at the same time. Hence, if 'errmsg' is non-empty then 'errcode' should be non-empty.
       userInfoResponseMessageParser(result.data);
 
-      return { id: unionid ?? openid, avatar: headimgurl, name: nickname };
+      return { id: unionid ?? openid, avatar: headimgurl, name: nickname, rawData };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
     }
diff --git a/packages/connectors/connector-wecom/CHANGELOG.md b/packages/connectors/connector-wecom/CHANGELOG.md
new file mode 100644
index 00000000000..b96f0187cdd
--- /dev/null
+++ b/packages/connectors/connector-wecom/CHANGELOG.md
@@ -0,0 +1,15 @@
+# @logto/connector-wecom
+
+## 0.2.0
+
+### Minor Changes
+
+- 57d97a4df: return and store social connector raw data
+
+### Patch Changes
+
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/connector-kit@3.0.0
diff --git a/packages/connectors/connector-wecom/package.json b/packages/connectors/connector-wecom/package.json
index 622de5d67a5..40ca4af76aa 100644
--- a/packages/connectors/connector-wecom/package.json
+++ b/packages/connectors/connector-wecom/package.json
@@ -1,10 +1,10 @@
 {
   "name": "@logto/connector-wecom",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Wecom connector implementation.",
   "author": "Dove<dove@feegr.cc> fork from Wechat Web connector",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.0.0"
+    "@logto/connector-kit": "workspace:^3.0.0"
   },
   "main": "./lib/index.js",
   "module": "./lib/index.js",
@@ -24,9 +24,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "engines": {
diff --git a/packages/connectors/connector-wecom/src/index.test.ts b/packages/connectors/connector-wecom/src/index.test.ts
index 474b1949df3..7f4d3a1a226 100644
--- a/packages/connectors/connector-wecom/src/index.test.ts
+++ b/packages/connectors/connector-wecom/src/index.test.ts
@@ -11,13 +11,11 @@ import {
 import createConnector, { getAccessToken } from './index.js';
 import { mockedConfig } from './mock.js';
 
-const { jest } = import.meta;
-
-const getConfig = jest.fn().mockResolvedValue(mockedConfig);
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
 
 describe('getAuthorizationUri', () => {
   afterEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   it('should get a valid uri by redirectUri and state', async () => {
@@ -31,7 +29,7 @@ describe('getAuthorizationUri', () => {
         jti: 'some_jti',
         headers: {},
       },
-      jest.fn()
+      vi.fn()
     );
     const userAgent = 'some_UA';
     const isWecom = userAgent.toLowerCase().includes('wxwork');
@@ -48,7 +46,7 @@ describe('getAuthorizationUri', () => {
 describe('getAccessToken', () => {
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const accessTokenEndpointUrl = new URL(accessTokenEndpoint);
@@ -74,7 +72,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(parameters)
       .reply(200, { errcode: 40_029, errmsg: 'invalid code' });
-    await expect(getAccessToken(mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken(mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'invalid code')
     );
   });
@@ -84,7 +82,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: 40_163, errmsg: 'code been used' });
-    await expect(getAccessToken(mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken(mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAuthCodeInvalid, 'code been used')
     );
   });
@@ -94,7 +92,7 @@ describe('getAccessToken', () => {
       .get(accessTokenEndpointUrl.pathname)
       .query(true)
       .reply(200, { errcode: -1, errmsg: 'system error' });
-    await expect(getAccessToken(mockedConfig)).rejects.toMatchError(
+    await expect(getAccessToken(mockedConfig)).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'system error',
         errcode: -1,
@@ -128,33 +126,39 @@ describe('getUserInfo', () => {
 
   afterEach(() => {
     nock.cleanAll();
-    jest.clearAllMocks();
+    vi.clearAllMocks();
   });
 
   const userInfoEndpointUrl = new URL(userInfoEndpoint);
   const parameters = new URLSearchParams({ access_token: 'access_token', code: 'code' });
 
   it('should get valid SocialUserInfo', async () => {
-    nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(0, {
+    const jsonResponse = Object.freeze({
       userid: 'wecom_id',
+      foo: 'bar',
     });
+    nock(userInfoEndpointUrl.origin)
+      .get(userInfoEndpointUrl.pathname)
+      .query(parameters)
+      .reply(0, jsonResponse);
     const connector = await createConnector({ getConfig });
     const socialUserInfo = await connector.getUserInfo(
       {
         code: 'code',
       },
-      jest.fn()
+      vi.fn()
     );
     expect(socialUserInfo).toMatchObject({
       id: 'wecom_id',
       avatar: '',
       name: 'wecom_id',
+      rawData: jsonResponse,
     });
   });
 
   it('throws General error if code not provided in input', async () => {
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({}, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({}, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, '{}')
     );
   });
@@ -169,7 +173,7 @@ describe('getUserInfo', () => {
         errmsg: 'missing openid',
       });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'missing openid',
         errcode: 41_009,
@@ -183,7 +187,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_001, errmsg: 'invalid credential' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid, 'invalid credential')
     );
   });
@@ -191,7 +195,7 @@ describe('getUserInfo', () => {
   it('throws unrecognized error', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(500);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toThrow();
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toThrow();
   });
 
   it('throws Error if request failed and errcode is not 40001', async () => {
@@ -200,7 +204,7 @@ describe('getUserInfo', () => {
       .query(parameters)
       .reply(200, { errcode: 40_003, errmsg: 'invalid openid' });
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.General, {
         errorDescription: 'invalid openid',
         errcode: 40_003,
@@ -211,7 +215,7 @@ describe('getUserInfo', () => {
   it('throws SocialAccessTokenInvalid error if response code is 401', async () => {
     nock(userInfoEndpointUrl.origin).get(userInfoEndpointUrl.pathname).query(parameters).reply(401);
     const connector = await createConnector({ getConfig });
-    await expect(connector.getUserInfo({ code: 'code' }, jest.fn())).rejects.toMatchError(
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toStrictEqual(
       new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid)
     );
   });
diff --git a/packages/connectors/connector-wecom/src/index.ts b/packages/connectors/connector-wecom/src/index.ts
index 1f8ee1114c8..266f2be8453 100644
--- a/packages/connectors/connector-wecom/src/index.ts
+++ b/packages/connectors/connector-wecom/src/index.ts
@@ -106,8 +106,8 @@ const getUserInfo =
         searchParams: { access_token: accessToken, code },
         timeout: { request: defaultTimeout },
       });
-
-      const result = userInfoResponseGuard.safeParse(parseJson(httpResponse.body));
+      const rawData = parseJson(httpResponse.body);
+      const result = userInfoResponseGuard.safeParse(rawData);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
@@ -118,15 +118,18 @@ const getUserInfo =
       errorResponseHandler(result.data);
       //
       const { userid, openid } = result.data;
+      const id = userid ?? openid;
 
-      if (userid) {
-        return { id: userid, avatar: '', name: userid };
-      }
-      if (openid) {
-        return { id: openid, avatar: '', name: openid };
+      if (!id) {
+        throw new Error('Both userid and openid are undefined or null.');
       }
-      throw new Error('Both userid and openid are undefined or null.');
-      // Both userid and openid are null
+
+      return {
+        id,
+        avatar: '',
+        name: id,
+        rawData,
+      };
     } catch (error: unknown) {
       return getUserInfoErrorHandler(error);
     }
diff --git a/packages/connectors/templates/package.json b/packages/connectors/templates/package.json
index a74f8dcdd08..d750610fe60 100644
--- a/packages/connectors/templates/package.json
+++ b/packages/connectors/templates/package.json
@@ -17,38 +17,35 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only --silent --coverage",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
     "prepublishOnly": "pnpm build"
   },
   "dependencies": {
     "@silverhand/essentials": "^2.9.0",
     "got": "^14.0.0",
-    "snakecase-keys": "^6.0.0",
+    "snakecase-keys": "^7.0.0",
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@jest/types": "^29.5.0",
     "@rollup/plugin-commonjs": "^25.0.0",
     "@rollup/plugin-json": "^6.0.0",
     "@rollup/plugin-node-resolve": "^15.0.1",
     "@rollup/plugin-typescript": "^11.0.0",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
     "@types/supertest": "^6.0.0",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
-    "jest-matcher-specific-error": "^1.0.0",
     "lint-staged": "^15.0.0",
     "nock": "^13.2.2",
     "prettier": "^3.0.0",
     "rollup": "^4.0.0",
-    "rollup-plugin-summary": "^2.0.0",
+    "rollup-plugin-output-size": "^1.3.0",
     "supertest": "^6.2.2",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "engines": {
     "node": "^20.9.0"
diff --git a/packages/connectors/templates/preset/jest.config.js b/packages/connectors/templates/preset/jest.config.js
deleted file mode 100644
index 6ca9a171124..00000000000
--- a/packages/connectors/templates/preset/jest.config.js
+++ /dev/null
@@ -1,7 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  setupFilesAfterEnv: ['jest-matcher-specific-error'],
-  roots: ['lib'],
-};
-
-export default config;
diff --git a/packages/connectors/templates/preset/rollup.config.js b/packages/connectors/templates/preset/rollup.config.js
index 29a81ed5d06..df98e6a1c1b 100644
--- a/packages/connectors/templates/preset/rollup.config.js
+++ b/packages/connectors/templates/preset/rollup.config.js
@@ -2,7 +2,7 @@ import commonjs from '@rollup/plugin-commonjs';
 import json from '@rollup/plugin-json';
 import { nodeResolve } from '@rollup/plugin-node-resolve';
 import typescript from '@rollup/plugin-typescript';
-import { summary } from 'rollup-plugin-summary';
+import outputSize from 'rollup-plugin-output-size';
 
 /**
  * @type {import('rollup').RollupOptions}
@@ -14,10 +14,10 @@ const configs = [
     external: ['zod', 'got', '@logto/connector-kit'],
     plugins: [
       typescript({ tsconfig: 'tsconfig.build.json' }),
-      nodeResolve({ exportConditions: ['node'] }),
+      nodeResolve({ exportConditions: ['node'], preferBuiltins: true }),
       commonjs(),
       json(),
-      summary(),
+      outputSize(),
     ],
   },
 ];
diff --git a/packages/connectors/templates/preset/tsconfig.json b/packages/connectors/templates/preset/tsconfig.json
index 40492907f59..4fa2dd684aa 100644
--- a/packages/connectors/templates/preset/tsconfig.json
+++ b/packages/connectors/templates/preset/tsconfig.json
@@ -1,7 +1,7 @@
 {
   "extends": "./tsconfig.base",
   "compilerOptions": {
-    "types": ["node", "jest", "jest-matcher-specific-error"]
+    "types": ["node", "vitest/globals"]
   },
   "include": ["src", "types"]
 }
diff --git a/packages/connectors/templates/preset/types/import-meta.d.ts b/packages/connectors/templates/preset/types/import-meta.d.ts
deleted file mode 100644
index e016debb586..00000000000
--- a/packages/connectors/templates/preset/types/import-meta.d.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-interface ImportMeta {
-  jest: typeof jest & {
-    // Almost same as `jest.mock()`, but factory is required
-    unstable_mockModule: <T = unknown>(
-      moduleName: string,
-      factory: () => T,
-      options?: jest.MockOptions
-    ) => typeof jest;
-  };
-}
diff --git a/packages/connectors/templates/preset/vitest.config.ts b/packages/connectors/templates/preset/vitest.config.ts
new file mode 100644
index 00000000000..32ae898f000
--- /dev/null
+++ b/packages/connectors/templates/preset/vitest.config.ts
@@ -0,0 +1,7 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+  },
+})
diff --git a/packages/connectors/templates/sync-preset.js b/packages/connectors/templates/sync-preset.js
index 1c4294d198f..65225ca181d 100644
--- a/packages/connectors/templates/sync-preset.js
+++ b/packages/connectors/templates/sync-preset.js
@@ -15,6 +15,11 @@ const templateJson = Object.fromEntries(
 );
 const templateKeys = Object.keys(templateJson);
 
+/**
+ * An object that contains exceptions for scripts that are allowed to be different from the template.
+ */
+const scriptExceptions = {};
+
 const sync = async () => {
   const packagesDirectory = './';
   const packages = await fs.readdir(packagesDirectory);
@@ -42,9 +47,23 @@ const sync = async () => {
           );
         }
 
+        const scriptOverrides = scriptExceptions[packageName]
+          ? Object.fromEntries(
+              scriptExceptions[packageName].map((key) => [key, current.scripts[key]])
+            )
+          : {};
+
         await fs.writeFile(
           packageJsonPath,
-          JSON.stringify({ ...current, ...templateJson }, undefined, 2) + '\n'
+          JSON.stringify(
+            {
+              ...current,
+              ...templateJson,
+              scripts: { ...templateJson.scripts, ...scriptOverrides },
+            },
+            undefined,
+            2
+          ) + '\n'
         );
 
         // Copy preset
diff --git a/packages/console/CHANGELOG.md b/packages/console/CHANGELOG.md
index 5cf1630705e..1d632565e22 100644
--- a/packages/console/CHANGELOG.md
+++ b/packages/console/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Change Log
 
+## 1.13.0
+
+### Minor Changes
+
+- 5758f84f5: feat(console): support signing-key rotation
+
+### Patch Changes
+
+- 746483c49: api resource indicator must be a valid absolute uri
+
+  An invalid indicator will make Console crash without this check.
+
+  Note: We don't mark it as a breaking change as the api behavior has not changed, only adding the check on Console.
+
 ## 1.12.1
 
 ### Patch Changes
diff --git a/packages/console/generate.sh b/packages/console/generate.sh
new file mode 100755
index 00000000000..d54dcf99a7d
--- /dev/null
+++ b/packages/console/generate.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Clean up
+rm -rf scripts-js/
+# build the jwt-customizer-type-definition generate script
+pnpm exec tsc -p tsconfig.scripts.gen.json
+# clean up the existing generated jwt-customizer-type-definition file
+rm -f src/consts/jwt-customizer-type-definition.ts
+# run script
+node scripts-js/generate-jwt-customizer-type-definition.js
+# Clean up
+rm -rf scripts-js/
diff --git a/packages/console/package.json b/packages/console/package.json
index 64626cda817..d614198b90c 100644
--- a/packages/console/package.json
+++ b/packages/console/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/console",
-  "version": "1.12.1",
+  "version": "1.13.0",
   "description": "> TODO: description",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
@@ -11,11 +11,13 @@
     "dist"
   ],
   "scripts": {
+    "prepack": "pnpm generate",
+    "generate": "./generate.sh",
     "precommit": "lint-staged",
     "start": "parcel src/index.html",
     "dev": "cross-env PORT=5002 parcel src/index.html --public-url ${CONSOLE_PUBLIC_URL:-/console} --no-cache --hmr-port 6002",
     "check": "tsc --noEmit",
-    "build": "pnpm check && rm -rf dist && parcel build src/index.html --no-autoinstall --no-cache --public-url ${CONSOLE_PUBLIC_URL:-/console}",
+    "build": "pnpm generate && pnpm check && rm -rf dist && parcel build src/index.html --no-autoinstall --no-cache --public-url ${CONSOLE_PUBLIC_URL:-/console}",
     "lint": "eslint --ext .ts --ext .tsx src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "stylelint": "stylelint \"src/**/*.scss\"",
@@ -26,16 +28,17 @@
     "@fontsource/roboto-mono": "^5.0.0",
     "@jest/types": "^29.5.0",
     "@logto/app-insights": "workspace:^1.4.0",
-    "@logto/cloud": "0.2.5-faca9a9",
-    "@logto/connector-kit": "workspace:^2.1.0",
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/cloud": "0.2.5-ab8a489",
+    "@logto/connector-kit": "workspace:^3.0.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/phrases-experience": "workspace:^1.6.0",
-    "@logto/react": "^3.0.0",
-    "@logto/schemas": "workspace:^1.13.1",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/phrases-experience": "workspace:^1.6.1",
+    "@logto/react": "^3.0.5",
+    "@logto/schemas": "workspace:^1.15.0",
     "@logto/shared": "workspace:^3.1.0",
     "@mdx-js/react": "^1.6.22",
+    "@monaco-editor/react": "^4.6.0",
     "@parcel/compressor-brotli": "2.9.3",
     "@parcel/compressor-gzip": "2.9.3",
     "@parcel/core": "2.9.3",
@@ -60,7 +63,7 @@
     "@types/react-helmet": "^6.1.6",
     "@types/react-modal": "^3.13.1",
     "@types/react-syntax-highlighter": "^15.5.1",
-    "@withtyped/client": "^0.7.22",
+    "@withtyped/client": "^0.8.4",
     "buffer": "^5.7.1",
     "classnames": "^2.3.1",
     "clean-deep": "^3.4.0",
@@ -81,7 +84,7 @@
     "jest-transform-stub": "^2.0.0",
     "jest-transformer-svg": "^2.0.0",
     "just-kebab-case": "^4.2.0",
-    "ky": "^1.0.0",
+    "ky": "^1.2.3",
     "libphonenumber-js": "^1.10.51",
     "lint-staged": "^15.0.0",
     "nanoid": "^5.0.1",
@@ -120,7 +123,8 @@
     "ts-node": "^10.9.2",
     "tslib": "^2.4.1",
     "typescript": "^5.3.3",
-    "zod": "^3.22.4"
+    "zod": "^3.22.4",
+    "zod-to-ts": "^1.2.0"
   },
   "engines": {
     "node": "^20.9.0"
@@ -140,6 +144,12 @@
   },
   "eslintConfig": {
     "extends": "@silverhand/react",
+    "parserOptions": {
+      "project": [
+        "./tsconfig.json",
+        "./tsconfig.scripts.gen.json"
+      ]
+    },
     "rules": {
       "react/function-component-definition": [
         "error",
diff --git a/packages/console/scripts/generate-jwt-customizer-type-definition.ts b/packages/console/scripts/generate-jwt-customizer-type-definition.ts
new file mode 100644
index 00000000000..9b25077a20b
--- /dev/null
+++ b/packages/console/scripts/generate-jwt-customizer-type-definition.ts
@@ -0,0 +1,75 @@
+import fs from 'node:fs';
+
+import {
+  accessTokenPayloadGuard,
+  clientCredentialsPayloadGuard,
+  jwtCustomizerUserContextGuard,
+} from '@logto/schemas';
+import prettier from 'prettier';
+import { type ZodTypeAny } from 'zod';
+import { printNode, zodToTs } from 'zod-to-ts';
+
+const filePath = 'src/consts/jwt-customizer-type-definition.ts';
+
+const typeIdentifiers = `export enum JwtCustomizerTypeDefinitionKey {
+  JwtCustomizerUserContext = 'JwtCustomizerUserContext',
+  AccessTokenPayload = 'AccessTokenPayload',
+  ClientCredentialsPayload = 'ClientCredentialsPayload',
+  EnvironmentVariables = 'EnvironmentVariables',
+};`;
+
+const inferTsDefinitionFromZod = (zodSchema: ZodTypeAny, identifier: string): string => {
+  /**
+   * We have z.lazy() used for defining Json objects in the zod schemas.
+   * @see https://zod.dev/?id=json-type
+   * zod-to-ts does not support z.lazy() yet. It will use the root type of the lazy schema. Which will be the identifier we pass to the function.
+   * @see https://github.com/sachinraja/zod-to-ts?tab=readme-ov-file#zlazy
+   *
+   * The second argument is the root type identifier for the schema.
+   * Here we use 'Record<string, unknown>' as the root type identifier. So all the Json objects will be inferred as Record<string, unknown>.
+   * This is a limitation of zod-to-ts. We can't infer the exact type of the Json objects.
+   * This solution is hacky but it works for now. The impact is it will always define the type identifer as Record<string, unknown>.
+   */
+  const { node } = zodToTs(zodSchema, 'Record<string, unknown>', { nativeEnums: 'union' });
+  const typeDefinition = printNode(node);
+
+  return `type ${identifier} = ${typeDefinition};`;
+};
+
+// Create the jwt-customizer-type-definition.ts file
+const createJwtCustomizerTypeDefinitions = async () => {
+  const jwtCustomizerUserContextTypeDefinition = inferTsDefinitionFromZod(
+    jwtCustomizerUserContextGuard,
+    'JwtCustomizerUserContext'
+  );
+
+  const accessTokenPayloadTypeDefinition = inferTsDefinitionFromZod(
+    accessTokenPayloadGuard,
+    'AccessTokenPayload'
+  );
+
+  const clientCredentialsPayloadTypeDefinition = inferTsDefinitionFromZod(
+    clientCredentialsPayloadGuard,
+    'ClientCredentialsPayload'
+  );
+
+  const fileContent = `/* This file is auto-generated. Do not modify it manually. */
+${typeIdentifiers}
+
+export const jwtCustomizerUserContextTypeDefinition = \`${jwtCustomizerUserContextTypeDefinition}\`;
+
+export const accessTokenPayloadTypeDefinition = \`${accessTokenPayloadTypeDefinition}\`;
+
+export const clientCredentialsPayloadTypeDefinition = \`${clientCredentialsPayloadTypeDefinition}\`;
+`;
+
+  const formattedFileContent = await prettier.format(fileContent, {
+    parser: 'typescript',
+    tabWidth: 2,
+    singleQuote: true,
+  });
+
+  fs.writeFileSync(filePath, formattedFileContent);
+};
+
+void createJwtCustomizerTypeDefinitions();
diff --git a/packages/console/src/App.tsx b/packages/console/src/App.tsx
index 007f035a99b..451560e44fb 100644
--- a/packages/console/src/App.tsx
+++ b/packages/console/src/App.tsx
@@ -1,6 +1,6 @@
 import { AppInsightsBoundary } from '@logto/app-insights/react';
 import { UserScope } from '@logto/core-kit';
-import { LogtoProvider, useLogto } from '@logto/react';
+import { LogtoProvider, Prompt, useLogto } from '@logto/react';
 import {
   adminConsoleApplicationId,
   defaultTenantId,
@@ -22,11 +22,12 @@ import CloudAppRoutes from '@/cloud/AppRoutes';
 import AppLoading from '@/components/AppLoading';
 import { isCloud } from '@/consts/env';
 import { cloudApi, getManagementApi, meApi } from '@/consts/resources';
+import { ConsoleRoutes } from '@/containers/ConsoleRoutes';
 import useTrackUserId from '@/hooks/use-track-user-id';
 import { OnboardingRoutes } from '@/onboarding';
 import useUserOnboardingData from '@/onboarding/hooks/use-user-onboarding-data';
-import { ConsoleRoutes } from '@/pages/ConsoleRoutes';
 
+import { GlobalScripts } from './components/Conversion';
 import { adminTenantEndpoint, mainTitle } from './consts';
 import ErrorBoundary from './containers/ErrorBoundary';
 import LogtoErrorBoundary from './containers/LogtoErrorBoundary';
@@ -109,6 +110,7 @@ function Providers() {
         appId: adminConsoleApplicationId,
         resources,
         scopes,
+        prompt: [Prompt.Login, Prompt.Consent],
       }}
     >
       <AppThemeProvider>
@@ -153,5 +155,10 @@ function AppRoutes() {
     return <AppLoading />;
   }
 
-  return isAuthenticated && isOnboarding ? <OnboardingRoutes /> : <ConsoleRoutes />;
+  return (
+    <>
+      <GlobalScripts />
+      {isAuthenticated && isOnboarding ? <OnboardingRoutes /> : <ConsoleRoutes />}
+    </>
+  );
 }
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/README.mdx b/packages/console/src/assets/docs/single-sign-on/azure-oidc/README.mdx
new file mode 100644
index 00000000000..0245fe9393d
--- /dev/null
+++ b/packages/console/src/assets/docs/single-sign-on/azure-oidc/README.mdx
@@ -0,0 +1,78 @@
+import OidcCallbackUri from '@/mdx-components/OidcCallbackUri';
+import Step from '@/mdx-components/Step';
+
+import createApplication from './assets/create_application.webp';
+import configApplication from './assets/config_application.webp';
+import applicationDetails from './assets/application_details.webp';
+import createSecret from './assets/create_secret.webp';
+import endpoints from './assets/endpoints.webp';
+
+<Step index={0} title="Create an Microsoft EntraID OIDC application">
+
+1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/) and sign in as an administrator.
+
+2. Browse to Identity > Applications > App registrations.
+
+<center>
+  <img src={createApplication} alt="Create Application" />
+</center>
+
+3. Select `New registration`.
+
+4. Enter the application name and select the appropriate account type for your application.
+
+5. Select `Web` as the application platform. Enter the redirect URI for the application. The redirect URI is the URL where the user is redirected after they have authenticated with Microsoft Entra ID.
+
+<OidcCallbackUri />
+
+<center>
+  <img src={configApplication} alt="Configure Application" />
+</center>
+
+6. Click `Register` to create the application.
+
+</Step>
+
+<Step index={1} title="Configure SSO connector on Logto">
+
+After successfully creating an Microsoft Entra OIDC application, you will need to provide the IdP configurations back to Logto. Navigate to the `Connection` tab at Logto console, and fill in the following configurations:
+
+1. **Client ID**: A unique identifier assigned to your OIDC application by the Microsoft Entra. This identifier is used by Logto to identify and authenticate the application during the OIDC flow. You can find it in the application overview page as `Application (client) ID`.
+
+<center>
+  <img src={applicationDetails} alt="Application Details" />
+</center>
+
+2. **Client Secret**: Create a new client secret and copy the value to Logto. This secret is used to authenticate the OIDC application and secure the communication between Logto and the IdP.
+
+<center>
+  <img src={createSecret} alt="Create Secret" />
+</center>
+
+3. **Issuer**: The issuer URL, a unique identifier for the IdP, specifying the location where the OIDC identity provider can be found. It is a crucial part of the OIDC configuration as it helps Logto discover the necessary endpoints.
+
+   Instead of manually provide all these OIDC endpoints, Logto fetch all the required configurations and IdP endpoints automatically. This is done by utilizing the issuer url you provided and making a call to the IdP's discover endpoint.
+
+   To get the issuer URL, you can find it in the `Endpoints` section of the application overview page.
+
+   Locate the `OpenID Connect metadata document` endpoint and copy the URL **WITHOUT** the trailing path `.well-known/openid-configuration`. This is because Logto will automatically append the `.well-known/openid-configuration` to the issuer URL when fetching the OIDC configurations.
+
+<center>
+  <img src={endpoints} alt="Endpoints" />
+</center>
+
+4. **Scope**: A space-separated list of strings defining the desired permissions or access levels requested by Logto during the OIDC authentication process. The scope parameter allows you to specify what information and access Logto is requesting from the IdP.
+
+The scope parameter is optional. Regardless of the custom scope settings, Logto will always send the `openid`, `profile` and `email` scopes to the IdP.
+
+Click `Save` to finish the configuration process
+
+</Step>
+
+<Step index={2} title="Set email domains and enable the SSO connector">
+
+Provide the email `domains` of your organization on the connector `experience` tab. This will enabled the SSO connector as an authentication method for those users.
+
+Users with email addresses in the specified domains will be exclusively limited to use your SSO connector as their only authentication method.
+
+</Step>
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/application_details.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/application_details.webp
new file mode 100644
index 00000000000..909c0626c8d
Binary files /dev/null and b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/application_details.webp differ
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/config_application.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/config_application.webp
new file mode 100644
index 00000000000..9bd2bd5c9c9
Binary files /dev/null and b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/config_application.webp differ
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_application.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_application.webp
new file mode 100644
index 00000000000..af39e2607f2
Binary files /dev/null and b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_application.webp differ
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_secret.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_secret.webp
new file mode 100644
index 00000000000..1151663fbec
Binary files /dev/null and b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/create_secret.webp differ
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/endpoints.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/endpoints.webp
new file mode 100644
index 00000000000..895866cb3a3
Binary files /dev/null and b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/endpoints.webp differ
diff --git a/packages/console/src/assets/docs/single-sign-on/index.ts b/packages/console/src/assets/docs/single-sign-on/index.ts
index 130fc3da02b..775e05e21f0 100644
--- a/packages/console/src/assets/docs/single-sign-on/index.ts
+++ b/packages/console/src/assets/docs/single-sign-on/index.ts
@@ -1,6 +1,6 @@
 import { SsoProviderName } from '@logto/schemas';
 import { type MDXProps } from 'mdx/types';
-import { lazy, type LazyExoticComponent, type FunctionComponent } from 'react';
+import { lazy, type FunctionComponent, type LazyExoticComponent } from 'react';
 
 type GuideComponentType = LazyExoticComponent<FunctionComponent<MDXProps>>;
 
@@ -10,6 +10,7 @@ const ssoConnectorGuides: Readonly<{ [key in SsoProviderName]?: GuideComponentTy
   [SsoProviderName.AZURE_AD]: lazy(async () => import('./azure-ad/README.mdx')),
   [SsoProviderName.GOOGLE_WORKSPACE]: lazy(async () => import('./google-workspace/README.mdx')),
   [SsoProviderName.OKTA]: lazy(async () => import('./okta/README.mdx')),
+  [SsoProviderName.AZURE_AD_OIDC]: lazy(async () => import('./azure-oidc/README.mdx')),
 };
 
 export default ssoConnectorGuides;
diff --git a/packages/console/src/assets/icons/book.svg b/packages/console/src/assets/icons/book.svg
new file mode 100644
index 00000000000..d91a3473790
--- /dev/null
+++ b/packages/console/src/assets/icons/book.svg
@@ -0,0 +1,4 @@
+<svg width="17" height="17" viewBox="0 0 17 17" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path d="M11.7944 1.74365H3.79435C3.61754 1.74365 3.44797 1.81389 3.32295 1.93891C3.19792 2.06394 3.12769 2.23351 3.12769 2.41032V14.4103C3.12769 14.5871 3.19792 14.7567 3.32295 14.8817C3.44797 15.0067 3.61754 15.077 3.79435 15.077H11.7944C12.3248 15.077 12.8335 14.8663 13.2086 14.4912C13.5836 14.1161 13.7944 13.6074 13.7944 13.077V3.74365C13.7944 3.21322 13.5836 2.70451 13.2086 2.32944C12.8335 1.95437 12.3248 1.74365 11.7944 1.74365ZM5.79435 13.7437H4.46102V3.07699H5.79435V13.7437ZM12.461 13.077C12.461 13.2538 12.3908 13.4234 12.2658 13.5484C12.1407 13.6734 11.9712 13.7437 11.7944 13.7437H7.12769V3.07699H11.7944C11.9712 3.07699 12.1407 3.14722 12.2658 3.27225C12.3908 3.39727 12.461 3.56684 12.461 3.74365V13.077Z" fill="currentcolor" />
+</svg>
diff --git a/packages/console/src/assets/icons/conical-flask.svg b/packages/console/src/assets/icons/conical-flask.svg
new file mode 100644
index 00000000000..2059208bd87
--- /dev/null
+++ b/packages/console/src/assets/icons/conical-flask.svg
@@ -0,0 +1,4 @@
+<svg width="17" height="16" viewBox="0 0 17 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M13.5676 11.6599L10.1609 5.81992V2.66659H10.8276C11.0044 2.66659 11.174 2.59635 11.299 2.47132C11.424 2.3463 11.4942 2.17673 11.4942 1.99992C11.4942 1.82311 11.424 1.65354 11.299 1.52851C11.174 1.40349 11.0044 1.33325 10.8276 1.33325H5.49424C5.31743 1.33325 5.14786 1.40349 5.02283 1.52851C4.89781 1.65354 4.82757 1.82311 4.82757 1.99992C4.82757 2.17673 4.89781 2.3463 5.02283 2.47132C5.14786 2.59635 5.31743 2.66659 5.49424 2.66659H6.1609V5.81992L2.75424 11.6599C2.57727 11.9637 2.48351 12.3088 2.48243 12.6604C2.48135 13.012 2.57297 13.3577 2.74807 13.6626C2.92317 13.9675 3.17555 14.2208 3.47977 14.3971C3.78399 14.5734 4.12931 14.6663 4.4809 14.6666H11.8142C12.1658 14.6663 12.5111 14.5734 12.8154 14.3971C13.1196 14.2208 13.372 13.9675 13.5471 13.6626C13.7222 13.3577 13.8138 13.012 13.8127 12.6604C13.8116 12.3088 13.7179 11.9637 13.5409 11.6599H13.5676ZM7.4009 6.32659C7.4597 6.22758 7.49186 6.11504 7.49424 5.99992V2.66659H8.82757V5.99992C8.82879 6.11731 8.86099 6.2323 8.9209 6.33325L9.49424 7.33325H6.82757L7.4009 6.32659ZM12.4142 12.9933C12.3561 13.094 12.2725 13.1778 12.172 13.2363C12.0714 13.2947 11.9572 13.3259 11.8409 13.3266H4.50757C4.39123 13.3259 4.2771 13.2947 4.17651 13.2363C4.07593 13.1778 3.99241 13.094 3.93424 12.9933C3.87573 12.8919 3.84492 12.7769 3.84492 12.6599C3.84492 12.5429 3.87573 12.4279 3.93424 12.3266L6.04757 8.66659H10.2809L12.4142 12.3333C12.4727 12.4346 12.5036 12.5496 12.5036 12.6666C12.5036 12.7836 12.4727 12.8986 12.4142 12.9999V12.9933ZM6.82757 9.99992C6.69572 9.99992 6.56682 10.039 6.45719 10.1123C6.34756 10.1855 6.26211 10.2896 6.21165 10.4115C6.16119 10.5333 6.14799 10.6673 6.17371 10.7966C6.19944 10.926 6.26293 11.0448 6.35617 11.138C6.4494 11.2312 6.56819 11.2947 6.69751 11.3204C6.82683 11.3462 6.96088 11.333 7.08269 11.2825C7.20451 11.232 7.30863 11.1466 7.38188 11.037C7.45514 10.9273 7.49424 10.7984 7.49424 10.6666C7.49424 10.4898 7.424 10.3202 7.29897 10.1952C7.17395 10.0702 7.00438 9.99992 6.82757 9.99992ZM9.49424 10.6666C9.36238 10.6666 9.23349 10.7057 9.12386 10.7789C9.01422 10.8522 8.92878 10.9563 8.87832 11.0781C8.82786 11.1999 8.81466 11.334 8.84038 11.4633C8.8661 11.5926 8.9296 11.7114 9.02283 11.8047C9.11607 11.8979 9.23486 11.9614 9.36418 11.9871C9.4935 12.0128 9.62754 11.9996 9.74936 11.9492C9.87118 11.8987 9.9753 11.8133 10.0485 11.7036C10.1218 11.594 10.1609 11.4651 10.1609 11.3333C10.1609 11.1564 10.0907 10.9869 9.96564 10.8618C9.84062 10.7368 9.67105 10.6666 9.49424 10.6666Z" fill="currentcolor"/>
+</svg>
+  
\ No newline at end of file
diff --git a/packages/console/src/assets/icons/invitation.svg b/packages/console/src/assets/icons/invitation.svg
new file mode 100644
index 00000000000..2c245c59f2e
--- /dev/null
+++ b/packages/console/src/assets/icons/invitation.svg
@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M13.6667 9.33335C13.4899 9.33335 13.3203 9.40358 13.1953 9.52861C13.0702 9.65363 13 9.8232 13 10V12.6667C13 12.8435 12.9298 13.0131 12.8047 13.1381C12.6797 13.2631 12.5101 13.3333 12.3333 13.3333H3C2.82319 13.3333 2.65362 13.2631 2.5286 13.1381C2.40357 13.0131 2.33333 12.8435 2.33333 12.6667V6.27335L6.25333 10.2C6.62833 10.5745 7.13666 10.7849 7.66667 10.7849C8.19667 10.7849 8.705 10.5745 9.08 10.2L10.1733 9.10668C10.2989 8.98114 10.3694 8.81088 10.3694 8.63335C10.3694 8.45581 10.2989 8.28555 10.1733 8.16001C10.0478 8.03448 9.87753 7.96395 9.7 7.96395C9.52247 7.96395 9.3522 8.03448 9.22667 8.16001L8.13333 9.25335C8.00871 9.3755 7.84117 9.44392 7.66667 9.44392C7.49216 9.44392 7.32462 9.3755 7.2 9.25335L3.27333 5.33335H7.66667C7.84348 5.33335 8.01305 5.26311 8.13807 5.13808C8.26309 5.01306 8.33333 4.84349 8.33333 4.66668C8.33333 4.48987 8.26309 4.3203 8.13807 4.19527C8.01305 4.07025 7.84348 4.00001 7.66667 4.00001H3C2.46957 4.00001 1.96086 4.21073 1.58579 4.5858C1.21071 4.96087 1 5.46958 1 6.00001V12.6667C1 13.1971 1.21071 13.7058 1.58579 14.0809C1.96086 14.456 2.46957 14.6667 3 14.6667H12.3333C12.8638 14.6667 13.3725 14.456 13.7475 14.0809C14.1226 13.7058 14.3333 13.1971 14.3333 12.6667V10C14.3333 9.8232 14.2631 9.65363 14.1381 9.52861C14.013 9.40358 13.8435 9.33335 13.6667 9.33335ZM14.8067 3.52668L12.8067 1.52668C12.7433 1.46599 12.6685 1.41841 12.5867 1.38668C12.4244 1.32 12.2423 1.32 12.08 1.38668C11.9982 1.41841 11.9234 1.46599 11.86 1.52668L9.86 3.52668C9.73446 3.65221 9.66394 3.82248 9.66394 4.00001C9.66394 4.17755 9.73446 4.34781 9.86 4.47335C9.98554 4.59888 10.1558 4.66941 10.3333 4.66941C10.5109 4.66941 10.6811 4.59888 10.8067 4.47335L11.6667 3.60668V7.33335C11.6667 7.51016 11.7369 7.67973 11.8619 7.80475C11.987 7.92977 12.1565 8.00001 12.3333 8.00001C12.5101 8.00001 12.6797 7.92977 12.8047 7.80475C12.9298 7.67973 13 7.51016 13 7.33335V3.60668L13.86 4.47335C13.922 4.53583 13.9957 4.58543 14.0769 4.61927C14.1582 4.65312 14.2453 4.67054 14.3333 4.67054C14.4213 4.67054 14.5085 4.65312 14.5897 4.61927C14.671 4.58543 14.7447 4.53583 14.8067 4.47335C14.8692 4.41137 14.9187 4.33764 14.9526 4.2564C14.9864 4.17516 15.0039 4.08802 15.0039 4.00001C15.0039 3.912 14.9864 3.82487 14.9526 3.74363C14.9187 3.66239 14.8692 3.58865 14.8067 3.52668Z" fill="currentColor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/jwt-claims.svg b/packages/console/src/assets/icons/jwt-claims.svg
new file mode 100644
index 00000000000..82fb6e07c37
--- /dev/null
+++ b/packages/console/src/assets/icons/jwt-claims.svg
@@ -0,0 +1,4 @@
+<svg width="17" height="18" viewBox="0 0 17 18" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path d="M10.1276 8.16645H9.2943V7.33312C9.2943 7.11211 9.2065 6.90014 9.05022 6.74386C8.89394 6.58758 8.68198 6.49979 8.46097 6.49979C8.23995 6.49979 8.02799 6.58758 7.87171 6.74386C7.71543 6.90014 7.62764 7.11211 7.62764 7.33312V8.16645H6.7943C6.57329 8.16645 6.36133 8.25425 6.20505 8.41053C6.04877 8.56681 5.96097 8.77877 5.96097 8.99979C5.96097 9.2208 6.04877 9.43276 6.20505 9.58904C6.36133 9.74532 6.57329 9.83312 6.7943 9.83312H7.62764V10.6665C7.62764 10.8875 7.71543 11.0994 7.87171 11.2557C8.02799 11.412 8.23995 11.4998 8.46097 11.4998C8.68198 11.4998 8.89394 11.412 9.05022 11.2557C9.2065 11.0994 9.2943 10.8875 9.2943 10.6665V9.83312H10.1276C10.3486 9.83312 10.5606 9.74532 10.7169 9.58904C10.8732 9.43276 10.961 9.2208 10.961 8.99979C10.961 8.77877 10.8732 8.56681 10.7169 8.41053C10.5606 8.25425 10.3486 8.16645 10.1276 8.16645ZM16.5526 8.40812L14.5943 6.49979V3.69979C14.5943 3.47877 14.5065 3.26681 14.3502 3.11053C14.1939 2.95425 13.982 2.86645 13.761 2.86645H11.0026L9.05264 0.90812C8.97517 0.830013 8.883 0.768017 8.78145 0.72571C8.6799 0.683403 8.57098 0.661621 8.46097 0.661621C8.35096 0.661621 8.24204 0.683403 8.14049 0.72571C8.03894 0.768017 7.94677 0.830013 7.8693 0.90812L5.96097 2.86645H3.16097C2.93995 2.86645 2.72799 2.95425 2.57171 3.11053C2.41543 3.26681 2.32763 3.47877 2.32763 3.69979V6.49979L0.369301 8.40812C0.291194 8.48559 0.229199 8.57776 0.186892 8.67931C0.144585 8.78086 0.122803 8.88978 0.122803 8.99979C0.122803 9.1098 0.144585 9.21872 0.186892 9.32027C0.229199 9.42182 0.291194 9.51398 0.369301 9.59145L2.32763 11.5415V14.2998C2.32763 14.5208 2.41543 14.7328 2.57171 14.889C2.72799 15.0453 2.93995 15.1331 3.16097 15.1331H5.96097L7.91097 17.0915C7.98844 17.1696 8.08061 17.2316 8.18215 17.2739C8.2837 17.3162 8.39263 17.338 8.50264 17.338C8.61265 17.338 8.72157 17.3162 8.82312 17.2739C8.92467 17.2316 9.01683 17.1696 9.0943 17.0915L11.0443 15.1331H13.8026C14.0236 15.1331 14.2356 15.0453 14.3919 14.889C14.5482 14.7328 14.636 14.5208 14.636 14.2998V11.5415L16.5943 9.59145C16.6697 9.51127 16.7285 9.41693 16.7673 9.31388C16.8061 9.21084 16.8241 9.10113 16.8202 8.9911C16.8163 8.88107 16.7907 8.7729 16.7447 8.67284C16.6988 8.57277 16.6335 8.4828 16.5526 8.40812ZM13.1776 10.6081C13.0989 10.6853 13.0363 10.7773 12.9933 10.8789C12.9504 10.9805 12.9281 11.0895 12.9276 11.1998V13.4665H10.661C10.5507 13.4669 10.4416 13.4892 10.3401 13.5322C10.2385 13.5751 10.1465 13.6377 10.0693 13.7165L8.46097 15.3248L6.85263 13.7165C6.77546 13.6377 6.68342 13.5751 6.58186 13.5322C6.48029 13.4892 6.37122 13.4669 6.26097 13.4665H3.9943V11.1998C3.99384 11.0895 3.97151 10.9805 3.9286 10.8789C3.88568 10.7773 3.82304 10.6853 3.7443 10.6081L2.13597 8.99979L3.7443 7.39145C3.82304 7.31427 3.88568 7.22224 3.9286 7.12067C3.97151 7.01911 3.99384 6.91004 3.9943 6.79979V4.53312H6.26097C6.37122 4.53266 6.48029 4.51033 6.58186 4.46742C6.68342 4.4245 6.77546 4.36186 6.85263 4.28312L8.46097 2.67479L10.0693 4.28312C10.1465 4.36186 10.2385 4.4245 10.3401 4.46742C10.4416 4.51033 10.5507 4.53266 10.661 4.53312H12.9276V6.79979C12.9281 6.91004 12.9504 7.01911 12.9933 7.12067C13.0363 7.22224 13.0989 7.31427 13.1776 7.39145L14.786 8.99979L13.1776 10.6081Z" fill="currentcolor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/key.svg b/packages/console/src/assets/icons/key.svg
new file mode 100644
index 00000000000..821b2ce867f
--- /dev/null
+++ b/packages/console/src/assets/icons/key.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M17.4998 3.66675L18.0832 3.08341C18.4165 2.75008 18.4165 2.25008 18.0832 1.91675C17.7498 1.58341 17.2498 1.58341 16.9165 1.91675L8.1665 10.6667C7.49984 10.2501 6.6665 10.0001 5.83317 10.0001C3.49984 10.0001 1.6665 11.8334 1.6665 14.1667C1.6665 16.5001 3.49984 18.3334 5.83317 18.3334C8.1665 18.3334 9.99984 16.5001 9.99984 14.1667C9.99984 13.3334 9.74984 12.5001 9.33317 11.8334L13.9998 7.16675L15.7498 8.91675C16.0832 9.25008 16.5832 9.25008 16.9165 8.91675C17.2498 8.58342 17.2498 8.08342 16.9165 7.75008L15.1665 6.00008L16.3332 4.83342L16.9165 5.41675C17.2498 5.75008 17.7498 5.75008 18.0832 5.41675C18.4165 5.08341 18.4165 4.58341 18.0832 4.25008L17.4998 3.66675ZM5.83317 16.6667C4.4165 16.6667 3.33317 15.5834 3.33317 14.1667C3.33317 12.7501 4.4165 11.6667 5.83317 11.6667C7.24984 11.6667 8.33317 12.7501 8.33317 14.1667C8.33317 15.5834 7.24984 16.6667 5.83317 16.6667Z" fill="#78767F"/>
+</svg>
diff --git a/packages/console/src/assets/icons/members.svg b/packages/console/src/assets/icons/members.svg
new file mode 100644
index 00000000000..be8a9de010d
--- /dev/null
+++ b/packages/console/src/assets/icons/members.svg
@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M8.20002 8.14671C8.55574 7.8388 8.84105 7.45796 9.0366 7.03006C9.23215 6.60215 9.33336 6.13718 9.33335 5.66671C9.33335 4.78265 8.98216 3.93481 8.35704 3.30968C7.73192 2.68456 6.88408 2.33337 6.00002 2.33337C5.11597 2.33337 4.26812 2.68456 3.643 3.30968C3.01788 3.93481 2.66669 4.78265 2.66669 5.66671C2.66668 6.13718 2.76789 6.60215 2.96344 7.03006C3.15899 7.45796 3.4443 7.8388 3.80002 8.14671C2.86678 8.5693 2.075 9.25173 1.51934 10.1124C0.963684 10.9731 0.667668 11.9756 0.666687 13C0.666687 13.1769 0.736925 13.3464 0.861949 13.4714C0.986973 13.5965 1.15654 13.6667 1.33335 13.6667C1.51016 13.6667 1.67973 13.5965 1.80476 13.4714C1.92978 13.3464 2.00002 13.1769 2.00002 13C2.00002 11.9392 2.42145 10.9218 3.17159 10.1716C3.92174 9.42147 4.93915 9.00004 6.00002 9.00004C7.06089 9.00004 8.0783 9.42147 8.82845 10.1716C9.57859 10.9218 10 11.9392 10 13C10 13.1769 10.0703 13.3464 10.1953 13.4714C10.3203 13.5965 10.4899 13.6667 10.6667 13.6667C10.8435 13.6667 11.0131 13.5965 11.1381 13.4714C11.2631 13.3464 11.3334 13.1769 11.3334 13C11.3324 11.9756 11.0364 10.9731 10.4807 10.1124C9.92504 9.25173 9.13326 8.5693 8.20002 8.14671ZM6.00002 7.66671C5.60446 7.66671 5.21778 7.54941 4.88888 7.32965C4.55998 7.10988 4.30364 6.79753 4.15226 6.43207C4.00089 6.06662 3.96128 5.66449 4.03845 5.27653C4.11562 4.88856 4.3061 4.5322 4.58581 4.25249C4.86551 3.97279 5.22188 3.78231 5.60984 3.70514C5.9978 3.62797 6.39994 3.66757 6.76539 3.81895C7.13084 3.97032 7.4432 4.22667 7.66296 4.55557C7.88272 4.88447 8.00002 5.27114 8.00002 5.66671C8.00002 6.19714 7.78931 6.70585 7.41423 7.08092C7.03916 7.45599 6.53045 7.66671 6.00002 7.66671ZM12.4934 7.88004C12.92 7.39959 13.1987 6.80608 13.2959 6.17093C13.3931 5.53579 13.3046 4.88609 13.0412 4.30004C12.7778 3.71399 12.3505 3.21657 11.811 2.86766C11.2715 2.51874 10.6426 2.3332 10 2.33337C9.82321 2.33337 9.65364 2.40361 9.52862 2.52864C9.40359 2.65366 9.33335 2.82323 9.33335 3.00004C9.33335 3.17685 9.40359 3.34642 9.52862 3.47145C9.65364 3.59647 9.82321 3.66671 10 3.66671C10.5305 3.66671 11.0392 3.87742 11.4142 4.25249C11.7893 4.62757 12 5.13627 12 5.66671C11.9991 6.01687 11.9062 6.36064 11.7307 6.66365C11.5552 6.96667 11.3033 7.21829 11 7.39337C10.9012 7.45039 10.8186 7.53182 10.7603 7.62987C10.7019 7.72792 10.6697 7.83931 10.6667 7.95337C10.6639 8.06655 10.69 8.17857 10.7425 8.27888C10.7949 8.37919 10.8721 8.46448 10.9667 8.52671L11.2267 8.70004L11.3134 8.74671C12.117 9.12785 12.7949 9.7307 13.2673 10.4843C13.7398 11.2378 13.9871 12.1107 13.98 13C13.98 13.1769 14.0503 13.3464 14.1753 13.4714C14.3003 13.5965 14.4699 13.6667 14.6467 13.6667C14.8235 13.6667 14.9931 13.5965 15.1181 13.4714C15.2431 13.3464 15.3134 13.1769 15.3134 13C15.3188 11.977 15.0626 10.9695 14.569 10.0734C14.0754 9.17729 13.3609 8.42225 12.4934 7.88004Z" fill="currentColor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/research.svg b/packages/console/src/assets/icons/research.svg
new file mode 100644
index 00000000000..89105ca6de1
--- /dev/null
+++ b/packages/console/src/assets/icons/research.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M17.5585 14.0248L15.8335 12.2582C15.4624 11.9055 14.9944 11.6718 14.4895 11.5871C13.9846 11.5025 13.4659 11.5707 13.0002 11.7832L12.2502 11.0332C13.134 9.85226 13.5376 8.38039 13.3798 6.91386C13.222 5.44732 12.5145 4.09502 11.3997 3.12916C10.2849 2.16331 8.8456 1.65563 7.37154 1.70832C5.89748 1.76101 4.49811 2.37015 3.45513 3.41314C2.41215 4.45612 1.803 5.85549 1.75031 7.32955C1.69762 8.80361 2.2053 10.2429 3.17115 11.3577C4.13701 12.4725 5.48932 13.18 6.95585 13.3378C8.42239 13.4956 9.89425 13.092 11.0752 12.2082L11.8168 12.9498C11.5794 13.4162 11.4943 13.9453 11.5735 14.4626C11.6528 14.9799 11.8924 15.4593 12.2585 15.8332L14.0252 17.5998C14.4939 18.068 15.1293 18.331 15.7918 18.331C16.4543 18.331 17.0897 18.068 17.5585 17.5998C17.7966 17.367 17.9858 17.0889 18.115 16.782C18.2441 16.475 18.3107 16.1454 18.3107 15.8123C18.3107 15.4793 18.2441 15.1496 18.115 14.8427C17.9858 14.5357 17.7966 14.2577 17.5585 14.0248ZM10.4918 10.4915C9.90868 11.0732 9.16624 11.469 8.35827 11.6289C7.55031 11.7888 6.71307 11.7057 5.95232 11.39C5.19158 11.0743 4.54146 10.5403 4.08408 9.85528C3.62671 9.1703 3.3826 8.36514 3.3826 7.5415C3.3826 6.71786 3.62671 5.91269 4.08408 5.22771C4.54146 4.54274 5.19158 4.00868 5.95232 3.69301C6.71307 3.37733 7.55031 3.2942 8.35827 3.45412C9.16624 3.61404 9.90868 4.00983 10.4918 4.5915C10.8798 4.97854 11.1877 5.43834 11.3978 5.94455C11.6078 6.45076 11.7159 6.99343 11.7159 7.5415C11.7159 8.08956 11.6078 8.63223 11.3978 9.13844C11.1877 9.64465 10.8798 10.1044 10.4918 10.4915ZM16.3835 16.3832C16.306 16.4613 16.2139 16.5233 16.1123 16.5656C16.0108 16.6079 15.9018 16.6297 15.7918 16.6297C15.6818 16.6297 15.5729 16.6079 15.4713 16.5656C15.3698 16.5233 15.2776 16.4613 15.2002 16.3832L13.4335 14.6165C13.3554 14.539 13.2934 14.4469 13.2511 14.3453C13.2088 14.2438 13.187 14.1348 13.187 14.0248C13.187 13.9148 13.2088 13.8059 13.2511 13.7043C13.2934 13.6028 13.3554 13.5106 13.4335 13.4332C13.511 13.3551 13.6031 13.2931 13.7047 13.2508C13.8062 13.2084 13.9151 13.1867 14.0252 13.1867C14.1352 13.1867 14.2441 13.2084 14.3456 13.2508C14.4472 13.2931 14.5394 13.3551 14.6168 13.4332L16.3835 15.1998C16.4616 15.2773 16.5236 15.3695 16.5659 15.471C16.6082 15.5726 16.63 15.6815 16.63 15.7915C16.63 15.9015 16.6082 16.0104 16.5659 16.112C16.5236 16.2135 16.4616 16.3057 16.3835 16.3832Z" fill="#5D34F2"/>
+</svg>
diff --git a/packages/console/src/assets/icons/start.svg b/packages/console/src/assets/icons/start.svg
new file mode 100644
index 00000000000..8be0c28ffdc
--- /dev/null
+++ b/packages/console/src/assets/icons/start.svg
@@ -0,0 +1,4 @@
+<svg width="16" height="17" viewBox="0 0 16 17" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path d="M12.3599 6.72788L5.9199 3.03455C5.57142 2.83332 5.1759 2.72791 4.77349 2.72901C4.37109 2.73012 3.97615 2.8377 3.62878 3.04084C3.28142 3.24398 2.994 3.53543 2.79573 3.8856C2.59746 4.23577 2.49539 4.63217 2.4999 5.03455V12.4479C2.4999 13.0526 2.74011 13.6325 3.1677 14.0601C3.59528 14.4877 4.17521 14.7279 4.7799 14.7279C5.18019 14.7272 5.57329 14.6215 5.9199 14.4212L12.3599 10.7279C12.7059 10.5276 12.9932 10.2399 13.193 9.89351C13.3927 9.54715 13.4978 9.15436 13.4978 8.75455C13.4978 8.35473 13.3927 7.96195 13.193 7.61559C12.9932 7.26924 12.7059 6.98149 12.3599 6.78122V6.72788ZM11.6932 9.52121L5.25323 13.2679C5.10889 13.3497 4.94581 13.3927 4.7799 13.3927C4.61399 13.3927 4.45091 13.3497 4.30657 13.2679C4.16263 13.1848 4.04311 13.0653 3.96002 12.9213C3.87693 12.7774 3.8332 12.6141 3.83323 12.4479V5.00788C3.8332 4.84168 3.87693 4.6784 3.96002 4.53446C4.04311 4.39051 4.16263 4.27098 4.30657 4.18788C4.4515 4.10732 4.6141 4.06381 4.7799 4.06122C4.94559 4.06462 5.10799 4.10808 5.25323 4.18788L11.6932 7.90788C11.8372 7.99095 11.9568 8.11046 12.0399 8.25441C12.1231 8.39835 12.1668 8.56165 12.1668 8.72788C12.1668 8.89411 12.1231 9.05741 12.0399 9.20136C11.9568 9.3453 11.8372 9.46482 11.6932 9.54788V9.52121Z" fill="currentcolor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/token-file-icon.svg b/packages/console/src/assets/icons/token-file-icon.svg
new file mode 100644
index 00000000000..8860e4bf2c2
--- /dev/null
+++ b/packages/console/src/assets/icons/token-file-icon.svg
@@ -0,0 +1,5 @@
+<svg width="16" height="17" viewBox="0 0 16 17" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path d="M12.6666 1.93677H3.33325C2.80282 1.93677 2.29411 2.14748 1.91904 2.52255C1.54397 2.89763 1.33325 3.40633 1.33325 3.93677V13.2701C1.33325 13.8005 1.54397 14.3092 1.91904 14.6843C2.29411 15.0594 2.80282 15.2701 3.33325 15.2701H12.6666C13.197 15.2701 13.7057 15.0594 14.0808 14.6843C14.4559 14.3092 14.6666 13.8005 14.6666 13.2701V3.93677C14.6666 3.40633 14.4559 2.89763 14.0808 2.52255C13.7057 2.14748 13.197 1.93677 12.6666 1.93677ZM13.3333 13.2701C13.3333 13.4469 13.263 13.6165 13.138 13.7415C13.013 13.8665 12.8434 13.9368 12.6666 13.9368H3.33325C3.15644 13.9368 2.98687 13.8665 2.86185 13.7415C2.73682 13.6165 2.66659 13.4469 2.66659 13.2701V3.93677C2.66659 3.75996 2.73682 3.59039 2.86185 3.46536C2.98687 3.34034 3.15644 3.2701 3.33325 3.2701H12.6666C12.8434 3.2701 13.013 3.34034 13.138 3.46536C13.263 3.59039 13.3333 3.75996 13.3333 3.93677V13.2701Z" fill="currentcolor"/>
+  <path d="M7.91675 12.6561C7.48412 12.6561 7.13341 12.3053 7.13341 11.8727V6.65977H5.3615C4.9778 6.65977 4.66675 6.34872 4.66675 5.96502C4.66675 5.58132 4.9778 5.27026 5.3615 5.27026H10.4899C10.8736 5.27026 11.1846 5.58132 11.1846 5.96502C11.1846 6.34872 10.8736 6.65977 10.4899 6.65977H8.70008V11.8727C8.70008 12.3053 8.34937 12.6561 7.91675 12.6561Z" fill="currentcolor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/user-file-icon.svg b/packages/console/src/assets/icons/user-file-icon.svg
new file mode 100644
index 00000000000..2e2da53803e
--- /dev/null
+++ b/packages/console/src/assets/icons/user-file-icon.svg
@@ -0,0 +1,4 @@
+<svg width="16" height="17" viewBox="0 0 16 17" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path d="M7.99995 1.93677C6.70694 1.93922 5.44254 2.31764 4.36077 3.02593C3.279 3.73421 2.42655 4.74179 1.90725 5.92595C1.38794 7.1101 1.2242 8.41971 1.43597 9.69527C1.64774 10.9708 2.22587 12.1573 3.09995 13.1101C3.72423 13.7868 4.48191 14.3269 5.32524 14.6962C6.16857 15.0656 7.07927 15.2563 7.99995 15.2563C8.92063 15.2563 9.83133 15.0656 10.6747 14.6962C11.518 14.3269 12.2757 13.7868 12.9 13.1101C13.774 12.1573 14.3522 10.9708 14.5639 9.69527C14.7757 8.41971 14.612 7.1101 14.0927 5.92595C13.5734 4.74179 12.7209 3.73421 11.6391 3.02593C10.5574 2.31764 9.29297 1.93922 7.99995 1.93677ZM7.99995 13.9368C6.61893 13.9347 5.29256 13.397 4.29995 12.4368C4.60131 11.7031 5.11397 11.0756 5.77279 10.634C6.4316 10.1924 7.20682 9.95664 7.99995 9.95664C8.79308 9.95664 9.5683 10.1924 10.2271 10.634C10.8859 11.0756 11.3986 11.7031 11.7 12.4368C10.7073 13.397 9.38097 13.9347 7.99995 13.9368ZM6.66662 7.2701C6.66662 7.00639 6.74482 6.74861 6.89132 6.52934C7.03783 6.31008 7.24607 6.13918 7.48971 6.03826C7.73334 5.93734 8.00143 5.91094 8.26007 5.96239C8.51871 6.01383 8.75629 6.14082 8.94276 6.32729C9.12923 6.51376 9.25622 6.75134 9.30766 7.00998C9.35911 7.26862 9.33271 7.53671 9.23179 7.78035C9.13087 8.02398 8.95998 8.23222 8.74071 8.37873C8.52145 8.52524 8.26366 8.60343 7.99995 8.60343C7.64633 8.60343 7.30719 8.46296 7.05714 8.21291C6.80709 7.96286 6.66662 7.62372 6.66662 7.2701ZM12.6066 11.2701C12.011 10.2513 11.0942 9.45879 9.99995 9.01677C10.3394 8.63187 10.5606 8.15721 10.6369 7.64973C10.7133 7.14225 10.6416 6.62351 10.4305 6.15577C10.2193 5.68802 9.87767 5.29114 9.44656 5.01274C9.01544 4.73435 8.51314 4.58627 7.99995 4.58627C7.48676 4.58627 6.98446 4.73435 6.55335 5.01274C6.12223 5.29114 5.7806 5.68802 5.56945 6.15577C5.3583 6.62351 5.28661 7.14225 5.36297 7.64973C5.43933 8.15721 5.66051 8.63187 5.99995 9.01677C4.90568 9.45879 3.98893 10.2513 3.39328 11.2701C2.91858 10.4615 2.66776 9.54108 2.66662 8.60343C2.66662 7.18895 3.22852 5.83239 4.22872 4.8322C5.22891 3.832 6.58546 3.2701 7.99995 3.2701C9.41444 3.2701 10.771 3.832 11.7712 4.8322C12.7714 5.83239 13.3333 7.18895 13.3333 8.60343C13.3321 9.54108 13.0813 10.4615 12.6066 11.2701Z" fill="currentcolor"/>
+</svg>
diff --git a/packages/console/src/assets/icons/user.svg b/packages/console/src/assets/icons/user.svg
index d86997a3186..ee2e0136f84 100644
--- a/packages/console/src/assets/icons/user.svg
+++ b/packages/console/src/assets/icons/user.svg
@@ -1,3 +1,4 @@
-<svg width="26" height="28" viewBox="0 0 26 28" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path id="Union" fill-rule="evenodd" clip-rule="evenodd" d="M12.9999 0C9.97432 0 7.52162 2.4527 7.52162 5.47826V6.69565C7.52162 9.72121 9.97432 12.1739 12.9999 12.1739C16.0254 12.1739 18.4781 9.72122 18.4781 6.69566V5.47826C18.4781 2.4527 16.0254 0 12.9999 0ZM13 28C25.1739 28 25.1739 24.0427 25.1739 24.0427C25.1739 18.9098 22.6263 14.1252 16.0434 14C16.0155 13.9995 15.8255 14.1844 15.5499 14.4524C14.8266 15.156 13.5144 16.4324 13 16.4324C12.4855 16.4324 11.1733 15.156 10.45 14.4524C10.1745 14.1844 9.98439 13.9995 9.95648 14C3.37365 14.1252 0.82605 18.9098 0.82605 24.0427C0.82605 24.0427 0.82605 28 13 28Z" fill="currentColor"/>
+<svg width="26" height="28" viewBox="0 0 26 28" fill="none"
+  xmlns="http://www.w3.org/2000/svg">
+  <path id="Union" fill-rule="evenodd" clip-rule="evenodd" d="M12.9999 0C9.97432 0 7.52162 2.4527 7.52162 5.47826V6.69565C7.52162 9.72121 9.97432 12.1739 12.9999 12.1739C16.0254 12.1739 18.4781 9.72122 18.4781 6.69566V5.47826C18.4781 2.4527 16.0254 0 12.9999 0ZM13 28C25.1739 28 25.1739 24.0427 25.1739 24.0427C25.1739 18.9098 22.6263 14.1252 16.0434 14C16.0155 13.9995 15.8255 14.1844 15.5499 14.4524C14.8266 15.156 13.5144 16.4324 13 16.4324C12.4855 16.4324 11.1733 15.156 10.45 14.4524C10.1745 14.1844 9.98439 13.9995 9.95648 14C3.37365 14.1252 0.82605 18.9098 0.82605 24.0427C0.82605 24.0427 0.82605 28 13 28Z" fill="currentColor"/>
 </svg>
diff --git a/packages/console/src/cloud/AppRoutes.tsx b/packages/console/src/cloud/AppRoutes.tsx
index e133831edac..3230e90cc91 100644
--- a/packages/console/src/cloud/AppRoutes.tsx
+++ b/packages/console/src/cloud/AppRoutes.tsx
@@ -1,7 +1,9 @@
 import { Route, Routes } from 'react-router-dom';
 
+import { isCloud } from '@/consts/env';
 import ProtectedRoutes from '@/containers/ProtectedRoutes';
 import { GlobalAnonymousRoute, GlobalRoute } from '@/contexts/TenantsProvider';
+import AcceptInvitation from '@/pages/AcceptInvitation';
 import Callback from '@/pages/Callback';
 import CheckoutSuccessCallback from '@/pages/CheckoutSuccessCallback';
 
@@ -17,6 +19,12 @@ function AppRoutes() {
         <Route path={GlobalAnonymousRoute.Callback} element={<Callback />} />
         <Route path={GlobalAnonymousRoute.SocialDemoCallback} element={<SocialDemoCallback />} />
         <Route element={<ProtectedRoutes />}>
+          {isCloud && (
+            <Route
+              path={`${GlobalRoute.AcceptInvitation}/:invitationId`}
+              element={<AcceptInvitation />}
+            />
+          )}
           <Route path={GlobalRoute.CheckoutSuccessCallback} element={<CheckoutSuccessCallback />} />
           <Route index element={<Main />} />
         </Route>
diff --git a/packages/console/src/cloud/hooks/use-cloud-api.ts b/packages/console/src/cloud/hooks/use-cloud-api.ts
index 56c9b9cf2bb..350928b7184 100644
--- a/packages/console/src/cloud/hooks/use-cloud-api.ts
+++ b/packages/console/src/cloud/hooks/use-cloud-api.ts
@@ -1,12 +1,15 @@
 import type router from '@logto/cloud/routes';
+import { type tenantAuthRouter } from '@logto/cloud/routes';
 import { useLogto } from '@logto/react';
+import { getTenantOrganizationId } from '@logto/schemas';
 import { conditional, trySafe } from '@silverhand/essentials';
 import Client, { ResponseError } from '@withtyped/client';
-import { useMemo } from 'react';
+import { useContext, useMemo } from 'react';
 import { toast } from 'react-hot-toast';
 import { z } from 'zod';
 
 import { cloudApi } from '@/consts';
+import { TenantsContext } from '@/contexts/TenantsProvider';
 
 const responseErrorBodyGuard = z.object({
   message: z.string(),
@@ -57,3 +60,34 @@ export const useCloudApi = ({ hideErrorToast = false }: UseCloudApiProps = {}):
 
   return api;
 };
+
+/**
+ * This hook is used to request the cloud `tenantAuthRouter` endpoints, with an organization token.
+ */
+export const useAuthedCloudApi = ({ hideErrorToast = false }: UseCloudApiProps = {}): Client<
+  typeof tenantAuthRouter
+> => {
+  const { currentTenantId } = useContext(TenantsContext);
+  const { isAuthenticated, getOrganizationToken } = useLogto();
+  const api = useMemo(
+    () =>
+      new Client<typeof tenantAuthRouter>({
+        baseUrl: window.location.origin,
+        headers: async () => {
+          if (isAuthenticated) {
+            return {
+              Authorization: `Bearer ${
+                (await getOrganizationToken(getTenantOrganizationId(currentTenantId))) ?? ''
+              }`,
+            };
+          }
+        },
+        before: {
+          ...conditional(!hideErrorToast && { error: toastResponseError }),
+        },
+      }),
+    [currentTenantId, getOrganizationToken, hideErrorToast, isAuthenticated]
+  );
+
+  return api;
+};
diff --git a/packages/console/src/cloud/pages/Main/InvitationList/index.module.scss b/packages/console/src/cloud/pages/Main/InvitationList/index.module.scss
new file mode 100644
index 00000000000..3f223613fc5
--- /dev/null
+++ b/packages/console/src/cloud/pages/Main/InvitationList/index.module.scss
@@ -0,0 +1,71 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  min-height: 600px;
+  background: var(--color-base);
+  align-items: center;
+  justify-content: center;
+  overflow-y: auto;
+
+  .wrapper {
+    display: flex;
+    flex-direction: column;
+    width: 540px;
+    padding: _.unit(20) _.unit(17.5);
+    gap: _.unit(6);
+    background: var(--color-layer-1);
+    border-radius: 16px;
+    box-shadow: var(--shadow-1);
+    white-space: pre-wrap;
+
+    .title {
+      font: var(--font-headline-2);
+    }
+
+    .description {
+      font: var(--font-body-2);
+      color: var(--color-text-secondary);
+    }
+
+    .tenant {
+      display: flex;
+      align-items: center;
+      padding: _.unit(3) _.unit(4);
+      gap: _.unit(3);
+      border-radius: 12px;
+      border: 1px solid var(--color-divider);
+
+      .name {
+        @include _.multi-line-ellipsis(2);
+      }
+
+      .tag {
+        margin-left: _.unit(-2);
+      }
+    }
+
+    .separator {
+      display: flex;
+      align-items: center;
+      gap: _.unit(4);
+
+      span {
+        font: var(--font-body-2);
+        color: var(--color-text-secondary);
+      }
+
+      hr {
+        flex: 1;
+        border: none;
+        border-top: 1px solid var(--color-divider);
+      }
+    }
+
+    .createTenantButton {
+      width: 100%;
+    }
+  }
+}
diff --git a/packages/console/src/cloud/pages/Main/InvitationList/index.tsx b/packages/console/src/cloud/pages/Main/InvitationList/index.tsx
new file mode 100644
index 00000000000..db7bd5317dc
--- /dev/null
+++ b/packages/console/src/cloud/pages/Main/InvitationList/index.tsx
@@ -0,0 +1,90 @@
+import { OrganizationInvitationStatus, getTenantIdFromOrganizationId } from '@logto/schemas';
+import { useContext, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import OrganizationIcon from '@/assets/icons/organization-preview.svg';
+import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type InvitationListResponse } from '@/cloud/types/router';
+import TenantEnvTag from '@/components/TenantEnvTag';
+import ThemedIcon from '@/components/ThemedIcon';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Button from '@/ds-components/Button';
+import Spacer from '@/ds-components/Spacer';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+import useUserOnboardingData from '@/onboarding/hooks/use-user-onboarding-data';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  invitations: InvitationListResponse;
+};
+
+function InvitationList({ invitations }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const cloudApi = useCloudApi();
+  const { navigateTenant, resetTenants } = useContext(TenantsContext);
+  const { navigate } = useTenantPathname();
+  const [isJoining, setIsJoining] = useState(false);
+  const [isUpdatingOnboardingStatus, setIsUpdatingOnboardingStatus] = useState(false);
+  const { update } = useUserOnboardingData();
+
+  return (
+    <div className={styles.container}>
+      <div className={styles.wrapper}>
+        <div className={styles.title}>{t('invitation.find_your_tenants')}</div>
+        <div className={styles.description}>{t('invitation.find_tenants_description')}</div>
+        {invitations.map(({ id, organizationId, tenantName, tenantTag }) => (
+          <div key={id} className={styles.tenant}>
+            <ThemedIcon for={OrganizationIcon} size={40} />
+            <span className={styles.name}>{tenantName}</span>
+            <TenantEnvTag isAbbreviated className={styles.tag} tag={tenantTag} />
+            <Spacer />
+            <Button
+              size="small"
+              type="primary"
+              title="general.join"
+              isLoading={isJoining}
+              onClick={async () => {
+                setIsJoining(true);
+                try {
+                  await cloudApi.patch(`/api/invitations/:invitationId/status`, {
+                    params: { invitationId: id },
+                    body: { status: OrganizationInvitationStatus.Accepted },
+                  });
+                  const data = await cloudApi.get('/api/tenants');
+                  resetTenants(data);
+                  navigateTenant(getTenantIdFromOrganizationId(organizationId));
+                } finally {
+                  setIsJoining(false);
+                }
+              }}
+            />
+          </div>
+        ))}
+        <div className={styles.separator}>
+          <hr />
+          <span>{t('general.or')}</span>
+          <hr />
+        </div>
+        <Button
+          size="large"
+          type="outline"
+          className={styles.createTenantButton}
+          isLoading={isUpdatingOnboardingStatus}
+          title="invitation.create_new_tenant"
+          onClick={async () => {
+            setIsUpdatingOnboardingStatus(true);
+            try {
+              await update({ isOnboardingDone: false });
+              navigate('/');
+            } finally {
+              setIsUpdatingOnboardingStatus(false);
+            }
+          }}
+        />
+      </div>
+    </div>
+  );
+}
+
+export default InvitationList;
diff --git a/packages/console/src/cloud/pages/Main/index.tsx b/packages/console/src/cloud/pages/Main/index.tsx
index 51cc2de313f..42947a5562d 100644
--- a/packages/console/src/cloud/pages/Main/index.tsx
+++ b/packages/console/src/cloud/pages/Main/index.tsx
@@ -1,9 +1,14 @@
+import { OrganizationInvitationStatus } from '@logto/schemas';
+
 import AppLoading from '@/components/AppLoading';
+import { isCloud } from '@/consts/env';
 import useCurrentUser from '@/hooks/use-current-user';
 import useUserDefaultTenantId from '@/hooks/use-user-default-tenant-id';
+import useUserInvitations from '@/hooks/use-user-invitations';
 import useUserOnboardingData from '@/onboarding/hooks/use-user-onboarding-data';
 
 import AutoCreateTenant from './AutoCreateTenant';
+import InvitationList from './InvitationList';
 import Redirect from './Redirect';
 import TenantLandingPage from './TenantLandingPage';
 
@@ -11,6 +16,7 @@ export default function Main() {
   const { isLoaded } = useCurrentUser();
   const { isOnboarding } = useUserOnboardingData();
   const { defaultTenantId } = useUserDefaultTenantId();
+  const { data } = useUserInvitations(OrganizationInvitationStatus.Pending);
 
   if (!isLoaded) {
     return <AppLoading />;
@@ -26,6 +32,11 @@ export default function Main() {
     return <AutoCreateTenant />;
   }
 
+  // If user has pending invitations (onboarding will be skipped), show the invitation list and allow them to quick join.
+  if (isCloud && data?.length) {
+    return <InvitationList invitations={data} />;
+  }
+
   // If user has completed onboarding and still has no tenant, redirect to a special landing page.
   return <TenantLandingPage />;
 }
diff --git a/packages/console/src/cloud/types/router.ts b/packages/console/src/cloud/types/router.ts
index f741b0abd93..ed175b7afda 100644
--- a/packages/console/src/cloud/types/router.ts
+++ b/packages/console/src/cloud/types/router.ts
@@ -1,7 +1,9 @@
 import type router from '@logto/cloud/routes';
+import { type tenantAuthRouter } from '@logto/cloud/routes';
 import { type GuardedResponse, type RouterRoutes } from '@withtyped/client';
 
 type GetRoutes = RouterRoutes<typeof router>['get'];
+type GetTenantAuthRoutes = RouterRoutes<typeof tenantAuthRouter>['get'];
 
 export type GetArrayElementType<T> = T extends Array<infer U> ? U : never;
 
@@ -15,5 +17,19 @@ export type SubscriptionUsage = GuardedResponse<GetRoutes['/api/tenants/:tenantI
 
 export type InvoicesResponse = GuardedResponse<GetRoutes['/api/tenants/:tenantId/invoices']>;
 
+export type InvitationResponse = GuardedResponse<GetRoutes['/api/invitations/:invitationId']>;
+
+export type InvitationListResponse = GuardedResponse<GetRoutes['/api/invitations']>;
+
 // The response of GET /api/tenants is TenantResponse[].
 export type TenantResponse = GetArrayElementType<GuardedResponse<GetRoutes['/api/tenants']>>;
+
+// Start of the auth routes types. Accessing the auth routes requires an organization token.
+export type TenantMemberResponse = GetArrayElementType<
+  GuardedResponse<GetTenantAuthRoutes['/api/tenants/:tenantId/members']>
+>;
+
+export type TenantInvitationResponse = GetArrayElementType<
+  GuardedResponse<GetTenantAuthRoutes['/api/tenants/:tenantId/invitations']>
+>;
+// End of the auth routes types
diff --git a/packages/console/src/components/ActionsButton/index.tsx b/packages/console/src/components/ActionsButton/index.tsx
index 65f4c698e4c..41d6bac0e8b 100644
--- a/packages/console/src/components/ActionsButton/index.tsx
+++ b/packages/console/src/components/ActionsButton/index.tsx
@@ -13,8 +13,10 @@ import useActionTranslation from '@/hooks/use-action-translation';
 import * as styles from './index.module.scss';
 
 type Props = {
-  /** A function that will be called when the user confirms the deletion. */
-  onDelete: () => void | Promise<void>;
+  /** A function that will be called when the user confirms the deletion. If not provided,
+   * the delete button will not be displayed.
+   */
+  onDelete?: () => void | Promise<void>;
   /**
    * A function that will be called when the user clicks the edit button. If not provided,
    * the edit button will not be displayed.
@@ -48,6 +50,10 @@ function ActionsButton({ onDelete, onEdit, deleteConfirmation, fieldName, textOv
   const [isDeleting, setIsDeleting] = useState(false);
 
   const handleDelete = useCallback(async () => {
+    if (!onDelete) {
+      return;
+    }
+
     setIsDeleting(true);
     try {
       await onDelete();
@@ -69,31 +75,35 @@ function ActionsButton({ onDelete, onEdit, deleteConfirmation, fieldName, textOv
             )}
           </ActionMenuItem>
         )}
-        <ActionMenuItem
-          icon={<Delete />}
-          type="danger"
-          onClick={() => {
-            setIsModalOpen(true);
+        {onDelete && (
+          <ActionMenuItem
+            icon={<Delete />}
+            type="danger"
+            onClick={() => {
+              setIsModalOpen(true);
+            }}
+          >
+            {textOverrides?.delete ? (
+              <DynamicT forKey={textOverrides.delete} />
+            ) : (
+              tAction('delete', fieldName)
+            )}
+          </ActionMenuItem>
+        )}
+      </ActionMenu>
+      {onDelete && (
+        <ConfirmModal
+          isOpen={isModalOpen}
+          confirmButtonText={textOverrides?.deleteConfirmation ?? 'general.delete'}
+          isLoading={isDeleting}
+          onCancel={() => {
+            setIsModalOpen(false);
           }}
+          onConfirm={handleDelete}
         >
-          {textOverrides?.delete ? (
-            <DynamicT forKey={textOverrides.delete} />
-          ) : (
-            tAction('delete', fieldName)
-          )}
-        </ActionMenuItem>
-      </ActionMenu>
-      <ConfirmModal
-        isOpen={isModalOpen}
-        confirmButtonText={textOverrides?.deleteConfirmation ?? 'general.delete'}
-        isLoading={isDeleting}
-        onCancel={() => {
-          setIsModalOpen(false);
-        }}
-        onConfirm={handleDelete}
-      >
-        <DynamicT forKey={deleteConfirmation} />
-      </ConfirmModal>
+          <DynamicT forKey={deleteConfirmation} />
+        </ConfirmModal>
+      )}
     </>
   );
 }
diff --git a/packages/console/src/components/Conversion/index.tsx b/packages/console/src/components/Conversion/index.tsx
new file mode 100644
index 00000000000..450249c1c25
--- /dev/null
+++ b/packages/console/src/components/Conversion/index.tsx
@@ -0,0 +1,117 @@
+import { useEffect, useState } from 'react';
+import { Helmet } from 'react-helmet';
+
+import useCurrentUser from '@/hooks/use-current-user';
+
+import { useRetry } from './use-retry';
+import {
+  shouldReport,
+  gtagAwTrackingId,
+  redditPixelId,
+  hashEmail,
+  type GtagConversionId,
+  type RedditReportType,
+  reportToGoogle,
+  reportToReddit,
+} from './utils';
+
+type ScriptProps = {
+  userEmailHash?: string;
+};
+
+function GoogleScripts({ userEmailHash }: ScriptProps) {
+  if (!userEmailHash) {
+    return null;
+  }
+
+  return (
+    <Helmet>
+      <script
+        async
+        crossOrigin="anonymous"
+        src={`https://www.googletagmanager.com/gtag/js?id=${gtagAwTrackingId}`}
+      />
+      <script>{`
+        window.dataLayer = window.dataLayer || [];
+        function gtag(){dataLayer.push(arguments);}
+        gtag('js', new Date());
+        gtag('config', '${gtagAwTrackingId}', { 'allow_enhanced_conversions': true });
+        gtag('set', 'user_data', { 'sha256_email_address': '${userEmailHash}' });
+      `}</script>
+    </Helmet>
+  );
+}
+
+function RedditScripts({ userEmailHash }: ScriptProps) {
+  if (!userEmailHash) {
+    return null;
+  }
+
+  return (
+    <Helmet>
+      <script>{`
+        !function(w,d){if(!w.rdt){var p=w.rdt=function(){p.sendEvent?p.sendEvent.apply(p,arguments):p.callQueue.push(arguments)};p.callQueue=[];var t=d.createElement("script");t.src="https://www.redditstatic.com/ads/pixel.js",t.async=!0;var s=d.getElementsByTagName("script")[0];s.parentNode.insertBefore(t,s)}}(window,document);
+        rdt('init', '${redditPixelId}', {
+          optOut: false,
+          useDecimalCurrencyValues: true,
+          email: '${userEmailHash}'
+        });
+      `}</script>
+    </Helmet>
+  );
+}
+
+/**
+ * Renders global scripts for conversion tracking.
+ */
+export function GlobalScripts() {
+  const { user, isLoaded } = useCurrentUser();
+  const [userEmailHash, setUserEmailHash] = useState<string>();
+
+  /**
+   * Use user email to prevent duplicate conversion, and it is hashed before sending
+   * to protect user privacy.
+   */
+  useEffect(() => {
+    const init = async () => {
+      setUserEmailHash(await hashEmail(user?.primaryEmail ?? undefined));
+    };
+
+    if (isLoaded) {
+      void init();
+    }
+  }, [user, isLoaded]);
+
+  if (!shouldReport) {
+    return null;
+  }
+
+  return (
+    <>
+      <GoogleScripts userEmailHash={userEmailHash} />
+      <RedditScripts userEmailHash={userEmailHash} />
+    </>
+  );
+}
+
+type ReportConversionOptions = {
+  transactionId?: string;
+  gtagId?: GtagConversionId;
+  redditType?: RedditReportType;
+};
+
+export const useReportConversion = ({
+  gtagId,
+  redditType,
+  transactionId,
+}: ReportConversionOptions) => {
+  useRetry({
+    precondition: Boolean(shouldReport && gtagId),
+    execute: () => (gtagId ? reportToGoogle(gtagId, { transactionId }) : false),
+  });
+
+  useRetry({
+    precondition: Boolean(shouldReport && redditType),
+    execute: () => (redditType ? reportToReddit(redditType) : false),
+  });
+};
diff --git a/packages/console/src/components/Conversion/use-retry.ts b/packages/console/src/components/Conversion/use-retry.ts
new file mode 100644
index 00000000000..da7c73f0d00
--- /dev/null
+++ b/packages/console/src/components/Conversion/use-retry.ts
@@ -0,0 +1,52 @@
+import { useEffect } from 'react';
+
+type UseRetryOptions = {
+  /** The precondition to check before executing the function. */
+  precondition: boolean;
+  /** The function to execute when the precondition is not met. */
+  onPreconditionFailed?: () => void;
+  /** The function to execute. If it returns `true`, the retry will stop. */
+  execute: () => boolean;
+  /**
+   * The maximum number of retries.
+   *
+   * @default 3
+   */
+  maxRetry?: number;
+};
+
+/**
+ * A hook to retry a function until the condition is met. The retry interval is 1 second.
+ */
+export const useRetry = ({
+  precondition,
+  onPreconditionFailed,
+  execute,
+  maxRetry = 3,
+}: UseRetryOptions) => {
+  useEffect(() => {
+    if (!precondition) {
+      onPreconditionFailed?.();
+    }
+  }, [onPreconditionFailed, precondition]);
+
+  useEffect(() => {
+    if (!precondition) {
+      return;
+    }
+
+    // eslint-disable-next-line @silverhand/fp/no-let
+    let retry = 0;
+    const interval = setInterval(() => {
+      if (execute() || retry >= maxRetry) {
+        clearInterval(interval);
+      }
+      // eslint-disable-next-line @silverhand/fp/no-mutation
+      retry += 1;
+    }, 1000);
+
+    return () => {
+      clearInterval(interval);
+    };
+  }, [execute, maxRetry, precondition]);
+};
diff --git a/packages/console/src/components/ReportConversion/utils.test.ts b/packages/console/src/components/Conversion/utils.test.ts
similarity index 100%
rename from packages/console/src/components/ReportConversion/utils.test.ts
rename to packages/console/src/components/Conversion/utils.test.ts
diff --git a/packages/console/src/components/Conversion/utils.ts b/packages/console/src/components/Conversion/utils.ts
new file mode 100644
index 00000000000..16b73f467af
--- /dev/null
+++ b/packages/console/src/components/Conversion/utils.ts
@@ -0,0 +1,106 @@
+import { cond } from '@silverhand/essentials';
+
+import { isProduction } from '@/consts/env';
+
+export const gtagAwTrackingId = 'AW-11124811245';
+export enum GtagConversionId {
+  /** This ID indicates a user has truly signed up for Logto Cloud. */
+  SignUp = 'AW-11192640559/ZuqUCLvNpasYEK_IiNkp',
+  /** This ID indicates a user has created a production tenant. */
+  CreateProductionTenant = 'AW-11192640559/m04fCMDrxI0ZEK_IiNkp',
+  /** This ID indicates a user has purchased a Pro plan. */
+  PurchaseProPlan = 'AW-11192640559/WjCtCKHCtpgZEK_IiNkp',
+}
+
+export const redditPixelId = 't2_ggt11omdo';
+
+const logtoProductionHostname = 'logto.io';
+
+/**
+ * Due to the special of conversion reporting, it should be `true` only in the
+ * Logto Cloud production environment.
+ * Add the leading '.' to make it safer (ignore hostnames like "foologto.io").
+ */
+export const shouldReport = window.location.hostname.endsWith('.' + logtoProductionHostname);
+
+const sha256 = async (message: string) => {
+  const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(message));
+  // https://stackoverflow.com/questions/40031688/javascript-arraybuffer-to-hex
+  return [...new Uint8Array(hash)].map((value) => value.toString(16).padStart(2, '0')).join('');
+};
+
+/**
+ * This function will do the following things:
+ *
+ * 1. Canonicalize the given email by Reddit's rule: lowercase, trim,
+ * remove dots, remove everything after the first '+'.
+ * 2. Hash the canonicalized email by SHA256.
+ */
+export const hashEmail = async (email?: string) => {
+  if (!email) {
+    return;
+  }
+
+  const splitEmail = email.toLocaleLowerCase().trim().split('@');
+  const [localPart, domain] = splitEmail;
+
+  if (!localPart || !domain || splitEmail.length > 2) {
+    return;
+  }
+
+  // eslint-disable-next-line unicorn/prefer-string-replace-all
+  const canonicalizedEmail = `${localPart.replace(/\./g, '').replace(/\+.*/, '')}@${domain}`;
+  return sha256(canonicalizedEmail);
+};
+
+/** Print debug message if not in production. */
+const debug = (...args: Parameters<(typeof console)['debug']>) => {
+  if (!isProduction) {
+    console.debug(...args);
+  }
+};
+
+/**
+ * Add more if needed: https://reddit.my.site.com/helpcenter/s/article/Install-the-Reddit-Pixel-on-your-website
+ */
+export type RedditReportType =
+  | 'PageVisit'
+  | 'ViewContent'
+  | 'Search'
+  | 'Purchase'
+  | 'Lead'
+  | 'SignUp';
+
+export const reportToReddit = (redditType: RedditReportType) => {
+  if (!window.rdt) {
+    return false;
+  }
+
+  debug('report:', 'redditType =', redditType);
+  window.rdt('track', redditType);
+
+  return true;
+};
+
+export const reportToGoogle = (
+  gtagId: GtagConversionId,
+  { transactionId }: { transactionId?: string } = {}
+) => {
+  if (!window.gtag) {
+    return false;
+  }
+
+  const run = async () => {
+    const transaction = cond(transactionId && { transaction_id: await sha256(transactionId) });
+
+    debug('report:', 'gtagId =', gtagId, 'transaction =', transaction);
+    window.gtag?.('event', 'conversion', {
+      send_to: gtagId,
+      ...transaction,
+    });
+  };
+
+  void run();
+
+  return true;
+};
diff --git a/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/PlanCardItem/FeaturedPlanContent/use-featured-plan-content.ts b/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/PlanCardItem/FeaturedPlanContent/use-featured-plan-content.ts
index 88fbed207f8..6c4e73559b6 100644
--- a/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/PlanCardItem/FeaturedPlanContent/use-featured-plan-content.ts
+++ b/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/PlanCardItem/FeaturedPlanContent/use-featured-plan-content.ts
@@ -3,6 +3,15 @@ import { cond } from '@silverhand/essentials';
 import { useMemo } from 'react';
 import { useTranslation } from 'react-i18next';
 
+import {
+  freePlanAuditLogsRetentionDays,
+  freePlanM2mLimit,
+  freePlanMauLimit,
+  freePlanPermissionsLimit,
+  freePlanRoleLimit,
+  proPlanAuditLogsRetentionDays,
+} from '@/consts/subscriptions';
+
 type ContentData = {
   title: string;
   isAvailable: boolean;
@@ -19,11 +28,11 @@ const useFeaturedPlanContent = (planId: string) => {
 
     return [
       {
-        title: t(`mau.${planPhraseKey}`, { ...cond(isFreePlan && { count: 50_000 }) }),
+        title: t(`mau.${planPhraseKey}`, { ...cond(isFreePlan && { count: freePlanMauLimit }) }),
         isAvailable: true,
       },
       {
-        title: t(`m2m.${planPhraseKey}`, { ...cond(isFreePlan && { count: 1 }) }),
+        title: t(`m2m.${planPhraseKey}`, { ...cond(isFreePlan && { count: freePlanM2mLimit }) }),
         isAvailable: true,
       },
       {
@@ -42,8 +51,8 @@ const useFeaturedPlanContent = (planId: string) => {
         title: t(`role_and_permissions.${planPhraseKey}`, {
           ...cond(
             isFreePlan && {
-              roleCount: 1,
-              permissionCount: 1,
+              roleCount: freePlanRoleLimit,
+              permissionCount: freePlanPermissionsLimit,
             }
           ),
         }),
@@ -54,7 +63,9 @@ const useFeaturedPlanContent = (planId: string) => {
         isAvailable: !isFreePlan,
       },
       {
-        title: t('audit_logs', { count: isFreePlan ? 3 : 14 }),
+        title: t('audit_logs', {
+          count: isFreePlan ? freePlanAuditLogsRetentionDays : proPlanAuditLogsRetentionDays,
+        }),
         isAvailable: true,
       },
     ];
diff --git a/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/index.tsx b/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/index.tsx
index 7c4fc8ccfa3..8609fede8b7 100644
--- a/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/index.tsx
+++ b/packages/console/src/components/CreateTenantModal/SelectTenantPlanModal/index.tsx
@@ -5,6 +5,7 @@ import Modal from 'react-modal';
 
 import { useCloudApi, toastResponseError } from '@/cloud/hooks/use-cloud-api';
 import { type TenantResponse } from '@/cloud/types/router';
+import { GtagConversionId, reportToGoogle } from '@/components/Conversion/utils';
 import { pricingLink } from '@/consts';
 import DangerousRaw from '@/ds-components/DangerousRaw';
 import ModalLayout from '@/ds-components/ModalLayout';
@@ -43,6 +44,7 @@ function SelectTenantPlanModal({ tenantData, onClose }: Props) {
         const { name, tag } = tenantData;
         const newTenant = await cloudApi.post('/api/tenants', { body: { name, tag } });
 
+        reportToGoogle(GtagConversionId.CreateProductionTenant, { transactionId: newTenant.id });
         onClose(newTenant);
         return;
       }
diff --git a/packages/console/src/components/ItemPreview/UserPreview.tsx b/packages/console/src/components/ItemPreview/UserPreview.tsx
index 7f16a3d490e..357e74fb0ed 100644
--- a/packages/console/src/components/ItemPreview/UserPreview.tsx
+++ b/packages/console/src/components/ItemPreview/UserPreview.tsx
@@ -1,4 +1,4 @@
-import { type User } from '@logto/schemas';
+import { type UserInfo } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 
 import SuspendedTag from '@/pages/Users/components/SuspendedTag';
@@ -9,17 +9,32 @@ import UserAvatar from '../UserAvatar';
 import ItemPreview from '.';
 
 type Props = {
-  user: User;
+  /**
+   * A subset of User schema type that is used in the preview component.
+   */
+  user: {
+    id: UserInfo['id'];
+    avatar?: UserInfo['avatar'];
+    name?: UserInfo['name'];
+    primaryEmail?: UserInfo['primaryEmail'];
+    primaryPhone?: UserInfo['primaryPhone'];
+    username?: UserInfo['username'];
+    isSuspended?: UserInfo['isSuspended'];
+  };
+  /**
+   * Whether to provide a link to user details page. Explicitly set to `false` to hide it.
+   */
+  hasUserDetailsLink?: false;
 };
 
 /** A component that renders a preview of a user. It's useful for displaying a user in a list. */
-function UserPreview({ user }: Props) {
+function UserPreview({ user, hasUserDetailsLink }: Props) {
   return (
     <ItemPreview
       title={getUserTitle(user)}
       subtitle={getUserSubtitle(user)}
       icon={<UserAvatar size="large" user={user} />}
-      to={`/users/${user.id}`}
+      to={conditional(hasUserDetailsLink !== false && `/users/${user.id}`)}
       suffix={conditional(user.isSuspended && <SuspendedTag />)}
     />
   );
diff --git a/packages/console/src/components/ItemPreview/index.module.scss b/packages/console/src/components/ItemPreview/index.module.scss
index 3a09bf4d61c..ee9ce986c92 100644
--- a/packages/console/src/components/ItemPreview/index.module.scss
+++ b/packages/console/src/components/ItemPreview/index.module.scss
@@ -31,9 +31,12 @@
       .title {
         display: block;
         font: var(--font-body-2);
-        color: var(--color-text-link);
         text-decoration: none;
         @include _.text-ellipsis;
+
+        &.withLink {
+          color: var(--color-text-link);
+        }
       }
 
       .subtitle {
diff --git a/packages/console/src/components/ItemPreview/index.tsx b/packages/console/src/components/ItemPreview/index.tsx
index 5e6d4544f52..ae29ac65697 100644
--- a/packages/console/src/components/ItemPreview/index.tsx
+++ b/packages/console/src/components/ItemPreview/index.tsx
@@ -27,7 +27,7 @@ function ItemPreview({ title, subtitle, icon, to, size = 'default', suffix, toTa
         <div className={styles.meta}>
           {to && (
             <Link
-              className={styles.title}
+              className={classNames(styles.title, styles.withLink)}
               to={getTo(to)}
               target={toTarget}
               onClick={(event) => {
diff --git a/packages/console/src/components/ManageOrganizationPermissionModal/index.tsx b/packages/console/src/components/ManageOrganizationPermissionModal/index.tsx
new file mode 100644
index 00000000000..d8c5ce1a8ec
--- /dev/null
+++ b/packages/console/src/components/ManageOrganizationPermissionModal/index.tsx
@@ -0,0 +1,114 @@
+import { type OrganizationScope } from '@logto/schemas';
+import { cond, type Nullable } from '@silverhand/essentials';
+import { useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import ReactModal from 'react-modal';
+
+import Button from '@/ds-components/Button';
+import FormField from '@/ds-components/FormField';
+import ModalLayout from '@/ds-components/ModalLayout';
+import TextInput from '@/ds-components/TextInput';
+import useApi from '@/hooks/use-api';
+import * as modalStyles from '@/scss/modal.module.scss';
+import { trySubmitSafe } from '@/utils/form';
+
+type Props = {
+  /**
+   * The organization permission data to edit. If null, the modal will be in create mode.
+   */
+  data: Nullable<OrganizationScope>;
+  onClose: () => void;
+};
+
+type FormData = Pick<OrganizationScope, 'name' | 'description'>;
+
+const organizationScopesPath = 'api/organization-scopes';
+
+/** A modal that allows users to create or edit an organization permission. */
+function ManageOrganizationPermissionModal({ data, onClose }: Props) {
+  const isCreateMode = data === null;
+
+  const { t } = useTranslation(undefined, {
+    keyPrefix: 'admin_console',
+  });
+
+  const api = useApi();
+
+  const {
+    register,
+    formState: { errors, isSubmitting },
+    handleSubmit,
+  } = useForm<FormData>(cond(data && { defaultValues: data }));
+
+  const submit = handleSubmit(
+    trySubmitSafe(async (json) => {
+      await (isCreateMode
+        ? api.post(organizationScopesPath, {
+            json,
+          })
+        : api.patch(`${organizationScopesPath}/${data.id}`, {
+            json,
+          }));
+      toast.success(
+        t(isCreateMode ? 'organization_template.permissions.created' : 'general.saved', {
+          name: json.name,
+        })
+      );
+      onClose();
+    })
+  );
+
+  return (
+    <ReactModal
+      isOpen
+      className={modalStyles.content}
+      overlayClassName={modalStyles.overlay}
+      onRequestClose={onClose}
+    >
+      <ModalLayout
+        title={`organization_template.permissions.${isCreateMode ? 'create' : 'edit'}_title`}
+        footer={
+          <>
+            {!isCreateMode && (
+              <Button title="general.cancel" isLoading={isSubmitting} onClick={onClose} />
+            )}
+            <Button
+              type="primary"
+              title={
+                isCreateMode
+                  ? 'organization_template.permissions.create_permission'
+                  : 'general.save'
+              }
+              isLoading={isSubmitting}
+              onClick={submit}
+            />
+          </>
+        }
+        onClose={onClose}
+      >
+        <FormField isRequired title="organization_template.permissions.permission_field_name">
+          <TextInput
+            // eslint-disable-next-line jsx-a11y/no-autofocus
+            autoFocus={isCreateMode}
+            readOnly={!isCreateMode}
+            placeholder="read:appointment"
+            error={Boolean(errors.name)}
+            {...register('name', { required: true })}
+          />
+        </FormField>
+        <FormField title="organization_template.permissions.description_field_name">
+          <TextInput
+            // eslint-disable-next-line jsx-a11y/no-autofocus
+            autoFocus={!isCreateMode}
+            placeholder={t('organization_template.permissions.description_field_placeholder')}
+            error={Boolean(errors.description)}
+            {...register('description')}
+          />
+        </FormField>
+      </ModalLayout>
+    </ReactModal>
+  );
+}
+
+export default ManageOrganizationPermissionModal;
diff --git a/packages/console/src/components/PermissionsTable/EditPermissionModal.tsx b/packages/console/src/components/PermissionsTable/EditPermissionModal.tsx
new file mode 100644
index 00000000000..040a1e30330
--- /dev/null
+++ b/packages/console/src/components/PermissionsTable/EditPermissionModal.tsx
@@ -0,0 +1,79 @@
+import { type ScopeResponse } from '@logto/schemas';
+import { useForm } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+import ReactModal from 'react-modal';
+
+import Button from '@/ds-components/Button';
+import FormField from '@/ds-components/FormField';
+import ModalLayout from '@/ds-components/ModalLayout';
+import TextInput from '@/ds-components/TextInput';
+import * as modalStyles from '@/scss/modal.module.scss';
+import { trySubmitSafe } from '@/utils/form';
+
+type Props = {
+  data: ScopeResponse;
+  onClose: () => void;
+  onSubmit: (scope: ScopeResponse) => Promise<void>;
+};
+
+function EditPermissionModal({ data, onClose, onSubmit }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const {
+    handleSubmit,
+    register,
+    formState: { isSubmitting },
+  } = useForm<ScopeResponse>({ defaultValues: data });
+
+  const onSubmitHandler = handleSubmit(
+    trySubmitSafe(async (formData) => {
+      await onSubmit({ ...data, ...formData });
+      onClose();
+    })
+  );
+
+  return (
+    <ReactModal
+      shouldCloseOnEsc
+      isOpen={Boolean(data)}
+      className={modalStyles.content}
+      overlayClassName={modalStyles.overlay}
+      onRequestClose={() => {
+        onClose();
+      }}
+    >
+      <ModalLayout
+        title="permissions.edit_title"
+        footer={
+          <>
+            <Button isLoading={isSubmitting} title="general.cancel" onClick={onClose} />
+            <Button
+              isLoading={isSubmitting}
+              title="general.save"
+              type="primary"
+              htmlType="submit"
+              onClick={onSubmitHandler}
+            />
+          </>
+        }
+        onClose={onClose}
+      >
+        <form>
+          <FormField title="api_resource_details.permission.name">
+            <TextInput readOnly value={data.name} />
+          </FormField>
+          <FormField title="api_resource_details.permission.description">
+            <TextInput
+              // eslint-disable-next-line jsx-a11y/no-autofocus
+              autoFocus
+              placeholder={t('api_resource_details.permission.description_placeholder')}
+              {...register('description')}
+            />
+          </FormField>
+        </form>
+      </ModalLayout>
+    </ReactModal>
+  );
+}
+
+export default EditPermissionModal;
diff --git a/packages/console/src/components/PermissionsTable/index.module.scss b/packages/console/src/components/PermissionsTable/index.module.scss
index 7db73134487..147a324bd01 100644
--- a/packages/console/src/components/PermissionsTable/index.module.scss
+++ b/packages/console/src/components/PermissionsTable/index.module.scss
@@ -24,7 +24,7 @@
     @include _.text-ellipsis;
   }
 
-  .deleteColumn {
+  .actionColumn {
     text-align: right;
   }
 }
diff --git a/packages/console/src/components/PermissionsTable/index.tsx b/packages/console/src/components/PermissionsTable/index.tsx
index c0e89bb4d9e..350d57b5569 100644
--- a/packages/console/src/components/PermissionsTable/index.tsx
+++ b/packages/console/src/components/PermissionsTable/index.tsx
@@ -1,16 +1,15 @@
 import type { AdminConsoleKey } from '@logto/phrases';
 import type { ScopeResponse } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
+import { useState } from 'react';
+import { toast } from 'react-hot-toast';
 import { useTranslation } from 'react-i18next';
 
-import Delete from '@/assets/icons/delete.svg';
 import Plus from '@/assets/icons/plus.svg';
 import PermissionsEmptyDark from '@/assets/images/permissions-empty-dark.svg';
 import PermissionsEmpty from '@/assets/images/permissions-empty.svg';
 import { ApiResourceDetailsTabs } from '@/consts/page-tabs';
 import Button from '@/ds-components/Button';
-import DynamicT from '@/ds-components/DynamicT';
-import IconButton from '@/ds-components/IconButton';
 import type { Props as PaginationProps } from '@/ds-components/Pagination';
 import Search from '@/ds-components/Search';
 import Table from '@/ds-components/Table';
@@ -18,11 +17,13 @@ import TablePlaceholder from '@/ds-components/Table/TablePlaceholder';
 import type { Column } from '@/ds-components/Table/types';
 import Tag from '@/ds-components/Tag';
 import TextLink from '@/ds-components/TextLink';
-import { Tooltip } from '@/ds-components/Tip';
+import useApi from '@/hooks/use-api';
 import useDocumentationUrl from '@/hooks/use-documentation-url';
 
+import ActionsButton from '../ActionsButton';
 import EmptyDataPlaceholder from '../EmptyDataPlaceholder';
 
+import EditPermissionModal from './EditPermissionModal';
 import * as styles from './index.module.scss';
 
 type SearchProps = {
@@ -32,19 +33,47 @@ type SearchProps = {
 };
 
 type Props = {
+  /** List of permissions to be displayed in the table. */
   scopes?: ScopeResponse[];
+  /** Whether the table is loading data or not. */
   isLoading: boolean;
+  /** Error message to be displayed when the table fails to load data. */
   errorMessage?: string;
+  /** The translation key of the create button. */
   createButtonTitle: AdminConsoleKey;
-  deleteButtonTitle?: AdminConsoleKey;
+  /** Whether the table is read-only or not.
+   *  If true, the table will not display the create button and action buttons (editing & deletion).
+   */
   isReadOnly?: boolean;
+  /** Whether the API column is visible or not.
+   * The API column displays the API resource that the permission belongs to.
+   */
   isApiColumnVisible?: boolean;
+  /** Whether the create guide is visible or not.
+   * If true, the table will display a placeholder guiding the user to create a new permission if no permissions are found.
+   */
   isCreateGuideVisible?: boolean;
+  /** Pagination related props, used to navigate through the permissions in the table. */
   pagination?: PaginationProps;
+  /** Search related props, used to filter the permissions in the table. */
   search: SearchProps;
+  /** Function that will be called when the create button is clicked. */
   createHandler: () => void;
-  deleteHandler: (ScopeResponse: ScopeResponse) => void;
+  /** Callback function that will be called when a permission is going to be deleted. */
+  deleteHandler: (scope: ScopeResponse) => void;
+  /** Function that will be called when the retry button is click. */
   retryHandler: () => void;
+  /** Callback function that will be called when the permission is updated (edited). */
+  onPermissionUpdated: () => void;
+  /** Specify deletion related text */
+  deletionText: {
+    /** Delete button title in the action list */
+    actionButton: AdminConsoleKey;
+    /** Confirmation content in the deletion confirmation modal */
+    confirmation: AdminConsoleKey;
+    /** Confirmation button title in the deletion confirmation modal */
+    confirmButton: AdminConsoleKey;
+  };
 };
 
 function PermissionsTable({
@@ -52,7 +81,6 @@ function PermissionsTable({
   isLoading,
   errorMessage,
   createButtonTitle,
-  deleteButtonTitle = 'general.delete',
   isReadOnly = false,
   isApiColumnVisible = false,
   isCreateGuideVisible = false,
@@ -61,9 +89,21 @@ function PermissionsTable({
   createHandler,
   deleteHandler,
   retryHandler,
+  onPermissionUpdated,
+  deletionText,
 }: Props) {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
   const { getDocumentationUrl } = useDocumentationUrl();
+  const [editingScope, setEditingScope] = useState<ScopeResponse>();
+
+  const api = useApi();
+
+  const handleEdit = async (scope: ScopeResponse) => {
+    const patchApiEndpoint = `api/resources/${scope.resourceId}/scopes/${scope.id}`;
+    await api.patch(patchApiEndpoint, { json: scope });
+    toast.success(t('permissions.updated'));
+    onPermissionUpdated();
+  };
 
   const nameColumn: Column<ScopeResponse> = {
     title: t('permissions.name_column'),
@@ -86,32 +126,38 @@ function PermissionsTable({
     render: ({ resource }) => (
       <TextLink
         className={styles.link}
-        to={`/api-resources/${resource.id}/${ApiResourceDetailsTabs.Settings}`}
+        to={`/api-resources/${resource.id}/${ApiResourceDetailsTabs.General}`}
       >
         {resource.name}
       </TextLink>
     ),
   };
 
-  const deleteColumn: Column<ScopeResponse> = {
+  const actionColumn: Column<ScopeResponse> = {
     title: null,
-    dataIndex: 'delete',
-    colSpan: 2,
-    className: styles.deleteColumn,
+    dataIndex: 'action',
+    colSpan: 1,
+    className: styles.actionColumn,
     render: (scope) =>
       /**
        * When the table is read-only, hide the delete button rather than the whole column to keep the table column spaces.
        */
       isReadOnly ? null : (
-        <Tooltip content={<DynamicT forKey={deleteButtonTitle} />}>
-          <IconButton
-            onClick={() => {
-              deleteHandler(scope);
-            }}
-          >
-            <Delete />
-          </IconButton>
-        </Tooltip>
+        <ActionsButton
+          fieldName="permissions.name_column"
+          deleteConfirmation={deletionText.confirmation}
+          textOverrides={{
+            edit: 'permissions.edit',
+            delete: deletionText.actionButton,
+            deleteConfirmation: deletionText.confirmButton,
+          }}
+          onDelete={() => {
+            deleteHandler(scope);
+          }}
+          onEdit={() => {
+            setEditingScope(scope);
+          }}
+        />
       ),
   };
 
@@ -119,59 +165,34 @@ function PermissionsTable({
     nameColumn,
     descriptionColumn,
     conditional(isApiColumnVisible && apiColumn),
-    deleteColumn,
+    actionColumn,
     // eslint-disable-next-line unicorn/prefer-native-coercion-functions
   ].filter((column): column is Column<ScopeResponse> => Boolean(column));
 
   return (
-    <Table
-      className={styles.permissionTable}
-      rowIndexKey="id"
-      rowGroups={[{ key: 'scopes', data: scopes }]}
-      columns={columns}
-      filter={
-        <div className={styles.filter}>
-          <Search
-            defaultValue={keyword}
-            isClearable={Boolean(keyword)}
-            placeholder={t(
-              isApiColumnVisible
-                ? 'permissions.search_placeholder'
-                : 'permissions.search_placeholder_without_api'
-            )}
-            onSearch={searchHandler}
-            onClearSearch={clearSearchHandler}
-          />
-          {!isReadOnly && (
-            <Button
-              title={createButtonTitle}
-              className={styles.createButton}
-              type="primary"
-              size="large"
-              icon={<Plus />}
-              onClick={() => {
-                createHandler();
-              }}
+    <>
+      <Table
+        className={styles.permissionTable}
+        rowIndexKey="id"
+        rowGroups={[{ key: 'scopes', data: scopes }]}
+        columns={columns}
+        filter={
+          <div className={styles.filter}>
+            <Search
+              defaultValue={keyword}
+              isClearable={Boolean(keyword)}
+              placeholder={t(
+                isApiColumnVisible
+                  ? 'permissions.search_placeholder'
+                  : 'permissions.search_placeholder_without_api'
+              )}
+              onSearch={searchHandler}
+              onClearSearch={clearSearchHandler}
             />
-          )}
-        </div>
-      }
-      isLoading={isLoading}
-      pagination={pagination}
-      placeholder={
-        !isReadOnly && isCreateGuideVisible ? (
-          <TablePlaceholder
-            image={<PermissionsEmpty />}
-            imageDark={<PermissionsEmptyDark />}
-            title="permissions.placeholder_title"
-            description="permissions.placeholder_description"
-            learnMoreLink={{
-              href: getDocumentationUrl('/docs/recipes/rbac/manage-permissions-and-roles'),
-              targetBlank: 'noopener',
-            }}
-            action={
+            {!isReadOnly && (
               <Button
                 title={createButtonTitle}
+                className={styles.createButton}
                 type="primary"
                 size="large"
                 icon={<Plus />}
@@ -179,15 +200,51 @@ function PermissionsTable({
                   createHandler();
                 }}
               />
-            }
-          />
-        ) : (
-          <EmptyDataPlaceholder />
-        )
-      }
-      errorMessage={errorMessage}
-      onRetry={retryHandler}
-    />
+            )}
+          </div>
+        }
+        isLoading={isLoading}
+        pagination={pagination}
+        placeholder={
+          !isReadOnly && isCreateGuideVisible ? (
+            <TablePlaceholder
+              image={<PermissionsEmpty />}
+              imageDark={<PermissionsEmptyDark />}
+              title="permissions.placeholder_title"
+              description="permissions.placeholder_description"
+              learnMoreLink={{
+                href: getDocumentationUrl('/docs/recipes/rbac/manage-permissions-and-roles'),
+                targetBlank: 'noopener',
+              }}
+              action={
+                <Button
+                  title={createButtonTitle}
+                  type="primary"
+                  size="large"
+                  icon={<Plus />}
+                  onClick={() => {
+                    createHandler();
+                  }}
+                />
+              }
+            />
+          ) : (
+            <EmptyDataPlaceholder />
+          )
+        }
+        errorMessage={errorMessage}
+        onRetry={retryHandler}
+      />
+      {editingScope && (
+        <EditPermissionModal
+          data={editingScope}
+          onClose={() => {
+            setEditingScope(undefined);
+          }}
+          onSubmit={handleEdit}
+        />
+      )}
+    </>
   );
 }
 
diff --git a/packages/console/src/components/ReportConversion/index.tsx b/packages/console/src/components/ReportConversion/index.tsx
deleted file mode 100644
index 6fc8a209d69..00000000000
--- a/packages/console/src/components/ReportConversion/index.tsx
+++ /dev/null
@@ -1,85 +0,0 @@
-import { useEffect } from 'react';
-import { Helmet } from 'react-helmet';
-
-import useCurrentUser from '@/hooks/use-current-user';
-
-import {
-  shouldReport,
-  lintrk,
-  gtagAwTrackingId,
-  linkedInConversionId,
-  gtag,
-  gtagSignUpConversionId,
-  rdt,
-  redditPixelId,
-  hashEmail,
-} from './utils';
-
-/**
- * In cloud production environment, this component initiates gtag.js and LinkedIn
- * Insight Tag, then reports a sign-up conversion to them.
- */
-export default function ReportConversion() {
-  const { user, isLoading } = useCurrentUser();
-
-  /**
-   * Initiate Reddit Pixel and report a sign-up conversion to it when user is loaded.
-   * Use user email to prevent duplicate conversion, and it is hashed before sending
-   * to protect user privacy.
-   */
-  useEffect(() => {
-    const report = async () => {
-      rdt('init', redditPixelId, {
-        optOut: false,
-        useDecimalCurrencyValues: true,
-        email: await hashEmail(user?.primaryEmail ?? undefined),
-      });
-      rdt('track', 'SignUp');
-    };
-
-    if (shouldReport && !isLoading) {
-      void report();
-    }
-  }, [user, isLoading]);
-
-  /**
-   * This `useEffect()` initiates Google Tag and report a sign-up conversion to it.
-   * It may run multiple times (e.g. a user visit multiple times to finish the onboarding process,
-   * which rarely happens), but it'll be okay since we've set conversion's "Count" to "One"
-   * which means only the first interaction is valuable.
-   *
-   * Track this conversion in the backend has been considered, but Google does not provide
-   * a clear guideline for it and marks the [Node library](https://developers.google.com/tag-platform/tag-manager/api/v2/libraries)
-   * as "alpha" which looks unreliable.
-   */
-  useEffect(() => {
-    if (shouldReport) {
-      gtag('js', new Date());
-      gtag('config', gtagAwTrackingId);
-      gtag('event', 'conversion', {
-        send_to: gtagSignUpConversionId,
-      });
-
-      lintrk('track', { conversion_id: linkedInConversionId });
-      console.debug('Have a good day!');
-    } else {
-      console.debug("Not reporting conversion because it's not production");
-    }
-  }, []);
-
-  if (shouldReport) {
-    return (
-      <Helmet>
-        <script
-          async
-          crossOrigin="anonymous"
-          src={`https://www.googletagmanager.com/gtag/js?id=${gtagAwTrackingId}`}
-        />
-        <script async src="https://snap.licdn.com/li.lms-analytics/insight.min.js" />
-        <script async src="https://www.redditstatic.com/ads/pixel.js" />
-      </Helmet>
-    );
-  }
-
-  return null;
-}
diff --git a/packages/console/src/components/ReportConversion/utils.ts b/packages/console/src/components/ReportConversion/utils.ts
deleted file mode 100644
index 7490fb0ea0e..00000000000
--- a/packages/console/src/components/ReportConversion/utils.ts
+++ /dev/null
@@ -1,88 +0,0 @@
-import { trySafe } from '@silverhand/essentials';
-
-export const gtagAwTrackingId = 'AW-11124811245';
-/** This ID indicates a user has truly signed up for Logto Cloud. */
-export const gtagSignUpConversionId = `AW-11192640559/ZuqUCLvNpasYEK_IiNkp`;
-const logtoProductionHostname = 'logto.io';
-const linkedInPartnerId = '5096172';
-export const linkedInConversionId = '13374828';
-
-/**
- * Due to the special of conversion reporting, it should be `true` only in the
- * Logto Cloud production environment.
- * Add the leading '.' to make it safer (ignore hostnames like "foologto.io").
- */
-export const shouldReport = window.location.hostname.endsWith('.' + logtoProductionHostname);
-
-/* eslint-disable @silverhand/fp/no-mutation, @silverhand/fp/no-mutating-methods, prefer-rest-params */
-
-/** This function is edited from the Google Tag official code snippet. */
-export function gtag(..._: unknown[]) {
-  trySafe(() => {
-    // We cannot use rest params here since gtag has some internal logic about `arguments` for data transpiling
-    if (!window.dataLayer) {
-      window.dataLayer = [];
-    }
-
-    window.dataLayer.push(arguments);
-  });
-}
-
-/** This function is edited from the LinkedIn Tag official code snippet. */
-export function lintrk(..._: unknown[]) {
-  // Init LinkedIn tag if needed
-  if (!window._linkedin_data_partner_ids) {
-    window._linkedin_data_partner_ids = [];
-    window._linkedin_data_partner_ids.push(linkedInPartnerId);
-  }
-
-  trySafe(() => {
-    if (!window.lintrk) {
-      window.lintrk = { q: [] };
-    }
-
-    window.lintrk.q.push(arguments);
-  });
-}
-
-/**
- * This function will do the following things:
- *
- * 1. Canonicalize the given email by Reddit's rule: lowercase, trim,
- * remove dots, remove everything after the first '+'.
- * 2. Hash the canonicalized email by SHA256.
- */
-export const hashEmail = async (email?: string) => {
-  if (!email) {
-    return;
-  }
-
-  const splitEmail = email.toLocaleLowerCase().trim().split('@');
-  const [localPart, domain] = splitEmail;
-
-  if (!localPart || !domain || splitEmail.length > 2) {
-    return;
-  }
-
-  // eslint-disable-next-line unicorn/prefer-string-replace-all
-  const canonicalizedEmail = `${localPart.replace(/\./g, '').replace(/\+.*/, '')}@${domain}`;
-  const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(canonicalizedEmail));
-
-  // https://stackoverflow.com/questions/40031688/javascript-arraybuffer-to-hex
-  return [...new Uint8Array(hash)].map((value) => value.toString(16).padStart(2, '0')).join('');
-};
-
-export const redditPixelId = 't2_ggt11omdo';
-
-/** Report Reddit conversion events. */
-export function rdt(..._: unknown[]) {
-  trySafe(() => {
-    if (!window.rdt) {
-      window.rdt = { callQueue: [] };
-    }
-
-    window.rdt.callQueue.push(arguments);
-  });
-}
-
-/* eslint-enable @silverhand/fp/no-mutation, @silverhand/fp/no-mutating-methods, prefer-rest-params */
diff --git a/packages/console/src/components/SubmitFormChangesActionBar/index.tsx b/packages/console/src/components/SubmitFormChangesActionBar/index.tsx
index 54b4a80825d..d403c323508 100644
--- a/packages/console/src/components/SubmitFormChangesActionBar/index.tsx
+++ b/packages/console/src/components/SubmitFormChangesActionBar/index.tsx
@@ -1,3 +1,4 @@
+import { type AdminConsoleKey } from '@logto/phrases';
 import classNames from 'classnames';
 
 import Button from '@/ds-components/Button';
@@ -9,11 +10,20 @@ type Props = {
   isSubmitting: boolean;
   onSubmit: () => Promise<void>;
   onDiscard: () => void;
+  confirmText?: AdminConsoleKey;
+  className?: string;
 };
 
-function SubmitFormChangesActionBar({ isOpen, isSubmitting, onSubmit, onDiscard }: Props) {
+function SubmitFormChangesActionBar({
+  isOpen,
+  isSubmitting,
+  confirmText = 'general.save_changes',
+  onSubmit,
+  onDiscard,
+  className,
+}: Props) {
   return (
-    <div className={classNames(styles.container, isOpen && styles.active)}>
+    <div className={classNames(styles.container, isOpen && styles.active, className)}>
       <div className={styles.actionBar}>
         <Button
           size="medium"
@@ -27,7 +37,7 @@ function SubmitFormChangesActionBar({ isOpen, isSubmitting, onSubmit, onDiscard
           isLoading={isSubmitting}
           type="primary"
           size="medium"
-          title="general.save_changes"
+          title={confirmText}
           onClick={async () => onSubmit()}
         />
       </div>
diff --git a/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.module.scss b/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.module.scss
new file mode 100644
index 00000000000..fa2a78575e3
--- /dev/null
+++ b/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.module.scss
@@ -0,0 +1,26 @@
+@use '@/scss/underscore' as _;
+
+.item {
+  display: flex;
+  align-items: center;
+  padding: _.unit(2.5) _.unit(4);
+  margin: _.unit(1);
+  border-radius: 6px;
+  transition: background-color 0.2s ease-in-out;
+  justify-content: space-between;
+
+  &:hover {
+    background: var(--color-hover);
+  }
+
+  .meta {
+    display: flex;
+    align-items: center;
+    gap: _.unit(2);
+
+    .name {
+      font: var(--font-body-2);
+      @include _.text-ellipsis;
+    }
+  }
+}
diff --git a/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.tsx b/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.tsx
new file mode 100644
index 00000000000..db01a0a2572
--- /dev/null
+++ b/packages/console/src/components/Topbar/TenantSelector/TenantInvitationDropdownItem/index.tsx
@@ -0,0 +1,53 @@
+import {
+  OrganizationInvitationStatus,
+  getTenantIdFromOrganizationId,
+  type TenantTag,
+} from '@logto/schemas';
+import { useContext } from 'react';
+
+import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
+import TenantEnvTag from '@/components/TenantEnvTag';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Button from '@/ds-components/Button';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  data: {
+    id: string;
+    organizationId: string;
+    tenantName: string;
+    tenantTag: TenantTag;
+  };
+};
+
+function TenantInvitationDropdownItem({ data }: Props) {
+  const cloudApi = useCloudApi();
+  const { navigateTenant, resetTenants } = useContext(TenantsContext);
+  const { id, organizationId, tenantName, tenantTag } = data;
+
+  return (
+    <div className={styles.item}>
+      <div className={styles.meta}>
+        <div className={styles.name}>{tenantName}</div>
+        <TenantEnvTag tag={tenantTag} />
+      </div>
+      <Button
+        size="small"
+        type="outline"
+        title="general.join"
+        onClick={async () => {
+          await cloudApi.patch(`/api/invitations/:invitationId/status`, {
+            params: { invitationId: id },
+            body: { status: OrganizationInvitationStatus.Accepted },
+          });
+          const data = await cloudApi.get('/api/tenants');
+          resetTenants(data);
+          navigateTenant(getTenantIdFromOrganizationId(organizationId));
+        }}
+      />
+    </div>
+  );
+}
+
+export default TenantInvitationDropdownItem;
diff --git a/packages/console/src/components/Topbar/TenantSelector/index.module.scss b/packages/console/src/components/Topbar/TenantSelector/index.module.scss
index f06ff2128af..8697a8b955c 100644
--- a/packages/console/src/components/Topbar/TenantSelector/index.module.scss
+++ b/packages/console/src/components/Topbar/TenantSelector/index.module.scss
@@ -19,6 +19,7 @@ $dropdown-item-height: 40px;
   position: relative;
   border: none;
   background-color: transparent;
+  gap: _.unit(2);
 
   &:hover {
     cursor: pointer;
@@ -31,12 +32,14 @@ $dropdown-item-height: 40px;
 
   .name {
     font: var(--font-title-2);
-    margin-right: _.unit(1.5);
     @include _.text-ellipsis;
   }
 
-  .tag {
-    margin-right: _.unit(2);
+  .redDot {
+    width: 10px;
+    height: 10px;
+    border-radius: 50%;
+    background-color: var(--color-on-error-container);
   }
 
   .arrowIcon {
diff --git a/packages/console/src/components/Topbar/TenantSelector/index.tsx b/packages/console/src/components/Topbar/TenantSelector/index.tsx
index 274500ae18b..07555f0effc 100644
--- a/packages/console/src/components/Topbar/TenantSelector/index.tsx
+++ b/packages/console/src/components/Topbar/TenantSelector/index.tsx
@@ -1,3 +1,4 @@
+import { OrganizationInvitationStatus } from '@logto/schemas';
 import { useContext, useRef, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 
@@ -11,9 +12,11 @@ import Divider from '@/ds-components/Divider';
 import Dropdown from '@/ds-components/Dropdown';
 import OverlayScrollbar from '@/ds-components/OverlayScrollbar';
 import useUserDefaultTenantId from '@/hooks/use-user-default-tenant-id';
+import useUserInvitations from '@/hooks/use-user-invitations';
 import { onKeyDownHandler } from '@/utils/a11y';
 
 import TenantDropdownItem from './TenantDropdownItem';
+import TenantInvitationDropdownItem from './TenantInvitationDropdownItem';
 import * as styles from './index.module.scss';
 
 export default function TenantSelector() {
@@ -25,6 +28,7 @@ export default function TenantSelector() {
     currentTenantId,
     navigateTenant,
   } = useContext(TenantsContext);
+  const { data: pendingInvitations } = useUserInvitations(OrganizationInvitationStatus.Pending);
 
   const anchorRef = useRef<HTMLDivElement>(null);
   const [showDropdown, setShowDropdown] = useState(false);
@@ -50,7 +54,8 @@ export default function TenantSelector() {
         }}
       >
         <div className={styles.name}>{currentTenantInfo.name}</div>
-        <TenantEnvTag className={styles.tag} tag={currentTenantInfo.tag} />
+        <TenantEnvTag tag={currentTenantInfo.tag} />
+        {Boolean(pendingInvitations?.length) && <div className={styles.redDot} />}
         <KeyboardArrowDown className={styles.arrowIcon} />
       </div>
       <Dropdown
@@ -76,6 +81,9 @@ export default function TenantSelector() {
               }}
             />
           ))}
+          {pendingInvitations?.map((invitation) => (
+            <TenantInvitationDropdownItem key={invitation.id} data={invitation} />
+          ))}
         </OverlayScrollbar>
         <Divider />
         <button
diff --git a/packages/console/src/components/UserAccountInformation/index.tsx b/packages/console/src/components/UserAccountInformation/index.tsx
index ad4fc6676a1..e1260b99887 100644
--- a/packages/console/src/components/UserAccountInformation/index.tsx
+++ b/packages/console/src/components/UserAccountInformation/index.tsx
@@ -1,5 +1,5 @@
 import type { AdminConsoleKey } from '@logto/phrases';
-import type { User } from '@logto/schemas';
+import type { UserProfileResponse } from '@logto/schemas';
 import { conditionalArray } from '@silverhand/essentials';
 import { useState } from 'react';
 import { toast } from 'react-hot-toast';
@@ -15,7 +15,7 @@ import * as modalStyles from '@/scss/modal.module.scss';
 import * as styles from './index.module.scss';
 
 type Props = {
-  user: User;
+  user: UserProfileResponse;
   password: string;
   title: AdminConsoleKey;
   onClose: () => void;
diff --git a/packages/console/src/consts/env.ts b/packages/console/src/consts/env.ts
index 0cc64d28128..fcdd528d1ee 100644
--- a/packages/console/src/consts/env.ts
+++ b/packages/console/src/consts/env.ts
@@ -1,9 +1,8 @@
 import { yes } from '@silverhand/essentials';
 
-// eslint-disable-next-line import/no-unused-modules
 export const isProduction = process.env.NODE_ENV === 'production';
 export const isCloud = yes(process.env.IS_CLOUD);
 export const adminEndpoint = process.env.ADMIN_ENDPOINT;
-// eslint-disable-next-line import/no-unused-modules
+
 export const isDevFeaturesEnabled =
   !isProduction || yes(process.env.DEV_FEATURES_ENABLED) || yes(process.env.INTEGRATION_TEST);
diff --git a/packages/console/src/consts/external-links.ts b/packages/console/src/consts/external-links.ts
index f86437c5c52..5d000a63f3e 100644
--- a/packages/console/src/consts/external-links.ts
+++ b/packages/console/src/consts/external-links.ts
@@ -23,3 +23,10 @@ export const logtoThirdPartyGuideLink = '/docs/recipes/logto-as-idp/';
 export const logtoThirdPartyAppPermissionsLink =
   '/docs/recipes/logto-as-idp/permissions-management/';
 export const logtoThirdPartyAppBrandingLink = '/docs/recipes/logto-as-idp/branding-customization/';
+export const signingKeysLink = '/docs/recipes/openid-connect/signing-keys-rotation/';
+export const organizationTemplateLink =
+  '/docs/recipes/organizations/understand-how-it-works/#organization-template';
+export const organizationRoleLink =
+  '/docs/recipes/organizations/understand-how-it-works/#organization-role';
+export const organizationPermissionLink =
+  '/docs/recipes/organizations/understand-how-it-works/#organization-permission';
diff --git a/packages/console/src/consts/logs.ts b/packages/console/src/consts/logs.ts
index c4c256833dc..0156bf85266 100644
--- a/packages/console/src/consts/logs.ts
+++ b/packages/console/src/consts/logs.ts
@@ -1,4 +1,4 @@
-import type { AuditLogKey, LogKey, WebhookLogKey } from '@logto/schemas';
+import type { AuditLogKey, WebhookLogKey, JwtCustomizerLogKey, LogKey } from '@logto/schemas';
 import { type Optional } from '@silverhand/essentials';
 
 export const auditLogEventTitle: Record<string, Optional<string>> &
@@ -86,7 +86,14 @@ const webhookLogEventTitle: Record<string, Optional<string>> &
   'TriggerHook.PostSignIn': undefined,
 });
 
+const jwtCustomizerLogEventTitle: Record<string, Optional<string>> &
+  Record<JwtCustomizerLogKey, Optional<string>> = Object.freeze({
+  'JwtCustomizer.AccessToken': undefined,
+  'JwtCustomizer.ClientCredentials': undefined,
+});
+
 export const logEventTitle: Record<string, Optional<string>> & Record<LogKey, Optional<string>> = {
   ...auditLogEventTitle,
   ...webhookLogEventTitle,
+  ...jwtCustomizerLogEventTitle,
 };
diff --git a/packages/console/src/consts/page-tabs.ts b/packages/console/src/consts/page-tabs.ts
index 5a2803434c0..3a3524b5fc8 100644
--- a/packages/console/src/consts/page-tabs.ts
+++ b/packages/console/src/consts/page-tabs.ts
@@ -7,8 +7,8 @@ export enum ApplicationDetailsTabs {
 }
 
 export enum ApiResourceDetailsTabs {
-  Settings = 'settings',
   Permissions = 'permissions',
+  General = 'general',
 }
 
 export enum ConnectorsTabs {
@@ -37,6 +37,7 @@ export enum RoleDetailsTabs {
 
 export enum TenantSettingsTabs {
   Settings = 'settings',
+  Members = 'members',
   Domains = 'domains',
   Subscription = 'subscription',
   BillingHistory = 'billing-history',
@@ -46,3 +47,13 @@ export enum EnterpriseSsoDetailsTabs {
   Connection = 'connection',
   Experience = 'experience',
 }
+
+export enum OrganizationTemplateTabs {
+  OrganizationRoles = 'organization-roles',
+  OrganizationPermissions = 'organization-permissions',
+}
+
+export enum OrganizationRoleDetailsTabs {
+  Permissions = 'permissions',
+  General = 'general',
+}
diff --git a/packages/console/src/consts/quota-item-phrases.ts b/packages/console/src/consts/quota-item-phrases.ts
index 41ae37a204c..a4ade8a7a40 100644
--- a/packages/console/src/consts/quota-item-phrases.ts
+++ b/packages/console/src/consts/quota-item-phrases.ts
@@ -26,6 +26,7 @@ export const quotaItemPhrasesMap: Record<
   mfaEnabled: 'mfa_enabled.name',
   organizationsEnabled: 'organizations_enabled.name',
   ssoEnabled: 'sso_enabled.name',
+  tenantMembersLimit: 'tenant_members_limit.name',
 };
 
 export const quotaItemUnlimitedPhrasesMap: Record<
@@ -52,6 +53,7 @@ export const quotaItemUnlimitedPhrasesMap: Record<
   mfaEnabled: 'mfa_enabled.unlimited',
   organizationsEnabled: 'organizations_enabled.unlimited',
   ssoEnabled: 'sso_enabled.unlimited',
+  tenantMembersLimit: 'tenant_members_limit.unlimited',
 };
 
 export const quotaItemLimitedPhrasesMap: Record<
@@ -78,6 +80,7 @@ export const quotaItemLimitedPhrasesMap: Record<
   mfaEnabled: 'mfa_enabled.limited',
   organizationsEnabled: 'organizations_enabled.limited',
   ssoEnabled: 'sso_enabled.limited',
+  tenantMembersLimit: 'tenant_members_limit.limited',
 };
 
 export const quotaItemNotEligiblePhrasesMap: Record<
@@ -104,4 +107,5 @@ export const quotaItemNotEligiblePhrasesMap: Record<
   mfaEnabled: 'mfa_enabled.not_eligible',
   organizationsEnabled: 'organizations_enabled.not_eligible',
   ssoEnabled: 'sso_enabled.not_eligible',
+  tenantMembersLimit: 'tenant_members_limit.not_eligible',
 };
diff --git a/packages/console/src/consts/subscriptions.ts b/packages/console/src/consts/subscriptions.ts
index 4fa7610ff94..5327059e1fd 100644
--- a/packages/console/src/consts/subscriptions.ts
+++ b/packages/console/src/consts/subscriptions.ts
@@ -1,5 +1,15 @@
 import { ReservedPlanId } from '@logto/schemas';
 
+/**
+ * Shared quota limits between the featured plan content in the `CreateTenantModal` and the `PlanComparisonTable`.
+ */
+export const freePlanMauLimit = 50_000;
+export const freePlanM2mLimit = 1;
+export const freePlanRoleLimit = 1;
+export const freePlanPermissionsLimit = 1;
+export const freePlanAuditLogsRetentionDays = 3;
+export const proPlanAuditLogsRetentionDays = 14;
+
 /**
  * In console, only featured plans are shown in the plan selection component.
  */
diff --git a/packages/console/src/consts/tenants.ts b/packages/console/src/consts/tenants.ts
index fc54f4c983a..119a2678bf7 100644
--- a/packages/console/src/consts/tenants.ts
+++ b/packages/console/src/consts/tenants.ts
@@ -66,6 +66,7 @@ export const defaultSubscriptionPlan: SubscriptionPlan = {
     ssoEnabled: true,
     ticketSupportResponseTime: 48,
     thirdPartyApplicationsLimit: null,
+    tenantMembersLimit: null,
   },
 };
 
diff --git a/packages/console/src/containers/ConsoleContent/Sidebar/hook.tsx b/packages/console/src/containers/ConsoleContent/Sidebar/hook.tsx
index 627521ccc4c..064cb034b2e 100644
--- a/packages/console/src/containers/ConsoleContent/Sidebar/hook.tsx
+++ b/packages/console/src/containers/ConsoleContent/Sidebar/hook.tsx
@@ -8,6 +8,8 @@ import Box from '@/assets/icons/box.svg';
 import Connection from '@/assets/icons/connection.svg';
 import Gear from '@/assets/icons/gear.svg';
 import Hook from '@/assets/icons/hook.svg';
+import JwtClaims from '@/assets/icons/jwt-claims.svg';
+import Key from '@/assets/icons/key.svg';
 import List from '@/assets/icons/list.svg';
 import Organization from '@/assets/icons/organization.svg';
 import UserProfile from '@/assets/icons/profile.svg';
@@ -16,7 +18,7 @@ import Role from '@/assets/icons/role.svg';
 import SecurityLock from '@/assets/icons/security-lock.svg';
 import EnterpriseSso from '@/assets/icons/single-sign-on.svg';
 import Web from '@/assets/icons/web.svg';
-import { isCloud } from '@/consts/env';
+import { isCloud, isDevFeaturesEnabled } from '@/consts/env';
 
 type SidebarItem = {
   Icon: FC;
@@ -61,16 +63,13 @@ export const useSidebarMenuItems = (): {
       ],
     },
     {
-      title: 'resources',
+      title: 'authentication',
       items: [
         {
           Icon: Box,
           title: 'applications',
         },
-        {
-          Icon: ResourceIcon,
-          title: 'api_resources',
-        },
+
         {
           Icon: Web,
           title: 'sign_in_experience',
@@ -89,6 +88,24 @@ export const useSidebarMenuItems = (): {
         },
       ],
     },
+    {
+      title: 'authorization',
+      items: [
+        {
+          Icon: ResourceIcon,
+          title: 'api_resources',
+        },
+        {
+          Icon: Role,
+          title: 'roles',
+        },
+        {
+          Icon: Role,
+          title: 'organization_template',
+          isHidden: !isDevFeaturesEnabled,
+        },
+      ],
+    },
     {
       title: 'users',
       items: [
@@ -100,23 +117,28 @@ export const useSidebarMenuItems = (): {
           Icon: UserProfile,
           title: 'users',
         },
-        {
-          Icon: List,
-          title: 'audit_logs',
-        },
-        {
-          Icon: Role,
-          title: 'roles',
-        },
       ],
     },
     {
-      title: 'automation',
+      title: 'developer',
       items: [
+        {
+          Icon: Key,
+          title: 'signing_keys',
+        },
+        {
+          Icon: JwtClaims,
+          title: 'customize_jwt',
+          isHidden: !(isCloud && isDevFeaturesEnabled),
+        },
         {
           Icon: Hook,
           title: 'webhooks',
         },
+        {
+          Icon: List,
+          title: 'audit_logs',
+        },
       ],
     },
     {
diff --git a/packages/console/src/containers/ConsoleContent/index.tsx b/packages/console/src/containers/ConsoleContent/index.tsx
index a1e63ad5cc3..f61e28011a9 100644
--- a/packages/console/src/containers/ConsoleContent/index.tsx
+++ b/packages/console/src/containers/ConsoleContent/index.tsx
@@ -2,21 +2,20 @@ import { useContext } from 'react';
 import { Navigate, Route, Routes, useOutletContext } from 'react-router-dom';
 
 import {
-  ApiResourceDetailsTabs,
+  ApplicationDetailsTabs,
   ConnectorsTabs,
-  UserDetailsTabs,
+  EnterpriseSsoDetailsTabs,
+  OrganizationTemplateTabs,
   RoleDetailsTabs,
-  WebhookDetailsTabs,
   TenantSettingsTabs,
-  ApplicationDetailsTabs,
-  EnterpriseSsoDetailsTabs,
+  UserDetailsTabs,
+  WebhookDetailsTabs,
 } from '@/consts';
-import { isCloud } from '@/consts/env';
+import { isCloud, isDevFeaturesEnabled } from '@/consts/env';
 import { TenantsContext } from '@/contexts/TenantsProvider';
 import OverlayScrollbar from '@/ds-components/OverlayScrollbar';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
 import ApiResourceDetails from '@/pages/ApiResourceDetails';
-import ApiResourcePermissions from '@/pages/ApiResourceDetails/ApiResourcePermissions';
-import ApiResourceSettings from '@/pages/ApiResourceDetails/ApiResourceSettings';
 import ApiResources from '@/pages/ApiResources';
 import ApplicationDetails from '@/pages/ApplicationDetails';
 import Applications from '@/pages/Applications';
@@ -24,6 +23,8 @@ import AuditLogDetails from '@/pages/AuditLogDetails';
 import AuditLogs from '@/pages/AuditLogs';
 import ConnectorDetails from '@/pages/ConnectorDetails';
 import Connectors from '@/pages/Connectors';
+import CustomizeJwt from '@/pages/CustomizeJwt';
+import CustomizeJwtDetails from '@/pages/CustomizeJwtDetails';
 import Dashboard from '@/pages/Dashboard';
 import EnterpriseSsoConnectors from '@/pages/EnterpriseSso';
 import EnterpriseSsoConnectorDetails from '@/pages/EnterpriseSsoDetails';
@@ -31,6 +32,10 @@ import GetStarted from '@/pages/GetStarted';
 import Mfa from '@/pages/Mfa';
 import NotFound from '@/pages/NotFound';
 import OrganizationDetails from '@/pages/OrganizationDetails';
+import OrganizationRoleDetails from '@/pages/OrganizationRoleDetails';
+import OrganizationTemplate from '@/pages/OrganizationTemplate';
+import OrganizationPermissions from '@/pages/OrganizationTemplate/OrganizationPermissions';
+import OrganizationRoles from '@/pages/OrganizationTemplate/OrganizationRoles';
 import Organizations from '@/pages/Organizations';
 import OrganizationGuide from '@/pages/Organizations/Guide';
 import Profile from '@/pages/Profile';
@@ -46,11 +51,13 @@ import RoleUsers from '@/pages/RoleDetails/RoleUsers';
 import Roles from '@/pages/Roles';
 import SignInExperience from '@/pages/SignInExperience';
 import { SignInExperienceTab } from '@/pages/SignInExperience/types';
+import SigningKeys from '@/pages/SigningKeys';
 import TenantSettings from '@/pages/TenantSettings';
 import BillingHistory from '@/pages/TenantSettings/BillingHistory';
 import Subscription from '@/pages/TenantSettings/Subscription';
 import TenantBasicSettings from '@/pages/TenantSettings/TenantBasicSettings';
 import TenantDomainSettings from '@/pages/TenantSettings/TenantDomainSettings';
+import TenantMembers from '@/pages/TenantSettings/TenantMembers';
 import UserDetails from '@/pages/UserDetails';
 import UserLogs from '@/pages/UserDetails/UserLogs';
 import UserOrganizations from '@/pages/UserDetails/UserOrganizations';
@@ -70,6 +77,7 @@ import * as styles from './index.module.scss';
 function ConsoleContent() {
   const { scrollableContent } = useOutletContext<AppContentOutletContext>();
   const { isDevTenant } = useContext(TenantsContext);
+  const { canManageTenant } = useCurrentTenantScopes();
 
   return (
     <div className={styles.content}>
@@ -101,14 +109,7 @@ function ConsoleContent() {
               <Route index element={<ApiResources />} />
               <Route path="create" element={<ApiResources />} />
               <Route path=":id/guide/:guideId" element={<ApiResourceDetails />} />
-              <Route path=":id" element={<ApiResourceDetails />}>
-                <Route index element={<Navigate replace to={ApiResourceDetailsTabs.Settings} />} />
-                <Route path={ApiResourceDetailsTabs.Settings} element={<ApiResourceSettings />} />
-                <Route
-                  path={ApiResourceDetailsTabs.Permissions}
-                  element={<ApiResourcePermissions />}
-                />
-              </Route>
+              <Route path=":id/*" element={<ApiResourceDetails />} />
             </Route>
             <Route path="sign-in-experience">
               <Route index element={<Navigate replace to={SignInExperienceTab.Branding} />} />
@@ -176,6 +177,28 @@ function ConsoleContent() {
                 <Route path={RoleDetailsTabs.M2mApps} element={<RoleApplications />} />
               </Route>
             </Route>
+            {isDevFeaturesEnabled && (
+              <>
+                <Route path="organization-template" element={<OrganizationTemplate />}>
+                  <Route
+                    index
+                    element={<Navigate replace to={OrganizationTemplateTabs.OrganizationRoles} />}
+                  />
+                  <Route
+                    path={OrganizationTemplateTabs.OrganizationRoles}
+                    element={<OrganizationRoles />}
+                  />
+                  <Route
+                    path={OrganizationTemplateTabs.OrganizationPermissions}
+                    element={<OrganizationPermissions />}
+                  />
+                </Route>
+                <Route
+                  path={`organization-template/${OrganizationTemplateTabs.OrganizationRoles}/:id/*`}
+                  element={<OrganizationRoleDetails />}
+                />
+              </>
+            )}
             <Route path="organizations">
               <Route index element={<Organizations />} />
               <Route path="create" element={<Organizations />} />
@@ -190,12 +213,24 @@ function ConsoleContent() {
               <Route path="link-email" element={<LinkEmailModal />} />
               <Route path="verification-code" element={<VerificationCodeModal />} />
             </Route>
+            <Route path="signing-keys" element={<SigningKeys />} />
             {isCloud && (
               <Route path="tenant-settings" element={<TenantSettings />}>
-                <Route index element={<Navigate replace to={TenantSettingsTabs.Settings} />} />
+                <Route
+                  index
+                  element={
+                    <Navigate
+                      replace
+                      to={
+                        canManageTenant ? TenantSettingsTabs.Settings : TenantSettingsTabs.Members
+                      }
+                    />
+                  }
+                />
                 <Route path={TenantSettingsTabs.Settings} element={<TenantBasicSettings />} />
+                <Route path={`${TenantSettingsTabs.Members}/*`} element={<TenantMembers />} />
                 <Route path={TenantSettingsTabs.Domains} element={<TenantDomainSettings />} />
-                {!isDevTenant && (
+                {!isDevTenant && canManageTenant && (
                   <>
                     <Route path={TenantSettingsTabs.Subscription} element={<Subscription />} />
                     <Route path={TenantSettingsTabs.BillingHistory} element={<BillingHistory />} />
@@ -203,6 +238,12 @@ function ConsoleContent() {
                 )}
               </Route>
             )}
+            {isCloud && isDevFeaturesEnabled && (
+              <Route path="customize-jwt">
+                <Route index element={<CustomizeJwt />} />
+                <Route path=":tokenType/:action" element={<CustomizeJwtDetails />} />
+              </Route>
+            )}
           </Routes>
         </div>
       </OverlayScrollbar>
diff --git a/packages/console/src/pages/ConsoleRoutes/index.tsx b/packages/console/src/containers/ConsoleRoutes/index.tsx
similarity index 93%
rename from packages/console/src/pages/ConsoleRoutes/index.tsx
rename to packages/console/src/containers/ConsoleRoutes/index.tsx
index 56acf88531a..ec49548bc1a 100644
--- a/packages/console/src/pages/ConsoleRoutes/index.tsx
+++ b/packages/console/src/containers/ConsoleRoutes/index.tsx
@@ -14,12 +14,11 @@ import { GlobalRoute } from '@/contexts/TenantsProvider';
 import Toast from '@/ds-components/Toast';
 import useSwrOptions from '@/hooks/use-swr-options';
 import Callback from '@/pages/Callback';
+import CheckoutSuccessCallback from '@/pages/CheckoutSuccessCallback';
+import HandleSocialCallback from '@/pages/Profile/containers/HandleSocialCallback';
 import Welcome from '@/pages/Welcome';
 import { dropLeadingSlash } from '@/utils/url';
 
-import CheckoutSuccessCallback from '../CheckoutSuccessCallback';
-import HandleSocialCallback from '../Profile/containers/HandleSocialCallback';
-
 function Layout() {
   const swrOptions = useSwrOptions();
 
diff --git a/packages/console/src/containers/ProtectedRoutes/index.tsx b/packages/console/src/containers/ProtectedRoutes/index.tsx
index c2e7d520579..cdc445b77ea 100644
--- a/packages/console/src/containers/ProtectedRoutes/index.tsx
+++ b/packages/console/src/containers/ProtectedRoutes/index.tsx
@@ -1,7 +1,7 @@
 import { useLogto } from '@logto/react';
 import { yes, conditional } from '@silverhand/essentials';
 import { useContext, useEffect } from 'react';
-import { Outlet, useSearchParams } from 'react-router-dom';
+import { Outlet, useMatch, useSearchParams } from 'react-router-dom';
 
 import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
 import AppLoading from '@/components/AppLoading';
@@ -35,14 +35,16 @@ export default function ProtectedRoutes() {
   const { isAuthenticated, isLoading, signIn } = useLogto();
   const { isInitComplete, resetTenants } = useContext(TenantsContext);
   const redirectUri = useRedirectUri();
+  const match = useMatch('/accept/:invitationId');
 
   useEffect(() => {
     if (!isLoading && !isAuthenticated) {
       saveRedirect();
-      const isSignUpMode = yes(searchParameters.get(searchKeys.signUp));
+      const isInvitationLink = Boolean(match?.pathname.startsWith('/accept/'));
+      const isSignUpMode = yes(searchParameters.get(searchKeys.signUp)) || isInvitationLink;
       void signIn(redirectUri.href, conditional(isSignUpMode && 'signUp'));
     }
-  }, [redirectUri, isAuthenticated, isLoading, searchParameters, signIn]);
+  }, [redirectUri, isAuthenticated, isLoading, searchParameters, signIn, match?.pathname]);
 
   useEffect(() => {
     if (isAuthenticated && !isInitComplete) {
diff --git a/packages/console/src/contexts/TenantsProvider.tsx b/packages/console/src/contexts/TenantsProvider.tsx
index bed76496101..2a99686001a 100644
--- a/packages/console/src/contexts/TenantsProvider.tsx
+++ b/packages/console/src/contexts/TenantsProvider.tsx
@@ -28,6 +28,7 @@ export enum GlobalAnonymousRoute {
  */
 export enum GlobalRoute {
   CheckoutSuccessCallback = '/checkout-success-callback',
+  AcceptInvitation = '/accept',
 }
 
 const reservedRoutes: Readonly<string[]> = Object.freeze([
@@ -101,7 +102,12 @@ function TenantsProvider({ children }: Props) {
       return defaultTenantId;
     }
 
-    if (!match || reservedRoutes.includes(match.pathname)) {
+    if (
+      !match ||
+      reservedRoutes.some(
+        (route) => match.pathname === route || match.pathname.startsWith(route + '/')
+      )
+    ) {
       return '';
     }
 
diff --git a/packages/console/src/ds-components/CardTitle/index.module.scss b/packages/console/src/ds-components/CardTitle/index.module.scss
index 36eec96534c..9258bc9fbeb 100644
--- a/packages/console/src/ds-components/CardTitle/index.module.scss
+++ b/packages/console/src/ds-components/CardTitle/index.module.scss
@@ -21,10 +21,6 @@
     color: var(--color-text-secondary);
   }
 
-  .learnMore:not(:first-child) {
-    margin-left: _.unit(1);
-  }
-
   &.large {
     .title {
       font: var(--font-title-1);
diff --git a/packages/console/src/ds-components/CardTitle/index.tsx b/packages/console/src/ds-components/CardTitle/index.tsx
index 9b0d1e7b260..4910eae0b48 100644
--- a/packages/console/src/ds-components/CardTitle/index.tsx
+++ b/packages/console/src/ds-components/CardTitle/index.tsx
@@ -55,13 +55,14 @@ function CardTitle({
             <span>{typeof subtitle === 'string' ? <DynamicT forKey={subtitle} /> : subtitle}</span>
           )}
           {learnMoreLink?.href && (
-            <TextLink
-              href={learnMoreLink.href}
-              targetBlank={learnMoreLink.targetBlank}
-              className={styles.learnMore}
-            >
-              {t('general.learn_more')}
-            </TextLink>
+            <>
+              {/* Use a space to keep the link and the text separate.
+               * Avoid using `margin-left` since it will cause an unexpected gap when the "learn more" text is at the start of a new line
+               */}{' '}
+              <TextLink href={learnMoreLink.href} targetBlank={learnMoreLink.targetBlank}>
+                {t('general.learn_more')}
+              </TextLink>
+            </>
           )}
         </div>
       )}
diff --git a/packages/console/src/ds-components/ConfirmModal/index.module.scss b/packages/console/src/ds-components/ConfirmModal/index.module.scss
index ac97e390d8c..29165f829dd 100644
--- a/packages/console/src/ds-components/ConfirmModal/index.module.scss
+++ b/packages/console/src/ds-components/ConfirmModal/index.module.scss
@@ -1,5 +1,9 @@
 @use '@/scss/underscore' as _;
 
+.overlay {
+  z-index: 1000;
+}
+
 .content {
   font: var(--font-body-2);
 
diff --git a/packages/console/src/ds-components/ConfirmModal/index.tsx b/packages/console/src/ds-components/ConfirmModal/index.tsx
index ca3ebb9b4f2..b6964f15f77 100644
--- a/packages/console/src/ds-components/ConfirmModal/index.tsx
+++ b/packages/console/src/ds-components/ConfirmModal/index.tsx
@@ -50,8 +50,8 @@ function ConfirmModal({
     <ReactModal
       shouldCloseOnEsc
       isOpen={isOpen}
-      className={modalStyles.content}
-      overlayClassName={modalStyles.overlay}
+      className={classNames(modalStyles.content)}
+      overlayClassName={classNames(modalStyles.overlay, styles.overlay)}
       onRequestClose={onCancel}
     >
       <ModalLayout
diff --git a/packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.module.scss b/packages/console/src/ds-components/KeyValueInputField/index.module.scss
similarity index 100%
rename from packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.module.scss
rename to packages/console/src/ds-components/KeyValueInputField/index.module.scss
diff --git a/packages/console/src/ds-components/KeyValueInputField/index.tsx b/packages/console/src/ds-components/KeyValueInputField/index.tsx
new file mode 100644
index 00000000000..1255b09553b
--- /dev/null
+++ b/packages/console/src/ds-components/KeyValueInputField/index.tsx
@@ -0,0 +1,118 @@
+import { type FieldError } from 'react-hook-form';
+
+import CirclePlus from '@/assets/icons/circle-plus.svg';
+import Minus from '@/assets/icons/minus.svg';
+import Button from '@/ds-components/Button';
+import IconButton from '@/ds-components/IconButton';
+import TextInput, { type Props as TextInputProps } from '@/ds-components/TextInput';
+
+import * as styles from './index.module.scss';
+
+type FieldType = {
+  key: string;
+  value: string;
+};
+
+type ErrorType = {
+  [K in keyof FieldType]?: FieldError | string | undefined;
+};
+
+// TextInput props getter
+type InputFieldPropsGetter = {
+  [K in keyof FieldType]: (index: number) => Omit<TextInputProps, 'ref'>;
+};
+
+type ErrorProps = {
+  error?: FieldError | string | undefined;
+};
+function Error({ error }: ErrorProps) {
+  if (!error) {
+    return null;
+  }
+
+  if (typeof error === 'string') {
+    return <div className={styles.error}>{error}</div>;
+  }
+
+  return <div className={styles.error}>{error.message}</div>;
+}
+
+type Props = {
+  className?: string;
+  fields: Array<FieldType & { id: string }>; // Id is required to uniquely identify each field
+  errors?: Array<ErrorType | undefined>;
+  getInputFieldProps: InputFieldPropsGetter;
+  onRemove: (index: number) => void;
+  onAppend: (field: FieldType) => void;
+};
+
+/**
+ * UI component for key-value input field.
+ *
+ * This component is used to add multiple key-value pairs.
+ * For most of the cases, it is designed to be used along with react-hook-form.
+ * All the input properties are registered with react-hook-form.
+ * @param {Props} props - The props for the component.
+ * @param {string} [props.className] - The class name for the container.
+ * @param {FieldType} props.fields - The array of key-value pairs. @see {@link https://react-hook-form.com/docs/usefieldarray}
+ * @param {ErrorType[]} [props.errors] - The array of errors for each field. Accepts both string and FieldError from RHF.
+ * @param {Function} props.onRemove - The function to remove a field. @see {@link https://react-hook-form.com/docs/usefieldarray}
+ * @param {Function} props.onAppend - The function to append a new field. @see {@link https://react-hook-form.com/docs/usefieldarray}
+ * @param {InputFieldPropsGetter} getInputFieldProps - The function bundle to get the input field props for each field. e.g. Use React Hook Form's register method to register the input field.
+ */
+function KeyValueInputField({
+  className,
+  fields,
+  errors,
+  getInputFieldProps,
+  onRemove,
+  onAppend,
+}: Props) {
+  return (
+    <div className={className}>
+      {fields.map((field, index) => {
+        return (
+          // Use id as the element key if it exists (generated by react-hook-form useFieldArray method), otherwise use the key
+          <div key={field.id} className={styles.field}>
+            <div className={styles.input}>
+              <TextInput
+                className={styles.keyInput}
+                placeholder="Key"
+                error={Boolean(errors?.[index]?.key)}
+                {...getInputFieldProps.key(index)}
+              />
+              <TextInput
+                className={styles.valueInput}
+                placeholder="Value"
+                error={Boolean(errors?.[index]?.value)}
+                {...getInputFieldProps.value(index)}
+              />
+              {fields.length > 1 && (
+                <IconButton
+                  onClick={() => {
+                    onRemove(index);
+                  }}
+                >
+                  <Minus />
+                </IconButton>
+              )}
+            </div>
+            <Error error={errors?.[index]?.key} />
+            <Error error={errors?.[index]?.value} />
+          </div>
+        );
+      })}
+      <Button
+        size="small"
+        type="text"
+        title="general.add_another"
+        icon={<CirclePlus />}
+        onClick={() => {
+          onAppend({ key: '', value: '' });
+        }}
+      />
+    </div>
+  );
+}
+
+export default KeyValueInputField;
diff --git a/packages/console/src/ds-components/TextInput/index.module.scss b/packages/console/src/ds-components/TextInput/index.module.scss
index 373703c980d..b4f49b32585 100644
--- a/packages/console/src/ds-components/TextInput/index.module.scss
+++ b/packages/console/src/ds-components/TextInput/index.module.scss
@@ -28,7 +28,7 @@
   transition-duration: 0.2s;
   padding: 0 _.unit(3);
   height: 36px;
-  background-color: inherit;
+  background-color: var(--color-layer-1);
   font: var(--font-body-2);
 
   &.withIcon {
@@ -85,6 +85,7 @@
 
     &[type='number'] {
       -moz-appearance: textfield;
+      appearance: textfield;
 
       &::-webkit-outer-spin-button,
       &::-webkit-inner-spin-button {
diff --git a/packages/console/src/ds-components/TextInput/index.tsx b/packages/console/src/ds-components/TextInput/index.tsx
index 1fb5841765d..65f42aaa6b9 100644
--- a/packages/console/src/ds-components/TextInput/index.tsx
+++ b/packages/console/src/ds-components/TextInput/index.tsx
@@ -18,7 +18,7 @@ import IconButton from '@/ds-components/IconButton';
 
 import * as styles from './index.module.scss';
 
-type Props = Omit<HTMLProps<HTMLInputElement>, 'size'> & {
+export type Props = Omit<HTMLProps<HTMLInputElement>, 'size'> & {
   error?: string | boolean | ReactElement;
   icon?: ReactElement;
   /**
diff --git a/packages/console/src/hooks/use-api.ts b/packages/console/src/hooks/use-api.ts
index 48309fbfdc8..2bb1445595f 100644
--- a/packages/console/src/hooks/use-api.ts
+++ b/packages/console/src/hooks/use-api.ts
@@ -4,6 +4,7 @@ import {
   httpCodeToMessage,
   organizationUrnPrefix,
 } from '@logto/core-kit';
+import { type LogtoErrorCode } from '@logto/phrases';
 import { useLogto } from '@logto/react';
 import {
   getTenantOrganizationId,
@@ -37,21 +38,18 @@ export class RequestError extends Error {
 
 export type StaticApiProps = {
   prefixUrl?: URL;
-  hideErrorToast?: boolean;
+  hideErrorToast?: boolean | LogtoErrorCode[];
   resourceIndicator: string;
 };
 
-export const useStaticApi = ({
-  prefixUrl,
-  hideErrorToast,
-  resourceIndicator,
-}: StaticApiProps): KyInstance => {
-  const { isAuthenticated, getAccessToken, getOrganizationToken, signOut } = useLogto();
-  const { t, i18n } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+const useGlobalRequestErrorHandler = (toastDisabledErrorCodes?: LogtoErrorCode[]) => {
+  const { signOut } = useLogto();
   const { show } = useConfirmModal();
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
   const postSignOutRedirectUri = useRedirectUri('signOut');
 
-  const toastError = useCallback(
+  const handleError = useCallback(
     async (response: Response) => {
       const fallbackErrorMessage = t('errors.unknown_server_error');
 
@@ -81,14 +79,48 @@ export const useStaticApi = ({
           return;
         }
 
+        // Skip showing toast for specific error codes.
+        if (toastDisabledErrorCodes?.includes(data.code)) {
+          return;
+        }
+
         toast.error([data.message, data.details].join('\n') || fallbackErrorMessage);
       } catch {
         toast.error(httpCodeToMessage[response.status] ?? fallbackErrorMessage);
       }
     },
-    [show, signOut, t, postSignOutRedirectUri]
+    [t, toastDisabledErrorCodes, signOut, postSignOutRedirectUri.href, show]
   );
 
+  return {
+    handleError,
+  };
+};
+
+/**
+ *
+ * @param {StaticApiProps} props
+ * @param {URL} props.prefixUrl  The base URL for the API.
+ * @param {boolean} props.hideErrorToast  Whether to disable the global error handling.
+ * @param {string} props.resourceIndicator  The resource indicator for the API. Used by the Logto SDK to validate the access token.
+ *
+ * @returns
+ */
+export const useStaticApi = ({
+  prefixUrl,
+  hideErrorToast,
+  resourceIndicator,
+}: StaticApiProps): KyInstance => {
+  const { isAuthenticated, getAccessToken, getOrganizationToken } = useLogto();
+  const { i18n } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  // Disable global error handling if `hideErrorToast` is true.
+  const disableGlobalErrorHandling = hideErrorToast === true;
+  // Disable toast for specific error codes.
+  const toastDisabledErrorCodes = Array.isArray(hideErrorToast) ? hideErrorToast : undefined;
+
+  const { handleError } = useGlobalRequestErrorHandler(toastDisabledErrorCodes);
+
   const api = useMemo(
     () =>
       ky.create({
@@ -96,9 +128,9 @@ export const useStaticApi = ({
         timeout: requestTimeout,
         hooks: {
           beforeError: conditionalArray(
-            !hideErrorToast &&
+            !disableGlobalErrorHandling &&
               (async (error) => {
-                await toastError(error.response);
+                await handleError(error.response);
                 return error;
               })
           ),
@@ -117,8 +149,8 @@ export const useStaticApi = ({
       }),
     [
       prefixUrl,
-      hideErrorToast,
-      toastError,
+      disableGlobalErrorHandling,
+      handleError,
       isAuthenticated,
       resourceIndicator,
       getOrganizationToken,
diff --git a/packages/console/src/hooks/use-current-tenant-scopes.ts b/packages/console/src/hooks/use-current-tenant-scopes.ts
new file mode 100644
index 00000000000..91fdce9d30d
--- /dev/null
+++ b/packages/console/src/hooks/use-current-tenant-scopes.ts
@@ -0,0 +1,61 @@
+import { useLogto } from '@logto/react';
+import { TenantScope, getTenantOrganizationId } from '@logto/schemas';
+import { useContext, useEffect, useState } from 'react';
+
+import { TenantsContext } from '@/contexts/TenantsProvider';
+
+const useCurrentTenantScopes = () => {
+  const { currentTenantId, isInitComplete } = useContext(TenantsContext);
+  const { isAuthenticated, getOrganizationTokenClaims } = useLogto();
+
+  const [scopes, setScopes] = useState<string[]>([]);
+  const [canInviteMember, setCanInviteMember] = useState(false);
+  const [canRemoveMember, setCanRemoveMember] = useState(false);
+  const [canUpdateMemberRole, setCanUpdateMemberRole] = useState(false);
+  const [canManageTenant, setCanManageTenant] = useState(false);
+
+  useEffect(() => {
+    (async () => {
+      if (isAuthenticated && isInitComplete) {
+        const organizationId = getTenantOrganizationId(currentTenantId);
+        const claims = await getOrganizationTokenClaims(organizationId);
+        const allScopes = claims?.scope?.split(' ') ?? [];
+        setScopes(allScopes);
+
+        for (const scope of allScopes) {
+          switch (scope) {
+            case TenantScope.InviteMember: {
+              setCanInviteMember(true);
+              break;
+            }
+            case TenantScope.RemoveMember: {
+              setCanRemoveMember(true);
+              break;
+            }
+            case TenantScope.UpdateMemberRole: {
+              setCanUpdateMemberRole(true);
+              break;
+            }
+            case TenantScope.ManageTenant: {
+              setCanManageTenant(true);
+              break;
+            }
+            default: {
+              break;
+            }
+          }
+        }
+      }
+    })();
+  }, [currentTenantId, getOrganizationTokenClaims, isAuthenticated, isInitComplete]);
+
+  return {
+    canInviteMember,
+    canRemoveMember,
+    canUpdateMemberRole,
+    canManageTenant,
+    scopes,
+  };
+};
+
+export default useCurrentTenantScopes;
diff --git a/packages/console/src/hooks/use-swr-fetcher.ts b/packages/console/src/hooks/use-swr-fetcher.ts
index 9c278cad3b5..da2acbfa2ae 100644
--- a/packages/console/src/hooks/use-swr-fetcher.ts
+++ b/packages/console/src/hooks/use-swr-fetcher.ts
@@ -1,5 +1,5 @@
-import { HTTPError } from 'ky';
 import type ky from 'ky';
+import { HTTPError } from 'ky';
 import { useCallback } from 'react';
 import { useTranslation } from 'react-i18next';
 import type { Fetcher } from 'swr';
@@ -22,6 +22,7 @@ const useSwrFetcher: UseSwrFetcherHook = <T>(api: KyInstance) => {
     async (resource: string) => {
       try {
         const response = await api.get(resource);
+
         const data = await response.json<T>();
 
         if (typeof resource === 'string' && resource.includes('?')) {
@@ -42,6 +43,7 @@ const useSwrFetcher: UseSwrFetcherHook = <T>(api: KyInstance) => {
       } catch (error: unknown) {
         if (error instanceof HTTPError) {
           const { response } = error;
+
           // See https://stackoverflow.com/questions/53511974/javascript-fetch-failed-to-execute-json-on-response-body-stream-is-locked
           // for why `.clone()` is needed
           throw new RequestError(response.status, await response.clone().json());
diff --git a/packages/console/src/hooks/use-user-invitations.ts b/packages/console/src/hooks/use-user-invitations.ts
new file mode 100644
index 00000000000..cd6830b33ca
--- /dev/null
+++ b/packages/console/src/hooks/use-user-invitations.ts
@@ -0,0 +1,42 @@
+import { type OrganizationInvitationStatus } from '@logto/schemas';
+import { type Optional } from '@silverhand/essentials';
+import { useMemo } from 'react';
+import useSWR from 'swr';
+
+import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type InvitationListResponse } from '@/cloud/types/router';
+
+import { type RequestError } from './use-api';
+
+/**
+ *
+ * @param status Filter invitations by status
+ * @returns The invitations with tenant info, error, and loading status.
+ */
+const useUserInvitations = (
+  status?: OrganizationInvitationStatus
+): {
+  data: Optional<InvitationListResponse>;
+  error: Optional<RequestError>;
+  isLoading: boolean;
+} => {
+  const cloudApi = useCloudApi({ hideErrorToast: true });
+  const { data, isLoading, error } = useSWR<InvitationListResponse, RequestError>(
+    `/api/invitations}`,
+    async () => cloudApi.get('/api/invitations')
+  );
+
+  // Filter invitations by given status
+  const filteredResult = useMemo(
+    () => (status ? data?.filter((invitation) => status === invitation.status) : data),
+    [data, status]
+  );
+
+  return {
+    data: filteredResult,
+    error,
+    isLoading,
+  };
+};
+
+export default useUserInvitations;
diff --git a/packages/console/src/include.d/tags.d.ts b/packages/console/src/include.d/tags.d.ts
index 1fe6b58e70f..e315ba04b4f 100644
--- a/packages/console/src/include.d/tags.d.ts
+++ b/packages/console/src/include.d/tags.d.ts
@@ -1,13 +1,6 @@
 declare interface Window {
   // `gtag.js`
-  dataLayer?: unknown[];
-  // LinkedIn
-  _linkedin_data_partner_ids?: unknown[];
-  lintrk?: {
-    q: unknown[];
-  };
+  gtag?: (...args: unknown[]) => void;
   // Reddit
-  rdt?: {
-    callQueue: unknown[];
-  };
+  rdt?: (...args: unknown[]) => void;
 }
diff --git a/packages/console/src/onboarding/hooks/use-user-onboarding-data.ts b/packages/console/src/onboarding/hooks/use-user-onboarding-data.ts
index 0d4d1979857..7e576a99e57 100644
--- a/packages/console/src/onboarding/hooks/use-user-onboarding-data.ts
+++ b/packages/console/src/onboarding/hooks/use-user-onboarding-data.ts
@@ -1,4 +1,10 @@
-import { adminTenantId } from '@logto/schemas';
+import {
+  adminTenantId,
+  Project,
+  type UserOnboardingData,
+  userOnboardingDataGuard,
+  userOnboardingDataKey,
+} from '@logto/schemas';
 import { useCallback, useContext, useMemo } from 'react';
 import { z } from 'zod';
 
@@ -6,12 +12,15 @@ import { isCloud } from '@/consts/env';
 import { TenantsContext } from '@/contexts/TenantsProvider';
 import useCurrentUser from '@/hooks/use-current-user';
 
-import type { UserOnboardingData } from '../types';
-import { Project, userOnboardingDataGuard } from '../types';
-
-const userOnboardingDataKey = 'onboarding';
-
-const useUserOnboardingData = () => {
+const useUserOnboardingData = (): {
+  data: UserOnboardingData;
+  error: unknown;
+  isLoading: boolean;
+  isLoaded: boolean;
+  isOnboarding: boolean;
+  isBusinessPlan: boolean;
+  update: (data: Partial<UserOnboardingData>) => Promise<void>;
+} => {
   const { customData, error, isLoading, isLoaded, updateCustomData } = useCurrentUser();
   const { currentTenantId } = useContext(TenantsContext);
 
diff --git a/packages/console/src/onboarding/index.tsx b/packages/console/src/onboarding/index.tsx
index aab3cceb0ce..1c60a282f0a 100644
--- a/packages/console/src/onboarding/index.tsx
+++ b/packages/console/src/onboarding/index.tsx
@@ -5,12 +5,14 @@ import { useContext, useEffect } from 'react';
 import { Route, Navigate, Outlet, Routes } from 'react-router-dom';
 import { SWRConfig } from 'swr';
 
-import ReportConversion from '@/components/ReportConversion';
+import { useReportConversion } from '@/components/Conversion';
+import { GtagConversionId } from '@/components/Conversion/utils';
 import AppBoundary from '@/containers/AppBoundary';
 import ProtectedRoutes from '@/containers/ProtectedRoutes';
 import TenantAccess from '@/containers/TenantAccess';
 import { AppThemeContext } from '@/contexts/AppThemeProvider';
 import Toast from '@/ds-components/Toast';
+import useCurrentUser from '@/hooks/use-current-user';
 import useSwrOptions from '@/hooks/use-swr-options';
 import useTenantPathname from '@/hooks/use-tenant-pathname';
 import NotFound from '@/pages/NotFound';
@@ -30,6 +32,23 @@ function Layout() {
   const { setThemeOverride } = useContext(AppThemeContext);
   const { match, getTo } = useTenantPathname();
 
+  // User object should be available at this point as it's rendered by the `<AppRoutes />`
+  // component in `packages/console/src/App.tsx`.
+  const { user } = useCurrentUser();
+
+  /**
+   * Report a sign-up conversion.
+   *
+   * Note it may run multiple times (e.g. a user visit multiple times to finish the onboarding process,
+   * which rarely happens). We should turn on deduplication settings in the provider's dashboard. For
+   * example, in Google, we should set conversion's "Count" to "One".
+   */
+  useReportConversion({
+    gtagId: GtagConversionId.SignUp,
+    redditType: 'SignUp',
+    transactionId: user?.id,
+  });
+
   useEffect(() => {
     setThemeOverride(Theme.Light);
 
@@ -53,7 +72,6 @@ function Layout() {
       <div className={styles.app}>
         <SWRConfig value={swrOptions}>
           <AppBoundary>
-            <ReportConversion />
             <Toast />
             <Outlet />
           </AppBoundary>
diff --git a/packages/console/src/onboarding/pages/Welcome/index.tsx b/packages/console/src/onboarding/pages/Welcome/index.tsx
index 46771bbfa6d..205f743e5d0 100644
--- a/packages/console/src/onboarding/pages/Welcome/index.tsx
+++ b/packages/console/src/onboarding/pages/Welcome/index.tsx
@@ -1,4 +1,5 @@
 import { withAppInsights } from '@logto/app-insights/react';
+import { type Questionnaire, Project } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 import { useEffect } from 'react';
 import { Controller, useForm } from 'react-hook-form';
@@ -17,8 +18,7 @@ import * as pageLayout from '@/onboarding/scss/layout.module.scss';
 import { trySubmitSafe } from '@/utils/form';
 
 import { CardSelector, MultiCardSelector } from '../../components/CardSelector';
-import type { Questionnaire } from '../../types';
-import { OnboardingPage, Project } from '../../types';
+import { OnboardingPage } from '../../types';
 import { getOnboardingPage } from '../../utils';
 
 import * as styles from './index.module.scss';
diff --git a/packages/console/src/onboarding/pages/Welcome/options.tsx b/packages/console/src/onboarding/pages/Welcome/options.tsx
index 3029548b9a6..f2b1a8ad936 100644
--- a/packages/console/src/onboarding/pages/Welcome/options.tsx
+++ b/packages/console/src/onboarding/pages/Welcome/options.tsx
@@ -1,3 +1,5 @@
+import { AdditionalFeatures, Project, Stage } from '@logto/schemas';
+
 import Building from '@/assets/icons/building.svg';
 import Pizza from '@/assets/icons/pizza.svg';
 import type {
@@ -5,8 +7,6 @@ import type {
   MultiCardSelectorOption,
 } from '@/onboarding/components/CardSelector';
 
-import { Project, Stage, AdditionalFeatures } from '../../types';
-
 export const projectOptions: CardSelectorOption[] = [
   {
     icon: <Pizza />,
diff --git a/packages/console/src/onboarding/types.ts b/packages/console/src/onboarding/types.ts
index 2efe3e83acd..f1ff687da07 100644
--- a/packages/console/src/onboarding/types.ts
+++ b/packages/console/src/onboarding/types.ts
@@ -1,5 +1,3 @@
-import { z } from 'zod';
-
 export enum OnboardingRoute {
   Onboarding = 'onboarding',
 }
@@ -12,85 +10,3 @@ export enum OnboardingPage {
   /** @deprecated Remove this to shorten onboarding process. */
   Congrats = 'congrats',
 }
-
-export enum Project {
-  Personal = 'personal',
-  Company = 'company',
-}
-
-/** @deprecated Open-source options was for cloud preview use, no longer needed. Use default `Cloud` value for placeholder. */
-enum DeploymentType {
-  OpenSource = 'open-source',
-  Cloud = 'cloud',
-}
-
-/** @deprecated */
-// eslint-disable-next-line import/no-unused-modules
-export enum Title {
-  Developer = 'developer',
-  TeamLead = 'team-lead',
-  Ceo = 'ceo',
-  Cto = 'cto',
-  Product = 'product',
-  Others = 'others',
-}
-
-/** @deprecated */
-// eslint-disable-next-line import/no-unused-modules
-export enum CompanySize {
-  Scale1 = '1',
-  Scale2 = '2-49',
-  Scale3 = '50-199',
-  Scale4 = '200-999',
-  Scale5 = '1000+',
-}
-
-/** @deprecated */
-// eslint-disable-next-line import/no-unused-modules
-export enum Reason {
-  Passwordless = 'passwordless',
-  Efficiency = 'efficiency',
-  AccessControl = 'access-control',
-  MultiTenancy = 'multi-tenancy',
-  Enterprise = 'enterprise',
-  Others = 'others',
-}
-
-export enum Stage {
-  NewProduct = 'new-product',
-  ExistingProduct = 'existing-product',
-  TargetEnterpriseReady = 'target-enterprise-ready',
-}
-
-export enum AdditionalFeatures {
-  CustomizeUiAndFlow = 'customize-ui-and-flow',
-  Compliance = 'compliance',
-  ExportUserDataFromLogto = 'export-user-data-from-logto',
-  BudgetControl = 'budget-control',
-  BringOwnAuth = 'bring-own-auth',
-  Others = 'others',
-}
-
-const questionnaireGuard = z.object({
-  project: z.nativeEnum(Project).optional(),
-  /** @deprecated Open-source options was for cloud preview use, no longer needed. Use default `Cloud` value for placeholder. */
-  deploymentType: z.nativeEnum(DeploymentType).optional().default(DeploymentType.Cloud),
-  /** @deprecated */
-  titles: z.array(z.nativeEnum(Title)).optional(),
-  companyName: z.string().optional(),
-  /** @deprecated */
-  companySize: z.nativeEnum(CompanySize).optional(),
-  /** @deprecated */
-  reasons: z.array(z.nativeEnum(Reason)).optional(),
-  stage: z.nativeEnum(Stage).optional(),
-  additionalFeatures: z.array(z.nativeEnum(AdditionalFeatures)).optional(),
-});
-
-export type Questionnaire = z.infer<typeof questionnaireGuard>;
-
-export const userOnboardingDataGuard = z.object({
-  questionnaire: questionnaireGuard.optional(),
-  isOnboardingDone: z.boolean().optional(),
-});
-
-export type UserOnboardingData = z.infer<typeof userOnboardingDataGuard>;
diff --git a/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.module.scss b/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.module.scss
new file mode 100644
index 00000000000..378f195acf7
--- /dev/null
+++ b/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.module.scss
@@ -0,0 +1,43 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  min-height: 600px;
+  background: var(--color-base);
+  align-items: center;
+  justify-content: center;
+  overflow-y: auto;
+
+  .wrapper {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    width: 540px;
+    padding: _.unit(35) _.unit(17.5);
+    gap: _.unit(6);
+    background: var(--color-layer-1);
+    border-radius: 16px;
+    box-shadow: var(--shadow-1);
+    text-align: center;
+    white-space: pre-wrap;
+
+    .logo {
+      height: 36px;
+    }
+
+    .title {
+      font: var(--font-title-2);
+    }
+
+    .description {
+      font: var(--font-body-2);
+      color: var(--color-text-secondary);
+    }
+
+    .button {
+      width: 100%;
+    }
+  }
+}
diff --git a/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.tsx b/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.tsx
new file mode 100644
index 00000000000..5cedc9ad904
--- /dev/null
+++ b/packages/console/src/pages/AcceptInvitation/SwitchAccount/index.tsx
@@ -0,0 +1,46 @@
+import { useTranslation } from 'react-i18next';
+
+import Logo from '@/assets/images/logo.svg';
+import AppLoading from '@/components/AppLoading';
+import Button from '@/ds-components/Button';
+import useCurrentUser from '@/hooks/use-current-user';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  onClickSwitch: () => void;
+};
+
+function SwitchAccount({ onClickSwitch }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { user, isLoading } = useCurrentUser();
+  const { id, primaryEmail, username } = user ?? {};
+
+  if (isLoading) {
+    return <AppLoading />;
+  }
+
+  return (
+    <div className={styles.container}>
+      <div className={styles.wrapper}>
+        <Logo className={styles.logo} />
+        <div className={styles.title}>
+          {/** Since this is a Logto Cloud feature, ideally the primary email should always be available.
+           * However, in case it's not (e.g. in dev env), we fallback to username and then finally the ID.
+           */}
+          {t('invitation.email_not_match_title', { email: primaryEmail ?? username ?? id })}
+        </div>
+        <div className={styles.description}>{t('invitation.email_not_match_description')}</div>
+        <Button
+          type="primary"
+          size="large"
+          className={styles.button}
+          title="invitation.switch_account"
+          onClick={onClickSwitch}
+        />
+      </div>
+    </div>
+  );
+}
+
+export default SwitchAccount;
diff --git a/packages/console/src/pages/AcceptInvitation/index.tsx b/packages/console/src/pages/AcceptInvitation/index.tsx
new file mode 100644
index 00000000000..940548360d4
--- /dev/null
+++ b/packages/console/src/pages/AcceptInvitation/index.tsx
@@ -0,0 +1,79 @@
+import { useLogto } from '@logto/react';
+import { OrganizationInvitationStatus, getTenantIdFromOrganizationId } from '@logto/schemas';
+import { useContext, useEffect } from 'react';
+import { useTranslation } from 'react-i18next';
+import { useParams } from 'react-router-dom';
+import useSWR from 'swr';
+
+import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type InvitationResponse } from '@/cloud/types/router';
+import AppError from '@/components/AppError';
+import AppLoading from '@/components/AppLoading';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import { type RequestError } from '@/hooks/use-api';
+import useRedirectUri from '@/hooks/use-redirect-uri';
+import { saveRedirect } from '@/utils/storage';
+
+import SwitchAccount from './SwitchAccount';
+
+function AcceptInvitation() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { signIn } = useLogto();
+  const redirectUri = useRedirectUri();
+  const { invitationId = '' } = useParams();
+  const cloudApi = useCloudApi();
+  const { navigateTenant, resetTenants } = useContext(TenantsContext);
+
+  // The request is only made when the user has signed-in and the invitation ID is available.
+  // The response data is returned only when the current user matches the invitee email. Otherwise, it returns 404.
+  const { data: invitation, error } = useSWR<InvitationResponse, RequestError>(
+    invitationId && `/api/invitations/${invitationId}`,
+    async () => cloudApi.get('/api/invitations/:invitationId', { params: { invitationId } })
+  );
+
+  useEffect(() => {
+    if (!invitation) {
+      return;
+    }
+    (async () => {
+      const { id, organizationId } = invitation;
+
+      // Accept the invitation and redirect to the tenant page.
+      await cloudApi.patch(`/api/invitations/:invitationId/status`, {
+        params: { invitationId: id },
+        body: { status: OrganizationInvitationStatus.Accepted },
+      });
+
+      const data = await cloudApi.get('/api/tenants');
+      resetTenants(data);
+      navigateTenant(getTenantIdFromOrganizationId(organizationId));
+    })();
+  }, [cloudApi, error, invitation, navigateTenant, resetTenants, t]);
+
+  // No invitation returned, indicating the current signed-in user is not the invitee.
+  if (error?.status === 403) {
+    return (
+      <SwitchAccount
+        onClickSwitch={() => {
+          saveRedirect();
+          void signIn({
+            redirectUri: redirectUri.href,
+            loginHint: `urn:logto:invitation:${invitationId}`,
+          });
+        }}
+      />
+    );
+  }
+
+  if (error?.status === 404) {
+    return <AppError errorMessage={t('invitation.invitation_not_found')} />;
+  }
+
+  if (invitation && invitation.status !== OrganizationInvitationStatus.Pending) {
+    return <AppError errorMessage={t('invitation.invalid_invitation_status')} />;
+  }
+
+  return <AppLoading />;
+}
+
+export default AcceptInvitation;
diff --git a/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/components/CreatePermissionModal/index.tsx b/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/components/CreatePermissionModal/index.tsx
index 4efd0b508b8..39326b11b86 100644
--- a/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/components/CreatePermissionModal/index.tsx
+++ b/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/components/CreatePermissionModal/index.tsx
@@ -1,5 +1,5 @@
 import { noSpaceRegEx } from '@logto/core-kit';
-import type { Scope } from '@logto/schemas';
+import type { Scope, CreateScope } from '@logto/schemas';
 import { useContext } from 'react';
 import { useForm } from 'react-hook-form';
 import { Trans, useTranslation } from 'react-i18next';
@@ -24,7 +24,7 @@ type Props = {
   onClose: (scope?: Scope) => void;
 };
 
-type CreatePermissionFormData = Pick<Scope, 'name' | 'description'>;
+type CreatePermissionFormData = Pick<CreateScope, 'name' | 'description'>;
 
 function CreatePermissionModal({ resourceId, totalResourceCount, onClose }: Props) {
   const { currentPlan } = useContext(SubscriptionDataContext);
@@ -118,10 +118,10 @@ function CreatePermissionModal({ resourceId, totalResourceCount, onClose }: Prop
               error={errors.name?.message}
             />
           </FormField>
-          <FormField isRequired title="api_resource_details.permission.description">
+          <FormField title="api_resource_details.permission.description">
             <TextInput
               placeholder={t('api_resource_details.permission.description_placeholder')}
-              {...register('description', { required: true })}
+              {...register('description')}
               error={Boolean(errors.description)}
             />
           </FormField>
diff --git a/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/index.tsx b/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/index.tsx
index ded6e47c0c9..a586114cf60 100644
--- a/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/index.tsx
+++ b/packages/console/src/pages/ApiResourceDetails/ApiResourcePermissions/index.tsx
@@ -1,30 +1,28 @@
-import type { Scope, ScopeResponse } from '@logto/schemas';
+import { isManagementApi, type Resource, type ScopeResponse } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 import { useState } from 'react';
 import { toast } from 'react-hot-toast';
 import { useTranslation } from 'react-i18next';
-import { useOutletContext } from 'react-router-dom';
 import useSWR from 'swr';
 
 import PermissionsTable from '@/components/PermissionsTable';
 import { defaultPageSize } from '@/consts';
-import ConfirmModal from '@/ds-components/ConfirmModal';
 import type { RequestError } from '@/hooks/use-api';
 import useApi from '@/hooks/use-api';
 import useSearchParametersWatcher from '@/hooks/use-search-parameters-watcher';
 import { buildUrl, formatSearchKeyword } from '@/utils/url';
 
-import type { ApiResourceDetailsOutletContext } from '../types';
-
 import CreatePermissionModal from './components/CreatePermissionModal';
 
 const pageSize = defaultPageSize;
 
-function ApiResourcePermissions() {
-  const {
-    resource: { id: resourceId },
-    isLogtoManagementApiResource,
-  } = useOutletContext<ApiResourceDetailsOutletContext>();
+type Props = {
+  resource: Resource;
+};
+
+function ApiResourcePermissions({ resource }: Props) {
+  const { id: resourceId, indicator } = resource;
+  const isLogtoManagementApiResource = isManagementApi(indicator);
 
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
 
@@ -48,23 +46,11 @@ function ApiResourcePermissions() {
   const api = useApi();
 
   const [isCreateFormOpen, setIsCreateFormOpen] = useState(false);
-  const [scopeToBeDeleted, setScopeToBeDeleted] = useState<Scope>();
-  const [isDeleting, setIsDeleting] = useState(false);
-
-  const handleDelete = async () => {
-    if (!scopeToBeDeleted || isDeleting) {
-      return;
-    }
-    setIsDeleting(true);
 
-    try {
-      await api.delete(`api/resources/${resourceId}/scopes/${scopeToBeDeleted.id}`);
-      toast.success(t('api_resource_details.permission.deleted', { name: scopeToBeDeleted.name }));
-      await mutate();
-      setScopeToBeDeleted(undefined);
-    } finally {
-      setIsDeleting(false);
-    }
+  const handleDelete = async (scopeToBeDeleted: ScopeResponse) => {
+    await api.delete(`api/resources/${resourceId}/scopes/${scopeToBeDeleted.id}`);
+    toast.success(t('api_resource_details.permission.deleted', { name: scopeToBeDeleted.name }));
+    await mutate();
   };
 
   return (
@@ -78,7 +64,12 @@ function ApiResourcePermissions() {
         createHandler={() => {
           setIsCreateFormOpen(true);
         }}
-        deleteHandler={setScopeToBeDeleted}
+        deletionText={{
+          actionButton: 'permissions.delete',
+          confirmation: 'api_resource_details.permission.delete_description',
+          confirmButton: 'general.delete',
+        }}
+        deleteHandler={handleDelete}
         errorMessage={error?.body?.message ?? error?.message}
         retryHandler={async () => mutate(undefined, true)}
         pagination={{
@@ -104,6 +95,7 @@ function ApiResourcePermissions() {
             });
           },
         }}
+        onPermissionUpdated={mutate}
       />
       {isCreateFormOpen && totalCount !== undefined && (
         <CreatePermissionModal
@@ -120,19 +112,6 @@ function ApiResourcePermissions() {
           }}
         />
       )}
-      {scopeToBeDeleted && (
-        <ConfirmModal
-          isOpen
-          isLoading={isDeleting}
-          confirmButtonText="general.delete"
-          onCancel={() => {
-            setScopeToBeDeleted(undefined);
-          }}
-          onConfirm={handleDelete}
-        >
-          {t('api_resource_details.permission.delete_description')}
-        </ConfirmModal>
-      )}
     </>
   );
 }
diff --git a/packages/console/src/pages/ApiResourceDetails/ApiResourceSettings/index.tsx b/packages/console/src/pages/ApiResourceDetails/ApiResourceSettings/index.tsx
index e6f69ed5b06..7b2ff862fee 100644
--- a/packages/console/src/pages/ApiResourceDetails/ApiResourceSettings/index.tsx
+++ b/packages/console/src/pages/ApiResourceDetails/ApiResourceSettings/index.tsx
@@ -1,8 +1,7 @@
-import type { Resource } from '@logto/schemas';
+import { isManagementApi, type Resource } from '@logto/schemas';
 import { useForm } from 'react-hook-form';
 import { toast } from 'react-hot-toast';
 import { Trans, useTranslation } from 'react-i18next';
-import { useOutletContext } from 'react-router-dom';
 
 import DetailsForm from '@/components/DetailsForm';
 import FormCard from '@/components/FormCard';
@@ -15,11 +14,14 @@ import useApi from '@/hooks/use-api';
 import useDocumentationUrl from '@/hooks/use-documentation-url';
 import { trySubmitSafe } from '@/utils/form';
 
-import type { ApiResourceDetailsOutletContext } from '../types';
+type Props = {
+  resource: Resource;
+  isDeleting: boolean;
+  onResourceUpdated: (updatedData: Resource) => void;
+};
 
-function ApiResourceSettings() {
-  const { resource, isDeleting, isLogtoManagementApiResource, onResourceUpdated } =
-    useOutletContext<ApiResourceDetailsOutletContext>();
+function ApiResourceSettings({ resource, isDeleting, onResourceUpdated }: Props) {
+  const isLogtoManagementApiResource = isManagementApi(resource.indicator);
 
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
   const { getDocumentationUrl } = useDocumentationUrl();
diff --git a/packages/console/src/pages/ApiResourceDetails/index.tsx b/packages/console/src/pages/ApiResourceDetails/index.tsx
index 595ed827a94..2c3a48248df 100644
--- a/packages/console/src/pages/ApiResourceDetails/index.tsx
+++ b/packages/console/src/pages/ApiResourceDetails/index.tsx
@@ -6,7 +6,7 @@ import classNames from 'classnames';
 import { useEffect, useState } from 'react';
 import { toast } from 'react-hot-toast';
 import { Trans, useTranslation } from 'react-i18next';
-import { Outlet, useLocation, useParams } from 'react-router-dom';
+import { Navigate, Route, Routes, useLocation, useParams } from 'react-router-dom';
 import useSWR from 'swr';
 
 import ApiResourceDark from '@/assets/icons/api-resource-dark.svg';
@@ -28,11 +28,12 @@ import useDocumentationUrl from '@/hooks/use-documentation-url';
 import useTenantPathname from '@/hooks/use-tenant-pathname';
 import useTheme from '@/hooks/use-theme';
 
+import ApiResourcePermissions from './ApiResourcePermissions';
+import ApiResourceSettings from './ApiResourceSettings';
 import GuideDrawer from './components/GuideDrawer';
 import GuideModal from './components/GuideModal';
 import ManagementApiNotice from './components/ManagementApiNotice';
 import * as styles from './index.module.scss';
-import { type ApiResourceDetailsOutletContext } from './types';
 
 const icons = {
   [Theme.Light]: { ApiIcon: ApiResource, ManagementApiIcon: ManagementApiResource },
@@ -170,25 +171,32 @@ function ApiResourceDetails() {
             </DeleteConfirmModal>
           )}
           <TabNav>
-            <TabNavItem href={`/api-resources/${data.id}/${ApiResourceDetailsTabs.Settings}`}>
-              {t('api_resource_details.settings_tab')}
-            </TabNavItem>
             <TabNavItem href={`/api-resources/${data.id}/${ApiResourceDetailsTabs.Permissions}`}>
               {t('api_resource_details.permissions_tab')}
             </TabNavItem>
+            <TabNavItem href={`/api-resources/${data.id}/${ApiResourceDetailsTabs.General}`}>
+              {t('api_resource_details.general_tab')}
+            </TabNavItem>
           </TabNav>
-          <Outlet
-            context={
-              {
-                resource: data,
-                isDeleting,
-                isLogtoManagementApiResource,
-                onResourceUpdated: (resource: Resource) => {
-                  void mutate(resource);
-                },
-              } satisfies ApiResourceDetailsOutletContext
-            }
-          />
+          <Routes>
+            <Route index element={<Navigate replace to={ApiResourceDetailsTabs.Permissions} />} />
+            <Route
+              path={ApiResourceDetailsTabs.Permissions}
+              element={<ApiResourcePermissions resource={data} />}
+            />
+            <Route
+              path={ApiResourceDetailsTabs.General}
+              element={
+                <ApiResourceSettings
+                  resource={data}
+                  isDeleting={isDeleting}
+                  onResourceUpdated={(updatedData: Resource) => {
+                    void mutate(updatedData);
+                  }}
+                />
+              }
+            />
+          </Routes>
         </>
       )}
     </DetailsPage>
diff --git a/packages/console/src/pages/ApiResourceDetails/types.ts b/packages/console/src/pages/ApiResourceDetails/types.ts
deleted file mode 100644
index 455720bef90..00000000000
--- a/packages/console/src/pages/ApiResourceDetails/types.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import type { Resource } from '@logto/schemas';
-
-export type ApiResourceDetailsOutletContext = {
-  resource: Resource;
-  isDeleting: boolean;
-  isLogtoManagementApiResource: boolean;
-  onResourceUpdated: (resource: Resource) => void;
-};
diff --git a/packages/console/src/pages/ApiResources/components/CreateForm/index.tsx b/packages/console/src/pages/ApiResources/components/CreateForm/index.tsx
index 677b88b5a3c..c8b15ee106c 100644
--- a/packages/console/src/pages/ApiResources/components/CreateForm/index.tsx
+++ b/packages/console/src/pages/ApiResources/components/CreateForm/index.tsx
@@ -1,3 +1,4 @@
+import { isValidUrl } from '@logto/core-kit';
 import { type Resource } from '@logto/schemas';
 import { useForm } from 'react-hook-form';
 import { toast } from 'react-hot-toast';
@@ -29,7 +30,7 @@ function CreateForm({ onClose }: Props) {
   const {
     handleSubmit,
     register,
-    formState: { isSubmitting },
+    formState: { isSubmitting, errors },
   } = useForm<FormData>();
 
   const api = useApi();
@@ -91,8 +92,13 @@ function CreateForm({ onClose }: Props) {
             )}
           >
             <TextInput
-              {...register('indicator', { required: true })}
+              {...register('indicator', {
+                required: true,
+                validate: (value) =>
+                  isValidUrl(value) || t('api_resources.invalid_resource_indicator_format'),
+              })}
               placeholder={t('api_resources.api_identifier_placeholder')}
+              error={errors.indicator?.message}
             />
           </FormField>
         </form>
diff --git a/packages/console/src/pages/ApiResources/index.tsx b/packages/console/src/pages/ApiResources/index.tsx
index 09b5ae3377e..86b65966ec5 100644
--- a/packages/console/src/pages/ApiResources/index.tsx
+++ b/packages/console/src/pages/ApiResources/index.tsx
@@ -32,7 +32,7 @@ const pageSize = defaultPageSize;
 const apiResourcesPathname = '/api-resources';
 const createApiResourcePathname = `${apiResourcesPathname}/create`;
 const buildDetailsPathname = (id: string) =>
-  `${apiResourcesPathname}/${id}/${ApiResourceDetailsTabs.Settings}`;
+  `${apiResourcesPathname}/${id}/${ApiResourceDetailsTabs.Permissions}`;
 
 const icons = {
   [Theme.Light]: { ApiIcon: ApiResource, ManagementApiIcon: ManagementApiResource },
diff --git a/packages/console/src/pages/Callback/index.tsx b/packages/console/src/pages/Callback/index.tsx
index b82eb8f5ac4..ac1e2cffbe5 100644
--- a/packages/console/src/pages/Callback/index.tsx
+++ b/packages/console/src/pages/Callback/index.tsx
@@ -2,12 +2,10 @@ import { useHandleSignInCallback } from '@logto/react';
 import { useNavigate } from 'react-router-dom';
 
 import AppLoading from '@/components/AppLoading';
-import useTenantPathname from '@/hooks/use-tenant-pathname';
 import { consumeSavedRedirect } from '@/utils/storage';
 
 /** The global callback page for all sign-in redirects from Logto main flow. */
 function Callback() {
-  const { getTo } = useTenantPathname();
   const navigate = useNavigate();
 
   useHandleSignInCallback(() => {
diff --git a/packages/console/src/pages/CheckoutSuccessCallback/index.tsx b/packages/console/src/pages/CheckoutSuccessCallback/index.tsx
index bc90690dd5e..5a7138b4381 100644
--- a/packages/console/src/pages/CheckoutSuccessCallback/index.tsx
+++ b/packages/console/src/pages/CheckoutSuccessCallback/index.tsx
@@ -9,6 +9,7 @@ import useSWR from 'swr';
 
 import { useCloudApi } from '@/cloud/hooks/use-cloud-api';
 import AppLoading from '@/components/AppLoading';
+import { GtagConversionId, reportToGoogle } from '@/components/Conversion/utils';
 import PlanName from '@/components/PlanName';
 import { checkoutStateQueryKey } from '@/consts/subscriptions';
 import { TenantsContext } from '@/contexts/TenantsProvider';
@@ -91,12 +92,20 @@ function CheckoutSuccessCallback() {
         );
       }
 
+      // No need to check `isDowngrade` here, since a downgrade must occur in a tenant with a Pro
+      // plan, and the purchase conversion has already been reported using the same tenant ID. We
+      // use the tenant ID as the transaction ID, so there's no concern about duplicate conversion
+      // reports.
+      reportToGoogle(GtagConversionId.PurchaseProPlan, { transactionId: checkoutTenantId });
+
+      // If the tenant is the current tenant, navigate to the callback page
       if (checkoutTenantId === currentTenantId) {
         navigate(conditional(callbackPage) ?? consoleHomePage, { replace: true });
         return;
       }
 
-      // Note: the tenant is created after checkout.
+      // New tenant created, navigate to the new tenant page
+      reportToGoogle(GtagConversionId.CreateProductionTenant, { transactionId: checkoutTenantId });
       navigateTenant(checkoutTenantId);
     }
   }, [
diff --git a/packages/console/src/pages/CustomizeJwt/CreateButton/index.tsx b/packages/console/src/pages/CustomizeJwt/CreateButton/index.tsx
new file mode 100644
index 00000000000..0391e4d9883
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/CreateButton/index.tsx
@@ -0,0 +1,26 @@
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+
+import Button from '@/ds-components/Button';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+import { getPagePath } from '@/pages/CustomizeJwt/utils/path';
+
+type Props = {
+  tokenType: LogtoJwtTokenKeyType;
+};
+
+function CreateButton({ tokenType }: Props) {
+  const link = getPagePath(tokenType, 'create');
+  const { navigate } = useTenantPathname();
+
+  return (
+    <Button
+      type="primary"
+      title="jwt_claims.custom_jwt_create_button"
+      onClick={() => {
+        navigate(link);
+      }}
+    />
+  );
+}
+
+export default CreateButton;
diff --git a/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.module.scss b/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.module.scss
new file mode 100644
index 00000000000..c1c9852af94
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.module.scss
@@ -0,0 +1,38 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  align-items: center;
+  border: 1px solid var(--color-divider);
+  border-radius: 8px;
+  padding: _.unit(4);
+  gap: _.unit(2);
+
+  .title {
+    flex: 1;
+    font: var(--font-label-2);
+  }
+
+  .actions {
+    display: flex;
+    gap: _.unit(4);
+    align-items: center;
+
+    .icon {
+      max-width: _.unit(4);
+      max-height: _.unit(4);
+    }
+
+    .danger {
+      color: var(--color-error);
+
+      &:focus-visible {
+        outline: 2px solid var(--color-danger-focused);
+      }
+
+      &:not(:disabled):hover {
+        background: var(--color-overlay-danger-hover);
+      }
+    }
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.tsx b/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.tsx
new file mode 100644
index 00000000000..0989305ab3b
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/CustomizerItem/index.tsx
@@ -0,0 +1,77 @@
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import { useCallback } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import DeleteIcon from '@/assets/icons/delete.svg';
+import EditIcon from '@/assets/icons/edit.svg';
+import Button from '@/ds-components/Button';
+import useApi from '@/hooks/use-api';
+import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+import { getApiPath, getPagePath } from '@/pages/CustomizeJwt/utils/path';
+
+import useJwtCustomizer from '../use-jwt-customizer';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  tokenType: LogtoJwtTokenKeyType;
+};
+
+function CustomizerItem({ tokenType }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const apiLink = getApiPath(tokenType);
+  const editLink = getPagePath(tokenType, 'edit');
+  const { navigate } = useTenantPathname();
+  const { show } = useConfirmModal();
+  const { mutate } = useJwtCustomizer();
+
+  const api = useApi();
+
+  const onDelete = useCallback(async () => {
+    const [confirm] = await show({
+      title: 'jwt_claims.delete_modal_title',
+      ModalContent: t('jwt_claims.delete_modal_content'),
+      confirmButtonText: 'general.delete',
+    });
+
+    if (confirm) {
+      await api.delete(apiLink);
+      await mutate();
+    }
+  }, [api, apiLink, mutate, show, t]);
+
+  return (
+    <div className={styles.container}>
+      <div className={styles.title}>
+        {t('jwt_claims.custom_jwt_item', {
+          for:
+            tokenType === LogtoJwtTokenKeyType.AccessToken
+              ? t('jwt_claims.user_jwt.for')
+              : t('jwt_claims.machine_to_machine_jwt.for'),
+        })}
+      </div>
+      <div className={styles.actions}>
+        <Button
+          icon={<EditIcon className={styles.icon} />}
+          type="text"
+          size="small"
+          title="general.edit"
+          onClick={() => {
+            navigate(editLink);
+          }}
+        />
+        <Button
+          className={styles.danger}
+          icon={<DeleteIcon className={styles.icon} />}
+          type="text"
+          size="small"
+          title="general.delete"
+          onClick={onDelete}
+        />
+      </div>
+    </div>
+  );
+}
+
+export default CustomizerItem;
diff --git a/packages/console/src/pages/CustomizeJwt/index.module.scss b/packages/console/src/pages/CustomizeJwt/index.module.scss
new file mode 100644
index 00000000000..6551cb09171
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/index.module.scss
@@ -0,0 +1,24 @@
+@use '@/scss/underscore' as _;
+
+.mainContent {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+
+  .header {
+    flex-shrink: 0;
+    margin-bottom: _.unit(4);
+  }
+
+  .container {
+    display: flex;
+    flex-direction: column;
+    gap: _.unit(4);
+  }
+
+  .description {
+    font: var(--font-body-2);
+    color: var(--color-text-secondary);
+    margin-bottom: _.unit(3);
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwt/index.tsx b/packages/console/src/pages/CustomizeJwt/index.tsx
new file mode 100644
index 00000000000..e088c23ca37
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/index.tsx
@@ -0,0 +1,67 @@
+import { withAppInsights } from '@logto/app-insights/react/AppInsightsReact';
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import { useTranslation } from 'react-i18next';
+
+import FormCard, { FormCardSkeleton } from '@/components/FormCard';
+import CardTitle from '@/ds-components/CardTitle';
+import FormField from '@/ds-components/FormField';
+
+import CreateButton from './CreateButton';
+import CustomizerItem from './CustomizerItem';
+import * as styles from './index.module.scss';
+import useJwtCustomizer from './use-jwt-customizer';
+
+function CustomizeJwt() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const { isLoading, accessTokenJwtCustomizer, clientCredentialsJwtCustomizer } =
+    useJwtCustomizer();
+
+  return (
+    <main className={styles.mainContent}>
+      <CardTitle
+        title="jwt_claims.title"
+        subtitle="jwt_claims.description"
+        className={styles.header}
+      />
+      <div className={styles.container}>
+        {isLoading && (
+          <>
+            <FormCardSkeleton formFieldCount={1} />
+            <FormCardSkeleton formFieldCount={1} />
+          </>
+        )}
+        {!isLoading && (
+          <>
+            <FormCard title="jwt_claims.user_jwt.card_title">
+              <FormField title="jwt_claims.user_jwt.card_field">
+                <div className={styles.description}>
+                  {t('jwt_claims.user_jwt.card_description')}
+                </div>
+                {accessTokenJwtCustomizer ? (
+                  <CustomizerItem tokenType={LogtoJwtTokenKeyType.AccessToken} />
+                ) : (
+                  <CreateButton tokenType={LogtoJwtTokenKeyType.AccessToken} />
+                )}
+              </FormField>
+            </FormCard>
+            <FormCard title="jwt_claims.machine_to_machine_jwt.card_title">
+              <FormField title="jwt_claims.machine_to_machine_jwt.card_field">
+                <div className={styles.description}>
+                  {t('jwt_claims.machine_to_machine_jwt.card_description')}
+                </div>
+                {clientCredentialsJwtCustomizer ? (
+                  <CustomizerItem tokenType={LogtoJwtTokenKeyType.ClientCredentials} />
+                ) : (
+                  <CreateButton tokenType={LogtoJwtTokenKeyType.ClientCredentials} />
+                )}
+              </FormField>
+            </FormCard>
+          </>
+        )}
+      </div>
+    </main>
+  );
+}
+
+export default withAppInsights(CustomizeJwt);
diff --git a/packages/console/src/pages/CustomizeJwt/use-jwt-customizer.ts b/packages/console/src/pages/CustomizeJwt/use-jwt-customizer.ts
new file mode 100644
index 00000000000..d3d0f2b1893
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/use-jwt-customizer.ts
@@ -0,0 +1,40 @@
+import { LogtoJwtTokenKey, type JwtCustomizerConfigs } from '@logto/schemas';
+import { type ResponseError } from '@withtyped/client';
+import { useMemo } from 'react';
+import useSWR from 'swr';
+
+import useApi from '@/hooks/use-api';
+import useSwrFetcher from '@/hooks/use-swr-fetcher';
+
+import { getApiPath } from './utils/path';
+
+function useJwtCustomizer() {
+  const fetchApi = useApi({ hideErrorToast: true });
+
+  const fetcher = useSwrFetcher<JwtCustomizerConfigs[]>(fetchApi);
+  const {
+    data,
+    isLoading: isDataLoading,
+    error,
+    mutate,
+  } = useSWR<JwtCustomizerConfigs[], ResponseError>(getApiPath(), {
+    fetcher,
+  });
+  const isLoading = isDataLoading && !error;
+
+  return useMemo(() => {
+    const { value: accessTokenJwtCustomizer } =
+      data?.find(({ key }) => key === LogtoJwtTokenKey.AccessToken) ?? {};
+    const { value: clientCredentialsJwtCustomizer } =
+      data?.find(({ key }) => key === LogtoJwtTokenKey.ClientCredentials) ?? {};
+
+    return {
+      accessTokenJwtCustomizer,
+      clientCredentialsJwtCustomizer,
+      isLoading,
+      mutate,
+    };
+  }, [data, isLoading, mutate]);
+}
+
+export default useJwtCustomizer;
diff --git a/packages/console/src/pages/CustomizeJwt/utils/path.ts b/packages/console/src/pages/CustomizeJwt/utils/path.ts
new file mode 100644
index 00000000000..e011f8168ea
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/utils/path.ts
@@ -0,0 +1,24 @@
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+
+import { type Action } from './type';
+
+export const getApiPath = (tokenType?: LogtoJwtTokenKeyType) => {
+  if (!tokenType) {
+    return 'api/configs/jwt-customizer';
+  }
+
+  return `api/configs/jwt-customizer/${tokenType}`;
+};
+
+export const getPagePath = (tokenType?: LogtoJwtTokenKeyType, action?: Action) => {
+  if (!tokenType) {
+    return '/customize-jwt';
+  }
+
+  if (action) {
+    return `/customize-jwt/${tokenType}/${action}`;
+  }
+
+  // Fallback to the main page
+  return `/customize-jwt`;
+};
diff --git a/packages/console/src/pages/CustomizeJwt/utils/type.ts b/packages/console/src/pages/CustomizeJwt/utils/type.ts
new file mode 100644
index 00000000000..4c1266ed031
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwt/utils/type.ts
@@ -0,0 +1 @@
+export type Action = 'create' | 'edit';
diff --git a/packages/console/src/pages/CustomizeJwtDetails/CodeEditorLoadingContext.ts b/packages/console/src/pages/CustomizeJwtDetails/CodeEditorLoadingContext.ts
new file mode 100644
index 00000000000..24ada929d9d
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/CodeEditorLoadingContext.ts
@@ -0,0 +1,20 @@
+/**
+ * This context is used to share the loading state of the code editor with the root page.
+ *
+ * 1. First code editor won't be rendered until the fetch API is returned.
+ * 2. After the code editor is mounted, multiple async operations will be triggered to load the monaco editor.
+ * 3. We need to mount the code editor component will keep the loading state until the monaco editor is ready.
+ */
+
+import { noop } from '@silverhand/essentials';
+import { createContext } from 'react';
+
+type CodeEditorLoadingContextType = {
+  isMonacoLoaded: boolean;
+  setIsMonacoLoaded: (isLoading: boolean) => void;
+};
+
+export const CodeEditorLoadingContext = createContext<CodeEditorLoadingContextType>({
+  isMonacoLoaded: false,
+  setIsMonacoLoaded: noop,
+});
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/CodeRestoreButton.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/CodeRestoreButton.tsx
new file mode 100644
index 00000000000..05505757d17
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/CodeRestoreButton.tsx
@@ -0,0 +1,28 @@
+import classNames from 'classnames';
+import { useTranslation } from 'react-i18next';
+
+import RedoIcon from '@/assets/icons/redo.svg';
+
+import ActionButton from './index';
+import * as styles from './index.module.scss';
+
+type Props = {
+  className?: string;
+  onClick: () => void;
+};
+
+function CodeRestoreButton({ className, onClick }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  return (
+    <ActionButton
+      className={classNames(className, styles.actionButton)}
+      actionTip={t('jwt_claims.restore')}
+      actionSuccessTip={t('jwt_claims.restored')}
+      icon={<RedoIcon />}
+      onClick={onClick}
+    />
+  );
+}
+
+export default CodeRestoreButton;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.module.scss
new file mode 100644
index 00000000000..70be358e097
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.module.scss
@@ -0,0 +1,5 @@
+@use '@/scss/underscore' as _;
+
+.actionButton {
+  border-radius: 6px;
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.tsx
new file mode 100644
index 00000000000..4a81dd22f69
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/ActionButton/index.tsx
@@ -0,0 +1,61 @@
+import { useCallback, useRef, useState, type MouseEventHandler, useEffect } from 'react';
+
+import IconButton from '@/ds-components/IconButton';
+import { Tooltip } from '@/ds-components/Tip';
+
+type Props = {
+  actionTip: string;
+  actionSuccessTip: string;
+  actionLoadingTip?: string;
+  className?: string;
+  icon: React.ReactNode;
+  onClick: () => Promise<void> | void;
+};
+
+function ActionButton({
+  actionTip,
+  actionSuccessTip,
+  actionLoadingTip,
+  className,
+  icon,
+  onClick,
+}: Props) {
+  const [tipContent, setTipContent] = useState(actionTip);
+  const iconButtonRef = useRef<HTMLButtonElement>(null);
+
+  useEffect(() => {
+    const mouseLeaveHandler = () => {
+      setTipContent(actionTip);
+    };
+
+    iconButtonRef.current?.addEventListener('mouseleave', mouseLeaveHandler);
+
+    return () => {
+      // eslint-disable-next-line react-hooks/exhaustive-deps -- iconButtonRef.current is not a dependency
+      iconButtonRef.current?.removeEventListener('mouseleave', mouseLeaveHandler);
+    };
+  });
+
+  const handleClick = useCallback<MouseEventHandler<HTMLButtonElement>>(async () => {
+    iconButtonRef.current?.blur();
+
+    if (actionLoadingTip) {
+      setTipContent(actionLoadingTip);
+    }
+
+    await onClick();
+    setTipContent(actionSuccessTip);
+  }, [actionLoadingTip, actionSuccessTip, onClick]);
+
+  return (
+    <div className={className}>
+      <Tooltip content={tipContent} isSuccessful={tipContent === actionSuccessTip}>
+        <IconButton ref={iconButtonRef} size="small" onClick={handleClick}>
+          {icon}
+        </IconButton>
+      </Tooltip>
+    </div>
+  );
+}
+
+export default ActionButton;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.module.scss
new file mode 100644
index 00000000000..2dee6b10559
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.module.scss
@@ -0,0 +1,39 @@
+@use '@/scss/underscore' as _;
+
+.dashboard {
+  background-color: var(--color-code-bg-float);
+  border-top: 1px solid var(--color-code-dark-bg-focused);
+  font-family: 'Roboto Mono', monospace;
+  overflow: auto;
+  flex: 1;
+
+  .dashboardHeader {
+    padding: _.unit(3) _.unit(4);
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    font: var(--font-label-2);
+    font-family: 'Roboto Mono', monospace;
+    color: var(--color-code-white);
+  }
+
+  .dashboardContent {
+    padding: _.unit(2) _.unit(4);
+    font: var(--font-body-2);
+    overflow: auto;
+    color: var(--color-code-white);
+
+    pre {
+      white-space: pre-wrap;
+
+      &.error {
+        color: var(--color-error);
+      }
+
+      &:first-child {
+        margin-top: 0;
+      }
+    }
+  }
+}
+
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.tsx
new file mode 100644
index 00000000000..54ea03bf2bd
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/Dashboard/index.tsx
@@ -0,0 +1,30 @@
+import classNames from 'classnames';
+import { type ReactNode } from 'react';
+
+import CloseIcon from '@/assets/icons/close.svg';
+import IconButton from '@/ds-components/IconButton';
+
+import * as styles from './index.module.scss';
+
+export type Props = {
+  title: string;
+  content: ReactNode;
+  className?: string;
+  onClose: () => void;
+};
+
+function Dashboard({ title, content, className, onClose }: Props) {
+  return (
+    <div className={classNames(styles.dashboard, className)}>
+      <div className={styles.dashboardHeader}>
+        <span>{title}</span>
+        <IconButton onClick={onClose}>
+          <CloseIcon />
+        </IconButton>
+      </div>
+      <div className={styles.dashboardContent}>{content}</div>
+    </div>
+  );
+}
+
+export default Dashboard;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/config.ts b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/config.ts
new file mode 100644
index 00000000000..075776f7b4c
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/config.ts
@@ -0,0 +1,33 @@
+import { type EditorProps } from '@monaco-editor/react';
+
+import type { IStandaloneThemeData } from './type';
+
+// Logto dark theme extends vs-dark theme
+export const logtoDarkTheme: IStandaloneThemeData = {
+  base: 'vs-dark',
+  inherit: true,
+  rules: [],
+  colors: {
+    'editor.background': '#090613', // :token/code/code-bg
+  },
+};
+
+export const logtoLightTheme: IStandaloneThemeData = {
+  ...logtoDarkTheme,
+  colors: {
+    'editor.background': '#181133', // :token/code/code-bg
+  },
+};
+
+// @see {@link https://microsoft.github.io/monaco-editor/typedoc/interfaces/editor.IStandaloneEditorConstructionOptions.html}
+export const defaultOptions: EditorProps['options'] = {
+  minimap: {
+    enabled: false,
+  },
+  renderLineHighlight: 'none',
+  fontFamily: 'Roboto Mono, monospace',
+  fontSize: 14,
+  automaticLayout: true,
+  tabSize: 2,
+  scrollBeyondLastLine: false,
+};
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.module.scss
new file mode 100644
index 00000000000..601a41e42e9
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.module.scss
@@ -0,0 +1,87 @@
+@use '@/scss/underscore' as _;
+
+.codeEditor {
+  position: relative;
+  display: flex;
+  flex-direction: column;
+  border-radius: 8px;
+  background-color: var(--color-code-bg);
+
+
+  header {
+    padding: _.unit(4);
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+
+    .tabList {
+      display: flex;
+      gap: _.unit(2);
+
+      .tab {
+        font: var(--font-label-2);
+        font-family: 'Roboto Mono', monospace;
+        padding: _.unit(1.5) _.unit(3);
+        color: var(--color-code-white);
+        display: flex;
+        align-items: center;
+        gap: _.unit(1);
+
+        &.tabButton {
+          color: var(--color-code-grey);
+          cursor: pointer;
+
+          &.active,
+          &:hover {
+            color: var(--color-code-white);
+            background-color: var(--color-code-dark-bg-focused);
+            border-radius: 8px;
+          }
+        }
+      }
+    }
+
+    .actionButtons {
+      display: flex;
+      gap: _.unit(3);
+      align-items: center;
+      background: none;
+
+      svg {
+        color: var(--color-code-grey);
+      }
+
+      .iconButton {
+        transition: background 0.2s ease-in-out;
+        cursor: pointer;
+
+        &:hover {
+          background: var(--color-overlay-dark-bg-hover);
+        }
+
+        &:active {
+          background: var(--color-overlay-dark-bg-pressed);
+        }
+
+        // TODO (LOG-8602): Remove the default left margin of CopyToClipboard copyToolTipAnchor component.
+        div[class*='copyToolTipAnchor'] {
+          margin-left: 0;
+        }
+      }
+    }
+  }
+
+  .editorContainer {
+    position: relative;
+    flex-grow: 1;
+
+    &.dashboardOpen {
+      flex-grow: 0;
+      height: calc(50% - 64px); // 64px = header height
+    }
+  }
+
+  .resultPanel {
+    border-radius: 0 0 8px 8px;
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.tsx
new file mode 100644
index 00000000000..ad9c0a8fd67
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/index.tsx
@@ -0,0 +1,205 @@
+import { Theme } from '@logto/schemas';
+import { Editor, useMonaco, type OnMount } from '@monaco-editor/react';
+import { type Nullable } from '@silverhand/essentials';
+import classNames from 'classnames';
+import { useCallback, useEffect, useMemo, useRef, type ReactNode } from 'react';
+
+import CopyToClipboard from '@/ds-components/CopyToClipboard';
+import useTheme from '@/hooks/use-theme';
+import { onKeyDownHandler } from '@/utils/a11y';
+
+import CodeRestoreButton from './ActionButton/CodeRestoreButton.js';
+import DashBoard, { type Props as DashboardProps } from './Dashboard';
+import { defaultOptions, logtoDarkTheme, logtoLightTheme } from './config.js';
+import * as styles from './index.module.scss';
+import type { IStandaloneCodeEditor, ModelSettings } from './type.js';
+import useEditorHeight from './use-editor-height.js';
+
+export type { Props as DashboardProps } from './Dashboard';
+export type { ModelControl, ModelSettings } from './type.js';
+
+type ActionButtonType = 'restore' | 'copy';
+
+type Props = {
+  className?: string;
+  enabledActions?: ActionButtonType[];
+  models: ModelSettings[];
+  activeModelName?: string;
+  setActiveModel?: (name: string) => void;
+  value?: string;
+  environmentVariablesDefinition?: string;
+  onChange?: (value: string | undefined) => void;
+  onMountHandler?: (editor: IStandaloneCodeEditor) => void;
+  actionButtons?: ReactNode;
+  dashboard?: DashboardProps;
+};
+/**
+ * Monaco code editor component.
+ * @param {Props} prop
+ * @param {string} [prop.className] - The class name of the component.
+ * @param {ActionButtonType[]} prop.enabledActions - The enabled action buttons, available values are 'clear', 'restore', 'copy'.
+ * @param {ModelSettings[]} prop.models - The static model settings (all tabs) for the code editor.
+ * @param {string} prop.activeModelName - The active model name.
+ * @param {(name: string) => void} prop.setActiveModel - The callback function to set the active model. Used to switch between tabs.
+ * @param {string} prop.value - The value of the code editor for the current active model.
+ * @param {(value: string | undefined) => void} prop.onChange - The callback function to handle the value change of the code editor.
+ * @param {string} [prop.environmentVariablesDefinition] - The environment variables type definition for the script section.
+ * @param {ReactNode} [actionButtons] - Additional action buttons shown on the header
+ * @param {DashboardProps} [dashboard] - The dashboard component shown at the bottom of the editor.
+ *
+ * @returns
+ */
+function MonacoCodeEditor({
+  className,
+  enabledActions = ['copy'],
+  models,
+  activeModelName,
+  value,
+  environmentVariablesDefinition,
+  setActiveModel,
+  onChange,
+  onMountHandler,
+  actionButtons,
+  dashboard,
+}: Props) {
+  const monaco = useMonaco();
+  const editorRef = useRef<Nullable<IStandaloneCodeEditor>>(null);
+  const theme = useTheme();
+
+  const activeModel = useMemo(
+    () => activeModelName && models.find((model) => model.name === activeModelName),
+    [activeModelName, models]
+  );
+
+  const isMultiModals = useMemo(() => models.length > 1, [models]);
+
+  // Get the container ref and the editor height
+  const { containerRef, editorHeight } = useEditorHeight();
+
+  // Handle editor extraLibs and language compile settings
+  useEffect(() => {
+    // Monaco will be ready after the editor is mounted, useEffect will be called after the monaco is ready
+    if (!monaco || !activeModel) {
+      return;
+    }
+
+    // Set the global declarations for the active model
+    // @see {@link https://microsoft.github.io/monaco-editor/typedoc/interfaces/languages.typescript.LanguageServiceDefaults.html#setExtraLibs}
+    if (activeModel.extraLibs) {
+      monaco.languages.typescript.typescriptDefaults.setExtraLibs(activeModel.extraLibs);
+    }
+
+    // Set the environment variables type definition for the active model
+    if (environmentVariablesDefinition) {
+      monaco.languages.typescript.typescriptDefaults.addExtraLib(
+        environmentVariablesDefinition,
+        'environmentVariables.d.ts'
+      );
+    }
+
+    if (activeModel.language === 'typescript') {
+      // Set the typescript compiler options
+      monaco.languages.typescript.typescriptDefaults.setCompilerOptions({
+        allowNonTsExtensions: true,
+        strictNullChecks: true,
+      });
+    }
+  }, [activeModel, monaco, environmentVariablesDefinition]);
+
+  // Handle the editor theme settings
+  useEffect(() => {
+    // Monaco will be ready after the editor is mounted, useEffect will be called after the monaco is ready
+    if (!monaco) {
+      return;
+    }
+
+    const editorTheme = theme === Theme.Light ? logtoLightTheme : logtoDarkTheme;
+
+    monaco.editor.defineTheme('logto-dark', editorTheme);
+  }, [monaco, theme]);
+
+  const handleEditorDidMount = useCallback<OnMount>(
+    (editor) => {
+      // eslint-disable-next-line @silverhand/fp/no-mutation
+      editorRef.current = editor;
+      onMountHandler?.(editor);
+    },
+    [onMountHandler]
+  );
+
+  return (
+    <div className={classNames(className, styles.codeEditor)}>
+      <header>
+        <div className={styles.tabList}>
+          {models.map(({ name, title, icon }) => (
+            <div
+              key={name}
+              className={classNames(
+                styles.tab,
+                isMultiModals && styles.tabButton,
+                name === activeModelName && styles.active
+              )}
+              {...(isMultiModals && {
+                role: 'button',
+                tabIndex: 0,
+                onClick: () => {
+                  setActiveModel?.(name);
+                },
+                onKeyDown: onKeyDownHandler(() => {
+                  setActiveModel?.(name);
+                }),
+              })}
+            >
+              {icon}
+              {title}
+            </div>
+          ))}
+        </div>
+        <div className={styles.actionButtons}>
+          {enabledActions.includes('restore') && (
+            <CodeRestoreButton
+              className={styles.iconButton}
+              onClick={() => {
+                if (activeModel && value !== activeModel.defaultValue) {
+                  onChange?.(activeModel.defaultValue);
+                }
+              }}
+            />
+          )}
+          {enabledActions.includes('copy') && (
+            <CopyToClipboard
+              variant="icon"
+              value={editorRef.current?.getValue() ?? ''}
+              className={styles.iconButton}
+            />
+          )}
+          {actionButtons}
+        </div>
+      </header>
+      <div
+        ref={containerRef}
+        className={classNames(styles.editorContainer, dashboard && styles.dashboardOpen)}
+      >
+        {activeModel && (
+          <Editor
+            height={editorHeight}
+            language={activeModel.language}
+            path={activeModel.name}
+            theme="logto-dark"
+            options={{
+              ...defaultOptions,
+              ...activeModel.options,
+            }}
+            // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- empty string is falsy
+            value={value || activeModel.defaultValue}
+            onMount={handleEditorDidMount}
+            onChange={onChange}
+          />
+        )}
+      </div>
+      {dashboard && <DashBoard {...dashboard} className={styles.resultPanel} />}
+    </div>
+  );
+}
+
+export default MonacoCodeEditor;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/type.ts b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/type.ts
new file mode 100644
index 00000000000..fb3eef79d82
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/type.ts
@@ -0,0 +1,34 @@
+import { type EditorProps, type Monaco, type OnMount } from '@monaco-editor/react';
+
+export type IStandaloneThemeData = Parameters<Monaco['editor']['defineTheme']>[1];
+
+export type IStandaloneCodeEditor = Parameters<OnMount>[0];
+
+type ExtraLibrary = {
+  content: string;
+  filePath: string;
+};
+
+export type ModelSettings = {
+  /** Used as the unique key for the monaco editor model @see {@link https://github.com/suren-atoyan/monaco-react?tab=readme-ov-file#multi-model-editor} */
+  name: string;
+  /** The icon of the model, will be displayed on the tab */
+  icon?: React.ReactNode;
+  /** The title of the model */
+  title: string;
+  /** The default value of the file */
+  defaultValue?: string;
+  value?: string;
+  language: string;
+  /** ExtraLibs can be loaded to the code editor
+   * @see {@link https://microsoft.github.io/monaco-editor/typedoc/interfaces/languages.typescript.LanguageServiceDefaults.html#setExtraLibs}
+   * We use this to load the global type declarations for the active model
+   */
+  extraLibs?: ExtraLibrary[];
+  options?: EditorProps['options'];
+};
+
+export type ModelControl = {
+  value?: string;
+  onChange?: (value: string | undefined) => void;
+};
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/use-editor-height.ts b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/use-editor-height.ts
new file mode 100644
index 00000000000..b3a1045fc11
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor/use-editor-height.ts
@@ -0,0 +1,35 @@
+import { useLayoutEffect, useRef, useState } from 'react';
+
+// Recalculate the height of the editor when the container size changes
+// This is to avoid the code editor's height shaking when the content is updated.
+// @see {@link https://github.com/react-monaco-editor/react-monaco-editor/issues/391}
+const useEditorHeight = () => {
+  const containerRef = useRef<HTMLDivElement>(null);
+
+  const [editorHeight, setEditorHeight] = useState<number | string>('100%');
+  const safeArea = 16;
+
+  useLayoutEffect(() => {
+    const handleResize = () => {
+      if (containerRef.current) {
+        setEditorHeight(containerRef.current.clientHeight - safeArea);
+      }
+    };
+
+    handleResize();
+
+    const resizeObserver = new ResizeObserver(handleResize);
+
+    if (containerRef.current) {
+      resizeObserver.observe(containerRef.current);
+    }
+
+    return () => {
+      resizeObserver.disconnect();
+    };
+  }, []);
+
+  return { containerRef, editorHeight };
+};
+
+export default useEditorHeight;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.module.scss
new file mode 100644
index 00000000000..d9f27a639e8
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.module.scss
@@ -0,0 +1,6 @@
+@use '@/scss/underscore' as _;
+
+.error {
+  margin: _.unit(4) 0;
+  color: var(--color-error-60);
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.tsx
new file mode 100644
index 00000000000..e1e07b3f3b9
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/ErrorContent/index.tsx
@@ -0,0 +1,28 @@
+import { type TestResultData } from '@/pages/CustomizeJwtDetails/MainContent/ScriptSection/use-test-handler';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  testResult: TestResultData;
+};
+
+function ErrorContent({ testResult }: Props) {
+  return (
+    <div>
+      {testResult.error && (
+        <pre className={styles.error}>
+          {'Error: \n'}
+          {testResult.error}
+        </pre>
+      )}
+      {testResult.payload && (
+        <pre>
+          {'Extra JWT claims: \n'}
+          {testResult.payload}
+        </pre>
+      )}
+    </div>
+  );
+}
+
+export default ErrorContent;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.module.scss
new file mode 100644
index 00000000000..84081b6dc5f
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.module.scss
@@ -0,0 +1,18 @@
+@use '@/scss/underscore' as _;
+
+.scriptSection {
+  position: relative;
+  min-width: 50%;
+
+  .fixHeightWrapper {
+    position: absolute;
+    inset: 0;
+    display: flex;
+    flex-direction: column;
+  }
+
+  .codeEditor {
+    min-height: 400px;
+    flex-grow: 1;
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.tsx
new file mode 100644
index 00000000000..e1212e94d77
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/index.tsx
@@ -0,0 +1,120 @@
+/* Code Editor for the custom JWT claims script. */
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import classNames from 'classnames';
+import { useCallback, useContext, useMemo } from 'react';
+import { Controller, useFormContext, useWatch } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import RunIcon from '@/assets/icons/start.svg';
+import Button from '@/ds-components/Button';
+import { CodeEditorLoadingContext } from '@/pages/CustomizeJwtDetails/CodeEditorLoadingContext';
+import MonacoCodeEditor, {
+  type DashboardProps,
+  type ModelSettings,
+} from '@/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor';
+import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
+import {
+  accessTokenJwtCustomizerModel,
+  clientCredentialsModel,
+} from '@/pages/CustomizeJwtDetails/utils/config';
+import { buildEnvironmentVariablesTypeDefinition } from '@/pages/CustomizeJwtDetails/utils/type-definitions';
+
+import ErrorContent from './ErrorContent';
+import * as styles from './index.module.scss';
+import useTestHandler from './use-test-handler';
+
+function ScriptSection() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { watch, control } = useFormContext<JwtCustomizerForm>();
+  const tokenType = watch('tokenType');
+
+  // Need to use useWatch hook to subscribe the mutation of the environmentVariables field
+  // Otherwise, the default watch function's return value won't mutate when the environmentVariables field changes
+  const envVariables = useWatch({
+    control,
+    name: 'environmentVariables',
+  });
+
+  const environmentVariablesTypeDefinition = useMemo(
+    () => buildEnvironmentVariablesTypeDefinition(envVariables),
+    [envVariables]
+  );
+
+  // Get the active model based on the token type
+  const activeModel = useMemo<ModelSettings>(
+    () =>
+      tokenType === LogtoJwtTokenKeyType.AccessToken
+        ? accessTokenJwtCustomizerModel
+        : clientCredentialsModel,
+    [tokenType]
+  );
+
+  // Set the Monaco editor loaded state to true when the editor is mounted
+  const { setIsMonacoLoaded } = useContext(CodeEditorLoadingContext);
+
+  const onMountHandler = useCallback(() => {
+    setIsMonacoLoaded(true);
+  }, [setIsMonacoLoaded]);
+
+  // Test handler
+  const { onTestHandler, setTestResult, isLoading, testResult } = useTestHandler();
+
+  const dashBoardProps = useMemo<DashboardProps | undefined>(() => {
+    if (!testResult) {
+      return;
+    }
+
+    return {
+      title: t('jwt_claims.tester.result_title'),
+      content: <ErrorContent testResult={testResult} />,
+      onClose: () => {
+        setTestResult(undefined);
+      },
+    };
+  }, [setTestResult, t, testResult]);
+
+  return (
+    <div className={styles.scriptSection}>
+      <div className={styles.fixHeightWrapper}>
+        <Controller
+          control={control}
+          name="script"
+          render={({ field: { onChange, value }, formState: { defaultValues } }) => (
+            <MonacoCodeEditor
+              className={classNames(styles.codeEditor)}
+              enabledActions={['restore', 'copy']}
+              models={[activeModel]}
+              activeModelName={activeModel.name}
+              value={value}
+              environmentVariablesDefinition={environmentVariablesTypeDefinition}
+              actionButtons={
+                <Button
+                  icon={<RunIcon />}
+                  size="small"
+                  title="jwt_claims.tester.run_button"
+                  type="primary"
+                  isLoading={isLoading}
+                  onClick={onTestHandler}
+                />
+              }
+              dashboard={dashBoardProps}
+              onChange={(newValue) => {
+                // If the value is the same as the default code and the original form script value is undefined, reset the value to undefined as well
+                if (newValue === activeModel.defaultValue && !defaultValues?.script) {
+                  onChange('');
+                  return;
+                }
+
+                // Input value should not be undefined for react-hook-form @see https://react-hook-form.com/docs/usecontroller/controller
+                onChange(newValue ?? '');
+              }}
+              onMountHandler={onMountHandler}
+            />
+          )}
+        />
+      </div>
+    </div>
+  );
+}
+
+export default ScriptSection;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/use-test-handler.ts b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/use-test-handler.ts
new file mode 100644
index 00000000000..cb2368297d7
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/ScriptSection/use-test-handler.ts
@@ -0,0 +1,84 @@
+import { type JsonObject, type RequestErrorBody } from '@logto/schemas';
+import { HTTPError } from 'ky';
+import { useCallback, useState } from 'react';
+import { useFormContext } from 'react-hook-form';
+import { z } from 'zod';
+
+import useApi from '@/hooks/use-api';
+import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
+import { formatFormDataToTestRequestPayload } from '@/pages/CustomizeJwtDetails/utils/format';
+
+const testEndpointPath = 'api/configs/jwt-customizer/test';
+const jwtCustomizerGeneralErrorCode = 'jwt_customizer.general';
+const apiInvalidInputErrorCode = 'guard.invalid_input';
+
+export type TestResultData = {
+  error?: string;
+  payload?: string;
+};
+
+const useTestHandler = () => {
+  const [testResult, setTestResult] = useState<TestResultData>();
+  const [isLoading, setIsLoading] = useState(false);
+  const { getValues } = useFormContext<JwtCustomizerForm>();
+  const api = useApi({ hideErrorToast: true });
+
+  const onTestHandler = useCallback(async () => {
+    const payload = getValues();
+    setIsLoading(true);
+
+    const result = await api
+      .post(testEndpointPath, {
+        json: formatFormDataToTestRequestPayload(payload),
+      })
+      .json<JsonObject>()
+      .catch(async (error: unknown) => {
+        if (error instanceof HTTPError) {
+          const { response } = error;
+          const metadata = await response.clone().json<RequestErrorBody>();
+
+          // Get error message from cloud connection client.
+          if (metadata.code === jwtCustomizerGeneralErrorCode) {
+            const result = z.object({ message: z.string() }).safeParse(metadata.data);
+            if (result.success) {
+              setTestResult({
+                error: result.data.message,
+              });
+              return;
+            }
+          }
+
+          /**
+           * Get error message when the API request violates the request guard.
+           * Find details on the implementation of:
+           * 1. `RequestError`
+           * 2. `koaGuard`
+           */
+          if (metadata.code === apiInvalidInputErrorCode) {
+            const result = z.string().safeParse(metadata.details);
+            if (result.success) {
+              setTestResult({
+                error: result.data,
+              });
+              return;
+            }
+          }
+        }
+
+        setTestResult({
+          error: error instanceof Error ? error.message : String(error),
+        });
+      })
+      .finally(() => {
+        setIsLoading(false);
+      });
+
+    if (result) {
+      setTestResult({ payload: JSON.stringify(result, null, 2) });
+    }
+  }, [api, getValues]);
+
+  return { testResult, isLoading, onTestHandler, setTestResult };
+};
+
+export default useTestHandler;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/EnvironmentVariablesField.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/EnvironmentVariablesField.tsx
new file mode 100644
index 00000000000..9d06a348683
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/EnvironmentVariablesField.tsx
@@ -0,0 +1,117 @@
+import { useCallback, useMemo } from 'react';
+import { useFieldArray, useFormContext } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import FormField from '@/ds-components/FormField';
+import KeyValueInputField from '@/ds-components/KeyValueInputField';
+import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
+
+const isValidKey = (key: string) => {
+  return /^\w+$/.test(key);
+};
+
+type Props = {
+  className?: string;
+};
+
+function EnvironmentVariablesField({ className }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const {
+    register,
+    getValues,
+    trigger,
+    formState: {
+      errors: { environmentVariables: envVariableErrors },
+      submitCount,
+    },
+  } = useFormContext<JwtCustomizerForm>();
+
+  // Read the form controller from the context @see {@link https://react-hook-form.com/docs/usefieldarray}
+  const { fields, remove, append } = useFieldArray<JwtCustomizerForm>({
+    name: 'environmentVariables',
+  });
+
+  const keyValidator = useCallback(
+    (key: string, index: number) => {
+      const envVariables = getValues('environmentVariables');
+
+      if (!envVariables) {
+        return true;
+      }
+
+      // Unique key validation
+      if (envVariables.filter(({ key: _key }) => _key.length > 0 && _key === key).length > 1) {
+        // Reuse the same error phrase key from webhook settings
+        return t('webhook_details.settings.key_duplicated_error');
+      }
+
+      // Empty key validation (if value is present)
+      const correspondValue = getValues(`environmentVariables.${index}.value`);
+      if (correspondValue) {
+        // Reuse the same error phrase key from webhook settings
+        return Boolean(key) || t('webhook_details.settings.key_missing_error');
+      }
+
+      // Key format validation
+      if (Boolean(key) && !isValidKey(key)) {
+        // Reuse the same error phrase key from webhook settings
+        return t('webhook_details.settings.invalid_key_error');
+      }
+
+      return true;
+    },
+    [getValues, t]
+  );
+
+  const valueValidator = useCallback(
+    (value: string, index: number) => {
+      return getValues(`environmentVariables.${index}.key`)
+        ? Boolean(value) || t('webhook_details.settings.value_missing_error')
+        : true;
+    },
+    [getValues, t]
+  );
+
+  const revalidate = useCallback(() => {
+    for (const [index] of fields.entries()) {
+      void trigger(`environmentVariables.${index}.key`);
+
+      // Only trigger value validation if the form has been submitted
+      if (submitCount > 0) {
+        void trigger(`environmentVariables.${index}.value`);
+      }
+    }
+  }, [fields, submitCount, trigger]);
+
+  const getInputFieldProps = useMemo(
+    () => ({
+      key: (index: number) =>
+        register(`environmentVariables.${index}.key`, {
+          validate: (key) => keyValidator(key, index),
+          onChange: revalidate,
+        }),
+      value: (index: number) =>
+        register(`environmentVariables.${index}.value`, {
+          validate: (value) => valueValidator(value, index),
+          onChange: revalidate,
+        }),
+    }),
+    [register, revalidate, keyValidator, valueValidator]
+  );
+
+  return (
+    <FormField title="jwt_claims.environment_variables.input_field_title" className={className}>
+      <KeyValueInputField
+        fields={fields}
+        // Force envVariableErrors to be an array, otherwise return undefined
+        errors={envVariableErrors?.map?.((error) => error)}
+        getInputFieldProps={getInputFieldProps}
+        onAppend={append}
+        onRemove={remove}
+      />
+    </FormField>
+  );
+}
+
+export default EnvironmentVariablesField;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.module.scss
new file mode 100644
index 00000000000..0f35d1b7ff2
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.module.scss
@@ -0,0 +1,60 @@
+@use '@/scss/underscore' as _;
+
+.card {
+  .headerRow {
+    display: flex;
+    flex-direction: row;
+    gap: _.unit(4);
+    align-items: center;
+    cursor: pointer;
+    user-select: none;
+  }
+
+  .cardHeader {
+    flex: 1;
+  }
+
+  .cardTitle {
+    font: var(--font-label-2);
+    color: var(--color-text);
+    margin-bottom: _.unit(1);
+  }
+
+  .cardSubtitle {
+    font: var(--font-body-2);
+    color: var(--color-text-secondary);
+  }
+
+  .cardContent {
+    max-height: 0;
+    overflow: hidden;
+    transition: max-height 0.3s ease;
+
+    // Collapsible content should be hidden by default, margin space can only be set at the child level
+    > *:first-child {
+      margin-top: _.unit(6);
+    }
+
+    > *:not(:last-child) {
+      margin-bottom: _.unit(4);
+    }
+  }
+
+  .expandButton {
+    width: 24px;
+    height: 24px;
+    transition: transform 0.3s ease;
+    color: var(--color-text-secondary);
+  }
+
+  &.expanded {
+    .expandButton {
+      transform: rotate(180deg);
+    }
+
+    .cardContent {
+      max-height: 1000;
+      overflow: visible;
+    }
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.tsx
new file mode 100644
index 00000000000..b432c49166d
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.tsx
@@ -0,0 +1,51 @@
+import classNames from 'classnames';
+import { useTranslation } from 'react-i18next';
+
+import CaretExpandedIcon from '@/assets/icons/caret-expanded.svg';
+import Card from '@/ds-components/Card';
+import { onKeyDownHandler } from '@/utils/a11y';
+
+import * as styles from './index.module.scss';
+
+export enum CardType {
+  UserData = 'user_data',
+  TokenData = 'token_data',
+  FetchExternalData = 'fetch_external_data',
+  EnvironmentVariables = 'environment_variables',
+}
+
+type GuardCardProps = {
+  name: CardType;
+  children?: React.ReactNode;
+  isExpanded: boolean;
+  setExpanded: (expanded: boolean) => void;
+};
+
+function GuideCard({ name, children, isExpanded, setExpanded }: GuardCardProps) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.jwt_claims' });
+
+  return (
+    <Card className={classNames(styles.card, isExpanded && styles.expanded)}>
+      <div
+        className={styles.headerRow}
+        role="button"
+        tabIndex={0}
+        onClick={() => {
+          setExpanded(!isExpanded);
+        }}
+        onKeyDown={onKeyDownHandler(() => {
+          setExpanded(!isExpanded);
+        })}
+      >
+        <div className={styles.cardHeader}>
+          <div className={styles.cardTitle}>{t(`${name}.title`)}</div>
+          <div className={styles.cardSubtitle}>{t(`${name}.subtitle`)}</div>
+        </div>
+        <CaretExpandedIcon className={styles.expandButton} />
+      </div>
+      <div className={styles.cardContent}>{children}</div>
+    </Card>
+  );
+}
+
+export default GuideCard;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.module.scss
new file mode 100644
index 00000000000..c3518755872
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.module.scss
@@ -0,0 +1,25 @@
+@use '@/scss/underscore' as _;
+
+
+.sampleCode {
+  :global {
+    /* stylelint-disable-next-line selector-class-pattern */
+    .monaco-editor {
+      border-radius: 8px;
+
+      /* stylelint-disable-next-line selector-class-pattern */
+      .overflow-guard {
+        border-radius: 8px;
+      }
+
+      /* stylelint-disable-next-line selector-class-pattern */
+      .lines-content {
+        padding: 0 16px;
+      }
+    }
+  }
+}
+
+.envVariablesField {
+  margin-bottom: _.unit(4);
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.tsx
new file mode 100644
index 00000000000..feee79af6df
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.tsx
@@ -0,0 +1,123 @@
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import { Editor } from '@monaco-editor/react';
+import classNames from 'classnames';
+import { useState } from 'react';
+import { useFormContext } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
+import {
+  environmentVariablesCodeExample,
+  fetchExternalDataCodeExample,
+  sampleCodeEditorOptions,
+  typeDefinitionCodeEditorOptions,
+} from '@/pages/CustomizeJwtDetails/utils/config';
+import {
+  accessTokenPayloadTypeDefinition,
+  clientCredentialsPayloadTypeDefinition,
+  jwtCustomizerUserContextTypeDefinition,
+} from '@/pages/CustomizeJwtDetails/utils/type-definitions';
+
+import * as tabContentStyles from '../index.module.scss';
+
+import EnvironmentVariablesField from './EnvironmentVariablesField';
+import GuideCard, { CardType } from './GuideCard';
+import * as styles from './index.module.scss';
+
+type Props = {
+  isActive: boolean;
+};
+
+/* Instructions and environment variable settings for the custom JWT claims script. */
+function InstructionTab({ isActive }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const [expendCard, setExpendCard] = useState<CardType>();
+
+  const { watch } = useFormContext<JwtCustomizerForm>();
+  const tokenType = watch('tokenType');
+
+  return (
+    <div className={classNames(tabContentStyles.tabContent, isActive && tabContentStyles.active)}>
+      <GuideCard
+        name={CardType.TokenData}
+        isExpanded={expendCard === CardType.TokenData}
+        setExpanded={(expand) => {
+          setExpendCard(expand ? CardType.TokenData : undefined);
+        }}
+      >
+        <Editor
+          language="typescript"
+          className={styles.sampleCode}
+          value={
+            tokenType === LogtoJwtTokenKeyType.AccessToken
+              ? accessTokenPayloadTypeDefinition
+              : clientCredentialsPayloadTypeDefinition
+          }
+          height="320px"
+          theme="logto-dark"
+          options={typeDefinitionCodeEditorOptions}
+        />
+      </GuideCard>
+      {tokenType === LogtoJwtTokenKeyType.AccessToken && (
+        <GuideCard
+          name={CardType.UserData}
+          isExpanded={expendCard === CardType.UserData}
+          setExpanded={(expand) => {
+            setExpendCard(expand ? CardType.UserData : undefined);
+          }}
+        >
+          <Editor
+            language="typescript"
+            className={styles.sampleCode}
+            value={jwtCustomizerUserContextTypeDefinition}
+            height="400px"
+            theme="logto-dark"
+            options={typeDefinitionCodeEditorOptions}
+          />
+        </GuideCard>
+      )}
+      <GuideCard
+        name={CardType.FetchExternalData}
+        isExpanded={expendCard === CardType.FetchExternalData}
+        setExpanded={(expand) => {
+          setExpendCard(expand ? CardType.FetchExternalData : undefined);
+        }}
+      >
+        <div className={tabContentStyles.description}>
+          {t('jwt_claims.fetch_external_data.description')}
+        </div>
+        <Editor
+          language="typescript"
+          className={styles.sampleCode}
+          value={fetchExternalDataCodeExample}
+          height="300px"
+          theme="logto-dark"
+          options={sampleCodeEditorOptions}
+        />
+      </GuideCard>
+      <GuideCard
+        name={CardType.EnvironmentVariables}
+        isExpanded={expendCard === CardType.EnvironmentVariables}
+        setExpanded={(expand) => {
+          setExpendCard(expand ? CardType.EnvironmentVariables : undefined);
+        }}
+      >
+        <EnvironmentVariablesField className={styles.envVariablesField} />
+        <div className={tabContentStyles.description}>
+          {t('jwt_claims.environment_variables.sample_code')}
+        </div>
+        <Editor
+          language="typescript"
+          className={styles.sampleCode}
+          value={environmentVariablesCodeExample}
+          height="400px"
+          theme="logto-dark"
+          options={sampleCodeEditorOptions}
+        />
+      </GuideCard>
+      <div className={tabContentStyles.description}>{t('jwt_claims.jwt_claims_description')}</div>
+    </div>
+  );
+}
+
+export default InstructionTab;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.module.scss
new file mode 100644
index 00000000000..5aba761d74a
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.module.scss
@@ -0,0 +1,10 @@
+@use '@/scss/underscore' as _;
+
+.error {
+  color: var(--color-error);
+}
+
+.codeEditor {
+  min-height: 400px;
+  flex-grow: 1;
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.tsx
new file mode 100644
index 00000000000..548611bddb0
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/TestTab/index.tsx
@@ -0,0 +1,129 @@
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import { conditional } from '@silverhand/essentials';
+import classNames from 'classnames';
+import { useCallback, useEffect, useMemo, useState } from 'react';
+import { Controller, useFormContext, type ControllerRenderProps } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import MonacoCodeEditor, {
+  type ModelControl,
+} from '@/pages/CustomizeJwtDetails/MainContent/MonacoCodeEditor';
+import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
+import {
+  accessTokenPayloadTestModel,
+  clientCredentialsPayloadTestModel,
+  userContextTestModel,
+} from '@/pages/CustomizeJwtDetails/utils/config';
+
+import * as tabContentStyles from '../index.module.scss';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  isActive: boolean;
+};
+
+const accessTokenModelSettings = [accessTokenPayloadTestModel, userContextTestModel];
+const clientCredentialsModelSettings = [clientCredentialsPayloadTestModel];
+
+function TestTab({ isActive }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.jwt_claims' });
+  const [activeModelName, setActiveModelName] = useState<string>();
+
+  const { watch, control, formState } = useFormContext<JwtCustomizerForm>();
+  const tokenType = watch('tokenType');
+
+  const editorModels = useMemo(
+    () =>
+      tokenType === LogtoJwtTokenKeyType.AccessToken
+        ? accessTokenModelSettings
+        : clientCredentialsModelSettings,
+    [tokenType]
+  );
+
+  useEffect(() => {
+    setActiveModelName(editorModels[0]?.name);
+  }, [editorModels, tokenType]);
+
+  const getModelControllerProps = useCallback(
+    ({ value, onChange }: ControllerRenderProps<JwtCustomizerForm, 'testSample'>): ModelControl => {
+      return {
+        value:
+          activeModelName === userContextTestModel.name ? value.contextSample : value.tokenSample,
+        onChange: (newValue: string | undefined) => {
+          // Form value is a object we need to update the specific field
+          const updatedValue: JwtCustomizerForm['testSample'] = {
+            ...value,
+            ...conditional(
+              activeModelName === userContextTestModel.name && {
+                contextSample: newValue,
+              }
+            ),
+            ...conditional(
+              activeModelName === accessTokenPayloadTestModel.name && {
+                tokenSample: newValue,
+              }
+            ),
+            ...conditional(
+              activeModelName === clientCredentialsPayloadTestModel.name && {
+                // Reset the field to undefined if the value is the same as the default value
+                tokenSample: newValue,
+              }
+            ),
+          };
+
+          onChange(updatedValue);
+        },
+      };
+    },
+    [activeModelName]
+  );
+
+  const validateSampleCode = useCallback(
+    (value: JwtCustomizerForm['testSample']) => {
+      for (const [_, sampleCode] of Object.entries(value)) {
+        if (sampleCode) {
+          try {
+            JSON.parse(sampleCode);
+          } catch {
+            return t('form_error.invalid_json');
+          }
+        }
+      }
+
+      return true;
+    },
+    [t]
+  );
+
+  return (
+    <div className={classNames(tabContentStyles.tabContent, isActive && tabContentStyles.active)}>
+      <div className={tabContentStyles.description}>{t('tester.subtitle')}</div>
+      <div className={classNames(tabContentStyles.flexColumn, tabContentStyles.flexGrow)}>
+        <Controller
+          control={control}
+          name="testSample"
+          rules={{
+            validate: validateSampleCode,
+          }}
+          render={({ field }) => (
+            <MonacoCodeEditor
+              className={styles.codeEditor}
+              enabledActions={['restore', 'copy']}
+              models={editorModels}
+              activeModelName={activeModelName}
+              setActiveModel={setActiveModelName}
+              // Pass the value and onChange handler based on the active model
+              {...getModelControllerProps(field)}
+            />
+          )}
+        />
+        {formState.errors.testSample && (
+          <div className={styles.error}>{formState.errors.testSample.message}</div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default TestTab;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.module.scss
new file mode 100644
index 00000000000..15da6e3d63c
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.module.scss
@@ -0,0 +1,80 @@
+@use '@/scss/underscore' as _;
+
+.tabs {
+  display: flex;
+  align-items: center;
+  gap: _.unit(4);
+  margin-bottom: _.unit(4);
+
+
+  .tab {
+    display: flex;
+    align-items: center;
+    border-radius: 100px;
+    height: 34px;
+    color: var(--color-text);
+    background: var(--color-layer-1);
+    border: 1px solid var(--color-surface-5);
+    padding: 0 _.unit(3);
+    transition: none;
+
+    svg {
+      width: 16px;
+      height: 16px;
+      object-fit: cover;
+      color: var(--color-text-link);
+    }
+
+    &:active {
+      background: var(--color-overlay-primary-pressed);
+    }
+
+    &:not(:disabled):not(:active):hover {
+      background: var(--color-overlay-primary-hover);
+    }
+
+    &.active {
+      background: var(--color-inverse-primary);
+      color: var(--color-white);
+      border-color: var(--color-inverse-primary);
+      cursor: default;
+
+      svg {
+        color: var(--color-button-icon);
+      }
+
+      &:not(:disabled):not(:active):hover {
+        background: var(--color-inverse-primary);
+      }
+    }
+  }
+}
+
+.tabContent {
+  display: none;
+
+  &.active {
+    flex: 1;
+    display: flex;
+    flex-direction: column;
+    gap: _.unit(4);
+  }
+
+  .description {
+    font: var(--font-body-2);
+    color: var(--color-text-secondary);
+    padding: 0 _.unit(1);
+  }
+}
+
+
+/** Flexbox */
+.flexColumn {
+  display: flex;
+  flex-direction: column;
+}
+
+.flexGrow {
+  flex: 1;
+  min-height: 200px;
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.tsx
new file mode 100644
index 00000000000..a2a41c05ea8
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/index.tsx
@@ -0,0 +1,42 @@
+import classNames from 'classnames';
+import { useState } from 'react';
+
+import BookIcon from '@/assets/icons/book.svg';
+import FlaskIcon from '@/assets/icons/conical-flask.svg';
+import Button from '@/ds-components/Button';
+
+import InstructionTab from './InstructionTab';
+import TestTab from './TestTab';
+import * as styles from './index.module.scss';
+
+enum Tab {
+  DataSource = 'data_source_tab',
+  Test = 'test_tab',
+}
+
+function SettingsSection() {
+  const [activeTab, setActiveTab] = useState<Tab>(Tab.DataSource);
+
+  return (
+    <div className={styles.flexColumn}>
+      <div className={styles.tabs}>
+        {Object.values(Tab).map((tab) => (
+          <Button
+            key={tab}
+            type="primary"
+            icon={tab === Tab.DataSource ? <BookIcon /> : <FlaskIcon />}
+            title={`jwt_claims.${tab}`}
+            className={classNames(styles.tab, activeTab === tab && styles.active)}
+            onClick={() => {
+              setActiveTab(tab);
+            }}
+          />
+        ))}
+      </div>
+      <InstructionTab isActive={activeTab === Tab.DataSource} />
+      <TestTab isActive={activeTab === Tab.Test} />
+    </div>
+  );
+}
+
+export default SettingsSection;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.module.scss
new file mode 100644
index 00000000000..cd752d35017
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.module.scss
@@ -0,0 +1,26 @@
+@use '@/scss/underscore' as _;
+
+
+.content {
+  display: flex;
+  flex-direction: row;
+  flex: 1;
+  margin-bottom: _.unit(3);
+
+  > * {
+    &:first-child {
+      margin-right: _.unit(3);
+      flex: 9;
+    }
+
+    &:last-child {
+      flex: 7;
+    }
+  }
+}
+
+.submitActionBar {
+  &.overwrite {
+    margin-top: 0;
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.tsx
new file mode 100644
index 00000000000..05d9b3afb3a
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/MainContent/index.tsx
@@ -0,0 +1,109 @@
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+import classNames from 'classnames';
+import { FormProvider, useForm } from 'react-hook-form';
+import { useNavigate } from 'react-router-dom';
+import { type KeyedMutator } from 'swr';
+
+import SubmitFormChangesActionBar from '@/components/SubmitFormChangesActionBar';
+import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
+import useApi from '@/hooks/use-api';
+import { trySubmitSafe } from '@/utils/form';
+
+import useJwtCustomizer from '../../CustomizeJwt/use-jwt-customizer';
+import { type Action, type JwtCustomizer, type JwtCustomizerForm } from '../type';
+import { formatFormDataToRequestData, formatResponseDataToFormData } from '../utils/format';
+import { getApiPath } from '../utils/path';
+
+import ScriptSection from './ScriptSection';
+import SettingsSection from './SettingsSection';
+import * as styles from './index.module.scss';
+
+type Props<T extends LogtoJwtTokenKeyType> = {
+  className?: string;
+  token: T;
+  data?: JwtCustomizer<T>;
+  mutate: KeyedMutator<JwtCustomizer<T>>;
+  action: Action;
+};
+
+function MainContent<T extends LogtoJwtTokenKeyType>({
+  className,
+  token,
+  data,
+  mutate,
+  action,
+}: Props<T>) {
+  const api = useApi();
+  const navigate = useNavigate();
+  const { mutate: mutateJwtCustomizers } = useJwtCustomizer();
+
+  const methods = useForm<JwtCustomizerForm>({
+    defaultValues: formatResponseDataToFormData(token, data),
+  });
+
+  const {
+    formState: { isDirty, isSubmitting },
+    reset,
+    handleSubmit,
+  } = methods;
+
+  const onSubmitHandler = handleSubmit(
+    trySubmitSafe(async (data) => {
+      if (isSubmitting) {
+        return;
+      }
+
+      const { tokenType } = data;
+      const payload = formatFormDataToRequestData(data);
+
+      const updatedJwtCustomizer = await api
+        .put(getApiPath(tokenType), { json: payload })
+        .json<JwtCustomizer<T>>();
+
+      await mutate(updatedJwtCustomizer);
+
+      reset(formatResponseDataToFormData(tokenType, updatedJwtCustomizer));
+
+      /**
+       * Should `reset` (to set `isDirty` to false) before navigating back to the custom JWT listing page.
+       * Otherwise, the unsaved changes alert modal will be triggered on clicking `create` button, which
+       * is not expected.
+       */
+      if (action === 'create') {
+        // Refresh the JWT customizers list to reflect the latest changes.
+        await mutateJwtCustomizers();
+        navigate(-1);
+      }
+    })
+  );
+
+  return (
+    <>
+      <FormProvider {...methods}>
+        <form className={classNames(styles.content, className)}>
+          <ScriptSection />
+          <SettingsSection />
+        </form>
+      </FormProvider>
+      <SubmitFormChangesActionBar
+        // Always show the action bar if is the create mode
+        isOpen={isDirty || action === 'create'}
+        isSubmitting={isSubmitting}
+        confirmText={action === 'create' ? 'general.create' : 'general.save_changes'}
+        className={classNames(styles.submitActionBar, styles.overwrite)}
+        onDiscard={
+          // If the form is in create mode, navigate back to the previous page
+          action === 'create'
+            ? () => {
+                navigate(-1);
+              }
+            : reset
+        }
+        onSubmit={onSubmitHandler}
+      />
+      <UnsavedChangesAlertModal hasUnsavedChanges={isDirty && !isSubmitting} onConfirm={reset} />
+    </>
+  );
+}
+
+export default MainContent;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.module.scss
new file mode 100644
index 00000000000..8986a550e56
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.module.scss
@@ -0,0 +1,47 @@
+@use '@/scss/underscore' as _;
+
+.content {
+  display: flex;
+  flex-direction: row;
+  flex-grow: 1;
+
+  > * {
+    flex: 1;
+    margin-bottom: _.unit(6);
+
+    &:first-child {
+      margin-right: _.unit(3);
+    }
+  }
+}
+
+.blockShimmer {
+  @include _.shimmering-animation;
+  border-radius: 8px;
+  flex: 1;
+}
+
+.card:not(:last-child) {
+  margin-bottom: _.unit(4);
+}
+
+
+.textShimmer {
+  @include _.shimmering-animation;
+  width: 100%;
+  height: _.unit(6);
+  border-radius: 8px;
+
+  &:not(:last-child) {
+    margin-bottom: _.unit(4);
+  }
+
+  &.title {
+    width: _.unit(30);
+  }
+
+  &.large {
+    height: _.unit(8);
+  }
+}
+
diff --git a/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.tsx
new file mode 100644
index 00000000000..d4ea8f1c738
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/PageLoadingSkeleton/index.tsx
@@ -0,0 +1,41 @@
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import classNames from 'classnames';
+
+import Card from '@/ds-components/Card';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  tokenType: LogtoJwtTokenKeyType;
+};
+
+function PageLoadingSkeleton({ tokenType }: Props) {
+  return (
+    <div className={styles.content}>
+      <div className={styles.blockShimmer} />
+      <div>
+        <div className={classNames(styles.textShimmer, styles.large)} />
+        <Card className={styles.card}>
+          <div className={classNames(styles.textShimmer, styles.title)} />
+          <div className={styles.textShimmer} />
+        </Card>
+        <Card className={styles.card}>
+          <div className={classNames(styles.textShimmer, styles.title)} />
+          <div className={styles.textShimmer} />
+        </Card>
+        <Card className={styles.card}>
+          <div className={classNames(styles.textShimmer, styles.title)} />
+          <div className={styles.textShimmer} />
+        </Card>
+        {tokenType === LogtoJwtTokenKeyType.AccessToken && (
+          <Card className={styles.card}>
+            <div className={styles.textShimmer} />
+            <div className={styles.textShimmer} />
+          </Card>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default PageLoadingSkeleton;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/index.module.scss b/packages/console/src/pages/CustomizeJwtDetails/index.module.scss
new file mode 100644
index 00000000000..2cc1bcfdf6c
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/index.module.scss
@@ -0,0 +1,14 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  position: relative;
+
+  .header {
+    flex-shrink: 0;
+    margin-bottom: _.unit(4);
+  }
+
+  .hidden {
+    display: none;
+  }
+}
diff --git a/packages/console/src/pages/CustomizeJwtDetails/index.tsx b/packages/console/src/pages/CustomizeJwtDetails/index.tsx
new file mode 100644
index 00000000000..09421f3ea6c
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/index.tsx
@@ -0,0 +1,66 @@
+import { withAppInsights } from '@logto/app-insights/react/AppInsightsReact';
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+import { useMemo, useState } from 'react';
+import { useParams } from 'react-router-dom';
+
+import DetailsPage from '@/components/DetailsPage';
+import EmptyDataPlaceholder from '@/components/EmptyDataPlaceholder';
+
+import { CodeEditorLoadingContext } from './CodeEditorLoadingContext';
+import MainContent from './MainContent';
+import PageLoadingSkeleton from './PageLoadingSkeleton';
+import * as styles from './index.module.scss';
+import { pageParamsGuard, type Action } from './type';
+import useDataFetch from './use-data-fetch';
+
+type Props = {
+  tokenType: LogtoJwtTokenKeyType;
+  action: Action;
+};
+
+function CustomizeJwtDetails({ tokenType, action }: Props) {
+  const { isLoading, error, ...rest } = useDataFetch(tokenType, action);
+
+  const [isMonacoLoaded, setIsMonacoLoaded] = useState(false);
+
+  const codeEditorContextValue = useMemo(
+    () => ({ isMonacoLoaded, setIsMonacoLoaded }),
+    [isMonacoLoaded]
+  );
+
+  return (
+    <DetailsPage
+      backLink="/customize-jwt"
+      backLinkTitle="jwt_claims.title"
+      className={styles.container}
+    >
+      {(isLoading || !isMonacoLoaded) && <PageLoadingSkeleton tokenType={tokenType} />}
+
+      {!isLoading && (
+        <CodeEditorLoadingContext.Provider value={codeEditorContextValue}>
+          <MainContent
+            action={action}
+            token={tokenType}
+            {...rest}
+            className={isMonacoLoaded ? undefined : styles.hidden}
+          />
+        </CodeEditorLoadingContext.Provider>
+      )}
+    </DetailsPage>
+  );
+}
+
+// Guard the parameters to ensure they are valid
+function CustomizeJwtDetailsWrapper() {
+  const { tokenType, action } = useParams();
+
+  const params = pageParamsGuard.safeParse({ tokenType, action });
+
+  if (!params.success) {
+    return <EmptyDataPlaceholder />;
+  }
+
+  return <CustomizeJwtDetails tokenType={params.data.tokenType} action={params.data.action} />;
+}
+
+export default withAppInsights(CustomizeJwtDetailsWrapper);
diff --git a/packages/console/src/pages/CustomizeJwtDetails/type.ts b/packages/console/src/pages/CustomizeJwtDetails/type.ts
new file mode 100644
index 00000000000..ac4083208db
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/type.ts
@@ -0,0 +1,25 @@
+import type { AccessTokenJwtCustomizer, ClientCredentialsJwtCustomizer } from '@logto/schemas';
+import { LogtoJwtTokenKeyType } from '@logto/schemas';
+import { z } from 'zod';
+
+export type JwtCustomizerForm = {
+  tokenType: LogtoJwtTokenKeyType;
+  script: string;
+  environmentVariables?: Array<{ key: string; value: string }>;
+  testSample: {
+    contextSample?: string;
+    tokenSample?: string;
+  };
+};
+
+export type Action = 'create' | 'edit';
+
+export type JwtCustomizer<T extends LogtoJwtTokenKeyType> =
+  T extends LogtoJwtTokenKeyType.AccessToken
+    ? AccessTokenJwtCustomizer
+    : ClientCredentialsJwtCustomizer;
+
+export const pageParamsGuard = z.object({
+  tokenType: z.nativeEnum(LogtoJwtTokenKeyType),
+  action: z.union([z.literal('create'), z.literal('edit')]),
+});
diff --git a/packages/console/src/pages/CustomizeJwtDetails/use-data-fetch.ts b/packages/console/src/pages/CustomizeJwtDetails/use-data-fetch.ts
new file mode 100644
index 00000000000..29812dcac42
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/use-data-fetch.ts
@@ -0,0 +1,35 @@
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+import { type ResponseError } from '@withtyped/client';
+import useSWR from 'swr';
+
+import useApi from '@/hooks/use-api';
+import useSwrFetcher from '@/hooks/use-swr-fetcher';
+import { shouldRetryOnError } from '@/utils/request';
+
+import { type Action, type JwtCustomizer } from './type';
+import { getApiPath } from './utils/path';
+
+const useDataFetch = <T extends LogtoJwtTokenKeyType>(tokenType: T, action: Action) => {
+  const apiPath = getApiPath(tokenType);
+  const fetchApi = useApi({ hideErrorToast: true });
+  const fetcher = useSwrFetcher<JwtCustomizer<T>>(fetchApi);
+
+  // Return undefined if action is create
+  const { isLoading, data, mutate, error } = useSWR<JwtCustomizer<T>, ResponseError>(
+    action === 'create' ? undefined : apiPath,
+    {
+      fetcher,
+      shouldRetryOnError: shouldRetryOnError({ ignore: [404] }),
+    }
+  );
+
+  return {
+    // Show global loading status only if any of the fetchers are loading and no errors are present
+    isLoading: isLoading && !error,
+    data,
+    mutate,
+    error,
+  };
+};
+
+export default useDataFetch;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/utils/config.tsx b/packages/console/src/pages/CustomizeJwtDetails/utils/config.tsx
new file mode 100644
index 00000000000..4264623ce02
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/utils/config.tsx
@@ -0,0 +1,256 @@
+import type {
+  AccessTokenPayload,
+  ClientCredentialsPayload,
+  JwtCustomizerUserContext,
+} from '@logto/schemas';
+import { type EditorProps } from '@monaco-editor/react';
+
+import TokenFileIcon from '@/assets/icons/token-file-icon.svg';
+import UserFileIcon from '@/assets/icons/user-file-icon.svg';
+
+import type { ModelSettings } from '../MainContent/MonacoCodeEditor/type.js';
+
+import {
+  JwtCustomizerTypeDefinitionKey,
+  buildAccessTokenJwtCustomizerContextTsDefinition,
+  buildClientCredentialsJwtCustomizerContextTsDefinition,
+} from './type-definitions.js';
+
+/**
+ * JWT token code editor configuration
+ */
+const accessTokenJwtCustomizerDefinition = `
+declare global {
+  export interface CustomJwtClaims extends Record<string, any> {}
+
+  /** Logto internal data that can be used to pass additional information
+   * @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext}} user - The user info associated with the token.
+   */
+  export type Data = {
+    user: ${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext};
+  }
+
+  export interface Exports {
+    /**
+     * This function is called during the access token generation process to get custom claims for the JWT token.
+     * 
+     * @param {${JwtCustomizerTypeDefinitionKey.AccessTokenPayload}} token -The JWT token.
+     * @param {Data} data - Logto internal data that can be used to pass additional information
+     * @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext}} data.user - The user info associated with the token.
+     * @param {${JwtCustomizerTypeDefinitionKey.EnvironmentVariables}} envVariables - The environment variables.
+     * 
+     * @returns The custom claims.
+     */
+    getCustomJwtClaims: (token: ${JwtCustomizerTypeDefinitionKey.AccessTokenPayload}, data: Data, envVariables: ${JwtCustomizerTypeDefinitionKey.EnvironmentVariables}) => Promise<CustomJwtClaims>;
+  }
+
+  const exports: Exports;
+}
+
+export { exports as default };
+`;
+
+const clientCredentialsJwtCustomizerDefinition = `
+declare global {
+  export interface CustomJwtClaims extends Record<string, any> {}
+
+  export interface Exports {
+    /**
+     * This function is called during the access token generation process to get custom claims for the JWT token.
+     * 
+     * @param {${JwtCustomizerTypeDefinitionKey.ClientCredentialsPayload}} token -The JWT token.
+     * 
+     * @returns The custom claims.
+     */
+    getCustomJwtClaims: (token: ${JwtCustomizerTypeDefinitionKey.ClientCredentialsPayload}, envVariables: ${JwtCustomizerTypeDefinitionKey.EnvironmentVariables}) => Promise<CustomJwtClaims>;
+  }
+
+  const exports: Exports;
+}
+
+export { exports as default };
+`;
+
+export const defaultAccessTokenJwtCustomizerCode = `/**
+* This function is called during the access token generation process to get custom claims for the JWT token.
+* Limit custom claims to under 50KB.
+* 
+* @param {${JwtCustomizerTypeDefinitionKey.AccessTokenPayload}} token -The JWT token.
+* @param {Data} data - Logto internal data that can be used to pass additional information
+* @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext}} data.user - The user info associated with the token.
+* @param {${JwtCustomizerTypeDefinitionKey.EnvironmentVariables}} [envVariables] - The environment variables.
+*
+* @returns The custom claims.
+*/
+
+exports.getCustomJwtClaims = async (token, data, envVariables) => {
+  return {};
+}`;
+
+export const defaultClientCredentialsJwtCustomizerCode = `/**
+* This function is called during the access token generation process to get custom claims for the JWT token.
+* Limit custom claims to under 50KB.
+*
+* @param {${JwtCustomizerTypeDefinitionKey.ClientCredentialsPayload}} token -The JWT token.
+* @param {${JwtCustomizerTypeDefinitionKey.EnvironmentVariables}} [envVariables] - The environment variables.
+*
+* @returns The custom claims.
+*/
+
+exports.getCustomJwtClaims = async (token, envVariables) => {
+  return {};
+}`;
+
+export const accessTokenJwtCustomizerModel: ModelSettings = {
+  name: 'user-jwt.ts',
+  title: 'User access token',
+  language: 'typescript',
+  defaultValue: defaultAccessTokenJwtCustomizerCode,
+  extraLibs: [
+    {
+      content: accessTokenJwtCustomizerDefinition,
+      filePath: `file:///logto-jwt-customizer.d.ts`,
+    },
+    {
+      content: buildAccessTokenJwtCustomizerContextTsDefinition(),
+      filePath: `file:///logto-jwt-customizer-context.d.ts`,
+    },
+  ],
+};
+
+export const clientCredentialsModel: ModelSettings = {
+  name: 'machine-to-machine-jwt.ts',
+  title: 'Machine-to-machine token',
+  language: 'typescript',
+  defaultValue: defaultClientCredentialsJwtCustomizerCode,
+  extraLibs: [
+    {
+      content: clientCredentialsJwtCustomizerDefinition,
+      filePath: `file:///logto-jwt-customizer.d.ts`,
+    },
+    {
+      content: buildClientCredentialsJwtCustomizerContextTsDefinition(),
+      filePath: `file:///logto-jwt-customizer-context.d.ts`,
+    },
+  ],
+};
+
+/**
+ * JWT claims guide card configs
+ */
+export const sampleCodeEditorOptions: EditorProps['options'] = {
+  readOnly: true,
+  wordWrap: 'on',
+  minimap: { enabled: false },
+  renderLineHighlight: 'none',
+  fontSize: 14,
+  padding: { top: 16, bottom: 16 },
+  overviewRulerBorder: false,
+  overviewRulerLanes: 0,
+  lineNumbers: 'off',
+  folding: false,
+  tabSize: 2,
+  scrollBeyondLastLine: false,
+};
+
+export const typeDefinitionCodeEditorOptions: EditorProps['options'] = {
+  ...sampleCodeEditorOptions,
+  folding: true,
+};
+
+export const fetchExternalDataCodeExample = `const response = await fetch('https://api.example.com/data', {
+  headers: {
+    Authorization: \`{{API KEY}}\`,
+  }
+});
+
+const data = await response.json();
+
+return {
+  externalData: data,
+};`;
+
+export const environmentVariablesCodeExample = `exports.getCustomJwtClaims = async (token, data, envVariables) => {
+  const { apiKey } = envVariables;
+
+  const response = await fetch('https://api.example.com/data', {
+    headers: {
+      Authorization: apiKey,
+    }
+  });
+  
+  const data = await response.json();
+
+  return {
+    externalData: data,
+  };
+};`;
+
+/**
+ * Tester Code Editor configs
+ */
+const standardTokenPayloadData = {
+  jti: 'f1d3d2d1-1f2d-3d4e-5d6f-7d8a9d0e1d2',
+  aud: 'http://localhost:3000/api/test',
+  scope: 'read write',
+  clientId: 'my_app',
+};
+
+export const defaultAccessTokenPayload: AccessTokenPayload = {
+  ...standardTokenPayloadData,
+  accountId: 'uid_123',
+  grantId: 'grant_123',
+  gty: 'authorization_code',
+  kind: 'AccessToken',
+};
+
+export const defaultClientCredentialsPayload: ClientCredentialsPayload = {
+  ...standardTokenPayloadData,
+  kind: 'ClientCredentials',
+};
+
+const defaultUserContext: Partial<JwtCustomizerUserContext> = {
+  id: '123',
+  username: 'foo',
+  primaryEmail: 'foo@logto.io',
+  primaryPhone: '+1234567890',
+  name: 'Foo Bar',
+  avatar: 'https://example.com/avatar.png',
+  customData: {},
+  identities: {},
+  profile: {},
+  applicationId: 'my-app',
+  ssoIdentities: [],
+  mfaVerificationFactors: [],
+  roles: [],
+  organizations: [],
+  organizationRoles: [],
+};
+
+export const defaultUserTokenContextData = {
+  user: defaultUserContext,
+};
+
+export const accessTokenPayloadTestModel: ModelSettings = {
+  language: 'json',
+  icon: <TokenFileIcon />,
+  name: 'user-token-payload.json',
+  title: 'Token data',
+  defaultValue: JSON.stringify(defaultAccessTokenPayload, null, 2),
+};
+
+export const clientCredentialsPayloadTestModel: ModelSettings = {
+  language: 'json',
+  icon: <TokenFileIcon />,
+  name: 'machine-to-machine-token-payload.json',
+  title: 'Token data',
+  defaultValue: JSON.stringify(defaultClientCredentialsPayload, null, 2),
+};
+
+export const userContextTestModel: ModelSettings = {
+  language: 'json',
+  icon: <UserFileIcon />,
+  name: 'user-token-context.json',
+  title: 'User data',
+  defaultValue: JSON.stringify(defaultUserTokenContextData, null, 2),
+};
diff --git a/packages/console/src/pages/CustomizeJwtDetails/utils/format.ts b/packages/console/src/pages/CustomizeJwtDetails/utils/format.ts
new file mode 100644
index 00000000000..fe1ec8ffe46
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/utils/format.ts
@@ -0,0 +1,117 @@
+import { LogtoJwtTokenKeyType, type AccessTokenJwtCustomizer, type Json } from '@logto/schemas';
+
+import type { JwtCustomizer, JwtCustomizerForm } from '../type';
+
+import {
+  defaultAccessTokenJwtCustomizerCode,
+  defaultAccessTokenPayload,
+  defaultClientCredentialsJwtCustomizerCode,
+  defaultClientCredentialsPayload,
+  defaultUserTokenContextData,
+} from './config';
+
+const formatEnvVariablesResponseToFormData = (
+  enVariables?: AccessTokenJwtCustomizer['environmentVariables']
+) => {
+  if (!enVariables) {
+    return;
+  }
+
+  return Object.entries(enVariables).map(([key, value]) => ({ key, value }));
+};
+
+const formatEnvVariablesFormDataToRequest = (
+  envVariables: JwtCustomizerForm['environmentVariables']
+) => {
+  if (!envVariables) {
+    return;
+  }
+
+  const entries = envVariables.filter(({ key, value }) => key && value);
+
+  if (entries.length === 0) {
+    return;
+  }
+
+  return Object.fromEntries(entries.map(({ key, value }) => [key, value]));
+};
+
+const formatSampleCodeJsonToString = (sampleJson?: Json) => {
+  if (!sampleJson) {
+    return;
+  }
+
+  return JSON.stringify(sampleJson, null, 2);
+};
+
+const formatSampleCodeStringToJson = (sampleCode?: string) => {
+  if (!sampleCode) {
+    return;
+  }
+
+  try {
+    // eslint-disable-next-line no-restricted-syntax -- guarded by back-end validation
+    return JSON.parse(sampleCode) as Record<string, unknown>;
+  } catch {}
+};
+
+const defaultValues = Object.freeze({
+  [LogtoJwtTokenKeyType.AccessToken]: {
+    script: defaultAccessTokenJwtCustomizerCode,
+    tokenSample: defaultAccessTokenPayload,
+    contextSample: defaultUserTokenContextData,
+  },
+  [LogtoJwtTokenKeyType.ClientCredentials]: {
+    script: defaultClientCredentialsJwtCustomizerCode,
+    tokenSample: defaultClientCredentialsPayload,
+    contextSample: undefined,
+  },
+});
+
+export const formatResponseDataToFormData = <T extends LogtoJwtTokenKeyType>(
+  tokenType: T,
+  data?: JwtCustomizer<T>
+): JwtCustomizerForm => {
+  return {
+    tokenType,
+    script: data?.script ?? defaultValues[tokenType].script,
+    environmentVariables: formatEnvVariablesResponseToFormData(data?.environmentVariables) ?? [
+      { key: '', value: '' },
+    ],
+    testSample: {
+      tokenSample: formatSampleCodeJsonToString(
+        data?.tokenSample ?? defaultValues[tokenType].tokenSample
+      ),
+      contextSample: formatSampleCodeJsonToString(
+        data?.contextSample ?? defaultValues[tokenType].contextSample
+      ),
+    },
+  };
+};
+
+export const formatFormDataToRequestData = (data: JwtCustomizerForm) => {
+  return {
+    script: data.script,
+    environmentVariables: formatEnvVariablesFormDataToRequest(data.environmentVariables),
+    tokenSample: formatSampleCodeStringToJson(data.testSample.tokenSample),
+    contextSample: formatSampleCodeStringToJson(data.testSample.contextSample),
+  };
+};
+
+export const formatFormDataToTestRequestPayload = ({
+  tokenType,
+  script,
+  environmentVariables,
+  testSample,
+}: JwtCustomizerForm) => {
+  return {
+    tokenType,
+    script,
+    environmentVariables: formatEnvVariablesFormDataToRequest(environmentVariables),
+    token:
+      formatSampleCodeStringToJson(testSample.tokenSample) ?? defaultValues[tokenType].tokenSample,
+    context:
+      formatSampleCodeStringToJson(testSample.contextSample) ??
+      defaultValues[tokenType].contextSample,
+  };
+};
diff --git a/packages/console/src/pages/CustomizeJwtDetails/utils/path.ts b/packages/console/src/pages/CustomizeJwtDetails/utils/path.ts
new file mode 100644
index 00000000000..25c94ed2bc7
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/utils/path.ts
@@ -0,0 +1,4 @@
+import { type LogtoJwtTokenKeyType } from '@logto/schemas';
+
+export const getApiPath = (tokenType: LogtoJwtTokenKeyType) =>
+  `api/configs/jwt-customizer/${tokenType}`;
diff --git a/packages/console/src/pages/CustomizeJwtDetails/utils/type-definitions.ts b/packages/console/src/pages/CustomizeJwtDetails/utils/type-definitions.ts
new file mode 100644
index 00000000000..a5e3fe8f8a9
--- /dev/null
+++ b/packages/console/src/pages/CustomizeJwtDetails/utils/type-definitions.ts
@@ -0,0 +1,39 @@
+import {
+  JwtCustomizerTypeDefinitionKey,
+  accessTokenPayloadTypeDefinition,
+  clientCredentialsPayloadTypeDefinition,
+  jwtCustomizerUserContextTypeDefinition,
+} from '@/consts/jwt-customizer-type-definition';
+
+import { type JwtCustomizerForm } from '../type';
+
+export {
+  JwtCustomizerTypeDefinitionKey,
+  accessTokenPayloadTypeDefinition,
+  clientCredentialsPayloadTypeDefinition,
+  jwtCustomizerUserContextTypeDefinition,
+} from '@/consts/jwt-customizer-type-definition';
+
+export const buildAccessTokenJwtCustomizerContextTsDefinition = () => {
+  return `declare ${jwtCustomizerUserContextTypeDefinition}
+
+  declare ${accessTokenPayloadTypeDefinition}`;
+};
+
+export const buildClientCredentialsJwtCustomizerContextTsDefinition = () =>
+  `declare ${clientCredentialsPayloadTypeDefinition}`;
+
+export const buildEnvironmentVariablesTypeDefinition = (
+  envVariables?: JwtCustomizerForm['environmentVariables']
+) => {
+  const typeDefinition = envVariables
+    ? `{
+  ${envVariables
+    .filter(({ key }) => Boolean(key))
+    .map(({ key }) => `${key}: string`)
+    .join(';\n')}
+    }`
+    : 'undefined';
+
+  return `declare type ${JwtCustomizerTypeDefinitionKey.EnvironmentVariables} = ${typeDefinition}`;
+};
diff --git a/packages/console/src/pages/EnterpriseSso/SsoCreationModal/SsoConnectorRadioGroup/index.module.scss b/packages/console/src/pages/EnterpriseSso/SsoCreationModal/SsoConnectorRadioGroup/index.module.scss
index 0a7e72f5308..b123e575c6c 100644
--- a/packages/console/src/pages/EnterpriseSso/SsoCreationModal/SsoConnectorRadioGroup/index.module.scss
+++ b/packages/console/src/pages/EnterpriseSso/SsoCreationModal/SsoConnectorRadioGroup/index.module.scss
@@ -27,7 +27,7 @@
   }
 
   &.large {
-    grid-template-columns: repeat(3, 1fr);
+    grid-template-columns: repeat(4, 1fr);
 
     @media screen and (max-width: dim.$modal-layout-grid-medium) {
       grid-template-columns: repeat(2, 1fr);
diff --git a/packages/console/src/pages/EnterpriseSso/SsoCreationModal/index.tsx b/packages/console/src/pages/EnterpriseSso/SsoCreationModal/index.tsx
index 929432cc5ec..53755358e37 100644
--- a/packages/console/src/pages/EnterpriseSso/SsoCreationModal/index.tsx
+++ b/packages/console/src/pages/EnterpriseSso/SsoCreationModal/index.tsx
@@ -1,10 +1,10 @@
 import {
+  type RequestErrorBody,
   type SsoConnectorProvidersResponse,
   type SsoConnectorWithProviderConfig,
-  type RequestErrorBody,
 } from '@logto/schemas';
 import { HTTPError } from 'ky';
-import { useMemo, useState, useContext } from 'react';
+import { useContext, useMemo, useState } from 'react';
 import { useForm } from 'react-hook-form';
 import { Trans, useTranslation } from 'react-i18next';
 import Modal from 'react-modal';
@@ -21,8 +21,7 @@ import DynamicT from '@/ds-components/DynamicT';
 import FormField from '@/ds-components/FormField';
 import ModalLayout from '@/ds-components/ModalLayout';
 import TextInput from '@/ds-components/TextInput';
-import { type RequestError } from '@/hooks/use-api';
-import useApi from '@/hooks/use-api';
+import useApi, { type RequestError } from '@/hooks/use-api';
 import * as modalStyles from '@/scss/modal.module.scss';
 import { trySubmitSafe } from '@/utils/form';
 
@@ -150,12 +149,12 @@ function SsoCreationModal({ isOpen, onClose: rawOnClose }: Props) {
                   a: <ContactUsPhraseLink />,
                 }}
               >
-                {t('upsell.paywall.organizations')}
+                {t('upsell.paywall.sso_connectors')}
               </Trans>
             </QuotaGuardFooter>
           )
         }
-        size={radioGroupSize}
+        size="xlarge"
         onClose={onClose}
       >
         {isLoading && <Skeleton numberOfLoadingConnectors={2} />}
diff --git a/packages/console/src/pages/EnterpriseSso/types.ts b/packages/console/src/pages/EnterpriseSso/types.ts
deleted file mode 100644
index 595acc9d4db..00000000000
--- a/packages/console/src/pages/EnterpriseSso/types.ts
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Type definitions for Enterprise SSO guide form, since the type of SAML config is defined in
- * @logto/core and can not be imported here, should align with SAML config types.
- * See {@link @logto/core/packages/core/src/sso/SamlConnector/index.ts}.
- */
-import { type SsoProviderName, type SsoConnectorWithProviderConfig } from '@logto/schemas';
-
-type AttributeMapping = {
-  id?: string;
-  email?: string;
-  name?: string;
-};
-
-export const attributeKeys = Object.freeze(['id', 'email', 'name']) satisfies ReadonlyArray<
-  keyof AttributeMapping
->;
-
-export type SamlGuideFormType = {
-  metadataUrl?: string;
-  metadata?: string;
-  signInEndpoint?: string;
-  entityId?: string;
-  x509Certificate?: string;
-  attributeMapping?: AttributeMapping;
-};
-
-export type OidcGuideFormType = {
-  clientId?: string;
-  clientSecret?: string;
-  issuer?: string;
-  scope?: string;
-};
-
-export type GuideFormType<T extends SsoProviderName> = T extends
-  | SsoProviderName.OIDC
-  | SsoProviderName.GOOGLE_WORKSPACE
-  | SsoProviderName.OKTA
-  ? OidcGuideFormType
-  : T extends SsoProviderName.SAML | SsoProviderName.AZURE_AD
-  ? SamlGuideFormType
-  : never;
-
-/**
- * This type aligned with the type of `SamlIdentityProviderMetadata` (packages/core/src/sso/types/saml.ts)
- * and `OidcConfigResponse` (packages/core/src/sso/types/oidc.ts).
- *
- * Since these types are defined in @logto/core, we can't import them directly here.
- */
-export type ParsedSsoIdentityProviderConfig<T extends SsoProviderName> =
-  T extends SsoProviderName.OIDC
-    ? {
-        authorizationEndpoint: string;
-        tokenEndpoint: string;
-        userinfoEndpoint: string;
-        jwksUri: string;
-        issuer: string;
-      }
-    : T extends SsoProviderName.SAML
-    ? {
-        defaultAttributeMapping: AttributeMapping;
-        serviceProvider: {
-          entityId: string;
-          assertionConsumerServiceUrl: string;
-        };
-        identityProvider?: {
-          entityId: string;
-          signInEndpoint: string;
-          x509Certificate: string;
-          certificateExpiresAt: number;
-          isCertificateValid: boolean;
-        };
-      }
-    : never;
-
-export type SsoConnectorConfig<T extends SsoProviderName> = GuideFormType<T>;
-
-// Help the Guide component type to be inferred from the connector's type.
-export type SsoConnectorWithProviderConfigWithGeneric<T extends SsoProviderName> = Omit<
-  SsoConnectorWithProviderConfig,
-  'config' | 'providerName' | 'providerConfig'
-> & {
-  providerName: T;
-  providerConfig?: ParsedSsoIdentityProviderConfig<T>;
-  config: SsoConnectorConfig<T>;
-};
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/BasicInfo/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/BasicInfo/index.tsx
deleted file mode 100644
index 9d37b184ff6..00000000000
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/BasicInfo/index.tsx
+++ /dev/null
@@ -1,85 +0,0 @@
-import { SsoProviderName, type SsoConnectorWithProviderConfig } from '@logto/schemas';
-import { conditionalString } from '@silverhand/essentials';
-import { useContext } from 'react';
-import { z } from 'zod';
-
-import { AppDataContext } from '@/contexts/AppDataProvider';
-import CopyToClipboard from '@/ds-components/CopyToClipboard';
-import FormField from '@/ds-components/FormField';
-import useCustomDomain from '@/hooks/use-custom-domain';
-
-import * as styles from './index.module.scss';
-
-type Props = {
-  ssoConnectorId: string;
-} & Pick<SsoConnectorWithProviderConfig, 'providerName' | 'providerConfig'>;
-
-/**
- * TODO: Should align this with the guard `samlServiceProviderMetadataGuard` defined in {@link logto/core/src/sso/types/saml.ts}.
- * This only applies to SAML SSO connectors.
- */
-const providerPropertiesGuard = z.object({
-  serviceProvider: z.object({
-    assertionConsumerServiceUrl: z.string().min(1),
-    entityId: z.string().min(1),
-  }),
-});
-
-function BasicInfo({ ssoConnectorId, providerName, providerConfig }: Props) {
-  const { tenantEndpoint } = useContext(AppDataContext);
-  const { applyDomain: applyCustomDomain } = useCustomDomain();
-
-  if (
-    [SsoProviderName.OIDC, SsoProviderName.GOOGLE_WORKSPACE, SsoProviderName.OKTA].includes(
-      providerName
-    )
-  ) {
-    return (
-      <FormField title="enterprise_sso.basic_info.oidc.redirect_uri_field_name">
-        {/* Generated and passed in by Admin console. */}
-        <CopyToClipboard
-          className={styles.copyToClipboard}
-          variant="border"
-          value={applyCustomDomain(
-            new URL(`/callback/${ssoConnectorId}`, tenantEndpoint).toString()
-          )}
-        />
-      </FormField>
-    );
-  }
-
-  const result = providerPropertiesGuard.safeParse(providerConfig);
-
-  /**
-   * Should not fallback to some other manually concatenated URL, show empty string instead.
-   * Empty string should never show up unless the API does not work properly.
-   */
-  return (
-    <>
-      <FormField title="enterprise_sso.basic_info.saml.acs_url_field_name">
-        <CopyToClipboard
-          className={styles.copyToClipboard}
-          variant="border"
-          value={conditionalString(
-            result.success &&
-              result.data.serviceProvider.assertionConsumerServiceUrl &&
-              applyCustomDomain(result.data.serviceProvider.assertionConsumerServiceUrl)
-          )}
-        />
-      </FormField>
-      <FormField title="enterprise_sso.basic_info.saml.audience_uri_field_name">
-        <CopyToClipboard
-          className={styles.copyToClipboard}
-          variant="border"
-          value={conditionalString(
-            result.success &&
-              result.data.serviceProvider.entityId &&
-              applyCustomDomain(result.data.serviceProvider.entityId)
-          )}
-        />
-      </FormField>
-    </>
-  );
-}
-
-export default BasicInfo;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcConnectorForm.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcConnectorForm.tsx
new file mode 100644
index 00000000000..6c816ab78e7
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcConnectorForm.tsx
@@ -0,0 +1,138 @@
+import { type RequestErrorBody } from '@logto/schemas';
+import cleanDeep from 'clean-deep';
+import { HTTPError } from 'ky';
+import { useEffect, useMemo } from 'react';
+import { FormProvider, useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+
+import DetailsForm from '@/components/DetailsForm';
+import FormCard from '@/components/FormCard';
+import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
+import useApi from '@/hooks/use-api';
+
+import { invalidConfigErrorCode } from '../config';
+import {
+  type OidcSsoConnectorWithProviderConfig,
+  type OidcConnectorConfig,
+  oidcConnectorConfigGuard,
+  oidcProviderConfigGuard,
+} from '../types/oidc';
+
+import OidcMetadataForm from './OidcMetadataForm';
+import OidcConnectorSpInfo from './ServiceProviderInfo/OidcConnectorSpInfo';
+
+type Props = {
+  isDeleted: boolean;
+  data: OidcSsoConnectorWithProviderConfig;
+  onUpdated: (data: OidcSsoConnectorWithProviderConfig) => void;
+};
+
+function OidcConnectorForm({ isDeleted, data, onUpdated }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const api = useApi({ hideErrorToast: [invalidConfigErrorCode] });
+
+  const methods = useForm<OidcConnectorConfig>();
+
+  const {
+    formState: { isSubmitting, isDirty },
+    handleSubmit,
+    reset,
+    setError,
+  } = methods;
+
+  const { config, providerConfig, providerName, id: connectorId } = data;
+
+  // Guard the config data
+  const oidcConnectorConfig = useMemo(() => {
+    const result = oidcConnectorConfigGuard.safeParse(config);
+    const { success } = result;
+    const guardedConfig = success ? result.data : undefined;
+
+    return guardedConfig;
+  }, [config]);
+
+  const oidcProviderConfig = useMemo(() => {
+    const result = oidcProviderConfigGuard.safeParse(providerConfig);
+    const { success } = result;
+    const guardedConfig = success ? result.data : undefined;
+
+    return guardedConfig;
+  }, [providerConfig]);
+
+  useEffect(() => {
+    reset(oidcConnectorConfig);
+  }, [oidcConnectorConfig, reset]);
+
+  const onSubmit = handleSubmit(async (formData) => {
+    if (isSubmitting) {
+      return;
+    }
+
+    try {
+      const result = await api
+        .patch(`api/sso-connectors/${connectorId}`, {
+          json: {
+            config: cleanDeep(formData),
+          },
+        })
+        .json<OidcSsoConnectorWithProviderConfig>();
+
+      toast.success(t('general.saved'));
+
+      onUpdated(result);
+
+      reset(result.config);
+    } catch (error: unknown) {
+      if (error instanceof HTTPError) {
+        const errorBody = await error.response.clone().json<RequestErrorBody>();
+
+        // Manually handle the error to show the error message in the form.
+        if (errorBody.code === invalidConfigErrorCode) {
+          setError('issuer', {
+            type: 'custom',
+            message: errorBody.message,
+          });
+          return;
+        }
+      }
+
+      throw error;
+    }
+  });
+
+  return (
+    <FormProvider {...methods}>
+      <DetailsForm
+        isDirty={isDirty}
+        isSubmitting={isSubmitting}
+        onDiscard={reset}
+        onSubmit={onSubmit}
+      >
+        <FormCard
+          title="enterprise_sso_details.upload_idp_metadata_title_oidc"
+          description="enterprise_sso_details.upload_idp_metadata_description_oidc"
+        >
+          {/* Can not infer the type by narrowing down the value of `providerName`, so we need to cast it. */}
+          <OidcMetadataForm
+            providerName={providerName}
+            config={oidcConnectorConfig}
+            providerConfig={oidcProviderConfig}
+          />
+        </FormCard>
+        <FormCard
+          title="enterprise_sso_details.service_provider_property_title"
+          description="enterprise_sso_details.service_provider_property_description"
+          descriptionInterpolation={{
+            protocol: 'OIDC',
+          }}
+        >
+          <OidcConnectorSpInfo ssoConnectorId={connectorId} />
+        </FormCard>
+      </DetailsForm>
+      <UnsavedChangesAlertModal hasUnsavedChanges={!isDeleted && isDirty} />
+    </FormProvider>
+  );
+}
+
+export default OidcConnectorForm;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/ParsedConfigPreview/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/ParsedConfigPreview/index.tsx
index d12b7963816..37976269d0d 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/ParsedConfigPreview/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/ParsedConfigPreview/index.tsx
@@ -1,13 +1,12 @@
-import { type SsoProviderName } from '@logto/schemas';
 import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
 
-import { type ParsedSsoIdentityProviderConfig } from '@/pages/EnterpriseSso/types.js';
+import { type OidcProviderConfig } from '@/pages/EnterpriseSsoDetails/types/oidc';
 
 import * as styles from './index.module.scss';
 
 type Props = {
-  providerConfig: ParsedSsoIdentityProviderConfig<SsoProviderName.OIDC>;
+  providerConfig: OidcProviderConfig;
   className?: string;
 };
 
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
index 2fb056fa538..7ca7fd80c2d 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
@@ -6,19 +6,16 @@ import CopyToClipboard from '@/ds-components/CopyToClipboard';
 import FormField from '@/ds-components/FormField';
 import InlineNotification from '@/ds-components/InlineNotification';
 import TextInput from '@/ds-components/TextInput';
-import {
-  type ParsedSsoIdentityProviderConfig,
-  type OidcGuideFormType,
-  type SsoConnectorConfig,
-} from '@/pages/EnterpriseSso/types.js';
 import { uriValidator } from '@/utils/validator';
 
+import { type OidcConnectorConfig, type OidcProviderConfig } from '../../types/oidc';
+
 import ParsedConfigPreview from './ParsedConfigPreview';
 import * as styles from './index.module.scss';
 
 type Props = {
-  providerConfig?: ParsedSsoIdentityProviderConfig<SsoProviderName.OIDC>;
-  config?: SsoConnectorConfig<SsoProviderName.OIDC>;
+  providerConfig?: OidcProviderConfig;
+  config?: OidcConnectorConfig;
   providerName: SsoProviderName;
 };
 
@@ -28,7 +25,7 @@ function OidcMetadataForm({ providerConfig, config, providerName }: Props) {
   const {
     register,
     formState: { errors },
-  } = useFormContext<OidcGuideFormType>();
+  } = useFormContext<OidcConnectorConfig>();
 
   const isConfigEmpty = !config || Object.keys(config).length === 0;
 
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlAttributeMapping/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlAttributeMapping/index.tsx
index eeec8db4e87..bf139fa857d 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlAttributeMapping/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlAttributeMapping/index.tsx
@@ -1,39 +1,25 @@
-import { socialUserInfoGuard } from '@logto/connector-kit';
-import { type SsoConnectorWithProviderConfig } from '@logto/schemas';
 import { conditional, conditionalString } from '@silverhand/essentials';
 import { useFormContext } from 'react-hook-form';
-import { z } from 'zod';
 
 import CopyToClipboard from '@/ds-components/CopyToClipboard';
 import DynamicT from '@/ds-components/DynamicT';
 import TextInput from '@/ds-components/TextInput';
-
-import { attributeKeys, type SamlGuideFormType } from '../../../EnterpriseSso/types.js';
+import {
+  samlAttributeKeys,
+  type SamlProviderConfig,
+  type SamlConnectorConfig,
+} from '@/pages/EnterpriseSsoDetails/types/saml';
 
 import * as styles from './index.module.scss';
 
-type Props = Pick<SsoConnectorWithProviderConfig, 'providerConfig'>;
-
-/**
- * TODO: Should align this with the guard `samlAttributeMappingGuard` defined in {@link logto/core/src/sso/types/saml.ts}.
- * This only applies to SAML-protocol-based SSO connectors.
- */
-const providerPropertiesGuard = z.object({
-  defaultAttributeMapping: socialUserInfoGuard
-    .pick({
-      id: true,
-      email: true,
-      name: true,
-    })
-    .required(),
-});
+type Props = {
+  samlProviderConfig?: SamlProviderConfig;
+};
 
 const primaryKey = 'attributeMapping';
 
-function SamlAttributeMapping({ providerConfig }: Props) {
-  const { register } = useFormContext<SamlGuideFormType>();
-
-  const result = providerPropertiesGuard.safeParse(providerConfig);
+function SamlAttributeMapping({ samlProviderConfig }: Props) {
+  const { register } = useFormContext<SamlConnectorConfig>();
 
   return (
     <table className={styles.table}>
@@ -48,7 +34,7 @@ function SamlAttributeMapping({ providerConfig }: Props) {
         </tr>
       </thead>
       <tbody className={styles.body}>
-        {attributeKeys.map((key) => {
+        {samlAttributeKeys.map((key) => {
           return (
             <tr key={key} className={styles.row}>
               <td>
@@ -61,16 +47,12 @@ function SamlAttributeMapping({ providerConfig }: Props) {
                   <CopyToClipboard
                     className={styles.copyToClipboard}
                     variant="border"
-                    value={conditionalString(
-                      result.success && result.data.defaultAttributeMapping[key]
-                    )}
+                    value={conditionalString(samlProviderConfig?.defaultAttributeMapping[key])}
                   />
                 ) : (
                   <TextInput
                     {...register(`${primaryKey}.${key}`)}
-                    placeholder={conditional(
-                      result.success && result.data.defaultAttributeMapping[key]
-                    )}
+                    placeholder={conditional(samlProviderConfig?.defaultAttributeMapping[key])}
                   />
                 )}
               </td>
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlConnectorForm.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlConnectorForm.tsx
new file mode 100644
index 00000000000..08742890607
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlConnectorForm.tsx
@@ -0,0 +1,147 @@
+import { type LogtoErrorCode } from '@logto/phrases';
+import { type RequestErrorBody } from '@logto/schemas';
+import cleanDeep from 'clean-deep';
+import { HTTPError } from 'ky';
+import { useEffect, useMemo } from 'react';
+import { FormProvider, useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+
+import DetailsForm from '@/components/DetailsForm';
+import FormCard from '@/components/FormCard';
+import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
+import useApi from '@/hooks/use-api';
+import {
+  samlConnectorConfigGuard,
+  samlProviderConfigGuard,
+  type SamlConnectorConfig,
+  type SamlSsoConnectorWithProviderConfig,
+} from '@/pages/EnterpriseSsoDetails/types/saml';
+import { trySubmitSafe } from '@/utils/form';
+
+import { invalidConfigErrorCode, invalidMetadataErrorCode } from '../config';
+
+import SamlAttributeMapping from './SamlAttributeMapping';
+import SamlMetadataForm from './SamlMetadataForm';
+import SamlConnectorSpInfo from './ServiceProviderInfo/SamlConnectorSpInfo';
+import * as styles from './index.module.scss';
+
+type Props = {
+  isDeleted: boolean;
+  data: SamlSsoConnectorWithProviderConfig;
+  onUpdated: (data: SamlSsoConnectorWithProviderConfig) => void;
+};
+
+const manualHandleErrorCodes: LogtoErrorCode[] = [invalidConfigErrorCode, invalidMetadataErrorCode];
+
+function SamlConnectorForm({ isDeleted, data, onUpdated }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const api = useApi({ hideErrorToast: manualHandleErrorCodes });
+  const methods = useForm<SamlConnectorConfig>();
+
+  const {
+    formState: { isSubmitting, isDirty },
+    handleSubmit,
+    reset,
+    setError,
+  } = methods;
+
+  const { config, providerConfig, id: connectorId } = data;
+
+  // Guard the config data
+  const samlConnectorConfig = useMemo(() => {
+    const result = samlConnectorConfigGuard.safeParse(config);
+    const { success } = result;
+    const guardedConfig = success ? result.data : undefined;
+
+    return guardedConfig;
+  }, [config]);
+
+  // Guard the provider config data
+  const samlProviderConfig = useMemo(() => {
+    const result = samlProviderConfigGuard.safeParse(providerConfig);
+    const { success } = result;
+    const guardedConfig = success ? result.data : undefined;
+
+    return guardedConfig;
+  }, [providerConfig]);
+
+  useEffect(() => {
+    reset(samlConnectorConfig);
+  }, [samlConnectorConfig, reset]);
+
+  const onSubmit = handleSubmit(
+    trySubmitSafe(async (formData) => {
+      if (isSubmitting) {
+        return;
+      }
+
+      try {
+        const result = await api
+          .patch(`api/sso-connectors/${connectorId}`, {
+            json: { config: cleanDeep(formData) },
+          })
+          .json<SamlSsoConnectorWithProviderConfig>();
+
+        toast.success(t('general.saved'));
+
+        onUpdated(result);
+
+        reset(result.config);
+      } catch (error: unknown) {
+        if (error instanceof HTTPError) {
+          const errorBody = await error.response.clone().json<RequestErrorBody>();
+
+          // Manually handle the error to show the error message in the form.
+          if (manualHandleErrorCodes.includes(errorBody.code)) {
+            const errorFormKey = formData.metadataUrl ? 'metadataUrl' : 'metadata';
+
+            setError(errorFormKey, { type: 'custom', message: errorBody.message });
+            return;
+          }
+        }
+
+        throw error;
+      }
+    })
+  );
+
+  return (
+    <FormProvider {...methods}>
+      <DetailsForm
+        isDirty={isDirty}
+        isSubmitting={isSubmitting}
+        onDiscard={reset}
+        onSubmit={onSubmit}
+      >
+        <FormCard
+          title="enterprise_sso_details.upload_idp_metadata_title_saml"
+          description="enterprise_sso_details.upload_idp_metadata_description_saml"
+        >
+          <div className={styles.samlMetadataForm}>
+            <SamlMetadataForm config={samlConnectorConfig} providerConfig={samlProviderConfig} />
+          </div>
+        </FormCard>
+        <FormCard
+          title="enterprise_sso_details.service_provider_property_title"
+          description="enterprise_sso_details.service_provider_property_description"
+          descriptionInterpolation={{
+            protocol: 'SAML 2.0',
+          }}
+        >
+          <SamlConnectorSpInfo samlProviderConfig={samlProviderConfig} />
+        </FormCard>
+        <FormCard
+          title="enterprise_sso_details.attribute_mapping_title"
+          description="enterprise_sso_details.attribute_mapping_description"
+        >
+          <SamlAttributeMapping samlProviderConfig={samlProviderConfig} />
+        </FormCard>
+      </DetailsForm>
+      <UnsavedChangesAlertModal hasUnsavedChanges={!isDeleted && isDirty} />
+    </FormProvider>
+  );
+}
+
+export default SamlConnectorForm;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/ParsedConfigPreview/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/ParsedConfigPreview/index.tsx
index d87cb96828f..4d7d57e47b1 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/ParsedConfigPreview/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/ParsedConfigPreview/index.tsx
@@ -1,5 +1,4 @@
 import { isLanguageTag } from '@logto/language-kit';
-import { type SsoProviderName } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 import classNames from 'classnames';
 import i18next from 'i18next';
@@ -7,12 +6,12 @@ import { useTranslation } from 'react-i18next';
 
 import CopyToClipboard from '@/ds-components/CopyToClipboard';
 import DynamicT from '@/ds-components/DynamicT';
-import { type ParsedSsoIdentityProviderConfig } from '@/pages/EnterpriseSso/types.js';
+import { type SamlProviderConfig } from '@/pages/EnterpriseSsoDetails/types/saml';
 
 import * as styles from './index.module.scss';
 
 type Props = {
-  identityProviderConfig: ParsedSsoIdentityProviderConfig<SsoProviderName.SAML>['identityProvider'];
+  identityProviderConfig: SamlProviderConfig['identityProvider'];
 };
 
 type CertificatePreviewProps = {
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/index.tsx
index be224324faa..254f8353d3f 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/SamlMetadataForm/index.tsx
@@ -1,4 +1,3 @@
-import { type SsoProviderName } from '@logto/schemas';
 import { useState } from 'react';
 import { useFormContext, Controller } from 'react-hook-form';
 import { useTranslation } from 'react-i18next';
@@ -7,10 +6,9 @@ import FormField from '@/ds-components/FormField';
 import InlineNotification from '@/ds-components/InlineNotification';
 import TextInput from '@/ds-components/TextInput';
 import {
-  type ParsedSsoIdentityProviderConfig,
-  type SamlGuideFormType,
-  type SsoConnectorConfig,
-} from '@/pages/EnterpriseSso/types.js';
+  type SamlConnectorConfig,
+  type SamlProviderConfig,
+} from '@/pages/EnterpriseSsoDetails/types/saml';
 import { uriValidator } from '@/utils/validator';
 
 import FileReader, { type Props as FileReaderProps } from '../FileReader';
@@ -20,17 +18,13 @@ import SwitchFormatButton, { FormFormat } from './SwitchFormatButton';
 import * as styles from './index.module.scss';
 
 type SamlMetadataFormFieldsProps = Pick<SamlMetadataFormProps, 'config'> & {
-  identityProviderConfig?: ParsedSsoIdentityProviderConfig<SsoProviderName.SAML>['identityProvider'];
+  identityProviderConfig?: SamlProviderConfig['identityProvider'];
   formFormat: FormFormat;
 };
 
-type SamlMetadataFormProps = {
-  config?: SsoConnectorConfig<SsoProviderName.SAML>;
-  providerConfig?: ParsedSsoIdentityProviderConfig<SsoProviderName.SAML>;
-};
+type FileValueKeyType = keyof Pick<SamlConnectorConfig, 'metadata' | 'x509Certificate'>; // I.e. 'metadata' | 'x509Certificate'.
 
-type KeyType = keyof Pick<SamlGuideFormType, 'metadata' | 'x509Certificate'>; // I.e. 'metadata' | 'x509Certificate'.
-const keyToAttributes: Record<KeyType, FileReaderProps['attributes']> = {
+const fileReaderAttributesMap: Record<FileValueKeyType, FileReaderProps['attributes']> = {
   // Accept xml file.
   metadata: {
     buttonTitle: 'enterprise_sso.metadata.saml.metadata_xml_uploader_text',
@@ -59,12 +53,13 @@ function SamlMetadataFormFields({
   config,
 }: SamlMetadataFormFieldsProps) {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
   const {
     setError,
     control,
     register,
     formState: { errors },
-  } = useFormContext<SamlGuideFormType>();
+  } = useFormContext<SamlConnectorConfig>();
 
   switch (formFormat) {
     case FormFormat.Manual: {
@@ -107,7 +102,7 @@ function SamlMetadataFormFields({
               render={({ field: { onChange, value } }) => (
                 <>
                   <FileReader
-                    attributes={keyToAttributes.x509Certificate}
+                    attributes={fileReaderAttributesMap.x509Certificate}
                     value={value}
                     fieldError={errors.x509Certificate}
                     setError={(error) => {
@@ -137,7 +132,7 @@ function SamlMetadataFormFields({
               name="metadata"
               render={({ field: { onChange, value } }) => (
                 <FileReader
-                  attributes={keyToAttributes.metadata}
+                  attributes={fileReaderAttributesMap.metadata}
                   value={value}
                   fieldError={errors.metadata}
                   setError={(error) => {
@@ -166,7 +161,7 @@ function SamlMetadataFormFields({
                 validate: (value) =>
                   !value || uriValidator(value) || t('errors.invalid_uri_format'),
               })}
-              error={Boolean(errors.metadataUrl)}
+              error={errors.metadataUrl?.message}
               placeholder="https://"
             />
             <div className={styles.description}>
@@ -187,10 +182,15 @@ function SamlMetadataFormFields({
   }
 }
 
+type SamlMetadataFormProps = {
+  config?: SamlConnectorConfig;
+  providerConfig?: SamlProviderConfig;
+};
+
 // Do not show inline notification and parsed config preview if it is on guide page.
 function SamlMetadataForm({ config, providerConfig }: SamlMetadataFormProps) {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
-  const { setValue } = useFormContext<SamlGuideFormType>();
+  const { setValue } = useFormContext<SamlConnectorConfig>();
   const identityProviderConfig = providerConfig?.identityProvider;
 
   const isConfigEmpty = !config || Object.keys(config).length === 0;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/OidcConnectorSpInfo.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/OidcConnectorSpInfo.tsx
new file mode 100644
index 00000000000..3a1b3704a38
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/OidcConnectorSpInfo.tsx
@@ -0,0 +1,30 @@
+import { useContext } from 'react';
+
+import { AppDataContext } from '@/contexts/AppDataProvider';
+import CopyToClipboard from '@/ds-components/CopyToClipboard';
+import FormField from '@/ds-components/FormField';
+import useCustomDomain from '@/hooks/use-custom-domain';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  ssoConnectorId: string;
+};
+
+function OidcConnectorSpInfo({ ssoConnectorId }: Props) {
+  const { tenantEndpoint } = useContext(AppDataContext);
+  const { applyDomain: applyCustomDomain } = useCustomDomain();
+
+  return (
+    <FormField title="enterprise_sso.basic_info.oidc.redirect_uri_field_name">
+      {/* Generated and passed in by Admin console. */}
+      <CopyToClipboard
+        className={styles.copyToClipboard}
+        variant="border"
+        value={applyCustomDomain(new URL(`/callback/${ssoConnectorId}`, tenantEndpoint).toString())}
+      />
+    </FormField>
+  );
+}
+
+export default OidcConnectorSpInfo;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/SamlConnectorSpInfo.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/SamlConnectorSpInfo.tsx
new file mode 100644
index 00000000000..c0de49f3ca4
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/SamlConnectorSpInfo.tsx
@@ -0,0 +1,48 @@
+import { conditionalString } from '@silverhand/essentials';
+
+import CopyToClipboard from '@/ds-components/CopyToClipboard';
+import FormField from '@/ds-components/FormField';
+import useCustomDomain from '@/hooks/use-custom-domain';
+
+import { type SamlProviderConfig } from '../../types/saml';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  samlProviderConfig?: SamlProviderConfig;
+};
+
+function SamlConnectorSpInfo({ samlProviderConfig }: Props) {
+  const { applyDomain: applyCustomDomain } = useCustomDomain();
+
+  /**
+   * Should not fallback to some other manually concatenated URL, show empty string instead.
+   * Empty string should never show up unless the API does not work properly.
+   */
+  return (
+    <>
+      <FormField title="enterprise_sso.basic_info.saml.acs_url_field_name">
+        <CopyToClipboard
+          className={styles.copyToClipboard}
+          variant="border"
+          value={conditionalString(
+            samlProviderConfig?.serviceProvider &&
+              applyCustomDomain(samlProviderConfig.serviceProvider.assertionConsumerServiceUrl)
+          )}
+        />
+      </FormField>
+      <FormField title="enterprise_sso.basic_info.saml.audience_uri_field_name">
+        <CopyToClipboard
+          className={styles.copyToClipboard}
+          variant="border"
+          value={conditionalString(
+            samlProviderConfig?.serviceProvider &&
+              applyCustomDomain(samlProviderConfig.serviceProvider.entityId)
+          )}
+        />
+      </FormField>
+    </>
+  );
+}
+
+export default SamlConnectorSpInfo;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/BasicInfo/index.module.scss b/packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/index.module.scss
similarity index 100%
rename from packages/console/src/pages/EnterpriseSsoDetails/Connection/BasicInfo/index.module.scss
rename to packages/console/src/pages/EnterpriseSsoDetails/Connection/ServiceProviderInfo/index.module.scss
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/index.tsx
index 0ce4f697182..37ccabbf05c 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/index.tsx
@@ -1,211 +1,39 @@
-import { SsoProviderName, type RequestErrorBody } from '@logto/schemas';
-import { conditional, type Optional } from '@silverhand/essentials';
-import cleanDeep from 'clean-deep';
-import { HTTPError } from 'ky';
-import { useEffect } from 'react';
-import { useForm, FormProvider, type Path } from 'react-hook-form';
-import { toast } from 'react-hot-toast';
-import { useTranslation } from 'react-i18next';
+import { SsoProviderType, type SsoConnectorWithProviderConfig } from '@logto/schemas';
 
-import DetailsForm from '@/components/DetailsForm';
-import FormCard from '@/components/FormCard';
-import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
-import useApi from '@/hooks/use-api';
-import {
-  type SsoConnectorWithProviderConfigWithGeneric,
-  type ParsedSsoIdentityProviderConfig,
-  type GuideFormType,
-  type SsoConnectorConfig,
-  type SamlGuideFormType,
-} from '@/pages/EnterpriseSso/types';
-import { trySubmitSafe } from '@/utils/form';
+import { type OidcSsoConnectorWithProviderConfig } from '../types/oidc';
+import { type SamlSsoConnectorWithProviderConfig } from '../types/saml';
 
-import BasicInfo from './BasicInfo';
-import OidcMetadataForm from './OidcMetadataForm';
-import SamlAttributeMapping from './SamlAttributeMapping';
-import SamlMetadataForm from './SamlMetadataForm';
-import * as styles from './index.module.scss';
+import OidcConnectorForm from './OidcConnectorForm';
+import SamlConnectorForm from './SamlConnectorForm';
 
-type Props<T extends SsoProviderName> = {
+type Props = {
   isDeleted: boolean;
-  data: SsoConnectorWithProviderConfigWithGeneric<T>;
-  onUpdated: (data: SsoConnectorWithProviderConfigWithGeneric<T>) => void;
+  data: SsoConnectorWithProviderConfig;
+  onUpdated: (data: SsoConnectorWithProviderConfig) => void;
 };
 
-const invalidConfigErrorCode = 'connector.invalid_config';
-const invalidMetadataErrorCode = 'connector.invalid_metadata';
-
-// This component contains only `data.config`.
-function Connection<T extends SsoProviderName>({ isDeleted, data, onUpdated }: Props<T>) {
-  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
-  const { id: ssoConnectorId, providerName, providerConfig, config } = data;
-
-  const api = useApi({ hideErrorToast: true });
-
-  const methods = useForm<GuideFormType<T>>();
-
-  const {
-    watch,
-    setError,
-    formState: { isSubmitting, isDirty },
-    handleSubmit,
-    reset,
-  } = methods;
-
-  useEffect(() => {
-    reset(config);
-  }, [config, reset]);
-
-  const onSubmit = handleSubmit(
-    trySubmitSafe(async (formData) => {
-      if (isSubmitting) {
-        return;
-      }
-
-      try {
-        const updatedSsoConnector = await api
-          // TODO: @darcyYe add console test case to remove attribute mapping config.
-          .patch(`api/sso-connectors/${ssoConnectorId}`, {
-            json: { config: cleanDeep(formData) },
-          })
-          .json<SsoConnectorWithProviderConfigWithGeneric<T>>();
-
-        toast.success(t('general.saved'));
-        onUpdated(updatedSsoConnector);
-
-        reset(updatedSsoConnector.config);
-      } catch (error: unknown) {
-        if (error instanceof HTTPError) {
-          const { response } = error;
-          const metadata = await response.clone().json<RequestErrorBody>();
-
-          // TODO: @darcyYe refactor the generic of `GuideFormType<T>`.
-          // Typescript can not infer the generic `GuideFormType<T>`, find a better way to deal with the types later.
-
-          if (metadata.code === invalidConfigErrorCode) {
-            // OIDC-based SSO connector's config only relies on the result of read from `issuer` field.
-            if (
-              [
-                SsoProviderName.OIDC,
-                SsoProviderName.GOOGLE_WORKSPACE,
-                SsoProviderName.OKTA,
-              ].includes(providerName)
-            ) {
-              // eslint-disable-next-line no-restricted-syntax
-              setError('issuer' as Path<GuideFormType<T>>, {
-                type: 'custom',
-                message: metadata.message,
-              });
-            }
+function isSamlProviderData(
+  data: SsoConnectorWithProviderConfig
+): data is SamlSsoConnectorWithProviderConfig {
+  return data.providerType === SsoProviderType.SAML;
+}
 
-            // OIDC-based config has been excluded in previous condition check.
-            // eslint-disable-next-line no-restricted-syntax
-            const formConfig = watch() as SamlGuideFormType;
-            const key =
-              conditional(formConfig.metadata && 'metadata') ??
-              conditional(formConfig.metadataUrl && 'metadataUrl');
-            if (key) {
-              // eslint-disable-next-line no-restricted-syntax
-              setError(key as Path<GuideFormType<T>>, {
-                type: 'custom',
-                message: metadata.message,
-              });
-            }
-          }
+function isOidcProviderData(
+  data: SsoConnectorWithProviderConfig
+): data is OidcSsoConnectorWithProviderConfig {
+  return data.providerType === SsoProviderType.OIDC;
+}
 
-          // Invalid metadata error only happens for SAML based SSO connectors, when trying to init IdP with XML-format metadata.
-          if (
-            metadata.code === invalidMetadataErrorCode &&
-            [SsoProviderName.SAML, SsoProviderName.AZURE_AD].includes(providerName)
-          ) {
-            // Typescript can not infer the generic of setError() path.
-            // eslint-disable-next-line no-restricted-syntax
-            const formConfig = watch() as SamlGuideFormType;
-            const key =
-              conditional(formConfig.metadata && 'metadata') ??
-              conditional(formConfig.metadataUrl && 'metadataUrl');
-            // eslint-disable-next-line no-restricted-syntax
-            setError(key as Path<GuideFormType<T>>, { type: 'custom', message: metadata.message });
-          }
-        }
+function Connection({ isDeleted, data, onUpdated }: Props) {
+  if (isSamlProviderData(data)) {
+    return <SamlConnectorForm isDeleted={isDeleted} data={data} onUpdated={onUpdated} />;
+  }
 
-        throw error;
-      }
-    })
-  );
+  if (isOidcProviderData(data)) {
+    return <OidcConnectorForm isDeleted={isDeleted} data={data} onUpdated={onUpdated} />;
+  }
 
-  return (
-    <FormProvider {...methods}>
-      <DetailsForm
-        isDirty={isDirty}
-        isSubmitting={isSubmitting}
-        onDiscard={reset}
-        onSubmit={onSubmit}
-      >
-        {[SsoProviderName.OIDC, SsoProviderName.GOOGLE_WORKSPACE, SsoProviderName.OKTA].includes(
-          providerName
-        ) ? (
-          <FormCard
-            title="enterprise_sso_details.upload_idp_metadata_title_oidc"
-            description="enterprise_sso_details.upload_idp_metadata_description_oidc"
-          >
-            {/* Can not infer the type by narrowing down the value of `providerName`, so we need to cast it. */}
-            <OidcMetadataForm
-              providerName={providerName}
-              // eslint-disable-next-line no-restricted-syntax
-              config={config as SsoConnectorConfig<SsoProviderName.OIDC>}
-              providerConfig={
-                // eslint-disable-next-line no-restricted-syntax
-                providerConfig as Optional<ParsedSsoIdentityProviderConfig<SsoProviderName.OIDC>>
-              }
-            />
-          </FormCard>
-        ) : (
-          <FormCard
-            title="enterprise_sso_details.upload_idp_metadata_title_saml"
-            description="enterprise_sso_details.upload_idp_metadata_description_saml"
-          >
-            {/* Can not infer the type by narrowing down the value of `providerName`, so we need to cast it. */}
-            {/* Modify spacing between form fields and switch button of SAML metadata form. */}
-            <div className={styles.samlMetadataForm}>
-              <SamlMetadataForm
-                // eslint-disable-next-line no-restricted-syntax
-                config={config as SsoConnectorConfig<SsoProviderName.SAML>}
-                providerConfig={
-                  // eslint-disable-next-line no-restricted-syntax
-                  providerConfig as Optional<ParsedSsoIdentityProviderConfig<SsoProviderName.SAML>>
-                }
-              />
-            </div>
-          </FormCard>
-        )}
-        <FormCard
-          title="enterprise_sso_details.service_provider_property_title"
-          description="enterprise_sso_details.service_provider_property_description"
-          descriptionInterpolation={{
-            protocol: [SsoProviderName.SAML, SsoProviderName.AZURE_AD].includes(providerName)
-              ? 'SAML 2.0'
-              : 'OIDC',
-          }}
-        >
-          <BasicInfo
-            ssoConnectorId={ssoConnectorId}
-            providerName={providerName}
-            providerConfig={providerConfig}
-          />
-        </FormCard>
-        {[SsoProviderName.SAML, SsoProviderName.AZURE_AD].includes(providerName) && (
-          <FormCard
-            title="enterprise_sso_details.attribute_mapping_title"
-            description="enterprise_sso_details.attribute_mapping_description"
-          >
-            <SamlAttributeMapping providerConfig={providerConfig} />
-          </FormCard>
-        )}
-      </DetailsForm>
-      <UnsavedChangesAlertModal hasUnsavedChanges={!isDeleted && isDirty} />
-    </FormProvider>
-  );
+  return null;
 }
 
 export default Connection;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/config.ts b/packages/console/src/pages/EnterpriseSsoDetails/config.ts
new file mode 100644
index 00000000000..00f44620e75
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/config.ts
@@ -0,0 +1,3 @@
+export const enterpriseSsoPathname = '/enterprise-sso';
+export const invalidConfigErrorCode = 'connector.invalid_config';
+export const invalidMetadataErrorCode = 'connector.invalid_metadata';
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/index.tsx
index a17228469c5..9351609be89 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/index.tsx
@@ -1,11 +1,9 @@
 import { withAppInsights } from '@logto/app-insights/react';
-import { type SsoProviderName, type SignInExperience } from '@logto/schemas';
+import { type SignInExperience, type SsoConnectorWithProviderConfig } from '@logto/schemas';
 import { pick } from '@silverhand/essentials';
 import { useEffect, useState } from 'react';
-import { toast } from 'react-hot-toast';
-import { useTranslation } from 'react-i18next';
 import { useLocation, useParams } from 'react-router-dom';
-import useSWR, { useSWRConfig } from 'swr';
+import useSWR from 'swr';
 
 import Delete from '@/assets/icons/delete.svg';
 import File from '@/assets/icons/file.svg';
@@ -19,52 +17,46 @@ import ConfirmModal from '@/ds-components/ConfirmModal';
 import DynamicT from '@/ds-components/DynamicT';
 import TabNav, { TabNavItem } from '@/ds-components/TabNav';
 import type { RequestError } from '@/hooks/use-api';
-import useApi from '@/hooks/use-api';
-import useTenantPathname from '@/hooks/use-tenant-pathname';
 import useUserAssetsService from '@/hooks/use-user-assets-service';
 
 import SsoConnectorLogo from '../EnterpriseSso/SsoConnectorLogo';
-import { type SsoConnectorWithProviderConfigWithGeneric } from '../EnterpriseSso/types';
 
 import Connection from './Connection';
 import Experience from './Experience';
 import SsoGuide from './SsoGuide';
+import { enterpriseSsoPathname } from './config';
 import * as styles from './index.module.scss';
+import useDeleteConnector from './use-delete-connector';
 
-const enterpriseSsoPathname = '/enterprise-sso';
 const getSsoConnectorDetailsPathname = (ssoConnectorId: string, tab: EnterpriseSsoDetailsTabs) =>
   `${enterpriseSsoPathname}/${ssoConnectorId}/${tab}`;
 
-function EnterpriseSsoConnectorDetails<T extends SsoProviderName>() {
+function EnterpriseSsoConnectorDetails() {
   const { pathname } = useLocation();
   const { ssoConnectorId, tab } = useParams();
-  const { mutate: mutateGlobal } = useSWRConfig();
 
-  const [isDeleted, setIsDeleted] = useState(false);
+  const { isDeleted, isDeleting, onDeleteHandler } = useDeleteConnector(ssoConnectorId);
+
   const [isReadmeOpen, setIsReadmeOpen] = useState(false);
 
   const { isLoading: isUserAssetServiceLoading } = useUserAssetsService();
+
   const { data: signInExperience, isLoading: isSignInExperienceLoading } =
     useSWR<SignInExperience>('api/sign-in-exp');
 
-  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
   const {
     data: ssoConnector,
     error: requestError,
     mutate,
     isLoading: isSsoConnectorLoading,
-  } = useSWR<SsoConnectorWithProviderConfigWithGeneric<T>, RequestError>(
+  } = useSWR<SsoConnectorWithProviderConfig, RequestError>(
     ssoConnectorId && `api/sso-connectors/${ssoConnectorId}`,
     { keepPreviousData: true }
   );
 
   const isLoading = isSsoConnectorLoading || isUserAssetServiceLoading || isSignInExperienceLoading;
 
-  const api = useApi();
-  const { navigate } = useTenantPathname();
-
   const [isDeleteAlertOpen, setIsDeleteAlertOpen] = useState(false);
-  const [isDeleting, setIsDeleting] = useState(false);
 
   const isDarkModeEnabled = signInExperience?.color.isDarkModeEnabled ?? false;
 
@@ -72,27 +64,6 @@ function EnterpriseSsoConnectorDetails<T extends SsoProviderName>() {
     setIsDeleteAlertOpen(false);
   }, [pathname]);
 
-  const handleDelete = async () => {
-    if (!ssoConnectorId || isDeleting) {
-      return;
-    }
-    setIsDeleting(true);
-
-    try {
-      await api
-        .delete(`api/sso-connectors/${ssoConnectorId}`)
-        .json<SsoConnectorWithProviderConfigWithGeneric<T>>();
-
-      setIsDeleted(true);
-
-      toast.success(t('enterprise_sso_details.enterprise_sso_deleted'));
-      await mutateGlobal('api/sso-connectors');
-      navigate(enterpriseSsoPathname, { replace: true });
-    } finally {
-      setIsDeleting(false);
-    }
-  };
-
   if (!ssoConnectorId) {
     return null;
   }
@@ -194,7 +165,7 @@ function EnterpriseSsoConnectorDetails<T extends SsoProviderName>() {
             onCancel={async () => {
               setIsDeleteAlertOpen(false);
             }}
-            onConfirm={handleDelete}
+            onConfirm={onDeleteHandler}
           >
             <DynamicT forKey="enterprise_sso_details.delete_confirm_modal_content" />
           </ConfirmModal>
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/types/oidc.ts b/packages/console/src/pages/EnterpriseSsoDetails/types/oidc.ts
new file mode 100644
index 00000000000..c366b5dfcbf
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/types/oidc.ts
@@ -0,0 +1,36 @@
+import { type SsoProviderType, type SsoConnectorWithProviderConfig } from '@logto/schemas';
+import { z } from 'zod';
+
+/* Oidc Connectors */
+export type OidcSsoConnectorWithProviderConfig = Omit<
+  SsoConnectorWithProviderConfig,
+  'providerType'
+> & {
+  providerType: SsoProviderType.OIDC;
+};
+
+/**
+ * All the following guards are copied from {@link @logto/core/packages/core/src/sso/types/oidc }
+ * @TODO: consider to move them to a shared package e.g. @logto/schemas
+ */
+
+export const oidcConnectorConfigGuard = z
+  .object({
+    clientId: z.string(),
+    clientSecret: z.string(),
+    issuer: z.string(),
+    scope: z.string().optional(),
+  })
+  .partial();
+
+export type OidcConnectorConfig = z.infer<typeof oidcConnectorConfigGuard>;
+
+export const oidcProviderConfigGuard = z.object({
+  authorizationEndpoint: z.string(),
+  tokenEndpoint: z.string(),
+  userinfoEndpoint: z.string(),
+  jwksUri: z.string(),
+  issuer: z.string(),
+});
+
+export type OidcProviderConfig = z.infer<typeof oidcProviderConfigGuard>;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/types/saml.ts b/packages/console/src/pages/EnterpriseSsoDetails/types/saml.ts
new file mode 100644
index 00000000000..0df2413638a
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/types/saml.ts
@@ -0,0 +1,64 @@
+import { type SsoConnectorWithProviderConfig, type SsoProviderType } from '@logto/schemas';
+import { z } from 'zod';
+
+/* Saml Connectors */
+export type SamlSsoConnectorWithProviderConfig = Omit<
+  SsoConnectorWithProviderConfig,
+  'providerType'
+> & {
+  providerType: SsoProviderType.SAML;
+};
+
+/**
+ * All the following guards are copied from {@link @logto/core/packages/core/src/sso/types/saml }
+ * @TODO: consider to move them to a shared package e.g. @logto/schemas
+ */
+const samlAttributeMappingGuard = z
+  .object({
+    id: z.string(),
+    email: z.string(),
+    name: z.string(),
+  })
+  .partial();
+
+type SamlAttributeMapping = z.infer<typeof samlAttributeMappingGuard>;
+
+export const samlAttributeKeys = Object.freeze(['id', 'email', 'name']) satisfies ReadonlyArray<
+  keyof SamlAttributeMapping
+>;
+
+// Guard the saml connector config data from the response of the API.
+export const samlConnectorConfigGuard = z
+  .object({
+    metadataUrl: z.string(),
+    metadata: z.string(),
+    signInEndpoint: z.string(),
+    entityId: z.string(),
+    x509Certificate: z.string(),
+    attributeMapping: samlAttributeMappingGuard,
+  })
+  .partial();
+
+export type SamlConnectorConfig = z.infer<typeof samlConnectorConfigGuard>;
+
+// Guard the saml provider config from the response of the API.
+const samlServiceProviderMetadataGuard = z.object({
+  entityId: z.string().min(1),
+  assertionConsumerServiceUrl: z.string().min(1),
+});
+
+const samlIdentityProviderMetadataGuard = z.object({
+  entityId: z.string(),
+  signInEndpoint: z.string(),
+  x509Certificate: z.string(),
+  certificateExpiresAt: z.number(), // Timestamp in milliseconds.
+  isCertificateValid: z.boolean(),
+});
+
+export const samlProviderConfigGuard = z.object({
+  defaultAttributeMapping: samlAttributeMappingGuard,
+  serviceProvider: samlServiceProviderMetadataGuard,
+  identityProvider: samlIdentityProviderMetadataGuard.optional(),
+});
+
+export type SamlProviderConfig = z.infer<typeof samlProviderConfigGuard>;
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/use-delete-connector.ts b/packages/console/src/pages/EnterpriseSsoDetails/use-delete-connector.ts
new file mode 100644
index 00000000000..15e1a1869b3
--- /dev/null
+++ b/packages/console/src/pages/EnterpriseSsoDetails/use-delete-connector.ts
@@ -0,0 +1,50 @@
+import { useCallback, useState } from 'react';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import { useSWRConfig } from 'swr';
+
+import useApi from '@/hooks/use-api';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+
+import { enterpriseSsoPathname } from './config';
+
+function useDeleteConnector(ssoConnectorId?: string) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const [isDeleted, setIsDeleted] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  const api = useApi();
+  const { mutate: mutateGlobal } = useSWRConfig();
+  const { navigate } = useTenantPathname();
+
+  const onDeleteHandler = useCallback(async () => {
+    if (!ssoConnectorId || isDeleting) {
+      return;
+    }
+
+    setIsDeleting(true);
+
+    try {
+      await api.delete(`api/sso-connectors/${ssoConnectorId}`);
+      setIsDeleted(true);
+
+      toast.success(t('enterprise_sso_details.enterprise_sso_deleted'));
+
+      // Reset the sso-connectors data to refresh the list.
+      await mutateGlobal('api/sso-connectors');
+
+      navigate(enterpriseSsoPathname, { replace: true });
+    } finally {
+      setIsDeleting(false);
+    }
+  }, [api, isDeleting, mutateGlobal, navigate, ssoConnectorId, t]);
+
+  return {
+    isDeleted,
+    isDeleting,
+    onDeleteHandler,
+  };
+}
+
+export default useDeleteConnector;
diff --git a/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.module.scss b/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.module.scss
new file mode 100644
index 00000000000..1adec369d2c
--- /dev/null
+++ b/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.module.scss
@@ -0,0 +1,11 @@
+@use '@/scss/underscore' as _;
+
+.filter {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+
+  .assignButton {
+    margin-left: _.unit(2);
+  }
+}
diff --git a/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.tsx b/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.tsx
new file mode 100644
index 00000000000..89ac8f32d27
--- /dev/null
+++ b/packages/console/src/pages/OrganizationRoleDetails/Permissions/index.tsx
@@ -0,0 +1,155 @@
+import { type OrganizationScope } from '@logto/schemas';
+import { useCallback, useMemo, useState } from 'react';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import Plus from '@/assets/icons/plus.svg';
+import ActionsButton from '@/components/ActionsButton';
+import Breakable from '@/components/Breakable';
+import EmptyDataPlaceholder from '@/components/EmptyDataPlaceholder';
+import ManageOrganizationPermissionModal from '@/components/ManageOrganizationPermissionModal';
+import Button from '@/ds-components/Button';
+import DynamicT from '@/ds-components/DynamicT';
+import Search from '@/ds-components/Search';
+import Table from '@/ds-components/Table';
+import Tag from '@/ds-components/Tag';
+import useApi, { type RequestError } from '@/hooks/use-api';
+import useSearchParametersWatcher from '@/hooks/use-search-parameters-watcher';
+
+import * as styles from './index.module.scss';
+
+const organizationRolesPath = 'api/organization-roles';
+
+type Props = {
+  organizationRoleId: string;
+};
+
+function Permissions({ organizationRoleId }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const api = useApi();
+
+  const { data, error, isLoading, mutate } = useSWR<OrganizationScope[], RequestError>(
+    `${organizationRolesPath}/${organizationRoleId}/scopes`
+  );
+
+  const [{ keyword }, updateSearchParameters] = useSearchParametersWatcher({
+    keyword: '',
+  });
+
+  const filteredData = useMemo(() => {
+    if (keyword) {
+      return data?.filter((roleScope) => roleScope.name.includes(keyword));
+    }
+    return data;
+  }, [data, keyword]);
+
+  const [editPermission, setEditPermission] = useState<OrganizationScope>();
+
+  const scopeRemoveHandler = useCallback(
+    (scopeToRemove: OrganizationScope) => async () => {
+      await api.put(`${organizationRolesPath}/${organizationRoleId}/scopes`, {
+        json: {
+          organizationScopeIds:
+            data?.filter((scope) => scope.id !== scopeToRemove.id).map(({ id }) => id) ?? [],
+        },
+      });
+      toast.success(
+        t('organization_role_details.permissions.removed', { name: scopeToRemove.name })
+      );
+      void mutate();
+    },
+    [api, data, mutate, organizationRoleId, t]
+  );
+
+  return (
+    <>
+      <Table
+        rowGroups={[{ key: 'organizationRolePermissions', data: filteredData }]}
+        rowIndexKey="id"
+        columns={[
+          {
+            title: <DynamicT forKey="organization_role_details.permissions.name_column" />,
+            dataIndex: 'name',
+            colSpan: 7,
+            render: ({ name }) => {
+              return (
+                <Tag variant="cell">
+                  <Breakable>{name}</Breakable>
+                </Tag>
+              );
+            },
+          },
+          {
+            title: <DynamicT forKey="organization_role_details.permissions.description_column" />,
+            dataIndex: 'description',
+            colSpan: 8,
+            render: ({ description }) => <Breakable>{description ?? '-'}</Breakable>,
+          },
+          {
+            title: null,
+            dataIndex: 'action',
+            colSpan: 1,
+            render: (scope) => (
+              <ActionsButton
+                fieldName="organization_role_details.permissions.name_column"
+                deleteConfirmation="organization_role_details.permissions.remove_confirmation"
+                textOverrides={{
+                  delete: 'organization_role_details.permissions.remove_permission',
+                  deleteConfirmation: 'general.remove',
+                }}
+                onEdit={() => {
+                  setEditPermission(scope);
+                }}
+                onDelete={async () => {
+                  await scopeRemoveHandler(scope)();
+                }}
+              />
+            ),
+          },
+        ]}
+        filter={
+          <div className={styles.filter}>
+            <Search
+              isClearable={Boolean(keyword)}
+              placeholder={t('organization_template.permissions.search_placeholder')}
+              defaultValue={keyword}
+              onSearch={(keyword) => {
+                if (keyword) {
+                  updateSearchParameters({ keyword });
+                }
+              }}
+              onClearSearch={() => {
+                updateSearchParameters({ keyword: '' });
+              }}
+            />
+            <Button
+              title="organization_role_details.permissions.assign_permissions"
+              className={styles.assignButton}
+              type="primary"
+              icon={<Plus />}
+              onClick={() => {
+                // Todo @xiaoyijun Assign permissions to org role
+              }}
+            />
+          </div>
+        }
+        placeholder={<EmptyDataPlaceholder />}
+        isLoading={isLoading}
+        errorMessage={error?.body?.message ?? error?.message}
+        onRetry={async () => mutate(undefined, true)}
+      />
+      {editPermission && (
+        <ManageOrganizationPermissionModal
+          data={editPermission}
+          onClose={() => {
+            setEditPermission(undefined);
+            void mutate();
+          }}
+        />
+      )}
+    </>
+  );
+}
+
+export default Permissions;
diff --git a/packages/console/src/pages/OrganizationRoleDetails/Settings/index.tsx b/packages/console/src/pages/OrganizationRoleDetails/Settings/index.tsx
new file mode 100644
index 00000000000..70615c58ff1
--- /dev/null
+++ b/packages/console/src/pages/OrganizationRoleDetails/Settings/index.tsx
@@ -0,0 +1,78 @@
+import { type OrganizationRole } from '@logto/schemas';
+import { useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+
+import DetailsForm from '@/components/DetailsForm';
+import FormCard from '@/components/FormCard';
+import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
+import { organizationRoleLink } from '@/consts';
+import FormField from '@/ds-components/FormField';
+import TextInput from '@/ds-components/TextInput';
+import useApi from '@/hooks/use-api';
+import useDocumentationUrl from '@/hooks/use-documentation-url';
+import { trySubmitSafe } from '@/utils/form';
+
+type Props = {
+  data: OrganizationRole;
+  onUpdate: (updatedData: OrganizationRole) => void;
+};
+
+function Settings({ data, onUpdate }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { getDocumentationUrl } = useDocumentationUrl();
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors, isDirty, isSubmitting },
+  } = useForm<OrganizationRole>({ defaultValues: data });
+
+  const api = useApi();
+
+  const onSubmit = handleSubmit(
+    trySubmitSafe(async (formData) => {
+      const updatedData = await api
+        .patch(`api/organization-roles/${data.id}`, { json: formData })
+        .json<OrganizationRole>();
+      reset(updatedData);
+      onUpdate(updatedData);
+      toast.success(t('general.saved'));
+    })
+  );
+
+  return (
+    <DetailsForm
+      isDirty={isDirty}
+      isSubmitting={isSubmitting}
+      onSubmit={onSubmit}
+      onDiscard={reset}
+    >
+      <FormCard
+        title="organization_role_details.general.settings"
+        description="organization_role_details.general.description"
+        learnMoreLink={{
+          href: getDocumentationUrl(organizationRoleLink),
+          targetBlank: 'noopener',
+        }}
+      >
+        <FormField isRequired title="organization_role_details.general.name_field">
+          <TextInput
+            placeholder="viewer"
+            error={Boolean(errors.name)}
+            {...register('name', { required: true })}
+          />
+        </FormField>
+        <FormField title="organization_role_details.general.description_field">
+          <TextInput
+            placeholder={t('organization_role_details.general.description_field_placeholder')}
+            {...register('description')}
+          />
+        </FormField>
+      </FormCard>
+      <UnsavedChangesAlertModal hasUnsavedChanges={isDirty} />
+    </DetailsForm>
+  );
+}
+
+export default Settings;
diff --git a/packages/console/src/pages/OrganizationRoleDetails/index.tsx b/packages/console/src/pages/OrganizationRoleDetails/index.tsx
new file mode 100644
index 00000000000..9abcfcfdd8d
--- /dev/null
+++ b/packages/console/src/pages/OrganizationRoleDetails/index.tsx
@@ -0,0 +1,126 @@
+import { withAppInsights } from '@logto/app-insights/react/AppInsightsReact';
+import { type OrganizationRole } from '@logto/schemas';
+import { useState } from 'react';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import { Navigate, Route, Routes, useParams } from 'react-router-dom';
+import useSWR, { useSWRConfig } from 'swr';
+
+import Delete from '@/assets/icons/delete.svg';
+import OrgRoleIcon from '@/assets/icons/role-feature.svg';
+import DetailsPage from '@/components/DetailsPage';
+import DetailsPageHeader from '@/components/DetailsPage/DetailsPageHeader';
+import PageMeta from '@/components/PageMeta';
+import ThemedIcon from '@/components/ThemedIcon';
+import { OrganizationRoleDetailsTabs, OrganizationTemplateTabs } from '@/consts';
+import ConfirmModal from '@/ds-components/ConfirmModal';
+import DynamicT from '@/ds-components/DynamicT';
+import TabNav, { TabNavItem } from '@/ds-components/TabNav';
+import useApi, { type RequestError } from '@/hooks/use-api';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+
+import Permissions from './Permissions';
+import Settings from './Settings';
+
+const orgRolesPath = `/organization-template/${OrganizationTemplateTabs.OrganizationRoles}`;
+
+function OrganizationRoleDetails() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const { id } = useParams();
+  const { navigate } = useTenantPathname();
+
+  const { data, error, mutate, isLoading } = useSWR<OrganizationRole, RequestError>(
+    id && `api/organization-roles/${id}`
+  );
+  const api = useApi();
+  const { mutate: mutateGlobal } = useSWRConfig();
+  const [isDeletionAlertOpen, setIsDeletionAlertOpen] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  const handleDelete = async () => {
+    if (!data) {
+      return;
+    }
+
+    setIsDeleting(true);
+
+    try {
+      await api.delete(`api/organization-roles/${data.id}`);
+      toast.success(t('organization_role_details.deleted', { name: data.name }));
+      await mutateGlobal('api/roles');
+      navigate(orgRolesPath, { replace: true });
+    } finally {
+      setIsDeleting(false);
+    }
+  };
+
+  return (
+    <DetailsPage
+      backLink={orgRolesPath}
+      backLinkTitle="organization_role_details.back_to_org_roles"
+      isLoading={isLoading}
+      error={error}
+      onRetry={mutate}
+    >
+      <PageMeta titleKey="organization_role_details.page_title" />
+      {data && (
+        <>
+          <DetailsPageHeader
+            icon={<ThemedIcon for={OrgRoleIcon} size={60} />}
+            title={data.name}
+            primaryTag={t('organization_role_details.org_role')}
+            identifier={{ name: 'ID', value: data.id }}
+            actionMenuItems={[
+              {
+                title: 'general.delete',
+                icon: <Delete />,
+                type: 'danger',
+                onClick: () => {
+                  setIsDeletionAlertOpen(true);
+                },
+              },
+            ]}
+          />
+          <ConfirmModal
+            isOpen={isDeletionAlertOpen}
+            isLoading={isDeleting}
+            confirmButtonText="general.delete"
+            onCancel={() => {
+              setIsDeletionAlertOpen(false);
+            }}
+            onConfirm={handleDelete}
+          >
+            <DynamicT forKey="organization_role_details.delete_confirm" />
+          </ConfirmModal>
+          <TabNav>
+            <TabNavItem
+              href={`${orgRolesPath}/${data.id}/${OrganizationRoleDetailsTabs.Permissions}`}
+            >
+              <DynamicT forKey="organization_role_details.permissions.tab" />
+            </TabNavItem>
+            <TabNavItem href={`${orgRolesPath}/${data.id}/${OrganizationRoleDetailsTabs.General}`}>
+              <DynamicT forKey="organization_role_details.general.tab" />
+            </TabNavItem>
+          </TabNav>
+          <Routes>
+            <Route
+              index
+              element={<Navigate replace to={OrganizationRoleDetailsTabs.Permissions} />}
+            />
+            <Route
+              path={OrganizationRoleDetailsTabs.Permissions}
+              element={<Permissions organizationRoleId={data.id} />}
+            />
+            <Route
+              path={OrganizationRoleDetailsTabs.General}
+              element={<Settings data={data} onUpdate={mutate} />}
+            />
+          </Routes>
+        </>
+      )}
+    </DetailsPage>
+  );
+}
+
+export default withAppInsights(OrganizationRoleDetails);
diff --git a/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.module.scss b/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.module.scss
new file mode 100644
index 00000000000..59e6e65b106
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.module.scss
@@ -0,0 +1,11 @@
+@use '@/scss/underscore' as _;
+
+.filter {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+
+  .createButton {
+    margin-left: _.unit(2);
+  }
+}
diff --git a/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.tsx b/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.tsx
new file mode 100644
index 00000000000..d8343c0bd2b
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/OrganizationPermissions/index.tsx
@@ -0,0 +1,156 @@
+import { type OrganizationScope } from '@logto/schemas';
+import { type Nullable, cond } from '@silverhand/essentials';
+import { useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import Plus from '@/assets/icons/plus.svg';
+import PermissionsEmptyDark from '@/assets/images/permissions-empty-dark.svg';
+import PermissionsEmpty from '@/assets/images/permissions-empty.svg';
+import ActionsButton from '@/components/ActionsButton';
+import Breakable from '@/components/Breakable';
+import EmptyDataPlaceholder from '@/components/EmptyDataPlaceholder';
+import ManageOrganizationPermissionModal from '@/components/ManageOrganizationPermissionModal';
+import { organizationPermissionLink } from '@/consts';
+import Button from '@/ds-components/Button';
+import DynamicT from '@/ds-components/DynamicT';
+import Search from '@/ds-components/Search';
+import Table from '@/ds-components/Table';
+import TablePlaceholder from '@/ds-components/Table/TablePlaceholder';
+import Tag from '@/ds-components/Tag';
+import useApi, { type RequestError } from '@/hooks/use-api';
+import useDocumentationUrl from '@/hooks/use-documentation-url';
+import useSearchParametersWatcher from '@/hooks/use-search-parameters-watcher';
+import { buildUrl, formatSearchKeyword } from '@/utils/url';
+
+import * as styles from './index.module.scss';
+
+function OrganizationPermissions() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { getDocumentationUrl } = useDocumentationUrl();
+  const [{ keyword }, updateSearchParameters] = useSearchParametersWatcher({
+    keyword: '',
+  });
+
+  const { data, error, mutate, isLoading } = useSWR<OrganizationScope[], RequestError>(
+    buildUrl('api/organization-scopes', {
+      ...cond(keyword && { q: formatSearchKeyword(keyword) }),
+    })
+  );
+
+  const api = useApi();
+
+  const [permissionModalData, setPermissionModalData] = useState<Nullable<OrganizationScope>>();
+
+  return (
+    <>
+      <Table
+        rowGroups={[{ key: 'organizationPermissions', data }]}
+        rowIndexKey="id"
+        columns={[
+          {
+            title: <DynamicT forKey="organization_template.permissions.permission_column" />,
+            dataIndex: 'name',
+            colSpan: 7,
+            render: ({ name }) => {
+              return (
+                <Tag variant="cell">
+                  <Breakable>{name}</Breakable>
+                </Tag>
+              );
+            },
+          },
+          {
+            title: <DynamicT forKey="organization_template.permissions.description_column" />,
+            dataIndex: 'scopes',
+            colSpan: 8,
+            render: ({ description }) => <Breakable>{description ?? '-'}</Breakable>,
+          },
+          {
+            title: null,
+            dataIndex: 'action',
+            colSpan: 1,
+            render: (scope) => (
+              <ActionsButton
+                fieldName="organization_template.permissions.permission_column"
+                deleteConfirmation="organization_template.permissions.delete_confirm"
+                onEdit={() => {
+                  setPermissionModalData(scope);
+                }}
+                onDelete={async () => {
+                  await api.delete(`api/organization-scopes/${scope.id}`);
+                  void mutate();
+                }}
+              />
+            ),
+          },
+        ]}
+        filter={
+          <div className={styles.filter}>
+            <Search
+              placeholder={t('organization_template.permissions.search_placeholder')}
+              defaultValue={keyword}
+              isClearable={Boolean(keyword)}
+              onSearch={(keyword) => {
+                updateSearchParameters({ keyword });
+              }}
+              onClearSearch={() => {
+                updateSearchParameters({ keyword: '' });
+              }}
+            />
+            <Button
+              title="organization_template.permissions.create_org_permission"
+              className={styles.createButton}
+              type="primary"
+              icon={<Plus />}
+              onClick={() => {
+                setPermissionModalData(null);
+              }}
+            />
+          </div>
+        }
+        placeholder={
+          keyword ? (
+            <EmptyDataPlaceholder />
+          ) : (
+            <TablePlaceholder
+              image={<PermissionsEmpty />}
+              imageDark={<PermissionsEmptyDark />}
+              title="organization_template.permissions.placeholder_title"
+              description="organization_template.permissions.placeholder_description"
+              learnMoreLink={{
+                href: getDocumentationUrl(organizationPermissionLink),
+                targetBlank: 'noopener',
+              }}
+              action={
+                <Button
+                  title="organization_template.permissions.create_org_permission"
+                  type="primary"
+                  size="large"
+                  icon={<Plus />}
+                  onClick={() => {
+                    setPermissionModalData(null);
+                  }}
+                />
+              }
+            />
+          )
+        }
+        isLoading={isLoading}
+        errorMessage={error?.body?.message ?? error?.message}
+        onRetry={async () => mutate(undefined, true)}
+      />
+      {permissionModalData !== undefined && (
+        <ManageOrganizationPermissionModal
+          data={permissionModalData}
+          onClose={() => {
+            setPermissionModalData(undefined);
+            void mutate();
+          }}
+        />
+      )}
+    </>
+  );
+}
+
+export default OrganizationPermissions;
diff --git a/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/CreateOrganizationRoleModal.tsx b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/CreateOrganizationRoleModal.tsx
new file mode 100644
index 00000000000..6978a1f741f
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/CreateOrganizationRoleModal.tsx
@@ -0,0 +1,86 @@
+import { type OrganizationRole } from '@logto/schemas';
+import { useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import ReactModal from 'react-modal';
+
+import Button from '@/ds-components/Button';
+import FormField from '@/ds-components/FormField';
+import ModalLayout from '@/ds-components/ModalLayout';
+import TextInput from '@/ds-components/TextInput';
+import useApi from '@/hooks/use-api';
+import * as modalStyles from '@/scss/modal.module.scss';
+import { trySubmitSafe } from '@/utils/form';
+
+type FormData = Pick<OrganizationRole, 'name' | 'description'>;
+
+type Props = {
+  onClose: (createdOrganizationRole?: OrganizationRole) => void;
+};
+
+function CreateOrganizationRoleModal({ onClose }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const {
+    register,
+    formState: { errors, isSubmitting },
+    handleSubmit,
+  } = useForm<FormData>();
+
+  const api = useApi();
+
+  const submit = handleSubmit(
+    trySubmitSafe(async (formData) => {
+      const createdData = await api
+        .post('api/organization-roles', { json: formData })
+        .json<OrganizationRole>();
+      toast.success(
+        t('organization_template.roles.create_modal.created', { name: createdData.name })
+      );
+      onClose(createdData);
+    })
+  );
+
+  return (
+    <ReactModal
+      isOpen
+      className={modalStyles.content}
+      overlayClassName={modalStyles.overlay}
+      onRequestClose={() => {
+        onClose();
+      }}
+    >
+      <ModalLayout
+        title="organization_template.roles.create_modal.title"
+        footer={
+          <Button
+            type="primary"
+            title="organization_template.roles.create_modal.create"
+            isLoading={isSubmitting}
+            onClick={submit}
+          />
+        }
+        onClose={onClose}
+      >
+        <FormField isRequired title="organization_template.roles.create_modal.name_field">
+          <TextInput
+            // eslint-disable-next-line jsx-a11y/no-autofocus
+            autoFocus
+            placeholder="viewer"
+            error={Boolean(errors.name)}
+            {...register('name', { required: true })}
+          />
+        </FormField>
+        <FormField title="organization_template.permissions.description_field_name">
+          <TextInput
+            placeholder={t('organization_role_details.general.description_field_placeholder')}
+            error={Boolean(errors.description)}
+            {...register('description')}
+          />
+        </FormField>
+      </ModalLayout>
+    </ReactModal>
+  );
+}
+
+export default CreateOrganizationRoleModal;
diff --git a/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.module.scss b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.module.scss
new file mode 100644
index 00000000000..da411ee4af3
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.module.scss
@@ -0,0 +1,13 @@
+@use '@/scss/underscore' as _;
+
+.permissions {
+  display: flex;
+  flex-wrap: wrap;
+  gap: _.unit(2);
+}
+
+.filter {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+}
diff --git a/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.tsx b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.tsx
new file mode 100644
index 00000000000..18b093b0ebe
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/OrganizationRoles/index.tsx
@@ -0,0 +1,168 @@
+import { type OrganizationRoleWithScopes } from '@logto/schemas';
+import { cond } from '@silverhand/essentials';
+import { useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import Plus from '@/assets/icons/plus.svg';
+import OrgRoleIcon from '@/assets/icons/role-feature.svg';
+import RolesEmptyDark from '@/assets/images/roles-empty-dark.svg';
+import RolesEmpty from '@/assets/images/roles-empty.svg';
+import Breakable from '@/components/Breakable';
+import EmptyDataPlaceholder from '@/components/EmptyDataPlaceholder';
+import ItemPreview from '@/components/ItemPreview';
+import ThemedIcon from '@/components/ThemedIcon';
+import { defaultPageSize, organizationRoleLink } from '@/consts';
+import Button from '@/ds-components/Button';
+import DynamicT from '@/ds-components/DynamicT';
+import Search from '@/ds-components/Search';
+import Table from '@/ds-components/Table';
+import TablePlaceholder from '@/ds-components/Table/TablePlaceholder';
+import Tag from '@/ds-components/Tag';
+import { type RequestError } from '@/hooks/use-api';
+import useDocumentationUrl from '@/hooks/use-documentation-url';
+import useSearchParametersWatcher from '@/hooks/use-search-parameters-watcher';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+import { buildUrl, formatSearchKeyword } from '@/utils/url';
+
+import CreateOrganizationRoleModal from './CreateOrganizationRoleModal';
+import * as styles from './index.module.scss';
+
+function OrganizationRoles() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { getDocumentationUrl } = useDocumentationUrl();
+  const { navigate } = useTenantPathname();
+  const [{ page, keyword }, updateSearchParameters] = useSearchParametersWatcher({
+    page: 1,
+    keyword: '',
+  });
+
+  const { data, error, mutate, isLoading } = useSWR<
+    [OrganizationRoleWithScopes[], number],
+    RequestError
+  >(
+    buildUrl('api/organization-roles', {
+      page: String(page),
+      page_size: String(defaultPageSize),
+      ...cond(keyword && { q: formatSearchKeyword(keyword) }),
+    })
+  );
+
+  const [orgRoles, totalCount] = data ?? [];
+
+  const [isCreateModalOpen, setIsCreateModalOpen] = useState(false);
+
+  return (
+    <>
+      <Table
+        rowGroups={[{ key: 'organizationRoles', data: orgRoles }]}
+        rowIndexKey="id"
+        columns={[
+          {
+            title: <DynamicT forKey="organization_template.roles.role_column" />,
+            dataIndex: 'name',
+            colSpan: 4,
+            render: ({ id, name }) => {
+              return <ItemPreview title={name} icon={<ThemedIcon for={OrgRoleIcon} />} to={id} />;
+            },
+          },
+          {
+            title: <DynamicT forKey="organization_template.roles.permissions_column" />,
+            dataIndex: 'scopes',
+            colSpan: 12,
+            render: ({ scopes }) => {
+              return scopes.length === 0 ? (
+                '-'
+              ) : (
+                <div className={styles.permissions}>
+                  {scopes.map(({ id, name }) => (
+                    <Tag key={id} variant="cell">
+                      <Breakable>{name}</Breakable>
+                    </Tag>
+                  ))}
+                </div>
+              );
+            },
+          },
+        ]}
+        rowClickHandler={({ id }) => {
+          navigate(id);
+        }}
+        filter={
+          <div className={styles.filter}>
+            <Search
+              placeholder={t('organization_template.roles.search_placeholder')}
+              defaultValue={keyword}
+              isClearable={Boolean(keyword)}
+              onSearch={(keyword) => {
+                updateSearchParameters({ keyword });
+              }}
+              onClearSearch={() => {
+                updateSearchParameters({ keyword: '' });
+              }}
+            />
+            <Button
+              title="organization_template.roles.create_title"
+              type="primary"
+              icon={<Plus />}
+              onClick={() => {
+                setIsCreateModalOpen(true);
+              }}
+            />
+          </div>
+        }
+        placeholder={
+          keyword ? (
+            <EmptyDataPlaceholder />
+          ) : (
+            <TablePlaceholder
+              image={<RolesEmpty />}
+              imageDark={<RolesEmptyDark />}
+              title="organization_template.roles.placeholder_title"
+              description="organization_template.roles.placeholder_description"
+              learnMoreLink={{
+                href: getDocumentationUrl(organizationRoleLink),
+                targetBlank: 'noopener',
+              }}
+              action={
+                <Button
+                  title="organization_template.roles.create_title"
+                  type="primary"
+                  size="large"
+                  icon={<Plus />}
+                  onClick={() => {
+                    setIsCreateModalOpen(true);
+                  }}
+                />
+              }
+            />
+          )
+        }
+        pagination={{
+          page,
+          totalCount,
+          pageSize: defaultPageSize,
+          onChange: (page) => {
+            updateSearchParameters({ page });
+          },
+        }}
+        isLoading={isLoading}
+        errorMessage={error?.body?.message ?? error?.message}
+        onRetry={async () => mutate(undefined, true)}
+      />
+      {isCreateModalOpen && (
+        <CreateOrganizationRoleModal
+          onClose={(createdRole) => {
+            setIsCreateModalOpen(false);
+            if (createdRole) {
+              void mutate();
+              navigate(createdRole.id);
+            }
+          }}
+        />
+      )}
+    </>
+  );
+}
+
+export default OrganizationRoles;
diff --git a/packages/console/src/pages/OrganizationTemplate/index.module.scss b/packages/console/src/pages/OrganizationTemplate/index.module.scss
new file mode 100644
index 00000000000..386849176e3
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/index.module.scss
@@ -0,0 +1,8 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  > *:not(:first-child) {
+    margin-top: _.unit(4);
+  }
+}
+
diff --git a/packages/console/src/pages/OrganizationTemplate/index.tsx b/packages/console/src/pages/OrganizationTemplate/index.tsx
new file mode 100644
index 00000000000..d03abdf24e1
--- /dev/null
+++ b/packages/console/src/pages/OrganizationTemplate/index.tsx
@@ -0,0 +1,71 @@
+import { withAppInsights } from '@logto/app-insights/react/AppInsightsReact';
+import classNames from 'classnames';
+import { useState } from 'react';
+import { Outlet } from 'react-router-dom';
+
+import Research from '@/assets/icons/research.svg';
+import Drawer from '@/components/Drawer';
+import PageMeta from '@/components/PageMeta';
+import { OrganizationTemplateTabs, organizationTemplateLink } from '@/consts';
+import Button from '@/ds-components/Button';
+import CardTitle from '@/ds-components/CardTitle';
+import DynamicT from '@/ds-components/DynamicT';
+import TabNav, { TabNavItem } from '@/ds-components/TabNav';
+import useDocumentationUrl from '@/hooks/use-documentation-url';
+import * as pageLayout from '@/scss/page-layout.module.scss';
+
+import Introduction from '../Organizations/Guide/Introduction';
+
+import * as styles from './index.module.scss';
+
+const basePathname = '/organization-template';
+
+function OrganizationTemplate() {
+  const { getDocumentationUrl } = useDocumentationUrl();
+  const [isGuideDrawerOpen, setIsGuideDrawerOpen] = useState(false);
+
+  return (
+    <div className={classNames(pageLayout.container, styles.container)}>
+      <PageMeta titleKey="organization_template.title" />
+      <div className={pageLayout.headline}>
+        <CardTitle
+          title="organization_template.title"
+          subtitle="organization_template.subtitle"
+          learnMoreLink={{
+            href: getDocumentationUrl(organizationTemplateLink),
+            targetBlank: 'noopener',
+          }}
+        />
+        <Button
+          icon={<Research />}
+          title="application_details.check_guide"
+          type="outline"
+          onClick={() => {
+            setIsGuideDrawerOpen(true);
+          }}
+        />
+        <Drawer
+          title="organizations.guide.title"
+          subtitle="organizations.guide.subtitle"
+          isOpen={isGuideDrawerOpen}
+          onClose={() => {
+            setIsGuideDrawerOpen(false);
+          }}
+        >
+          <Introduction isReadonly />
+        </Drawer>
+      </div>
+      <TabNav>
+        <TabNavItem href={`${basePathname}/${OrganizationTemplateTabs.OrganizationRoles}`}>
+          <DynamicT forKey="organization_template.roles.tab_name" />
+        </TabNavItem>
+        <TabNavItem href={`${basePathname}/${OrganizationTemplateTabs.OrganizationPermissions}`}>
+          <DynamicT forKey="organization_template.permissions.tab_name" />
+        </TabNavItem>
+      </TabNav>
+      <Outlet />
+    </div>
+  );
+}
+
+export default withAppInsights(OrganizationTemplate);
diff --git a/packages/console/src/pages/RoleDetails/RolePermissions/index.tsx b/packages/console/src/pages/RoleDetails/RolePermissions/index.tsx
index 07423446bf0..5698ccf84c1 100644
--- a/packages/console/src/pages/RoleDetails/RolePermissions/index.tsx
+++ b/packages/console/src/pages/RoleDetails/RolePermissions/index.tsx
@@ -1,4 +1,4 @@
-import type { Scope, ScopeResponse } from '@logto/schemas';
+import type { ScopeResponse } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 import { useState } from 'react';
 import { toast } from 'react-hot-toast';
@@ -8,7 +8,6 @@ import useSWR from 'swr';
 
 import PermissionsTable from '@/components/PermissionsTable';
 import { defaultPageSize } from '@/consts';
-import ConfirmModal from '@/ds-components/ConfirmModal';
 import type { RequestError } from '@/hooks/use-api';
 import useApi from '@/hooks/use-api';
 import useSearchParametersWatcher from '@/hooks/use-search-parameters-watcher';
@@ -46,27 +45,13 @@ function RolePermissions() {
   const [scopes, totalCount] = data ?? [];
 
   const [isAssignPermissionsModalOpen, setIsAssignPermissionsModalOpen] = useState(false);
-  const [scopeToBeDeleted, setScopeToBeDeleted] = useState<Scope>();
-  const [isDeleting, setIsDeleting] = useState(false);
 
   const api = useApi();
 
-  const handleDelete = async () => {
-    if (!scopeToBeDeleted || isDeleting) {
-      return;
-    }
-    setIsDeleting(true);
-
-    try {
-      await api.delete(`api/roles/${roleId}/scopes/${scopeToBeDeleted.id}`);
-      toast.success(
-        t('role_details.permission.permission_deleted', { name: scopeToBeDeleted.name })
-      );
-      await mutate();
-      setScopeToBeDeleted(undefined);
-    } finally {
-      setIsDeleting(false);
-    }
+  const handleDelete = async (scope: ScopeResponse) => {
+    await api.delete(`api/roles/${roleId}/scopes/${scope.id}`);
+    toast.success(t('role_details.permission.permission_deleted', { name: scope.name }));
+    await mutate();
   };
 
   return (
@@ -76,11 +61,15 @@ function RolePermissions() {
         scopes={scopes}
         isLoading={isLoading}
         createButtonTitle="role_details.permission.assign_button"
-        deleteButtonTitle="general.remove"
+        deletionText={{
+          actionButton: 'permissions.remove',
+          confirmation: 'role_details.permission.deletion_description',
+          confirmButton: 'general.remove',
+        }}
         createHandler={() => {
           setIsAssignPermissionsModalOpen(true);
         }}
-        deleteHandler={setScopeToBeDeleted}
+        deleteHandler={handleDelete}
         errorMessage={error?.body?.message ?? error?.message}
         retryHandler={async () => mutate(undefined, true)}
         pagination={{
@@ -100,20 +89,8 @@ function RolePermissions() {
             updateSearchParameters({ keyword: '', page: 1 });
           },
         }}
+        onPermissionUpdated={mutate}
       />
-      {scopeToBeDeleted && (
-        <ConfirmModal
-          isOpen
-          isLoading={isDeleting}
-          confirmButtonText="general.remove"
-          onCancel={() => {
-            setScopeToBeDeleted(undefined);
-          }}
-          onConfirm={handleDelete}
-        >
-          {t('role_details.permission.deletion_description')}
-        </ConfirmModal>
-      )}
       {isAssignPermissionsModalOpen && totalCount !== undefined && (
         <AssignPermissionsModal
           roleId={roleId}
diff --git a/packages/console/src/pages/Roles/components/AssignToRoleModal/index.tsx b/packages/console/src/pages/Roles/components/AssignToRoleModal/index.tsx
index e7b93fb9712..9d6197c06a7 100644
--- a/packages/console/src/pages/Roles/components/AssignToRoleModal/index.tsx
+++ b/packages/console/src/pages/Roles/components/AssignToRoleModal/index.tsx
@@ -1,4 +1,4 @@
-import type { RoleResponse, User, Application } from '@logto/schemas';
+import type { RoleResponse, UserProfileResponse, Application } from '@logto/schemas';
 import { RoleType } from '@logto/schemas';
 import { useState } from 'react';
 import { toast } from 'react-hot-toast';
@@ -15,7 +15,7 @@ import { getUserTitle } from '@/utils/user';
 
 type Props =
   | {
-      entity: User;
+      entity: UserProfileResponse;
       onClose: (success?: boolean) => void;
       type: RoleType.User;
     }
diff --git a/packages/console/src/pages/Roles/components/CreateRoleModal/index.tsx b/packages/console/src/pages/Roles/components/CreateRoleModal/index.tsx
index 745b19cb620..1bc7e752573 100644
--- a/packages/console/src/pages/Roles/components/CreateRoleModal/index.tsx
+++ b/packages/console/src/pages/Roles/components/CreateRoleModal/index.tsx
@@ -32,6 +32,20 @@ function CreateRoleModal({ onClose }: Props) {
     onClose();
   };
 
+  // Show assign role modal after role is created
+  if (createdRole) {
+    return (
+      <AssignRoleModal
+        isRemindSkip
+        roleId={createdRole.id}
+        roleType={createdRole.type}
+        onClose={() => {
+          navigate(`/roles/${createdRole.id}`, { replace: true });
+        }}
+      />
+    );
+  }
+
   return (
     <ReactModal
       isOpen
@@ -40,18 +54,7 @@ function CreateRoleModal({ onClose }: Props) {
       overlayClassName={modalStyles.overlay}
       onRequestClose={onClose}
     >
-      {createdRole ? (
-        <AssignRoleModal
-          isRemindSkip
-          roleId={createdRole.id}
-          roleType={createdRole.type}
-          onClose={() => {
-            navigate(`/roles/${createdRole.id}`, { replace: true });
-          }}
-        />
-      ) : (
-        <CreateRoleForm onClose={onCreateFormClose} />
-      )}
+      <CreateRoleForm onClose={onCreateFormClose} />
     </ReactModal>
   );
 }
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/SigningKeys/index.module.scss b/packages/console/src/pages/SigningKeys/SigningKeyFormCard/index.module.scss
similarity index 100%
rename from packages/console/src/pages/TenantSettings/TenantBasicSettings/SigningKeys/index.module.scss
rename to packages/console/src/pages/SigningKeys/SigningKeyFormCard/index.module.scss
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/SigningKeys/index.tsx b/packages/console/src/pages/SigningKeys/SigningKeyFormCard/index.tsx
similarity index 75%
rename from packages/console/src/pages/TenantSettings/TenantBasicSettings/SigningKeys/index.tsx
rename to packages/console/src/pages/SigningKeys/SigningKeyFormCard/index.tsx
index 14e47b95691..180279fdb80 100644
--- a/packages/console/src/pages/TenantSettings/TenantBasicSettings/SigningKeys/index.tsx
+++ b/packages/console/src/pages/SigningKeys/SigningKeyFormCard/index.tsx
@@ -13,24 +13,25 @@ import Delete from '@/assets/icons/delete.svg';
 import FormCard from '@/components/FormCard';
 import Button from '@/ds-components/Button';
 import DangerConfirmModal from '@/ds-components/DeleteConfirmModal';
-import DynamicT from '@/ds-components/DynamicT';
 import FormField from '@/ds-components/FormField';
 import IconButton from '@/ds-components/IconButton';
 import Select from '@/ds-components/Select';
-import TabNav, { TabNavItem } from '@/ds-components/TabNav';
 import Table from '@/ds-components/Table';
 import Tag from '@/ds-components/Tag';
 import useApi, { type RequestError } from '@/hooks/use-api';
 
 import * as styles from './index.module.scss';
 
-function SigningKeys() {
+type Props = {
+  keyType: LogtoOidcConfigKeyType;
+};
+
+function SigningKeyFormCard({ keyType }: Props) {
   const api = useApi();
-  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.tenants.signing_keys' });
-  const [keyType, setKeyType] = useState<LogtoOidcConfigKeyType>(
-    LogtoOidcConfigKeyType.PrivateKeys
-  );
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.signing_keys' });
+
   const isPrivateKey = keyType === LogtoOidcConfigKeyType.PrivateKeys;
+  const keyTypePhrase = isPrivateKey ? 'private' : 'cookie';
 
   const { data, error, mutate } = useSWR<OidcConfigKeysResponse[], RequestError>(
     `api/configs/oidc/${keyType}`
@@ -96,26 +97,11 @@ function SigningKeys() {
   );
 
   return (
-    <FormCard title="tenants.signing_keys.title" description="tenants.signing_keys.description">
-      <TabNav>
-        <TabNavItem
-          isActive={keyType === LogtoOidcConfigKeyType.PrivateKeys}
-          onClick={() => {
-            setKeyType(LogtoOidcConfigKeyType.PrivateKeys);
-          }}
-        >
-          <DynamicT forKey="tenants.signing_keys.type.private_key" />
-        </TabNavItem>
-        <TabNavItem
-          isActive={keyType === LogtoOidcConfigKeyType.CookieKeys}
-          onClick={() => {
-            setKeyType(LogtoOidcConfigKeyType.CookieKeys);
-          }}
-        >
-          <DynamicT forKey="tenants.signing_keys.type.cookie_key" />
-        </TabNavItem>
-      </TabNav>
-      <FormField title={`tenants.signing_keys.${isPrivateKey ? 'private' : 'cookie'}_keys_in_use`}>
+    <FormCard
+      title={`signing_keys.${keyTypePhrase}_key`}
+      description={`signing_keys.${keyTypePhrase}_keys_description`}
+    >
+      <FormField title={`signing_keys.${keyTypePhrase}_keys_in_use`}>
         <Table
           hasBorder
           isRowHoverEffectDisabled
@@ -126,13 +112,11 @@ function SigningKeys() {
           columns={tableColumns}
         />
       </FormField>
-      <FormField title={`tenants.signing_keys.rotate_${isPrivateKey ? 'private' : 'cookie'}_keys`}>
+      <FormField title={`signing_keys.rotate_${keyTypePhrase}_keys`}>
         <div className={styles.rotateKey}>
-          <div className={styles.description}>
-            {t(`rotate_${isPrivateKey ? 'private' : 'cookie'}_keys_description`)}
-          </div>
+          <div className={styles.description}>{t(`rotate_${keyTypePhrase}_keys_description`)}</div>
           <Button
-            title={`tenants.signing_keys.rotate_${isPrivateKey ? 'private' : 'cookie'}_keys`}
+            title={`signing_keys.rotate_${keyTypePhrase}_keys`}
             type="default"
             onClick={() => {
               setShowRotateConfirmModal(true);
@@ -141,7 +125,7 @@ function SigningKeys() {
         </div>
       </FormField>
       <DangerConfirmModal
-        confirmButtonText="tenants.signing_keys.rotate_button"
+        confirmButtonText="signing_keys.rotate_button"
         isOpen={showRotateConfirmModal}
         onCancel={() => {
           setShowRotateConfirmModal(false);
@@ -164,11 +148,11 @@ function SigningKeys() {
       >
         <span>
           <Trans components={{ strong: <strong /> }}>
-            {t(`reminder.rotate_${isPrivateKey ? 'private' : 'cookie'}_key`)}
+            {t(`reminder.rotate_${keyTypePhrase}_key`)}
           </Trans>
         </span>
         {isPrivateKey && (
-          <FormField title="tenants.signing_keys.select_private_key_algorithm">
+          <FormField title="signing_keys.select_private_key_algorithm">
             <Select
               options={Object.values(SupportedSigningKeyAlgorithm).map((value) => ({
                 title: value,
@@ -205,7 +189,7 @@ function SigningKeys() {
       >
         <span>
           <Trans components={{ strong: <strong /> }}>
-            {t(`reminder.delete_${isPrivateKey ? 'private' : 'cookie'}_key`)}
+            {t(`reminder.delete_${keyTypePhrase}_key`)}
           </Trans>
         </span>
       </DangerConfirmModal>
@@ -213,4 +197,4 @@ function SigningKeys() {
   );
 }
 
-export default SigningKeys;
+export default SigningKeyFormCard;
diff --git a/packages/console/src/pages/SigningKeys/index.module.scss b/packages/console/src/pages/SigningKeys/index.module.scss
new file mode 100644
index 00000000000..7fce7951fa4
--- /dev/null
+++ b/packages/console/src/pages/SigningKeys/index.module.scss
@@ -0,0 +1,14 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  flex-direction: column;
+  min-height: 100%;
+  gap: _.unit(4);
+  padding-bottom: _.unit(6);
+
+  .header {
+    flex-shrink: 0;
+  }
+}
+
diff --git a/packages/console/src/pages/SigningKeys/index.tsx b/packages/console/src/pages/SigningKeys/index.tsx
new file mode 100644
index 00000000000..f2f3aaba3e2
--- /dev/null
+++ b/packages/console/src/pages/SigningKeys/index.tsx
@@ -0,0 +1,30 @@
+import { withAppInsights } from '@logto/app-insights/react/AppInsightsReact';
+import { LogtoOidcConfigKeyType } from '@logto/schemas';
+
+import PageMeta from '@/components/PageMeta';
+import { signingKeysLink } from '@/consts';
+import CardTitle from '@/ds-components/CardTitle';
+import useDocumentationUrl from '@/hooks/use-documentation-url';
+
+import SigningKeyFormCard from './SigningKeyFormCard';
+import * as styles from './index.module.scss';
+
+function SigningKeys() {
+  const { getDocumentationUrl } = useDocumentationUrl();
+
+  return (
+    <div className={styles.container}>
+      <PageMeta titleKey="signing_keys.title" />
+      <CardTitle
+        title="signing_keys.title"
+        subtitle="signing_keys.description"
+        learnMoreLink={{ href: getDocumentationUrl(signingKeysLink), targetBlank: 'noopener' }}
+        className={styles.header}
+      />
+      <SigningKeyFormCard keyType={LogtoOidcConfigKeyType.PrivateKeys} />
+      <SigningKeyFormCard keyType={LogtoOidcConfigKeyType.CookieKeys} />
+    </div>
+  );
+}
+
+export default withAppInsights(SigningKeys);
diff --git a/packages/console/src/pages/TenantSettings/Subscription/PlanComparisonTable/index.tsx b/packages/console/src/pages/TenantSettings/Subscription/PlanComparisonTable/index.tsx
index fcd1042968a..550b30cb3ad 100644
--- a/packages/console/src/pages/TenantSettings/Subscription/PlanComparisonTable/index.tsx
+++ b/packages/console/src/pages/TenantSettings/Subscription/PlanComparisonTable/index.tsx
@@ -3,6 +3,14 @@ import { type TFuncKey } from 'i18next';
 import { Fragment, useMemo } from 'react';
 import { useTranslation } from 'react-i18next';
 
+import {
+  freePlanAuditLogsRetentionDays,
+  freePlanM2mLimit,
+  freePlanMauLimit,
+  freePlanPermissionsLimit,
+  freePlanRoleLimit,
+  proPlanAuditLogsRetentionDays,
+} from '@/consts/subscriptions';
 import DynamicT from '@/ds-components/DynamicT';
 
 import TableDataWrapper from './TableDataWrapper';
@@ -111,13 +119,15 @@ function PlanComparisonTable() {
     const orgPermissions = t('organizations.org_permissions');
     const jitProvisioning = t('organizations.just_in_time_provisioning');
 
-    // Audit logs
-    const auditLogRetention = t('audit_logs.retention');
-    const freePlanLogRetention = t('days', { count: 3 });
-    const paidPlanLogRetention = t('days', { count: 14 });
-
-    // Webhooks
-    const webhooks = t('hooks.hooks');
+    // Developers and platform
+    const webhooks = t('developers_and_platform.hooks');
+    const auditLogRetention = t('developers_and_platform.audit_logs_retention');
+    const freePlanLogRetention = t('days', { count: freePlanAuditLogsRetentionDays });
+    const paidPlanLogRetention = t('days', { count: proPlanAuditLogsRetentionDays });
+    const jwtClaims = t('developers_and_platform.jwt_claims');
+    const tenantMembers = t('developers_and_platform.tenant_members');
+    const tenantMembersLimit = t('included', { value: 3 });
+    const tenantMembersPrice = t('per_member', { value: 8 });
 
     // Compliance and support
     const community = t('support.community');
@@ -130,7 +140,10 @@ function PlanComparisonTable() {
         title: 'quota.title',
         rows: [
           { name: basePrice, data: ['0', proPlanBasePrice, contact] },
-          { name: `${mauLimit}|${mauLimitTip}`, data: ['50,000', unlimited, contact] },
+          {
+            name: `${mauLimit}|${mauLimitTip}`,
+            data: [freePlanMauLimit.toLocaleString(), unlimited, contact],
+          },
           {
             name: `${includedTokens}|${includedTokensTip}`,
             data: ['500,000', `${proPlanIncludedTokens}|${proPlanIncludedTokensTip}`, contact],
@@ -144,7 +157,7 @@ function PlanComparisonTable() {
           {
             name: m2mApps,
             data: [
-              '1',
+              `${freePlanM2mLimit}`,
               `${proPlanM2mAppLimit}|${paidQuotaLimitTip}|${proPlanM2mAppPrice}`,
               contact,
             ],
@@ -197,9 +210,9 @@ function PlanComparisonTable() {
         title: 'user_management.title',
         rows: [
           { name: userManagement, data: ['✓', '✓', '✓'] },
-          { name: userRoles, data: ['1', unlimited, contact] },
+          { name: userRoles, data: [`${freePlanRoleLimit}`, unlimited, contact] },
           { name: m2mRoles, data: ['1', unlimited, contact] },
-          { name: permissionsPerRole, data: ['1', unlimited, contact] },
+          { name: permissionsPerRole, data: [`${freePlanPermissionsLimit}`, unlimited, contact] },
         ],
       },
       {
@@ -217,15 +230,21 @@ function PlanComparisonTable() {
         ],
       },
       {
-        title: 'audit_logs.title',
+        title: 'developers_and_platform.title',
         rows: [
+          { name: webhooks, data: ['1', '10', contact] },
           { name: auditLogRetention, data: [freePlanLogRetention, paidPlanLogRetention, contact] },
+          { name: jwtClaims, data: ['-', comingSoon, comingSoon] },
+          {
+            name: tenantMembers,
+            data: [
+              '1',
+              `${tenantMembersLimit}|${paidAddOnFeatureTip}|${tenantMembersPrice}`,
+              contact,
+            ],
+          },
         ],
       },
-      {
-        title: 'hooks.title',
-        rows: [{ name: webhooks, data: ['1', '10', contact] }],
-      },
       {
         title: 'support.title',
         rows: [
@@ -264,8 +283,9 @@ function PlanComparisonTable() {
                   <td className={styles.quotaKeyColumn}>
                     <TableDataWrapper isLeftAligned value={name} />
                   </td>
-                  {data.map((value) => (
-                    <td key={value}>
+                  {data.map((value, index) => (
+                    // eslint-disable-next-line react/no-array-index-key
+                    <td key={`${title}-${name}-${index}`}>
                       <TableDataWrapper value={value} />
                     </td>
                   ))}
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.module.scss b/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.module.scss
new file mode 100644
index 00000000000..2bbae3ea2b0
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.module.scss
@@ -0,0 +1,15 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  align-items: center;
+  border: 1px solid var(--color-divider);
+  border-radius: _.unit(2);
+  padding: _.unit(4);
+
+  .description {
+    flex: 1;
+    margin-right: _.unit(2);
+    font: var(--font-body-2);
+  }
+}
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.tsx b/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.tsx
new file mode 100644
index 00000000000..85a3f8e45fe
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantBasicSettings/LeaveCard/index.tsx
@@ -0,0 +1,64 @@
+import { useContext, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import FormCard from '@/components/FormCard';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Button from '@/ds-components/Button';
+import FormField from '@/ds-components/FormField';
+import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import useCurrentUser from '@/hooks/use-current-user';
+
+import * as styles from './index.module.scss';
+
+function LeaveCard() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { show: showModal } = useConfirmModal();
+  const api = useAuthedCloudApi();
+  const { currentTenantId, removeTenant, navigateTenant } = useContext(TenantsContext);
+  const { user } = useCurrentUser();
+  const [isLoading, setIsLoading] = useState(false);
+
+  const onClickLeave = async () => {
+    const [confirm] = await showModal({
+      ModalContent: t('tenants.leave_tenant_modal.description'),
+      type: 'confirm',
+      confirmButtonText: 'tenants.leave_tenant_modal.leave_button',
+    });
+
+    if (!confirm || !user) {
+      return;
+    }
+
+    setIsLoading(true);
+    try {
+      await api.delete(`/api/tenants/:tenantId/members/:userId`, {
+        params: { tenantId: currentTenantId, userId: user.id },
+      });
+      removeTenant(currentTenantId);
+      navigateTenant('');
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <FormCard title="tenants.leave_tenant_card.leave_tenant">
+      <FormField title="tenants.leave_tenant_card.leave_tenant">
+        <div className={styles.container}>
+          <div className={styles.description}>
+            {t('tenants.leave_tenant_card.leave_tenant_description')}
+          </div>
+          <Button
+            type="default"
+            title="tenants.leave_tenant_card.leave_tenant"
+            isLoading={isLoading}
+            onClick={onClickLeave}
+          />
+        </div>
+      </FormField>
+    </FormCard>
+  );
+}
+
+export default LeaveCard;
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/ProfileForm/index.tsx b/packages/console/src/pages/TenantSettings/TenantBasicSettings/ProfileForm/index.tsx
index c66a6028c9b..f050d91de14 100644
--- a/packages/console/src/pages/TenantSettings/TenantBasicSettings/ProfileForm/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantBasicSettings/ProfileForm/index.tsx
@@ -4,6 +4,7 @@ import FormCard from '@/components/FormCard';
 import CopyToClipboard from '@/ds-components/CopyToClipboard';
 import FormField from '@/ds-components/FormField';
 import TextInput from '@/ds-components/TextInput';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
 
 import { type TenantSettingsForm } from '../types.js';
 
@@ -15,6 +16,7 @@ type Props = {
 };
 
 function ProfileForm({ currentTenantId }: Props) {
+  const { canManageTenant } = useCurrentTenantScopes();
   const {
     register,
     formState: { errors },
@@ -29,6 +31,7 @@ function ProfileForm({ currentTenantId }: Props) {
       <FormField isRequired title="tenants.settings.tenant_name">
         <TextInput
           {...register('profile.name', { required: true })}
+          readOnly={!canManageTenant}
           error={Boolean(errors.profile?.name)}
         />
       </FormField>
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.module.scss b/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.module.scss
index d13f31ad273..c9977141a3a 100644
--- a/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.module.scss
+++ b/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.module.scss
@@ -4,15 +4,13 @@
   flex-grow: 1;
   display: flex;
   flex-direction: column;
-  padding-bottom: _.unit(2);
+  padding-bottom: _.unit(4);
   min-width: 540px;
+  gap: _.unit(4);
 
   &.withSubmitActionBar {
     padding-bottom: 0;
-  }
-
-  >:not(:first-child) {
-    margin-top: _.unit(4);
+    margin-bottom: 0;
   }
 
   .fields {
diff --git a/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.tsx b/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.tsx
index b8bb31cbea1..d60310ae48d 100644
--- a/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantBasicSettings/index.tsx
@@ -12,12 +12,13 @@ import SubmitFormChangesActionBar from '@/components/SubmitFormChangesActionBar'
 import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
 import { TenantsContext } from '@/contexts/TenantsProvider';
 import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
 import { trySubmitSafe } from '@/utils/form';
 
 import DeleteCard from './DeleteCard';
 import DeleteModal from './DeleteModal';
+import LeaveCard from './LeaveCard';
 import ProfileForm from './ProfileForm';
-import SigningKeys from './SigningKeys';
 import * as styles from './index.module.scss';
 import { type TenantSettingsForm } from './types.js';
 
@@ -29,6 +30,7 @@ const tenantProfileToForm = (tenant?: TenantResponse): TenantSettingsForm => {
 
 function TenantBasicSettings() {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  const { canManageTenant } = useCurrentTenantScopes();
   const api = useCloudApi();
   const {
     currentTenant,
@@ -121,27 +123,35 @@ function TenantBasicSettings() {
         <FormProvider {...methods}>
           <div className={styles.fields}>
             <ProfileForm currentTenantId={currentTenantId} />
-            <SigningKeys />
-            <DeleteCard currentTenantId={currentTenantId} onClick={onClickDeletionButton} />
+            <LeaveCard />
+            {canManageTenant && (
+              <DeleteCard currentTenantId={currentTenantId} onClick={onClickDeletionButton} />
+            )}
           </div>
         </FormProvider>
-        <SubmitFormChangesActionBar
-          isOpen={isDirty}
-          isSubmitting={isSubmitting}
-          onDiscard={reset}
-          onSubmit={onSubmit}
-        />
+        {canManageTenant && (
+          <SubmitFormChangesActionBar
+            isOpen={isDirty}
+            isSubmitting={isSubmitting}
+            onDiscard={reset}
+            onSubmit={onSubmit}
+          />
+        )}
       </form>
-      <UnsavedChangesAlertModal hasUnsavedChanges={isDirty} />
-      <DeleteModal
-        isOpen={isDeletionModalOpen}
-        isLoading={isDeleting}
-        tenant={watch('profile')}
-        onClose={() => {
-          setIsDeletionModalOpen(false);
-        }}
-        onDelete={onDelete}
-      />
+      {canManageTenant && (
+        <>
+          <UnsavedChangesAlertModal hasUnsavedChanges={isDirty} />
+          <DeleteModal
+            isOpen={isDeletionModalOpen}
+            isLoading={isDeleting}
+            tenant={watch('profile')}
+            onClose={() => {
+              setIsDeletionModalOpen(false);
+            }}
+            onDelete={onDelete}
+          />
+        </>
+      )}
     </>
   );
 }
diff --git a/packages/console/src/pages/TenantSettings/TenantDomainSettings/AddDomainForm/index.tsx b/packages/console/src/pages/TenantSettings/TenantDomainSettings/AddDomainForm/index.tsx
index c4846a31241..93d79993469 100644
--- a/packages/console/src/pages/TenantSettings/TenantDomainSettings/AddDomainForm/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantDomainSettings/AddDomainForm/index.tsx
@@ -16,10 +16,11 @@ type FormData = {
 
 type Props = {
   className?: string;
+  isReadonly?: boolean;
   onSubmitCustomDomain: (data: FormData) => Promise<void>;
 };
 
-function AddDomainForm({ className, onSubmitCustomDomain }: Props) {
+function AddDomainForm({ className, isReadonly, onSubmitCustomDomain }: Props) {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
   const {
     register,
@@ -46,6 +47,7 @@ function AddDomainForm({ className, onSubmitCustomDomain }: Props) {
         className={styles.textInput}
         placeholder={t('domain.custom.custom_domain_placeholder')}
         error={errors.domain?.message}
+        readOnly={isReadonly}
         onKeyDown={onKeyDownHandler({ Enter: onSubmit })}
         {...register('domain', {
           required: true,
@@ -60,7 +62,7 @@ function AddDomainForm({ className, onSubmitCustomDomain }: Props) {
         type="primary"
         title="domain.custom.add_domain"
         isLoading={isSubmitting}
-        disabled={domainInput.length === 0}
+        disabled={domainInput.length === 0 || isReadonly}
         onClick={onSubmit}
       />
     </div>
diff --git a/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/CustomDomainHeader/index.tsx b/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/CustomDomainHeader/index.tsx
index 967278928b4..335c717630b 100644
--- a/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/CustomDomainHeader/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/CustomDomainHeader/index.tsx
@@ -18,6 +18,7 @@ type Props = {
   customDomain: CustomDomain;
   hasExtraTipsOnDelete?: boolean;
   hasOpenExternalLink?: boolean;
+  isReadonly?: boolean;
   onDeleteCustomDomain: () => Promise<void>;
 };
 
@@ -25,6 +26,7 @@ function CustomDomainHeader({
   customDomain: { domain, status },
   hasExtraTipsOnDelete,
   hasOpenExternalLink,
+  isReadonly,
   onDeleteCustomDomain,
 }: Props) {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
@@ -72,15 +74,17 @@ function CustomDomainHeader({
       <Spacer />
       <CopyToClipboard value={domain} variant="icon" />
       {hasOpenExternalLink && <OpenExternalLink link={`https://${domain}`} />}
-      <ActionMenu
-        icon={<More className={styles.icon} />}
-        iconSize="small"
-        title={<DynamicT forKey="general.more_options" />}
-      >
-        <ActionMenuItem icon={<Delete />} type="danger" onClick={handleDelete}>
-          <DynamicT forKey="general.delete" />
-        </ActionMenuItem>
-      </ActionMenu>
+      {!isReadonly && (
+        <ActionMenu
+          icon={<More className={styles.icon} />}
+          iconSize="small"
+          title={<DynamicT forKey="general.more_options" />}
+        >
+          <ActionMenuItem icon={<Delete />} type="danger" onClick={handleDelete}>
+            <DynamicT forKey="general.delete" />
+          </ActionMenuItem>
+        </ActionMenu>
+      )}
     </div>
   );
 }
diff --git a/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/index.tsx b/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/index.tsx
index 13764029d1e..9454764e6a5 100644
--- a/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantDomainSettings/CustomDomain/index.tsx
@@ -10,6 +10,7 @@ type Props = {
   customDomain: CustomDomainType;
   hasExtraTipsOnDelete?: boolean;
   hasOpenExternalLink?: boolean;
+  isReadonly?: boolean;
   onDeleteCustomDomain: () => Promise<void>;
 };
 
@@ -18,6 +19,7 @@ function CustomDomain({
   customDomain,
   hasExtraTipsOnDelete,
   hasOpenExternalLink,
+  isReadonly,
   onDeleteCustomDomain,
 }: Props) {
   return (
@@ -26,6 +28,7 @@ function CustomDomain({
         customDomain={customDomain}
         hasExtraTipsOnDelete={hasExtraTipsOnDelete}
         hasOpenExternalLink={hasOpenExternalLink}
+        isReadonly={isReadonly}
         onDeleteCustomDomain={onDeleteCustomDomain}
       />
       {customDomain.status !== DomainStatus.Active && (
diff --git a/packages/console/src/pages/TenantSettings/TenantDomainSettings/index.tsx b/packages/console/src/pages/TenantSettings/TenantDomainSettings/index.tsx
index cf5fbac8830..ab09201e810 100644
--- a/packages/console/src/pages/TenantSettings/TenantDomainSettings/index.tsx
+++ b/packages/console/src/pages/TenantSettings/TenantDomainSettings/index.tsx
@@ -7,6 +7,7 @@ import PageMeta from '@/components/PageMeta';
 import FormField from '@/ds-components/FormField';
 import TextLink from '@/ds-components/TextLink';
 import useApi from '@/hooks/use-api';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
 import useCustomDomain from '@/hooks/use-custom-domain';
 import useDocumentationUrl from '@/hooks/use-documentation-url';
 
@@ -22,6 +23,7 @@ function TenantDomainSettings() {
   const { data: customDomain, isLoading: isLoadingCustomDomain, mutate } = useCustomDomain(true);
   const { getDocumentationUrl } = useDocumentationUrl();
   const api = useApi();
+  const { canManageTenant } = useCurrentTenantScopes();
 
   if (isLoadingCustomDomain) {
     return <Skeleton />;
@@ -42,6 +44,7 @@ function TenantDomainSettings() {
           {customDomain ? (
             <CustomDomain
               hasExtraTipsOnDelete
+              isReadonly={!canManageTenant}
               customDomain={customDomain}
               onDeleteCustomDomain={async () => {
                 await api.delete(`api/domains/${customDomain.id}`);
@@ -50,6 +53,7 @@ function TenantDomainSettings() {
             />
           ) : (
             <AddDomainForm
+              isReadonly={!canManageTenant}
               onSubmitCustomDomain={async (json) => {
                 const createdDomain = await api.post('api/domains', { json }).json<Domain>();
                 mutate(createdDomain);
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/EditMemberModal/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/EditMemberModal/index.tsx
new file mode 100644
index 00000000000..f16d28990df
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/EditMemberModal/index.tsx
@@ -0,0 +1,102 @@
+import { TenantRole } from '@logto/schemas';
+import { getUserDisplayName } from '@logto/shared/universal';
+import { useContext, useMemo, useState } from 'react';
+import { Trans, useTranslation } from 'react-i18next';
+import ReactModal from 'react-modal';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type TenantMemberResponse } from '@/cloud/types/router';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Button from '@/ds-components/Button';
+import FormField from '@/ds-components/FormField';
+import ModalLayout from '@/ds-components/ModalLayout';
+import Select, { type Option } from '@/ds-components/Select';
+import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import * as modalStyles from '@/scss/modal.module.scss';
+
+type Props = {
+  user: TenantMemberResponse;
+  isOpen: boolean;
+  onClose: () => void;
+};
+
+function EditMemberModal({ user, isOpen, onClose }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.tenant_members' });
+  const { currentTenantId } = useContext(TenantsContext);
+
+  const [isLoading, setIsLoading] = useState(false);
+  const [role, setRole] = useState(TenantRole.Collaborator);
+  const { show } = useConfirmModal();
+  const cloudApi = useAuthedCloudApi();
+
+  const roleOptions: Array<Option<TenantRole>> = useMemo(
+    () => [
+      { value: TenantRole.Admin, title: t('admin') },
+      { value: TenantRole.Collaborator, title: t('collaborator') },
+    ],
+    [t]
+  );
+
+  const onSubmit = async () => {
+    if (role === TenantRole.Admin) {
+      const [result] = await show({
+        ModalContent: () => (
+          <Trans components={{ ul: <ul />, li: <li /> }}>{t('assign_admin_confirm')}</Trans>
+        ),
+        confirmButtonText: 'general.confirm',
+      });
+
+      if (!result) {
+        return;
+      }
+    }
+
+    setIsLoading(true);
+    try {
+      await cloudApi.put(`/api/tenants/:tenantId/members/:userId/roles`, {
+        params: { tenantId: currentTenantId, userId: user.id },
+        body: { roleName: role },
+      });
+      onClose();
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <ReactModal
+      isOpen={isOpen}
+      className={modalStyles.content}
+      overlayClassName={modalStyles.overlay}
+      onRequestClose={onClose}
+    >
+      <ModalLayout
+        title={<>{t('edit_modal.title', { name: getUserDisplayName(user) })}</>}
+        footer={
+          <Button
+            size="large"
+            type="primary"
+            title="general.save"
+            isLoading={isLoading}
+            onClick={onSubmit}
+          />
+        }
+        onClose={onClose}
+      >
+        <FormField title="tenant_members.roles">
+          <Select
+            options={roleOptions}
+            value={role}
+            onChange={(value) => {
+              if (value) {
+                setRole(value);
+              }
+            }}
+          />
+        </FormField>
+      </ModalLayout>
+    </ReactModal>
+  );
+}
+
+export default EditMemberModal;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/Invitations/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/Invitations/index.tsx
new file mode 100644
index 00000000000..9b2eb0ae6bb
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/Invitations/index.tsx
@@ -0,0 +1,248 @@
+import { OrganizationInvitationStatus, TenantRole } from '@logto/schemas';
+import { condArray, conditional } from '@silverhand/essentials';
+import { format } from 'date-fns';
+import { useContext, useState } from 'react';
+import { toast } from 'react-hot-toast';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import Delete from '@/assets/icons/delete.svg';
+import Invite from '@/assets/icons/invitation.svg';
+import More from '@/assets/icons/more.svg';
+import Plus from '@/assets/icons/plus.svg';
+import Redo from '@/assets/icons/redo.svg';
+import UsersEmptyDark from '@/assets/images/users-empty-dark.svg';
+import UsersEmpty from '@/assets/images/users-empty.svg';
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import type { InvitationResponse, TenantInvitationResponse } from '@/cloud/types/router';
+import Breakable from '@/components/Breakable';
+import { RoleOption } from '@/components/OrganizationRolesSelect';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import ActionMenu, { ActionMenuItem } from '@/ds-components/ActionMenu';
+import Button from '@/ds-components/Button';
+import DynamicT from '@/ds-components/DynamicT';
+import Table from '@/ds-components/Table';
+import TablePlaceholder from '@/ds-components/Table/TablePlaceholder';
+import Tag, { type Props as TagProps } from '@/ds-components/Tag';
+import { type RequestError } from '@/hooks/use-api';
+import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
+
+import InviteMemberModal from '../InviteMemberModal';
+
+const convertInvitationStatusToTagStatus = (
+  status: OrganizationInvitationStatus
+): TagProps['status'] => {
+  switch (status) {
+    case OrganizationInvitationStatus.Pending: {
+      return 'alert';
+    }
+    case OrganizationInvitationStatus.Accepted: {
+      return 'success';
+    }
+    case OrganizationInvitationStatus.Revoked: {
+      return 'error';
+    }
+    default: {
+      return 'info';
+    }
+  }
+};
+
+function Invitations() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.tenant_members' });
+  const cloudApi = useAuthedCloudApi();
+  const { currentTenantId } = useContext(TenantsContext);
+  const { canInviteMember, canRemoveMember } = useCurrentTenantScopes();
+
+  const { data, error, isLoading, mutate } = useSWR<TenantInvitationResponse[], RequestError>(
+    'api/tenants/:tenantId/invitations',
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/invitations', { params: { tenantId: currentTenantId } })
+  );
+
+  const [showInviteModal, setShowInviteModal] = useState(false);
+  const { show } = useConfirmModal();
+
+  const handleRevoke = async (invitationId: string) => {
+    const [result] = await show({
+      ModalContent: t('revoke_invitation_confirm'),
+      confirmButtonText: 'general.confirm',
+    });
+
+    if (!result) {
+      return;
+    }
+
+    await cloudApi.patch(`/api/tenants/:tenantId/invitations/:invitationId/status`, {
+      params: { tenantId: currentTenantId, invitationId },
+      body: { status: OrganizationInvitationStatus.Revoked },
+    });
+    void mutate();
+    toast.success(t('messages.invitation_revoked'));
+  };
+
+  const handleDelete = async (invitationId: string) => {
+    const [result] = await show({
+      ModalContent: t('delete_user_confirm'),
+      confirmButtonText: 'general.delete',
+    });
+
+    if (!result) {
+      return;
+    }
+
+    await cloudApi.delete(`/api/tenants/:tenantId/invitations/:invitationId`, {
+      params: { tenantId: currentTenantId, invitationId },
+    });
+    void mutate();
+    toast.success(t('messages.invitation_deleted'));
+  };
+
+  return (
+    <>
+      <Table
+        isRowHoverEffectDisabled
+        placeholder={
+          <TablePlaceholder
+            image={<UsersEmpty />}
+            imageDark={<UsersEmptyDark />}
+            title="tenant_members.invitation_empty_placeholder.title"
+            description="tenant_members.invitation_empty_placeholder.description"
+            action={conditional(
+              canInviteMember && (
+                <Button
+                  title="tenant_members.invite_members"
+                  type="primary"
+                  size="large"
+                  icon={<Plus />}
+                  onClick={() => {
+                    setShowInviteModal(true);
+                  }}
+                />
+              )
+            )}
+          />
+        }
+        isLoading={isLoading}
+        errorMessage={error?.toString()}
+        rowGroups={[{ key: 'data', data }]}
+        columns={[
+          {
+            dataIndex: 'user',
+            colSpan: 2,
+            title: t('user'),
+            render: ({ invitee }) => <span>{invitee}</span>,
+          },
+          {
+            dataIndex: 'roles',
+            colSpan: 2,
+            title: t('roles'),
+            render: ({ organizationRoles }) => {
+              if (organizationRoles.length === 0) {
+                return '-';
+              }
+
+              return organizationRoles.map(({ id }) => (
+                <Tag key={id} variant="cell">
+                  <RoleOption
+                    value={id}
+                    title={t(id === TenantRole.Admin ? 'admin' : 'collaborator')}
+                  />
+                </Tag>
+              ));
+            },
+          },
+          {
+            dataIndex: 'status',
+            colSpan: 2,
+            title: t('invitation_status'),
+            render: ({ status }) => (
+              <Tag type="state" status={convertInvitationStatusToTagStatus(status)}>
+                {status}
+              </Tag>
+            ),
+          },
+          {
+            dataIndex: 'inviter',
+            colSpan: 3,
+            title: t('inviter'),
+            render: ({ inviterName }) => <Breakable>{inviterName ?? '-'}</Breakable>,
+          },
+          {
+            dataIndex: 'expiresAt',
+            colSpan: 2,
+            title: t('expiration_date'),
+            render: ({ expiresAt }) => <span>{format(expiresAt, 'MMM do, yyyy')}</span>,
+          },
+          ...condArray(
+            (canInviteMember || canRemoveMember) && [
+              {
+                dataIndex: 'actions',
+                title: null,
+                render: ({ id, status }: InvitationResponse) => (
+                  <ActionMenu
+                    icon={<More />}
+                    iconSize="small"
+                    title={<DynamicT forKey="general.more_options" />}
+                  >
+                    {status === OrganizationInvitationStatus.Pending && canInviteMember && (
+                      <ActionMenuItem
+                        icon={<Invite />}
+                        onClick={async () => {
+                          await cloudApi.post(
+                            '/api/tenants/:tenantId/invitations/:invitationId/message',
+                            {
+                              params: { tenantId: currentTenantId, invitationId: id },
+                            }
+                          );
+                          toast.success(t('messages.invitation_sent'));
+                        }}
+                      >
+                        {t('menu_options.resend_invite')}
+                      </ActionMenuItem>
+                    )}
+                    {status === OrganizationInvitationStatus.Pending && canRemoveMember && (
+                      <ActionMenuItem
+                        icon={<Redo />}
+                        type="danger"
+                        onClick={() => {
+                          void handleRevoke(id);
+                        }}
+                      >
+                        {t('menu_options.revoke')}
+                      </ActionMenuItem>
+                    )}
+                    {status !== OrganizationInvitationStatus.Pending && canRemoveMember && (
+                      <ActionMenuItem
+                        icon={<Delete />}
+                        type="danger"
+                        onClick={() => {
+                          void handleDelete(id);
+                        }}
+                      >
+                        {t('menu_options.delete_invitation_record')}
+                      </ActionMenuItem>
+                    )}
+                  </ActionMenu>
+                ),
+              },
+            ]
+          ),
+        ]}
+        rowIndexKey="id"
+      />
+      {canInviteMember && (
+        <InviteMemberModal
+          isOpen={showInviteModal}
+          onClose={() => {
+            setShowInviteModal(false);
+            void mutate();
+          }}
+        />
+      )}
+    </>
+  );
+}
+
+export default Invitations;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/hooks.ts b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/hooks.ts
new file mode 100644
index 00000000000..0ff9610b752
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/hooks.ts
@@ -0,0 +1,133 @@
+import { emailRegEx } from '@logto/core-kit';
+import { OrganizationInvitationStatus } from '@logto/schemas';
+import { conditional, conditionalArray, conditionalString } from '@silverhand/essentials';
+import { useCallback, useContext } from 'react';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type TenantInvitationResponse, type TenantMemberResponse } from '@/cloud/types/router';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import { type RequestError } from '@/hooks/use-api';
+
+import { type InviteeEmailItem } from '../types';
+
+const useEmailInputUtils = () => {
+  const cloudApi = useAuthedCloudApi();
+  const { currentTenantId } = useContext(TenantsContext);
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
+  const { data: existingMembers = [] } = useSWR<TenantMemberResponse[], RequestError>(
+    `api/tenant/${currentTenantId}/members`,
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/members', { params: { tenantId: currentTenantId } })
+  );
+
+  const { data: existingInvitations = [] } = useSWR<TenantInvitationResponse[], RequestError>(
+    'api/tenants/:tenantId/invitations',
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/invitations', { params: { tenantId: currentTenantId } })
+  );
+
+  /**
+   * Find duplicated and invalid formatted email addresses.
+   *
+   * @param emails Array of email emails.
+   * @returns
+   */
+  const findDuplicatedOrInvalidEmails = useCallback(
+    (emails: string[] = []) => {
+      const duplicatedEmails = new Set<string>();
+      const conflictMemberEmails = new Set<string>();
+      const conflictInvitationEmails = new Set<string>();
+      const invalidEmails = new Set<string>();
+      const validEmails = new Set<string>();
+
+      const existingMemberEmails = new Set<string>(
+        existingMembers.map(({ primaryEmail }) => primaryEmail ?? '').filter(Boolean)
+      );
+      const existingInvitationEmails = new Set<string>(
+        existingInvitations
+          .filter(({ status }) => status === OrganizationInvitationStatus.Pending)
+          .map(({ invitee }) => invitee)
+      );
+
+      for (const email of emails) {
+        if (!emailRegEx.test(email)) {
+          invalidEmails.add(email);
+        }
+        // Check email collisions
+        if (validEmails.has(email)) {
+          duplicatedEmails.add(email);
+        } else if (existingInvitationEmails.has(email)) {
+          conflictInvitationEmails.add(email);
+        } else if (existingMemberEmails.has(email)) {
+          conflictMemberEmails.add(email);
+        } else {
+          validEmails.add(email);
+        }
+      }
+
+      return {
+        duplicatedEmails,
+        conflictMemberEmails,
+        conflictInvitationEmails,
+        invalidEmails,
+      };
+    },
+    [existingInvitations, existingMembers]
+  );
+
+  const parseEmailOptions = useCallback(
+    (
+      inputValues: InviteeEmailItem[]
+    ): {
+      values: InviteeEmailItem[];
+      errorMessage?: string;
+    } => {
+      const { duplicatedEmails, conflictInvitationEmails, conflictMemberEmails, invalidEmails } =
+        findDuplicatedOrInvalidEmails(inputValues.map((email) => email.value));
+      // Show error message and update the inputs' status for error display.
+      if (
+        duplicatedEmails.size > 0 ||
+        conflictInvitationEmails.size > 0 ||
+        conflictMemberEmails.size > 0 ||
+        invalidEmails.size > 0
+      ) {
+        return {
+          values: inputValues.map(({ status, ...rest }) => ({
+            ...rest,
+            ...conditional(
+              (duplicatedEmails.has(rest.value) ||
+                conflictInvitationEmails.has(rest.value) ||
+                conflictMemberEmails.has(rest.value) ||
+                invalidEmails.has(rest.value)) && {
+                status: 'error',
+              }
+            ),
+          })),
+          errorMessage: conditionalArray(
+            conditionalString(duplicatedEmails.size > 0 && t('tenant_members.errors.email_exists')),
+            conditionalString(
+              conflictInvitationEmails.size > 0 &&
+                t('tenant_members.errors.pending_invitation_exists')
+            ),
+            conditionalString(
+              conflictMemberEmails.size > 0 && t('tenant_members.errors.member_exists')
+            ),
+            conditionalString(invalidEmails.size > 0 && t('tenant_members.errors.invalid_email'))
+          ).join('\n'),
+        };
+      }
+
+      return { values: inputValues };
+    },
+    [findDuplicatedOrInvalidEmails, t]
+  );
+
+  return {
+    parseEmailOptions,
+  };
+};
+
+export default useEmailInputUtils;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.module.scss b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.module.scss
new file mode 100644
index 00000000000..a3158db2fb4
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.module.scss
@@ -0,0 +1,95 @@
+@use '@/scss/underscore' as _;
+
+.input {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  min-height: 102px;
+  padding: _.unit(1.5) _.unit(3);
+  background: var(--color-layer-1);
+  border: 1px solid var(--color-border);
+  border-radius: 8px;
+  outline: 3px solid transparent;
+  transition-property: outline, border;
+  transition-timing-function: ease-in-out;
+  transition-duration: 0.2s;
+  font: var(--font-body-2);
+  cursor: pointer;
+  position: relative;
+
+  .wrapper {
+    display: flex;
+    align-items: center;
+    justify-content: flex-start;
+    flex-wrap: wrap;
+    gap: _.unit(2);
+    cursor: text;
+
+    .tag {
+      cursor: auto;
+      display: flex;
+      align-items: center;
+      gap: _.unit(1);
+      position: relative;
+
+      &.focused::after {
+        content: '';
+        position: absolute;
+        inset: 0;
+        background: var(--color-overlay-default-focused);
+      }
+
+      &.error {
+        background: var(--color-error-container);
+      }
+    }
+
+    .close {
+      width: 16px;
+      height: 16px;
+    }
+
+    .delete {
+      width: 20px;
+      height: 20px;
+      margin-right: _.unit(-0.5);
+    }
+
+    input {
+      color: var(--color-text);
+      font: var(--font-body-2);
+      background: transparent;
+      flex: 1;
+      padding: 0;
+      appearance: none;
+
+      &::placeholder {
+        color: var(--color-placeholder);
+      }
+    }
+  }
+
+  &:focus-within {
+    border-color: var(--color-primary);
+    outline-color: var(--color-focused-variant);
+  }
+
+  &.error {
+    border-color: var(--color-error);
+
+    &:focus-within {
+      outline-color: var(--color-danger-focused);
+    }
+  }
+}
+
+canvas {
+  display: none;
+}
+
+.errorMessage {
+  font: var(--font-body-2);
+  color: var(--color-error);
+  margin-top: _.unit(1);
+  white-space: pre-wrap;
+}
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.tsx
new file mode 100644
index 00000000000..77ae650bd1e
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteEmailsInput/index.tsx
@@ -0,0 +1,176 @@
+import { emailRegEx } from '@logto/core-kit';
+import { generateStandardShortId } from '@logto/shared/universal';
+import { conditional, type Nullable } from '@silverhand/essentials';
+import classNames from 'classnames';
+import { useEffect, useRef, useState } from 'react';
+import { useFormContext } from 'react-hook-form';
+
+import Close from '@/assets/icons/close.svg';
+import IconButton from '@/ds-components/IconButton';
+import Tag from '@/ds-components/Tag';
+import { onKeyDownHandler } from '@/utils/a11y';
+
+import type { InviteeEmailItem, InviteMemberForm } from '../types';
+
+import useEmailInputUtils from './hooks';
+import * as styles from './index.module.scss';
+
+type Props = {
+  className?: string;
+  values: InviteeEmailItem[];
+  onChange: (values: InviteeEmailItem[]) => void;
+  error?: string | boolean;
+  placeholder?: string;
+};
+
+/**
+ * The body-2 font declared in @logto/core-kit/scss/fonts. It is referenced here to calculate
+ * the width of the input text, which determines the minimum width of the input field.
+ */
+const fontBody2 =
+  '400 14px / 20px -apple-system, system-ui, BlinkMacSystemFont, Segoe UI, Roboto, Helvetica Neue, Helvetica, Arial, sans-serif, Apple Color Emoji';
+
+function InviteEmailsInput({
+  className,
+  values,
+  onChange: rawOnChange,
+  error,
+  placeholder,
+}: Props) {
+  const ref = useRef<HTMLInputElement>(null);
+  const [focusedValueId, setFocusedValueId] = useState<Nullable<string>>(null);
+  const [currentValue, setCurrentValue] = useState('');
+  const { setError, clearErrors } = useFormContext<InviteMemberForm>();
+  const { parseEmailOptions } = useEmailInputUtils();
+  const [minInputWidth, setMinInputWidth] = useState<number>(0);
+  const canvasRef = useRef<HTMLCanvasElement>(null);
+
+  useEffect(() => {
+    // Render placeholder text in canvas to calculate its width in CSS pixels.
+    const ctx = canvasRef.current?.getContext('2d');
+    if (!ctx) {
+      return;
+    }
+    ctx.font = fontBody2;
+    setMinInputWidth(ctx.measureText(currentValue).width);
+  }, [currentValue]);
+
+  const onChange = (values: InviteeEmailItem[]) => {
+    const { values: parsedValues, errorMessage } = parseEmailOptions(values);
+    if (errorMessage) {
+      setError('emails', { type: 'custom', message: errorMessage });
+    } else {
+      clearErrors('emails');
+    }
+    rawOnChange(parsedValues);
+  };
+
+  const handleAdd = (value: string) => {
+    const newValues: InviteeEmailItem[] = [
+      ...values,
+      {
+        value,
+        id: generateStandardShortId(),
+        ...conditional(!emailRegEx.test(value) && { status: 'error' }),
+      },
+    ];
+    onChange(newValues);
+    setCurrentValue('');
+    ref.current?.focus();
+  };
+
+  const handleDelete = (option: InviteeEmailItem) => {
+    onChange(values.filter(({ id }) => id !== option.id));
+  };
+
+  return (
+    <>
+      <div
+        className={classNames(styles.input, Boolean(error) && styles.error, className)}
+        role="button"
+        tabIndex={0}
+        onKeyDown={onKeyDownHandler(() => {
+          ref.current?.focus();
+        })}
+        onClick={() => {
+          ref.current?.focus();
+        }}
+      >
+        <div className={styles.wrapper}>
+          {values.map((option) => (
+            <Tag
+              key={option.id}
+              variant="cell"
+              className={classNames(
+                styles.tag,
+                option.status && styles[option.status],
+                option.id === focusedValueId && styles.focused
+              )}
+              onClick={() => {
+                ref.current?.focus();
+              }}
+            >
+              {option.value}
+              <IconButton
+                className={styles.delete}
+                size="small"
+                onClick={() => {
+                  handleDelete(option);
+                }}
+                onKeyDown={onKeyDownHandler(() => {
+                  handleDelete(option);
+                })}
+              >
+                <Close className={styles.close} />
+              </IconButton>
+            </Tag>
+          ))}
+          <input
+            ref={ref}
+            placeholder={conditional(values.length === 0 && placeholder)}
+            value={currentValue}
+            style={{ minWidth: `${minInputWidth + 10}px` }}
+            onKeyDown={(event) => {
+              if (event.key === 'Backspace' && currentValue === '') {
+                if (focusedValueId) {
+                  onChange(values.filter(({ id }) => id !== focusedValueId));
+                  setFocusedValueId(null);
+                } else {
+                  setFocusedValueId(values.at(-1)?.id ?? null);
+                }
+                ref.current?.focus();
+              }
+              if (event.key === ' ' || event.code === 'Space' || event.key === 'Enter') {
+                // Focusing on input
+                if (currentValue !== '' && document.activeElement === ref.current) {
+                  handleAdd(currentValue);
+                }
+                // Do not react to "Enter"
+                event.preventDefault();
+              }
+            }}
+            onChange={({ currentTarget: { value } }) => {
+              setCurrentValue(value);
+              setFocusedValueId(null);
+            }}
+            onFocus={() => {
+              ref.current?.focus();
+            }}
+            onBlur={() => {
+              if (currentValue !== '') {
+                handleAdd(currentValue);
+              }
+              setFocusedValueId(null);
+            }}
+          />
+        </div>
+      </div>
+      {Boolean(error) && typeof error === 'string' && (
+        <div className={styles.errorMessage}>{error}</div>
+      )}
+      <canvas ref={canvasRef} />
+    </>
+  );
+}
+
+export default InviteEmailsInput;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.module.scss b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.module.scss
new file mode 100644
index 00000000000..c085bcdad64
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.module.scss
@@ -0,0 +1,16 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  align-items: center;
+  gap: _.unit(6);
+  padding: _.unit(6);
+  background-color: var(--color-info-container);
+  margin: 0 _.unit(-6) _.unit(-6);
+
+  .description {
+    flex: 1;
+    flex-shrink: 0;
+    font: var(--font-body-2);
+  }
+}
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.tsx
new file mode 100644
index 00000000000..dca3c0187de
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/Footer/index.tsx
@@ -0,0 +1,74 @@
+import { ReservedPlanId } from '@logto/schemas';
+import { useContext } from 'react';
+import { Trans, useTranslation } from 'react-i18next';
+
+import ContactUsPhraseLink from '@/components/ContactUsPhraseLink';
+import QuotaGuardFooter from '@/components/QuotaGuardFooter';
+import { contactEmailLink } from '@/consts';
+import { SubscriptionDataContext } from '@/contexts/SubscriptionDataProvider';
+import Button, { LinkButton } from '@/ds-components/Button';
+
+import useTenantMembersUsage from '../../hooks';
+
+import * as styles from './index.module.scss';
+
+type Props = {
+  newInvitationCount?: number;
+  isLoading: boolean;
+  onSubmit: () => void;
+};
+
+function Footer({ newInvitationCount = 0, isLoading, onSubmit }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.upsell.paywall' });
+
+  const { currentPlan } = useContext(SubscriptionDataContext);
+  const { id: planId, quota } = currentPlan;
+
+  const { hasTenantMembersReachedLimit, limit, usage } = useTenantMembersUsage();
+
+  if (planId === ReservedPlanId.Free && hasTenantMembersReachedLimit) {
+    return (
+      <QuotaGuardFooter>
+        <Trans
+          components={{
+            a: <ContactUsPhraseLink />,
+          }}
+        >
+          {t('tenant_members')}
+        </Trans>
+      </QuotaGuardFooter>
+    );
+  }
+
+  if (
+    planId === ReservedPlanId.Development &&
+    (hasTenantMembersReachedLimit || usage + newInvitationCount > limit)
+  ) {
+    // Display a custom "Contact us" footer instead of asking for upgrade
+    return (
+      <div className={styles.container}>
+        <div className={styles.description}>
+          {t('tenant_members_dev_plan', { limit: quota.tenantMembersLimit })}
+        </div>
+        <LinkButton
+          size="large"
+          type="primary"
+          title="general.contact_us_action"
+          href={contactEmailLink}
+        />
+      </div>
+    );
+  }
+
+  return (
+    <Button
+      size="large"
+      type="primary"
+      title="tenant_members.invite_members"
+      isLoading={isLoading}
+      onClick={onSubmit}
+    />
+  );
+}
+
+export default Footer;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/index.tsx
new file mode 100644
index 00000000000..d1cdec79d16
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/InviteMemberModal/index.tsx
@@ -0,0 +1,158 @@
+import { TenantRole } from '@logto/schemas';
+import { useContext, useEffect, useMemo, useState } from 'react';
+import { Controller, FormProvider, useForm } from 'react-hook-form';
+import { toast } from 'react-hot-toast';
+import { Trans, useTranslation } from 'react-i18next';
+import ReactModal from 'react-modal';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import FormField from '@/ds-components/FormField';
+import ModalLayout from '@/ds-components/ModalLayout';
+import Select, { type Option } from '@/ds-components/Select';
+import { useConfirmModal } from '@/hooks/use-confirm-modal';
+import * as modalStyles from '@/scss/modal.module.scss';
+
+import InviteEmailsInput from '../InviteEmailsInput';
+import useEmailInputUtils from '../InviteEmailsInput/hooks';
+import { type InviteMemberForm } from '../types';
+
+import Footer from './Footer';
+
+type Props = {
+  isOpen: boolean;
+  onClose: (isSuccessful?: boolean) => void;
+};
+
+function InviteMemberModal({ isOpen, onClose }: Props) {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.tenant_members' });
+  const { currentTenantId } = useContext(TenantsContext);
+
+  const [isLoading, setIsLoading] = useState(false);
+  const cloudApi = useAuthedCloudApi();
+  const { parseEmailOptions } = useEmailInputUtils();
+  const { show } = useConfirmModal();
+
+  const formMethods = useForm<InviteMemberForm>({
+    defaultValues: {
+      emails: [],
+      role: TenantRole.Collaborator,
+    },
+  });
+
+  const {
+    control,
+    handleSubmit,
+    reset,
+    watch,
+    formState: { errors },
+  } = formMethods;
+
+  useEffect(() => {
+    return () => {
+      reset();
+    };
+  }, [isOpen, reset]);
+
+  const roleOptions: Array<Option<TenantRole>> = useMemo(
+    () => [
+      { value: TenantRole.Admin, title: t('admin') },
+      { value: TenantRole.Collaborator, title: t('collaborator') },
+    ],
+    [t]
+  );
+
+  const onSubmit = handleSubmit(async ({ emails, role }) => {
+    if (role === TenantRole.Admin) {
+      const [result] = await show({
+        ModalContent: () => (
+          <Trans components={{ ul: <ul />, li: <li /> }}>{t('assign_admin_confirm')}</Trans>
+        ),
+        confirmButtonText: 'general.confirm',
+      });
+
+      if (!result) {
+        return;
+      }
+    }
+
+    setIsLoading(true);
+    try {
+      await Promise.all(
+        emails.map(async (email) =>
+          cloudApi.post('/api/tenants/:tenantId/invitations', {
+            params: { tenantId: currentTenantId },
+            body: { invitee: email.value, roleName: role },
+          })
+        )
+      );
+      toast.success(t('messages.invitation_sent'));
+      onClose(true);
+    } finally {
+      setIsLoading(false);
+    }
+  });
+
+  return (
+    <ReactModal
+      isOpen={isOpen}
+      className={modalStyles.content}
+      overlayClassName={modalStyles.overlay}
+      onRequestClose={() => {
+        onClose();
+      }}
+    >
+      <ModalLayout
+        size="large"
+        title="tenant_members.invite_modal.title"
+        subtitle="tenant_members.invite_modal.subtitle"
+        footer={
+          <Footer
+            newInvitationCount={watch('emails').length}
+            isLoading={isLoading}
+            onSubmit={onSubmit}
+          />
+        }
+        onClose={onClose}
+      >
+        <FormProvider {...formMethods}>
+          <FormField isRequired title="tenant_members.invite_modal.to">
+            <Controller
+              name="emails"
+              control={control}
+              rules={{
+                validate: (value) => {
+                  if (value.length === 0) {
+                    return t('errors.email_required');
+                  }
+                  const { errorMessage } = parseEmailOptions(value);
+                  // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+                  return errorMessage || true;
+                },
+              }}
+              render={({ field: { onChange, value } }) => (
+                <InviteEmailsInput
+                  values={value}
+                  error={errors.emails?.message}
+                  placeholder={t('invite_modal.email_input_placeholder')}
+                  onChange={onChange}
+                />
+              )}
+            />
+          </FormField>
+          <FormField title="tenant_members.roles">
+            <Controller
+              name="role"
+              control={control}
+              render={({ field: { onChange, value } }) => (
+                <Select options={roleOptions} value={value} onChange={onChange} />
+              )}
+            />
+          </FormField>
+        </FormProvider>
+      </ModalLayout>
+    </ReactModal>
+  );
+}
+
+export default InviteMemberModal;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/Members/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/Members/index.tsx
new file mode 100644
index 00000000000..9b4687c670b
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/Members/index.tsx
@@ -0,0 +1,125 @@
+import { TenantRole } from '@logto/schemas';
+import { condArray, conditional } from '@silverhand/essentials';
+import { useContext, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import useSWR from 'swr';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type TenantMemberResponse } from '@/cloud/types/router';
+import ActionsButton from '@/components/ActionsButton';
+import EmptyDataPlaceholder from '@/components/EmptyDataPlaceholder';
+import UserPreview from '@/components/ItemPreview/UserPreview';
+import { RoleOption } from '@/components/OrganizationRolesSelect';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Table from '@/ds-components/Table';
+import Tag from '@/ds-components/Tag';
+import { type RequestError } from '@/hooks/use-api';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
+import useCurrentUser from '@/hooks/use-current-user';
+
+import EditMemberModal from '../EditMemberModal';
+
+function Members() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console.tenant_members' });
+  const cloudApi = useAuthedCloudApi();
+  const { currentTenantId } = useContext(TenantsContext);
+  const { user: currentUser } = useCurrentUser();
+  const { canRemoveMember, canUpdateMemberRole } = useCurrentTenantScopes();
+
+  const { data, error, isLoading, mutate } = useSWR<TenantMemberResponse[], RequestError>(
+    `api/tenants/:tenantId/members`,
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/members', { params: { tenantId: currentTenantId } })
+  );
+
+  const [userToBeEdited, setUserToBeEdited] = useState<TenantMemberResponse>();
+
+  return (
+    <>
+      <Table
+        isRowHoverEffectDisabled
+        placeholder={<EmptyDataPlaceholder />}
+        isLoading={isLoading}
+        errorMessage={error?.toString()}
+        rowGroups={[{ key: 'data', data }]}
+        columns={[
+          {
+            dataIndex: 'user',
+            title: t('user'),
+            colSpan: 4,
+            render: (user) => <UserPreview user={user} hasUserDetailsLink={false} />,
+          },
+          {
+            dataIndex: 'roles',
+            title: t('roles'),
+            colSpan: 6,
+            render: ({ organizationRoles }) => {
+              if (organizationRoles.length === 0) {
+                return '-';
+              }
+
+              return organizationRoles.map(({ id }) => (
+                <Tag key={id} variant="cell">
+                  <RoleOption
+                    value={id}
+                    title={t(id === TenantRole.Admin ? 'admin' : 'collaborator')}
+                  />
+                </Tag>
+              ));
+            },
+          },
+          ...condArray(
+            (canUpdateMemberRole || canRemoveMember) && [
+              {
+                dataIndex: 'actions',
+                title: null,
+                colSpan: 1,
+                render: (user: TenantMemberResponse) => (
+                  <ActionsButton
+                    deleteConfirmation="tenant_members.delete_user_confirm"
+                    fieldName="tenant_members.user"
+                    textOverrides={{
+                      edit: 'tenant_members.menu_options.edit',
+                      delete: 'tenant_members.menu_options.delete',
+                      deleteConfirmation: 'general.remove',
+                    }}
+                    onEdit={conditional(
+                      canUpdateMemberRole &&
+                        (() => {
+                          setUserToBeEdited(user);
+                        })
+                    )}
+                    onDelete={conditional(
+                      canRemoveMember &&
+                        // Cannot remove self from members list
+                        currentUser?.id !== user.id &&
+                        (async () => {
+                          await cloudApi.delete(`/api/tenants/:tenantId/members/:userId`, {
+                            params: { tenantId: currentTenantId, userId: user.id },
+                          });
+                          void mutate();
+                        })
+                    )}
+                  />
+                ),
+              },
+            ]
+          ),
+        ]}
+        rowIndexKey="id"
+      />
+      {canUpdateMemberRole && userToBeEdited && (
+        <EditMemberModal
+          isOpen
+          user={userToBeEdited}
+          onClose={() => {
+            setUserToBeEdited(undefined);
+            void mutate();
+          }}
+        />
+      )}
+    </>
+  );
+}
+
+export default Members;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/hooks.ts b/packages/console/src/pages/TenantSettings/TenantMembers/hooks.ts
new file mode 100644
index 00000000000..b154f551f9b
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/hooks.ts
@@ -0,0 +1,68 @@
+import { OrganizationInvitationStatus } from '@logto/schemas';
+import { useContext, useMemo } from 'react';
+import useSWR from 'swr';
+
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import { type TenantInvitationResponse, type TenantMemberResponse } from '@/cloud/types/router';
+import { SubscriptionDataContext } from '@/contexts/SubscriptionDataProvider';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import { type RequestError } from '@/hooks/use-api';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
+import { hasReachedQuotaLimit, hasSurpassedQuotaLimit } from '@/utils/quota';
+
+const useTenantMembersUsage = () => {
+  const { currentPlan } = useContext(SubscriptionDataContext);
+  const { currentTenantId } = useContext(TenantsContext);
+  const { canInviteMember } = useCurrentTenantScopes();
+
+  const cloudApi = useAuthedCloudApi();
+
+  const { data: members } = useSWR<TenantMemberResponse[], RequestError>(
+    `api/tenants/:tenantId/members`,
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/members', { params: { tenantId: currentTenantId } })
+  );
+  const { data: invitations } = useSWR<TenantInvitationResponse[], RequestError>(
+    canInviteMember && 'api/tenants/:tenantId/invitations',
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/invitations', { params: { tenantId: currentTenantId } })
+  );
+
+  const pendingInvitations = useMemo(
+    () => invitations?.filter(({ status }) => status === OrganizationInvitationStatus.Pending),
+    [invitations]
+  );
+
+  const usage = useMemo(() => {
+    return (members?.length ?? 0) + (pendingInvitations?.length ?? 0);
+  }, [members?.length, pendingInvitations?.length]);
+
+  const hasTenantMembersReachedLimit = useMemo(
+    () =>
+      hasReachedQuotaLimit({
+        quotaKey: 'tenantMembersLimit',
+        plan: currentPlan,
+        usage,
+      }),
+    [currentPlan, usage]
+  );
+
+  const hasTenantMembersSurpassedLimit = useMemo(
+    () =>
+      hasSurpassedQuotaLimit({
+        quotaKey: 'tenantMembersLimit',
+        plan: currentPlan,
+        usage,
+      }),
+    [currentPlan, usage]
+  );
+
+  return {
+    hasTenantMembersReachedLimit,
+    hasTenantMembersSurpassedLimit,
+    usage,
+    limit: currentPlan.quota.tenantMembersLimit ?? Number.POSITIVE_INFINITY,
+  };
+};
+
+export default useTenantMembersUsage;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/index.module.scss b/packages/console/src/pages/TenantSettings/TenantMembers/index.module.scss
new file mode 100644
index 00000000000..bb444a0dd5d
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/index.module.scss
@@ -0,0 +1,64 @@
+@use '@/scss/underscore' as _;
+
+.container {
+  display: flex;
+  flex-direction: column;
+  gap: _.unit(4);
+
+  .chargeNotification {
+    margin: _.unit(4) 0 0;
+  }
+
+  .tabButtons {
+    display: flex;
+    align-items: center;
+    gap: _.unit(4);
+
+    .button {
+      border-radius: 100px;
+      border-color: var(--color-surface-5);
+      background: var(--color-layer-1);
+      height: 34px;
+      padding: 0 _.unit(3);
+      transition: none;
+
+      svg {
+        color: var(--color-text-link);
+      }
+
+      &:active {
+        background: var(--color-overlay-primary-pressed);
+      }
+
+      &:not(:disabled):not(:active):hover {
+        background: var(--color-overlay-primary-hover);
+      }
+
+
+      &.active {
+        background: var(--color-specific-tag-upsell);
+        border-color: var(--color-specific-tag-upsell);
+        color: var(--color-static-white);
+        cursor: default;
+
+        svg {
+          color: var(--color-specific-button-icon);
+        }
+
+        &:not(:disabled):not(:active):hover {
+          background: var(--color-specific-tag-upsell);
+        }
+      }
+    }
+  }
+}
+
+ul {
+  padding-inline-start: _.unit(6);
+
+  > li {
+    font: var(--font-body-2);
+    margin-block: _.unit(2);
+    padding-inline-start: _.unit(1);
+  }
+}
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/index.tsx b/packages/console/src/pages/TenantSettings/TenantMembers/index.tsx
new file mode 100644
index 00000000000..9af808b80df
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/index.tsx
@@ -0,0 +1,107 @@
+import classNames from 'classnames';
+import { useContext, useState } from 'react';
+import { Route, Routes } from 'react-router-dom';
+import useSWRMutation from 'swr/mutation';
+
+import InvitationIcon from '@/assets/icons/invitation.svg';
+import MembersIcon from '@/assets/icons/members.svg';
+import PlusIcon from '@/assets/icons/plus.svg';
+import { useAuthedCloudApi } from '@/cloud/hooks/use-cloud-api';
+import ChargeNotification from '@/components/ChargeNotification';
+import { TenantSettingsTabs } from '@/consts';
+import { TenantsContext } from '@/contexts/TenantsProvider';
+import Button from '@/ds-components/Button';
+import Spacer from '@/ds-components/Spacer';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
+import useTenantPathname from '@/hooks/use-tenant-pathname';
+import NotFound from '@/pages/NotFound';
+
+import Invitations from './Invitations';
+import InviteMemberModal from './InviteMemberModal';
+import Members from './Members';
+import useTenantMembersUsage from './hooks';
+import * as styles from './index.module.scss';
+
+const invitationsRoute = 'invitations';
+
+function TenantMembers() {
+  const { hasTenantMembersSurpassedLimit } = useTenantMembersUsage();
+  const { navigate, match } = useTenantPathname();
+  const [showInviteModal, setShowInviteModal] = useState(false);
+  const { canInviteMember } = useCurrentTenantScopes();
+
+  const isInvitationTab = match(
+    `/tenant-settings/${TenantSettingsTabs.Members}/${invitationsRoute}`
+  );
+
+  const { currentTenantId } = useContext(TenantsContext);
+  const cloudApi = useAuthedCloudApi();
+  const { trigger: mutateInvitations } = useSWRMutation(
+    'api/tenants/:tenantId/invitations',
+    async () =>
+      cloudApi.get('/api/tenants/:tenantId/invitations', { params: { tenantId: currentTenantId } })
+  );
+
+  return (
+    <div className={styles.container}>
+      <ChargeNotification
+        hasSurpassedLimit={hasTenantMembersSurpassedLimit}
+        quotaItemPhraseKey="tenant_member"
+        className={styles.chargeNotification}
+        checkedFlagKey="tenantMember"
+      />
+      {canInviteMember && (
+        <div className={styles.tabButtons}>
+          <Button
+            className={classNames(styles.button, !isInvitationTab && styles.active)}
+            icon={<MembersIcon />}
+            title="tenant_members.members"
+            onClick={() => {
+              navigate('.');
+            }}
+          />
+          <Button
+            className={classNames(styles.button, isInvitationTab && styles.active)}
+            icon={<InvitationIcon />}
+            title="tenant_members.invitations"
+            onClick={() => {
+              navigate('invitations');
+            }}
+          />
+          <Spacer />
+          <Button
+            type="primary"
+            size="large"
+            icon={<PlusIcon />}
+            title="tenant_members.invite_members"
+            onClick={() => {
+              setShowInviteModal(true);
+            }}
+          />
+        </div>
+      )}
+      <Routes>
+        <Route path="*" element={<NotFound />} />
+        <Route index element={<Members />} />
+        {canInviteMember && <Route path={invitationsRoute} element={<Invitations />} />}
+      </Routes>
+      {canInviteMember && (
+        <InviteMemberModal
+          isOpen={showInviteModal}
+          onClose={(isSuccessful) => {
+            setShowInviteModal(false);
+            if (isSuccessful) {
+              if (isInvitationTab) {
+                void mutateInvitations();
+              } else {
+                navigate('invitations');
+              }
+            }
+          }}
+        />
+      )}
+    </div>
+  );
+}
+
+export default TenantMembers;
diff --git a/packages/console/src/pages/TenantSettings/TenantMembers/types.ts b/packages/console/src/pages/TenantSettings/TenantMembers/types.ts
new file mode 100644
index 00000000000..9ec73081977
--- /dev/null
+++ b/packages/console/src/pages/TenantSettings/TenantMembers/types.ts
@@ -0,0 +1,23 @@
+import { type TenantRole } from '@logto/schemas';
+
+import { type Props as TagProps } from '@/ds-components/Tag';
+
+export type InviteeEmailItem = {
+  /**
+   * Generate a random unique id for each option to handle deletion.
+   * Sometimes we may have options with the same value, which is allowed when inputting but prohibited when submitting.
+   */
+  id: string;
+  value: string;
+  /**
+   * The `status` is used to indicate the input status of the email item (could fall into following categories):
+   * - undefined: valid email
+   * - 'info': duplicated email or invalid email format.
+   */
+  status?: Extract<TagProps['status'], 'error'>;
+};
+
+export type InviteMemberForm = {
+  emails: InviteeEmailItem[];
+  role: TenantRole;
+};
diff --git a/packages/console/src/pages/TenantSettings/index.tsx b/packages/console/src/pages/TenantSettings/index.tsx
index 6e6f1a00678..e1daa7c820b 100644
--- a/packages/console/src/pages/TenantSettings/index.tsx
+++ b/packages/console/src/pages/TenantSettings/index.tsx
@@ -6,11 +6,14 @@ import { TenantsContext } from '@/contexts/TenantsProvider';
 import CardTitle from '@/ds-components/CardTitle';
 import DynamicT from '@/ds-components/DynamicT';
 import TabNav, { TabNavItem } from '@/ds-components/TabNav';
+import useCurrentTenantScopes from '@/hooks/use-current-tenant-scopes';
 
 import * as styles from './index.module.scss';
 
 function TenantSettings() {
   const { isDevTenant } = useContext(TenantsContext);
+  const { canManageTenant } = useCurrentTenantScopes();
+
   return (
     <div className={styles.container}>
       <CardTitle
@@ -25,7 +28,10 @@ function TenantSettings() {
         <TabNavItem href={`/tenant-settings/${TenantSettingsTabs.Domains}`}>
           <DynamicT forKey="tenants.tabs.domains" />
         </TabNavItem>
-        {!isDevTenant && (
+        <TabNavItem href={`/tenant-settings/${TenantSettingsTabs.Members}`}>
+          <DynamicT forKey="tenants.tabs.members" />
+        </TabNavItem>
+        {!isDevTenant && canManageTenant && (
           <>
             <TabNavItem href={`/tenant-settings/${TenantSettingsTabs.Subscription}`}>
               <DynamicT forKey="tenants.tabs.subscription" />
diff --git a/packages/console/src/pages/UserDetails/utils.ts b/packages/console/src/pages/UserDetails/utils.ts
index 053d6f8d582..f6e32b82ff5 100644
--- a/packages/console/src/pages/UserDetails/utils.ts
+++ b/packages/console/src/pages/UserDetails/utils.ts
@@ -1,11 +1,11 @@
-import type { User } from '@logto/schemas';
+import type { UserProfileResponse } from '@logto/schemas';
 import { formatToInternationalPhoneNumber } from '@logto/shared/universal';
 import { conditional } from '@silverhand/essentials';
 
 import type { UserDetailsForm } from './types';
 
 export const userDetailsParser = {
-  toLocalForm: (data: User): UserDetailsForm => {
+  toLocalForm: (data: UserProfileResponse): UserDetailsForm => {
     const { primaryEmail, primaryPhone, username, name, avatar, customData } = data;
     const parsedPhoneNumber = conditional(
       primaryPhone && formatToInternationalPhoneNumber(primaryPhone)
diff --git a/packages/console/src/pages/WebhookDetails/WebhookLogs/index.tsx b/packages/console/src/pages/WebhookDetails/WebhookLogs/index.tsx
index 290c73fb29b..e4a24c6d167 100644
--- a/packages/console/src/pages/WebhookDetails/WebhookLogs/index.tsx
+++ b/packages/console/src/pages/WebhookDetails/WebhookLogs/index.tsx
@@ -21,7 +21,7 @@ import { type WebhookDetailsOutletContext } from '../types';
 
 import * as styles from './index.module.scss';
 
-const hooLogEventOptions = Object.values(HookEvent).map((event) => ({
+const hookLogEventOptions = Object.values(HookEvent).map((event) => ({
   title: <DynamicT forKey={hookEventLabel[event]} />,
   value: hookEventLogKey[event],
 }));
@@ -64,7 +64,7 @@ function WebhookLogs() {
           <div className={styles.eventSelector}>
             <EventSelector
               value={event}
-              options={hooLogEventOptions}
+              options={hookLogEventOptions}
               onChange={(event) => {
                 updateSearchParameters({ event, page: undefined });
               }}
diff --git a/packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.tsx b/packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.tsx
index 1b62efa2ec5..c9d4bcc9938 100644
--- a/packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.tsx
+++ b/packages/console/src/pages/WebhookDetails/WebhookSettings/CustomHeaderField/index.tsx
@@ -1,16 +1,11 @@
+import { useCallback, useMemo } from 'react';
 import { useFieldArray, useFormContext } from 'react-hook-form';
 import { useTranslation } from 'react-i18next';
 
-import CirclePlus from '@/assets/icons/circle-plus.svg';
-import Minus from '@/assets/icons/minus.svg';
-import Button from '@/ds-components/Button';
 import FormField from '@/ds-components/FormField';
-import IconButton from '@/ds-components/IconButton';
-import TextInput from '@/ds-components/TextInput';
+import KeyValueInputField from '@/ds-components/KeyValueInputField';
 import { type WebhookDetailsFormType } from '@/pages/WebhookDetails/types';
 
-import * as styles from './index.module.scss';
-
 const isValidHeaderKey = (key: string) => {
   return /^[\u0021-\u0039\u003B-\u007E]+$/.test(key);
 };
@@ -21,6 +16,7 @@ const isValidHeaderValue = (value: string) => {
 
 function CustomHeaderField() {
   const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+
   const {
     control,
     register,
@@ -37,101 +33,81 @@ function CustomHeaderField() {
     name: 'headers',
   });
 
-  const keyValidator = (key: string, index: number) => {
-    const headers = getValues('headers');
-    if (!headers) {
-      return true;
-    }
+  const validateKey = useCallback(
+    (key: string, index: number) => {
+      const headers = getValues('headers');
+      if (!headers) {
+        return true;
+      }
 
-    if (headers.filter(({ key: _key }) => _key.length > 0 && _key === key).length > 1) {
-      return t('webhook_details.settings.key_duplicated_error');
-    }
+      if (headers.filter(({ key: _key }) => _key.length > 0 && _key === key).length > 1) {
+        return t('webhook_details.settings.key_duplicated_error');
+      }
 
-    const correspondValue = getValues(`headers.${index}.value`);
-    if (correspondValue) {
-      return Boolean(key) || t('webhook_details.settings.key_missing_error');
-    }
+      const correspondValue = getValues(`headers.${index}.value`);
+      if (correspondValue) {
+        return Boolean(key) || t('webhook_details.settings.key_missing_error');
+      }
 
-    if (Boolean(key) && !isValidHeaderKey(key)) {
-      return t('webhook_details.settings.invalid_key_error');
-    }
+      if (Boolean(key) && !isValidHeaderKey(key)) {
+        return t('webhook_details.settings.invalid_key_error');
+      }
 
-    return true;
-  };
+      return true;
+    },
+    [getValues, t]
+  );
 
-  const valueValidator = (value: string, index: number) => {
-    if (Boolean(value) && !isValidHeaderValue(value)) {
-      return t('webhook_details.settings.invalid_value_error');
-    }
+  const validateValue = useCallback(
+    (value: string, index: number) => {
+      if (Boolean(value) && !isValidHeaderValue(value)) {
+        return t('webhook_details.settings.invalid_value_error');
+      }
 
-    return getValues(`headers.${index}.key`)
-      ? Boolean(value) || t('webhook_details.settings.value_missing_error')
-      : true;
-  };
+      return getValues(`headers.${index}.key`)
+        ? Boolean(value) || t('webhook_details.settings.value_missing_error')
+        : true;
+    },
+    [getValues, t]
+  );
 
-  const revalidate = () => {
+  const revalidate = useCallback(() => {
     for (const [index] of fields.entries()) {
       void trigger(`headers.${index}.key`);
       if (submitCount > 0) {
         void trigger(`headers.${index}.value`);
       }
     }
-  };
+  }, [fields, submitCount, trigger]);
+
+  const getInputFieldProps = useMemo(
+    () => ({
+      key: (index: number) =>
+        register(`headers.${index}.key`, {
+          validate: (key) => validateKey(key, index),
+          onChange: revalidate,
+        }),
+      value: (index: number) =>
+        register(`headers.${index}.value`, {
+          validate: (value) => validateValue(value, index),
+          onChange: revalidate,
+        }),
+    }),
+    [validateKey, register, revalidate, validateValue]
+  );
 
   return (
     <FormField
       title="webhook_details.settings.custom_headers"
       tip={t('webhook_details.settings.custom_headers_tip')}
     >
-      {fields.map((header, index) => {
-        return (
-          <div key={header.id} className={styles.field}>
-            <div className={styles.input}>
-              <TextInput
-                className={styles.keyInput}
-                placeholder="Key"
-                error={Boolean(headerErrors?.[index]?.key)}
-                {...register(`headers.${index}.key`, {
-                  validate: (key) => keyValidator(key, index),
-                  onChange: revalidate,
-                })}
-              />
-              <TextInput
-                className={styles.valueInput}
-                placeholder="Value"
-                error={Boolean(headerErrors?.[index]?.value)}
-                {...register(`headers.${index}.value`, {
-                  validate: (value) => valueValidator(value, index),
-                  onChange: revalidate,
-                })}
-              />
-              {fields.length > 1 && (
-                <IconButton
-                  onClick={() => {
-                    remove(index);
-                  }}
-                >
-                  <Minus />
-                </IconButton>
-              )}
-            </div>
-            {headerErrors?.[index]?.key?.message && (
-              <div className={styles.error}>{headerErrors[index]?.key?.message}</div>
-            )}
-            {headerErrors?.[index]?.value?.message && (
-              <div className={styles.error}>{headerErrors[index]?.value?.message}</div>
-            )}
-          </div>
-        );
-      })}
-      <Button
-        size="small"
-        type="text"
-        title="general.add_another"
-        icon={<CirclePlus />}
-        onClick={() => {
-          append({ key: '', value: '' });
-        }}
+      <KeyValueInputField
+        fields={fields}
+        // Force headerErrors to be an array, otherwise return undefined
+        errors={headerErrors?.map?.((error) => error)}
+        getInputFieldProps={getInputFieldProps}
+        onAppend={append}
+        onRemove={remove}
       />
     </FormField>
   );
diff --git a/packages/console/src/scss/_underscore.scss b/packages/console/src/scss/_underscore.scss
index 5c8159ad155..6813f7680bf 100644
--- a/packages/console/src/scss/_underscore.scss
+++ b/packages/console/src/scss/_underscore.scss
@@ -5,7 +5,7 @@
 }
 
 @mixin main-content-width {
-  max-width: 1168px;
+  max-width: 1300px;
   min-width: 560px;
   margin: 0 auto;
 }
diff --git a/packages/console/src/scss/normalized.scss b/packages/console/src/scss/normalized.scss
index fe26a155683..982cc7de9ba 100644
--- a/packages/console/src/scss/normalized.scss
+++ b/packages/console/src/scss/normalized.scss
@@ -9,6 +9,7 @@ body {
   color: var(--color-text);
   -webkit-font-smoothing: antialiased;
   -moz-osx-font-smoothing: auto;
+  min-height: 100vh;
 }
 
 * {
diff --git a/packages/console/src/utils/user.ts b/packages/console/src/utils/user.ts
index 6e81cc191cd..5ea997be881 100644
--- a/packages/console/src/utils/user.ts
+++ b/packages/console/src/utils/user.ts
@@ -1,11 +1,11 @@
-import type { User } from '@logto/schemas';
+import type { UserInfo } from '@logto/schemas';
 import { getUserDisplayName } from '@logto/shared/universal';
 import { t } from 'i18next';
 
-export const getUserTitle = (user?: User): string =>
+export const getUserTitle = (user?: Partial<UserInfo>): string =>
   (user ? getUserDisplayName(user) : undefined) ?? t('admin_console.users.unnamed');
 
-export const getUserSubtitle = (user?: User) => {
+export const getUserSubtitle = (user?: Partial<UserInfo>) => {
   if (!user?.name) {
     return;
   }
diff --git a/packages/console/tsconfig.scripts.gen.json b/packages/console/tsconfig.scripts.gen.json
new file mode 100644
index 00000000000..ac248a2ce7f
--- /dev/null
+++ b/packages/console/tsconfig.scripts.gen.json
@@ -0,0 +1,7 @@
+{
+  "extends": "@silverhand/ts-config/tsconfig.base",
+  "compilerOptions": {
+    "outDir": "scripts-js"
+  },
+  "include": ["scripts"]
+}
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
index ed651e7c328..e8c4dd10bc6 100644
--- a/packages/core/CHANGELOG.md
+++ b/packages/core/CHANGELOG.md
@@ -1,5 +1,101 @@
 # Change Log
 
+## 1.15.0
+
+### Minor Changes
+
+- 172411946: Add avatar and customData fields to create user API (POST /api/users)
+- abffb9f95: full oidc standard claims support
+
+  We have added support for the remaining [OpenID Connect standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
+
+  Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
+
+  For all newly introduced claims, we store them in the `user.profile` field.
+
+  > ![Note]
+  > Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
+
+- 2cbc591ff: support `first_screen` parameter in authentication request
+
+  Sign-in experience can be initiated with a specific screen by setting the `first_screen` parameter in the OIDC authentication request. This parameter is intended to replace the `interaction_mode` parameter, which is now deprecated.
+
+  The `first_screen` parameter can have the following values:
+
+  - `signIn`: The sign-in screen is displayed first.
+  - `register`: The registration screen is displayed first.
+
+  Here's a non-normative example of how to use the `first_screen` parameter:
+
+  ```
+  GET /authorize?
+    response_type=code
+    &client_id=your_client_id
+    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
+    &scope=openid
+    &state=af0ifjsldkj
+    &nonce=n-0S6_WzA2Mj
+    &first_screen=signIn
+  ```
+
+  When `first_screen` is set, the legacy `interaction_mode` parameter is ignored.
+
+- 468558721: Get organization roles with search keyword.
+- cc01acbd0: Create a new user through API with password digest and corresponding algorithm
+- 2cbc591ff: support direct sign-in
+
+  Instead of showing a screen for the user to choose between the sign-in methods, a specific sign-in method can be initiated directly by setting the `direct_sign_in` parameter in the OIDC authentication request.
+
+  This parameter follows the format of `direct_sign_in=<method>:<target>`, where:
+
+  - `<method>` is the sign-in method to trigger. Currently the only supported value is `social`.
+  - `<target>` is the target value for the sign-in method. If the method is `social`, the value is the social connector's `target`.
+
+  When a valid `direct_sign_in` parameter is set, the first screen will be skipped and the specified sign-in method will be triggered immediately upon entering the sign-in experience. If the parameter is invalid, the default behavior of showing the first screen will be used.
+
+### Patch Changes
+
+- 7c22c50cb: Fix SSO connector new user authentication internal server error.
+
+  ## Description
+
+  Thanks to the [issue](https://github.com/logto-io/logto/issues/5502) report, we found that the SSO connector new user authentication was causing an internal server error. Should return an 422 status code instead of 500. Frontend sign-in page can not handle the 500 error and complete the new user registration process.
+
+  ### Root cause
+
+  When the SSO connector returns a new user that does not exist in the Logto database, the backend with throw a 422 error. Frontend relies the 422 error to redirect and complete the new user registration process.
+
+  However, the backend was throwing a 500 error instead. That is because we applied a strict API response status code guard at the koaGuard middleware level. The status code 422 was not listed. Therefore, the middleware threw a 500 error.
+
+  ### Solution
+
+  We added the 422 status code to the koaGuard middleware. Now, the backend will return a 422 status code when the SSO connector returns a new user that does not exist in the Logto database. The frontend sign-in page can handle the 422 error and complete the new user registration process.
+
+- Updated dependencies [5758f84f5]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [7756f50f8]
+- Updated dependencies [abffb9f95]
+- Updated dependencies [746483c49]
+- Updated dependencies [2cbc591ff]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [cc01acbd0]
+- Updated dependencies [2cbc591ff]
+- Updated dependencies [951865859]
+- Updated dependencies [5a7204571]
+- Updated dependencies [2cbc591ff]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/console@1.13.0
+  - @logto/phrases@1.10.0
+  - @logto/connector-kit@3.0.0
+  - @logto/experience@1.6.0
+  - @logto/core-kit@2.4.0
+  - @logto/schemas@1.15.0
+  - @logto/phrases-experience@1.6.1
+  - @logto/demo-app@1.2.0
+  - @logto/cli@1.15.0
+  - @logto/shared@3.1.0
+
 ## 1.14.0
 
 ### Minor Changes
diff --git a/packages/core/package.json b/packages/core/package.json
index 1cbd889480a..4941a09bfd9 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/core",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "description": "The open source identity solution.",
   "main": "build/index.js",
   "author": "Silverhand Inc. <contact@silverhand.io>",
@@ -32,20 +32,20 @@
     "@koa/cors": "^5.0.0",
     "@logto/affiliate": "^0.1.0",
     "@logto/app-insights": "workspace:^1.4.0",
-    "@logto/cli": "workspace:^1.14.0",
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/cli": "workspace:^1.15.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@logto/console": "workspace:*",
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/demo-app": "workspace:*",
     "@logto/experience": "workspace:*",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/phrases-experience": "workspace:^1.6.0",
-    "@logto/schemas": "workspace:^1.14.0",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/phrases-experience": "workspace:^1.6.1",
+    "@logto/schemas": "workspace:^1.15.0",
     "@logto/shared": "workspace:^3.1.0",
     "@silverhand/essentials": "^2.9.0",
     "@simplewebauthn/server": "^9.0.0",
-    "@withtyped/client": "^0.7.22",
+    "@withtyped/client": "^0.8.4",
     "camelcase": "^8.0.0",
     "camelcase-keys": "^9.0.0",
     "chalk": "^5.0.0",
@@ -85,15 +85,13 @@
     "roarr": "^7.11.0",
     "samlify": "2.8.10",
     "semver": "^7.3.8",
-    "slonik": "^30.0.0",
-    "slonik-interceptor-preset": "^1.2.10",
-    "slonik-sql-tag-raw": "^1.1.4",
-    "snake-case": "^3.0.4",
-    "snakecase-keys": "^6.0.0",
+    "@silverhand/slonik": "31.0.0-beta.2",
+    "snake-case": "^4.0.0",
+    "snakecase-keys": "^7.0.0",
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@logto/cloud": "0.2.5-faca9a9",
+    "@logto/cloud": "0.2.5-ab8a489",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
     "@types/debug": "^4.1.7",
diff --git a/packages/core/src/__mocks__/index.ts b/packages/core/src/__mocks__/index.ts
index 0157329384a..119ef647e94 100644
--- a/packages/core/src/__mocks__/index.ts
+++ b/packages/core/src/__mocks__/index.ts
@@ -11,7 +11,13 @@ import type {
   Scope,
   UsersRole,
 } from '@logto/schemas';
-import { RoleType, ApplicationType, LogtoOidcConfigKey, DomainStatus } from '@logto/schemas';
+import {
+  RoleType,
+  ApplicationType,
+  LogtoOidcConfigKey,
+  DomainStatus,
+  LogtoJwtTokenKey,
+} from '@logto/schemas';
 
 import { protectedAppSignInCallbackUrl } from '#src/constants/index.js';
 import { mockId } from '#src/test-utils/nanoid.js';
@@ -159,7 +165,7 @@ export const mockCookieKeys: OidcConfigKey[] = [
   { id: 'cookie', value: 'bar', createdAt: 987_654_321 },
 ];
 
-export const mockLogtoConfigs: LogtoConfig[] = [
+const mockLogtoConfigs: LogtoConfig[] = [
   {
     tenantId: 'fake_tenant',
     key: LogtoOidcConfigKey.PrivateKeys,
@@ -172,6 +178,14 @@ export const mockLogtoConfigs: LogtoConfig[] = [
   },
 ];
 
+export const mockLogtoConfigRows = {
+  rows: mockLogtoConfigs,
+  rowCount: mockLogtoConfigs.length,
+  command: 'SELECT' as const,
+  fields: [],
+  notices: [],
+};
+
 export const mockPasscode: Passcode = {
   tenantId: 'fake_tenant',
   id: 'foo',
@@ -198,3 +212,30 @@ export const mockApplicationRole: ApplicationsRole = {
   applicationId: 'application_id',
   roleId: 'role_id',
 };
+
+export const mockJwtCustomizerConfigForAccessToken = {
+  tenantId: 'fake_tenant',
+  key: LogtoJwtTokenKey.AccessToken,
+  value: {
+    script: 'console.log("hello world");',
+    environmentVariables: {
+      API_KEY: '<api-key>',
+    },
+    contextSample: {
+      user: {
+        username: 'user',
+      },
+    },
+  },
+};
+
+export const mockJwtCustomizerConfigForClientCredentials = {
+  tenantId: 'fake_tenant',
+  key: LogtoJwtTokenKey.ClientCredentials,
+  value: {
+    script: 'console.log("hello world");',
+    environmentVariables: {
+      API_KEY: '<api-key>',
+    },
+  },
+};
diff --git a/packages/core/src/__mocks__/user.ts b/packages/core/src/__mocks__/user.ts
index f9883193ebf..14bfe03f1cf 100644
--- a/packages/core/src/__mocks__/user.ts
+++ b/packages/core/src/__mocks__/user.ts
@@ -8,7 +8,8 @@ export const mockUser: User = {
   username: 'foo',
   primaryEmail: 'foo@logto.io',
   primaryPhone: '111111',
-  passwordEncrypted: 'password',
+  passwordEncrypted:
+    '$argon2i$v=19$m=4096,t=256,p=1$SYD0xSoVR8l+CN63Nz8fGw$ln5T09X9u4yd0DwLBKnlNV/eUHxwSWo32scw40ov4kI',
   passwordEncryptionMethod: UsersPasswordEncryptionMethod.Argon2i,
   name: null,
   avatar: null,
@@ -18,9 +19,11 @@ export const mockUser: User = {
   logtoConfig: {},
   mfaVerifications: [],
   customData: {},
+  profile: {},
   applicationId: 'bar',
   lastSignInAt: 1_650_969_465_789,
   createdAt: 1_650_969_000_000,
+  updatedAt: 1_650_969_000_000,
   isSuspended: false,
 };
 
@@ -72,9 +75,11 @@ export const mockUserWithPassword: User = {
   customData: {},
   logtoConfig: {},
   mfaVerifications: [],
+  profile: {},
   applicationId: 'bar',
   lastSignInAt: 1_650_969_465_789,
   createdAt: 1_650_969_000_000,
+  updatedAt: 1_650_969_000_000,
   isSuspended: false,
 };
 
@@ -93,9 +98,11 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
     createdAt: 1_650_969_000_000,
+    updatedAt: 1_650_969_000_000,
     isSuspended: false,
   },
   {
@@ -112,9 +119,11 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
     createdAt: 1_650_969_000_000,
+    updatedAt: 1_650_969_000_000,
     isSuspended: false,
   },
   {
@@ -131,9 +140,11 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
     createdAt: 1_650_969_000_000,
+    updatedAt: 1_650_969_000_000,
     isSuspended: false,
   },
   {
@@ -150,9 +161,11 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
     createdAt: 1_650_969_000_000,
+    updatedAt: 1_650_969_000_000,
     isSuspended: false,
   },
   {
@@ -169,9 +182,11 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
     createdAt: 1_650_969_000_000,
+    updatedAt: 1_650_969_000_000,
     isSuspended: false,
   },
 ];
diff --git a/packages/core/src/app/init.ts b/packages/core/src/app/init.ts
index 4ffdb811ca2..5ac044affee 100644
--- a/packages/core/src/app/init.ts
+++ b/packages/core/src/app/init.ts
@@ -29,7 +29,7 @@ export default async function initApp(app: Koa): Promise<void> {
       return next();
     }
 
-    const tenantId = await getTenantId(ctx.URL);
+    const [tenantId, isCustomDomain] = await getTenantId(ctx.URL);
 
     if (!tenantId) {
       ctx.status = 404;
@@ -37,7 +37,11 @@ export default async function initApp(app: Koa): Promise<void> {
       return next();
     }
 
-    const tenant = await trySafe(tenantPool.get(tenantId), (error) => {
+    // If the request is a custom domain of the tenant, use the custom endpoint to build "OIDC issuer"
+    // otherwise, build from the default endpoint (subdomain).
+    const customEndpoint = isCustomDomain ? ctx.URL.origin : undefined;
+
+    const tenant = await trySafe(tenantPool.get(tenantId, customEndpoint), (error) => {
       ctx.status = error instanceof TenantNotFoundError ? 404 : 500;
       void appInsights.trackException(error);
     });
diff --git a/packages/core/src/database/delete-by-id.ts b/packages/core/src/database/delete-by-id.ts
index 36d073e2661..c98d110a4ba 100644
--- a/packages/core/src/database/delete-by-id.ts
+++ b/packages/core/src/database/delete-by-id.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 
diff --git a/packages/core/src/database/find-all-entities.ts b/packages/core/src/database/find-all-entities.ts
index 6da12f92b61..41e6a64da36 100644
--- a/packages/core/src/database/find-all-entities.ts
+++ b/packages/core/src/database/find-all-entities.ts
@@ -1,6 +1,7 @@
 import { type GeneratedSchema, type SchemaLike } from '@logto/schemas';
-import { conditionalSql, convertToIdentifiers, manyRows } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
+
+import { conditionalSql, convertToIdentifiers, manyRows } from '#src/utils/sql.js';
 
 import { buildSearchSql, expandFields, type SearchOptions } from './utils.js';
 
diff --git a/packages/core/src/database/find-entity-by-id.ts b/packages/core/src/database/find-entity-by-id.ts
index 95076d9fa7f..3454dbddde9 100644
--- a/packages/core/src/database/find-entity-by-id.ts
+++ b/packages/core/src/database/find-entity-by-id.ts
@@ -1,11 +1,11 @@
 import type { SchemaLike, GeneratedSchema } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql, NotFoundError } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql, NotFoundError } from '@silverhand/slonik';
 
 import RequestError from '#src/errors/RequestError/index.js';
 import assertThat from '#src/utils/assert-that.js';
 import { isKeyOf } from '#src/utils/schema.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 type WithId<Key> = Key | 'id';
 
diff --git a/packages/core/src/database/insert-into.test.ts b/packages/core/src/database/insert-into.test.ts
index 79e270c6a03..76cec8045dc 100644
--- a/packages/core/src/database/insert-into.test.ts
+++ b/packages/core/src/database/insert-into.test.ts
@@ -1,9 +1,9 @@
 import type { CreateUser } from '@logto/schemas';
 import { Users } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
 import decamelize from 'decamelize';
 
 import { InsertionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 import { createTestPool } from '#src/utils/test-utils.js';
 
 const { buildInsertIntoWithPool } = await import('./insert-into.js');
diff --git a/packages/core/src/database/insert-into.ts b/packages/core/src/database/insert-into.ts
index eb76499d760..91739592169 100644
--- a/packages/core/src/database/insert-into.ts
+++ b/packages/core/src/database/insert-into.ts
@@ -1,17 +1,17 @@
 import type { GeneratedSchema, SchemaLike } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
+import { has } from '@silverhand/essentials';
+import type { CommonQueryMethods, IdentifierSqlToken } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
+
+import { InsertionError } from '#src/errors/SlonikError/index.js';
+import assertThat from '#src/utils/assert-that.js';
 import {
+  type OmitAutoSetFields,
   convertToIdentifiers,
   excludeAutoSetFields,
   convertToPrimitiveOrSql,
   conditionalSql,
-} from '@logto/shared';
-import { has } from '@silverhand/essentials';
-import type { CommonQueryMethods, IdentifierSqlToken } from 'slonik';
-import { sql } from 'slonik';
-
-import { InsertionError } from '#src/errors/SlonikError/index.js';
-import assertThat from '#src/utils/assert-that.js';
+} from '#src/utils/sql.js';
 
 const setExcluded = (...fields: IdentifierSqlToken[]) =>
   sql.join(
diff --git a/packages/core/src/database/row-count.ts b/packages/core/src/database/row-count.ts
index a56fe4489cf..66b1ee2dd5a 100644
--- a/packages/core/src/database/row-count.ts
+++ b/packages/core/src/database/row-count.ts
@@ -1,7 +1,7 @@
 import { type GeneratedSchema } from '@logto/schemas';
 import { type SchemaLike } from '@logto/shared';
-import type { CommonQueryMethods, IdentifierSqlToken } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods, IdentifierSqlToken } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { type SearchOptions, buildSearchSql } from './utils.js';
 
diff --git a/packages/core/src/database/update-where.ts b/packages/core/src/database/update-where.ts
index 32e559871c9..d602ab0f4f0 100644
--- a/packages/core/src/database/update-where.ts
+++ b/packages/core/src/database/update-where.ts
@@ -1,14 +1,14 @@
 import type { SchemaLike, GeneratedSchema, SchemaValue } from '@logto/schemas';
-import { convertToIdentifiers, convertToPrimitiveOrSql, conditionalSql } from '@logto/shared';
 import type { UpdateWhereData } from '@logto/shared';
 import type { Truthy } from '@silverhand/essentials';
 import { notFalsy } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { UpdateError } from '#src/errors/SlonikError/index.js';
 import assertThat from '#src/utils/assert-that.js';
 import { isKeyOf } from '#src/utils/schema.js';
+import { convertToIdentifiers, convertToPrimitiveOrSql, conditionalSql } from '#src/utils/sql.js';
 
 type BuildUpdateWhere = {
   <
diff --git a/packages/core/src/database/utils.ts b/packages/core/src/database/utils.ts
index 300d430f66b..5c210be81b0 100644
--- a/packages/core/src/database/utils.ts
+++ b/packages/core/src/database/utils.ts
@@ -1,6 +1,8 @@
 import { type GeneratedSchema } from '@logto/schemas';
-import { type SchemaLike, conditionalSql, convertToIdentifiers, type Table } from '@logto/shared';
-import { type SqlSqlToken, sql } from 'slonik';
+import { type SchemaLike, type Table } from '@logto/shared';
+import { type SqlSqlToken, sql } from '@silverhand/slonik';
+
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 /**
  * Options for searching for a string within a set of fields (case-insensitive).
diff --git a/packages/core/src/env-set/check-alteration-state.ts b/packages/core/src/env-set/check-alteration-state.ts
index aa7e82b8cf0..42eaad7c163 100644
--- a/packages/core/src/env-set/check-alteration-state.ts
+++ b/packages/core/src/env-set/check-alteration-state.ts
@@ -1,6 +1,6 @@
 import { getAvailableAlterations } from '@logto/cli/lib/commands/database/alteration/index.js';
+import type { DatabasePool } from '@silverhand/slonik';
 import chalk from 'chalk';
-import type { DatabasePool } from 'slonik';
 
 import { consoleLog } from '#src/utils/console.js';
 
diff --git a/packages/core/src/env-set/create-pool.ts b/packages/core/src/env-set/create-pool.ts
index f0863109f30..6dce0f5327b 100644
--- a/packages/core/src/env-set/create-pool.ts
+++ b/packages/core/src/env-set/create-pool.ts
@@ -1,6 +1,11 @@
 import { assert } from '@silverhand/essentials';
-import { createMockPool, createMockQueryResult, createPool, parseDsn } from 'slonik';
-import { createInterceptors } from 'slonik-interceptor-preset';
+import {
+  createMockPool,
+  createMockQueryResult,
+  createPool,
+  parseDsn,
+  createInterceptorsPreset,
+} from '@silverhand/slonik';
 
 const createPoolByEnv = async (
   databaseDsn: string,
@@ -12,11 +17,12 @@ const createPoolByEnv = async (
     return createMockPool({ query: async () => createMockQueryResult([]) });
   }
 
-  const interceptors = [...createInterceptors()];
-
   assert(parseDsn(databaseDsn).databaseName, new Error('Database name is required'));
 
-  return createPool(databaseDsn, { interceptors, maximumPoolSize: poolSize });
+  return createPool(databaseDsn, {
+    interceptors: createInterceptorsPreset(),
+    maximumPoolSize: poolSize,
+  });
 };
 
 export default createPoolByEnv;
diff --git a/packages/core/src/env-set/index.ts b/packages/core/src/env-set/index.ts
index 7fb599dac50..20b395fd530 100644
--- a/packages/core/src/env-set/index.ts
+++ b/packages/core/src/env-set/index.ts
@@ -1,7 +1,7 @@
 import { GlobalValues } from '@logto/shared';
 import type { Optional } from '@silverhand/essentials';
 import { appendPath } from '@silverhand/essentials';
-import type { DatabasePool } from 'slonik';
+import type { DatabasePool } from '@silverhand/slonik';
 
 import { createLogtoConfigLibrary } from '#src/libraries/logto-config.js';
 import { createLogtoConfigQueries } from '#src/queries/logto-config.js';
@@ -63,7 +63,7 @@ export class EnvSet {
     return this.#oidc;
   }
 
-  async load() {
+  async load(customDomain?: string) {
     const pool = await createPoolByEnv(
       this.databaseUrl,
       EnvSet.values.isUnitTest,
@@ -77,7 +77,9 @@ export class EnvSet {
     });
 
     const oidcConfigs = await getOidcConfigs();
-    const endpoint = getTenantEndpoint(this.tenantId, EnvSet.values);
+    const endpoint = customDomain
+      ? new URL(customDomain)
+      : getTenantEndpoint(this.tenantId, EnvSet.values);
     this.#oidc = await loadOidcValues(appendPath(endpoint, '/oidc').href, oidcConfigs);
   }
 
diff --git a/packages/core/src/errors/RequestError/index.ts b/packages/core/src/errors/RequestError/index.ts
index aaf0b306640..7f36865984b 100644
--- a/packages/core/src/errors/RequestError/index.ts
+++ b/packages/core/src/errors/RequestError/index.ts
@@ -5,7 +5,7 @@ import { conditional, pick } from '@silverhand/essentials';
 import i18next from 'i18next';
 import { ZodError } from 'zod';
 
-const formatZodError = ({ issues }: ZodError): string[] =>
+export const formatZodError = ({ issues }: ZodError): string[] =>
   issues.map((issue) => {
     const base = `Error in key path "${issue.path.map(String).join('.')}": (${issue.code}) `;
 
diff --git a/packages/core/src/errors/SlonikError/index.ts b/packages/core/src/errors/SlonikError/index.ts
index 1f8028464a6..f589014b9ec 100644
--- a/packages/core/src/errors/SlonikError/index.ts
+++ b/packages/core/src/errors/SlonikError/index.ts
@@ -1,6 +1,8 @@
 import type { SchemaLike, GeneratedSchema } from '@logto/schemas';
-import type { OmitAutoSetFields, UpdateWhereData } from '@logto/shared';
-import { SlonikError } from 'slonik';
+import type { UpdateWhereData } from '@logto/shared';
+import { SlonikError } from '@silverhand/slonik';
+
+import { type OmitAutoSetFields } from '#src/utils/sql.js';
 
 export class DeletionError extends SlonikError {
   public constructor(
diff --git a/packages/core/src/errors/SlonikError/slonik-error.test.ts b/packages/core/src/errors/SlonikError/slonik-error.test.ts
index e5df10ff27b..3f65510e0e1 100644
--- a/packages/core/src/errors/SlonikError/slonik-error.test.ts
+++ b/packages/core/src/errors/SlonikError/slonik-error.test.ts
@@ -1,4 +1,4 @@
-import { SlonikError } from 'slonik';
+import { SlonikError } from '@silverhand/slonik';
 
 import { DeletionError } from './index.js';
 
diff --git a/packages/core/src/include.d/slonik-interceptor-preset.d.ts b/packages/core/src/include.d/slonik-interceptor-preset.d.ts
deleted file mode 100644
index 778cb40c066..00000000000
--- a/packages/core/src/include.d/slonik-interceptor-preset.d.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-declare module 'slonik-interceptor-preset' {
-  import type { Interceptor } from 'slonik';
-
-  export const createInterceptors: (config?: {
-    benchmarkQueries: boolean;
-    logQueries: boolean;
-    normaliseQueries: boolean;
-    transformFieldNames: boolean;
-  }) => readonly Interceptor[];
-}
diff --git a/packages/core/src/libraries/cloud-connection.test.ts b/packages/core/src/libraries/cloud-connection.test.ts
index 9895fe9aa41..5b42d312a1a 100644
--- a/packages/core/src/libraries/cloud-connection.test.ts
+++ b/packages/core/src/libraries/cloud-connection.test.ts
@@ -34,6 +34,10 @@ const logtoConfigs: LogtoConfigLibrary = {
     resource: 'resource',
   }),
   getOidcConfigs: jest.fn(),
+  upsertJwtCustomizer: jest.fn(),
+  getJwtCustomizer: jest.fn(),
+  getJwtCustomizers: jest.fn(),
+  updateJwtCustomizer: jest.fn(),
 };
 
 describe('getAccessToken()', () => {
diff --git a/packages/core/src/libraries/cloud-connection.ts b/packages/core/src/libraries/cloud-connection.ts
index d09343d06d4..e97e87d3d45 100644
--- a/packages/core/src/libraries/cloud-connection.ts
+++ b/packages/core/src/libraries/cloud-connection.ts
@@ -27,8 +27,9 @@ const accessTokenResponseGuard = z.object({
 /**
  * The scope here can be empty and still work, because the cloud API requests made using this client do not rely on scope verification.
  * The `CloudScope.SendEmail` is added for now because it needs to call the cloud email service API.
+ * The `CloudScope.FetchCustomJwt` is added for now because it needs to call the cloud custom JWT service API.
  */
-const scopes: string[] = [CloudScope.SendEmail];
+const scopes: string[] = [CloudScope.SendEmail, CloudScope.FetchCustomJwt];
 const accessTokenExpirationMargin = 60;
 
 /** The library for connecting to Logto Cloud service. */
diff --git a/packages/core/src/libraries/hook/utils.ts b/packages/core/src/libraries/hook/utils.ts
index f74fdc02c0c..79485401eff 100644
--- a/packages/core/src/libraries/hook/utils.ts
+++ b/packages/core/src/libraries/hook/utils.ts
@@ -65,10 +65,12 @@ export const generateHookTestPayload = (hookId: string, event: HookEvent): HookE
           userId: 'fake-google-user-id',
         },
       },
+      profile: {},
       applicationId: 'fake-application-id',
       isSuspended: false,
       lastSignInAt: now.getTime(),
       createdAt: now.getTime(),
+      updatedAt: now.getTime(),
     },
     application: {
       id: 'fake-spa-application-id',
diff --git a/packages/core/src/libraries/jwt-customizer.ts b/packages/core/src/libraries/jwt-customizer.ts
new file mode 100644
index 00000000000..2e1d73e7b3c
--- /dev/null
+++ b/packages/core/src/libraries/jwt-customizer.ts
@@ -0,0 +1,71 @@
+import type { JwtCustomizerUserContext } from '@logto/schemas';
+import { userInfoSelectFields, jwtCustomizerUserContextGuard } from '@logto/schemas';
+import { deduplicate, pick, pickState } from '@silverhand/essentials';
+
+import { type ScopeLibrary } from '#src/libraries/scope.js';
+import { type UserLibrary } from '#src/libraries/user.js';
+import type Queries from '#src/tenants/Queries.js';
+
+export const createJwtCustomizerLibrary = (
+  queries: Queries,
+  userLibrary: UserLibrary,
+  scopeLibrary: ScopeLibrary
+) => {
+  const {
+    users: { findUserById },
+    rolesScopes: { findRolesScopesByRoleIds },
+    scopes: { findScopesByIds },
+    userSsoIdentities,
+    organizations: { relations },
+  } = queries;
+  const { findUserRoles } = userLibrary;
+  const { attachResourceToScopes } = scopeLibrary;
+
+  /**
+   * We does not include org roles' scopes for the following reason:
+   * 1. The org scopes query method requires `limit` and `offset` parameters. Other management API get
+   * these APIs from console setup while this library method is a backend used method.
+   * 2. Logto developers can get the org roles' id from this user context and hence query the org roles' scopes via management API.
+   */
+  const getUserContext = async (userId: string): Promise<JwtCustomizerUserContext> => {
+    const user = await findUserById(userId);
+    const fullSsoIdentities = await userSsoIdentities.findUserSsoIdentitiesByUserId(userId);
+    const roles = await findUserRoles(userId);
+    const rolesScopes = await findRolesScopesByRoleIds(roles.map(({ id }) => id));
+    const scopeIds = rolesScopes.map(({ scopeId }) => scopeId);
+    const scopes = await findScopesByIds(scopeIds);
+    const scopesWithResources = await attachResourceToScopes(scopes);
+    const organizationsWithRoles = await relations.users.getOrganizationsByUserId(userId);
+    const userContext = {
+      ...pick(user, ...userInfoSelectFields),
+      ssoIdentities: fullSsoIdentities.map(pickState('issuer', 'identityId', 'detail')),
+      mfaVerificationFactors: deduplicate(user.mfaVerifications.map(({ type }) => type)),
+      roles: roles.map((role) => {
+        const scopeIds = new Set(
+          rolesScopes.filter(({ roleId }) => roleId === role.id).map(({ scopeId }) => scopeId)
+        );
+        return {
+          ...pick(role, 'id', 'name', 'description'),
+          scopes: scopesWithResources
+            .filter(({ id }) => scopeIds.has(id))
+            .map(pickState('id', 'name', 'description', 'resourceId', 'resource')),
+        };
+      }),
+      organizations: organizationsWithRoles.map(pickState('id', 'name', 'description')),
+      organizationRoles: organizationsWithRoles.flatMap(
+        ({ id: organizationId, organizationRoles }) =>
+          organizationRoles.map(({ id: roleId, name: roleName }) => ({
+            organizationId,
+            roleId,
+            roleName,
+          }))
+      ),
+    };
+
+    return jwtCustomizerUserContextGuard.parse(userContext);
+  };
+
+  return {
+    getUserContext,
+  };
+};
diff --git a/packages/core/src/libraries/logto-config.ts b/packages/core/src/libraries/logto-config.ts
index 96d2a026d89..01438e4b604 100644
--- a/packages/core/src/libraries/logto-config.ts
+++ b/packages/core/src/libraries/logto-config.ts
@@ -1,20 +1,28 @@
-import type { LogtoOidcConfigType } from '@logto/schemas';
 import {
   cloudApiIndicator,
   cloudConnectionDataGuard,
   logtoOidcConfigGuard,
   LogtoOidcConfigKey,
+  jwtCustomizerConfigGuard,
+  LogtoConfigs,
+  LogtoJwtTokenKey,
 } from '@logto/schemas';
+import type { LogtoOidcConfigType, CloudConnectionData, JwtCustomizerType } from '@logto/schemas';
 import chalk from 'chalk';
 import { z, ZodError } from 'zod';
 
+import RequestError from '#src/errors/RequestError/index.js';
 import type Queries from '#src/tenants/Queries.js';
 import { consoleLog } from '#src/utils/console.js';
 
 export type LogtoConfigLibrary = ReturnType<typeof createLogtoConfigLibrary>;
 
 export const createLogtoConfigLibrary = ({
-  logtoConfigs: { getRowsByKeys, getCloudConnectionData: queryCloudConnectionData },
+  logtoConfigs: {
+    getRowsByKeys,
+    getCloudConnectionData: queryCloudConnectionData,
+    upsertJwtCustomizer: queryUpsertJwtCustomizer,
+  },
 }: Pick<Queries, 'logtoConfigs'>) => {
   const getOidcConfigs = async (): Promise<LogtoOidcConfigType> => {
     try {
@@ -44,7 +52,7 @@ export const createLogtoConfigLibrary = ({
     }
   };
 
-  const getCloudConnectionData = async () => {
+  const getCloudConnectionData = async (): Promise<CloudConnectionData> => {
     const { value } = await queryCloudConnectionData();
     const result = cloudConnectionDataGuard.safeParse(value);
 
@@ -59,5 +67,74 @@ export const createLogtoConfigLibrary = ({
     };
   };
 
-  return { getOidcConfigs, getCloudConnectionData };
+  // Can not narrow down the type of value if we utilize `buildInsertIntoWithPool` method.
+  const upsertJwtCustomizer = async <T extends LogtoJwtTokenKey>(
+    key: T,
+    value: z.infer<(typeof jwtCustomizerConfigGuard)[T]>
+  ) => {
+    const { value: rawValue } = await queryUpsertJwtCustomizer(key, value);
+
+    return {
+      key,
+      value: jwtCustomizerConfigGuard[key].parse(rawValue),
+    };
+  };
+
+  const getJwtCustomizer = async <T extends LogtoJwtTokenKey>(key: T) => {
+    const { rows } = await getRowsByKeys([key]);
+
+    // If the record does not exist (`rows` is empty)
+    if (rows.length === 0) {
+      throw new RequestError({
+        code: 'entity.not_exists_with_id',
+        name: LogtoConfigs.tableSingular,
+        id: key,
+        status: 404,
+      });
+    }
+
+    return z.object({ value: jwtCustomizerConfigGuard[key] }).parse(rows[0]).value;
+  };
+
+  const getJwtCustomizers = async (): Promise<Partial<JwtCustomizerType>> => {
+    try {
+      const { rows } = await getRowsByKeys(Object.values(LogtoJwtTokenKey));
+
+      return z
+        .object(jwtCustomizerConfigGuard)
+        .partial()
+        .parse(Object.fromEntries(rows.map(({ key, value }) => [key, value])));
+    } catch (error: unknown) {
+      if (error instanceof ZodError) {
+        consoleLog.error(
+          error.issues
+            .map(({ message, path }) => `${message} at ${chalk.green(path.join('.'))}`)
+            .join('\n')
+        );
+      } else {
+        consoleLog.error(error);
+      }
+
+      throw new Error('Failed to get JWT customizers');
+    }
+  };
+
+  const updateJwtCustomizer = async <T extends LogtoJwtTokenKey>(
+    key: T,
+    value: JwtCustomizerType[T]
+  ): Promise<JwtCustomizerType[T]> => {
+    const originValue = await getJwtCustomizer(key);
+    const result = jwtCustomizerConfigGuard[key].parse({ ...originValue, ...value });
+    const updatedRow = await upsertJwtCustomizer(key, result);
+    return updatedRow.value;
+  };
+
+  return {
+    getOidcConfigs,
+    getCloudConnectionData,
+    upsertJwtCustomizer,
+    getJwtCustomizer,
+    getJwtCustomizers,
+    updateJwtCustomizer,
+  };
 };
diff --git a/packages/core/src/libraries/organization-invitation.ts b/packages/core/src/libraries/organization-invitation.ts
index 5677c2fac4c..17859be08bd 100644
--- a/packages/core/src/libraries/organization-invitation.ts
+++ b/packages/core/src/libraries/organization-invitation.ts
@@ -14,8 +14,6 @@ import type Queries from '#src/tenants/Queries.js';
 
 import { type ConnectorLibrary } from './connector.js';
 
-const invitationLinkPath = '/invitation';
-
 /**
  * The ending statuses of an organization invitation per RFC 0003. It means that the invitation
  * status cannot be changed anymore.
@@ -58,8 +56,21 @@ export class OrganizationInvitationLibrary {
   ) {
     const { inviterId, invitee, organizationId, expiresAt, organizationRoleIds } = data;
 
+    if (await this.queries.organizations.relations.users.isMember(organizationId, invitee)) {
+      throw new RequestError({
+        status: 422,
+        code: 'request.invalid_input',
+        details: 'The invitee is already a member of the organization.',
+      });
+    }
+
     return this.queries.pool.transaction(async (connection) => {
       const organizationQueries = new OrganizationQueries(connection);
+      // Check if any pending invitation has expired, if yes, update the invitation status to "Expired" first
+      // Note: Even if the status may appear to be "Expired", the actual data in DB may still be "Pending".
+      // Check `findEntities` in `OrganizationQueries` for more details.
+      await organizationQueries.invitations.updateExpiredEntities({ invitee, organizationId });
+      // Insert the new invitation
       const invitation = await organizationQueries.invitations.insert({
         id: generateStandardId(),
         inviterId,
@@ -186,7 +197,8 @@ export class OrganizationInvitationLibrary {
     });
   }
 
-  protected async sendEmail(to: string, payload: SendMessagePayload) {
+  /** Send an organization invitation email. */
+  async sendEmail(to: string, payload: SendMessagePayload) {
     const emailConnector = await this.connector.getMessageConnector(ConnectorType.Email);
     return emailConnector.sendMessage({
       to,
diff --git a/packages/core/src/libraries/quota.ts b/packages/core/src/libraries/quota.ts
index 45603bf4ebd..65cf4fb72a5 100644
--- a/packages/core/src/libraries/quota.ts
+++ b/packages/core/src/libraries/quota.ts
@@ -65,6 +65,7 @@ export const createQuotaLibrary = (
       ).length;
       return { count };
     },
+    tenantMembersLimit: notNumber, // Cloud Admin tenant feature, no limit for now
     customDomainEnabled: notNumber,
     mfaEnabled: notNumber,
     organizationsEnabled: notNumber,
diff --git a/packages/core/src/libraries/scope.ts b/packages/core/src/libraries/scope.ts
new file mode 100644
index 00000000000..2b6d60fed2f
--- /dev/null
+++ b/packages/core/src/libraries/scope.ts
@@ -0,0 +1,30 @@
+import type { Scope, ScopeResponse } from '@logto/schemas';
+
+import type Queries from '#src/tenants/Queries.js';
+import assertThat from '#src/utils/assert-that.js';
+
+export type ScopeLibrary = ReturnType<typeof createScopeLibrary>;
+
+export const createScopeLibrary = (queries: Queries) => {
+  const {
+    resources: { findResourcesByIds },
+  } = queries;
+
+  const attachResourceToScopes = async (scopes: readonly Scope[]): Promise<ScopeResponse[]> => {
+    const resources = await findResourcesByIds(scopes.map(({ resourceId }) => resourceId));
+    return scopes.map((scope) => {
+      const resource = resources.find(({ id }) => id === scope.resourceId);
+
+      assertThat(resource, new Error(`Cannot find resource for id ${scope.resourceId}`));
+
+      return {
+        ...scope,
+        resource,
+      };
+    });
+  };
+
+  return {
+    attachResourceToScopes,
+  };
+};
diff --git a/packages/core/src/libraries/sign-in-experience/index.test.ts b/packages/core/src/libraries/sign-in-experience/index.test.ts
index 2f7e7b38057..ef519c7fc6b 100644
--- a/packages/core/src/libraries/sign-in-experience/index.test.ts
+++ b/packages/core/src/libraries/sign-in-experience/index.test.ts
@@ -57,6 +57,10 @@ const cloudConnection = createCloudConnectionLibrary({
     resource: 'resource',
   }),
   getOidcConfigs: jest.fn(),
+  upsertJwtCustomizer: jest.fn(),
+  getJwtCustomizer: jest.fn(),
+  getJwtCustomizers: jest.fn(),
+  updateJwtCustomizer: jest.fn(),
 });
 
 const getLogtoConnectors = jest.spyOn(connectorLibrary, 'getLogtoConnectors');
diff --git a/packages/core/src/libraries/user.test.ts b/packages/core/src/libraries/user.test.ts
index 8efb0b5afff..fcd18cbfa03 100644
--- a/packages/core/src/libraries/user.test.ts
+++ b/packages/core/src/libraries/user.test.ts
@@ -1,11 +1,38 @@
 import { MfaFactor, UsersPasswordEncryptionMethod } from '@logto/schemas';
+import { createMockUtils } from '@logto/shared/esm';
 
 import { mockResource, mockAdminUserRole, mockScope } from '#src/__mocks__/index.js';
 import { mockUser } from '#src/__mocks__/user.js';
-import { MockQueries } from '#src/test-utils/tenant.js';
+import RequestError from '#src/errors/RequestError/index.js';
 
 const { jest } = import.meta;
-
+const { mockEsm } = createMockUtils(jest);
+
+mockEsm('hash-wasm', () => ({
+  argon2Verify: jest.fn(async ({ password }: { password: string }) => {
+    return password === 'password';
+  }),
+  bcryptVerify: jest.fn(async ({ password }: { password: string }) => {
+    return password === 'password';
+  }),
+  md5: jest.fn(async (password) => {
+    return password === 'password' ? '5f4dcc3b5aa765d61d8327deb882cf99' : 'wrong';
+  }),
+  sha1: jest.fn(async (password) => {
+    return password === 'password' ? '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' : 'wrong';
+  }),
+  sha256: jest.fn(async (password) => {
+    return password === 'password'
+      ? '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8'
+      : 'wrong';
+  }),
+}));
+
+mockEsm('#src/utils/password.js', () => ({
+  encryptPassword: jest.fn().mockResolvedValue('argon2:xxx'),
+}));
+
+const { MockQueries } = await import('#src/test-utils/tenant.js');
 const { encryptUserPassword, createUserLibrary } = await import('./user.js');
 
 const hasUserWithId = jest.fn();
@@ -68,6 +95,106 @@ describe('encryptUserPassword()', () => {
   });
 });
 
+describe('verifyUserPassword()', () => {
+  const { verifyUserPassword } = createUserLibrary(queries);
+
+  describe('Argon2', () => {
+    it('resolves when password is correct', async () => {
+      await expect(verifyUserPassword(mockUser, 'password')).resolves.not.toThrowError();
+    });
+
+    it('rejects when password is incorrect', async () => {
+      await expect(verifyUserPassword(mockUser, 'wrong')).rejects.toThrowError(
+        new RequestError({ code: 'session.invalid_credentials', status: 422 })
+      );
+    });
+  });
+
+  describe('MD5', () => {
+    const user = {
+      ...mockUser,
+      passwordEncrypted: '5f4dcc3b5aa765d61d8327deb882cf99',
+      passwordEncryptionMethod: UsersPasswordEncryptionMethod.MD5,
+    };
+    it('resolves when password is correct', async () => {
+      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
+    });
+
+    it('rejects when password is incorrect', async () => {
+      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
+        new RequestError({ code: 'session.invalid_credentials', status: 422 })
+      );
+    });
+  });
+
+  describe('SHA1', () => {
+    const user = {
+      ...mockUser,
+      passwordEncrypted: '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8',
+      passwordEncryptionMethod: UsersPasswordEncryptionMethod.SHA1,
+    };
+    it('resolves when password is correct', async () => {
+      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
+    });
+
+    it('rejects when password is incorrect', async () => {
+      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
+        new RequestError({ code: 'session.invalid_credentials', status: 422 })
+      );
+    });
+  });
+
+  describe('SHA256', () => {
+    const user = {
+      ...mockUser,
+      passwordEncrypted: '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8',
+      passwordEncryptionMethod: UsersPasswordEncryptionMethod.SHA256,
+    };
+    it('resolves when password is correct', async () => {
+      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
+    });
+
+    it('rejects when password is incorrect', async () => {
+      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
+        new RequestError({ code: 'session.invalid_credentials', status: 422 })
+      );
+    });
+  });
+
+  describe('Bcrypt', () => {
+    const user = {
+      ...mockUser,
+      passwordEncrypted: '$2a$12$WQMqTfbtcZFBC1C1u8wpie6lXOSciUr5kk/8yEydoIMKltb9UKJ.6',
+      passwordEncryptionMethod: UsersPasswordEncryptionMethod.Bcrypt,
+    };
+    it('resolves when password is correct', async () => {
+      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
+    });
+
+    it('rejects when password is incorrect', async () => {
+      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
+        new RequestError({ code: 'session.invalid_credentials', status: 422 })
+      );
+    });
+  });
+
+  describe('Migrate other algorithms to Argon2', () => {
+    const user = {
+      ...mockUser,
+      passwordEncrypted: '5f4dcc3b5aa765d61d8327deb882cf99',
+      passwordEncryptionMethod: UsersPasswordEncryptionMethod.MD5,
+    };
+    it('migrates password to Argon2', async () => {
+      await verifyUserPassword(user, 'password');
+      expect(updateUserById).toHaveBeenCalledWith(user.id, {
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        passwordEncrypted: expect.stringContaining('argon2'),
+        passwordEncryptionMethod: UsersPasswordEncryptionMethod.Argon2i,
+      });
+    });
+  });
+});
+
 describe('findUserScopesForResourceId()', () => {
   const { findUserScopesForResourceIndicator } = createUserLibrary(queries);
 
diff --git a/packages/core/src/libraries/user.ts b/packages/core/src/libraries/user.ts
index bf29868fc23..027999ff593 100644
--- a/packages/core/src/libraries/user.ts
+++ b/packages/core/src/libraries/user.ts
@@ -1,10 +1,9 @@
 import type { User, CreateUser, Scope, BindMfa, MfaVerification } from '@logto/schemas';
 import { MfaFactor, Users, UsersPasswordEncryptionMethod } from '@logto/schemas';
 import { generateStandardShortId, generateStandardId } from '@logto/shared';
-import type { OmitAutoSetFields } from '@logto/shared';
 import type { Nullable } from '@silverhand/essentials';
 import { deduplicate } from '@silverhand/essentials';
-import { argon2Verify } from 'hash-wasm';
+import { argon2Verify, bcryptVerify, md5, sha1, sha256 } from 'hash-wasm';
 import pRetry from 'p-retry';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
@@ -14,6 +13,7 @@ import { createUsersRolesQueries } from '#src/queries/users-roles.js';
 import type Queries from '#src/tenants/Queries.js';
 import assertThat from '#src/utils/assert-that.js';
 import { encryptPassword } from '#src/utils/password.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
 
 export const encryptUserPassword = async (
   password: string
@@ -22,31 +22,11 @@ export const encryptUserPassword = async (
   passwordEncryptionMethod: UsersPasswordEncryptionMethod;
 }> => {
   const passwordEncryptionMethod = UsersPasswordEncryptionMethod.Argon2i;
-  const passwordEncrypted = await encryptPassword(
-    password,
-
-    passwordEncryptionMethod
-  );
+  const passwordEncrypted = await encryptPassword(password, passwordEncryptionMethod);
 
   return { passwordEncrypted, passwordEncryptionMethod };
 };
 
-export const verifyUserPassword = async (user: Nullable<User>, password: string): Promise<User> => {
-  assertThat(user, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
-  const { passwordEncrypted, passwordEncryptionMethod } = user;
-
-  assertThat(
-    passwordEncrypted && passwordEncryptionMethod,
-    new RequestError({ code: 'session.invalid_credentials', status: 422 })
-  );
-
-  const result = await argon2Verify({ password, hash: passwordEncrypted });
-
-  assertThat(result, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
-
-  return user;
-};
-
 /**
  * Convert bindMfa to mfaVerification, add common fields like "id" and "createdAt"
  * and transpile formats like "codes" to "code" for backup code
@@ -217,6 +197,68 @@ export const createUserLibrary = (queries: Queries) => {
     });
   };
 
+  const verifyUserPassword = async (user: Nullable<User>, password: string): Promise<User> => {
+    assertThat(user, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
+    const { passwordEncrypted, passwordEncryptionMethod, id } = user;
+
+    assertThat(
+      passwordEncrypted && passwordEncryptionMethod,
+      new RequestError({ code: 'session.invalid_credentials', status: 422 })
+    );
+
+    switch (passwordEncryptionMethod) {
+      case UsersPasswordEncryptionMethod.Argon2i: {
+        const result = await argon2Verify({ password, hash: passwordEncrypted });
+        assertThat(result, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
+        break;
+      }
+      case UsersPasswordEncryptionMethod.MD5: {
+        const expectedEncrypted = await md5(password);
+        assertThat(
+          expectedEncrypted === passwordEncrypted,
+          new RequestError({ code: 'session.invalid_credentials', status: 422 })
+        );
+        break;
+      }
+      case UsersPasswordEncryptionMethod.SHA1: {
+        const expectedEncrypted = await sha1(password);
+        assertThat(
+          expectedEncrypted === passwordEncrypted,
+          new RequestError({ code: 'session.invalid_credentials', status: 422 })
+        );
+        break;
+      }
+      case UsersPasswordEncryptionMethod.SHA256: {
+        const expectedEncrypted = await sha256(password);
+        assertThat(
+          expectedEncrypted === passwordEncrypted,
+          new RequestError({ code: 'session.invalid_credentials', status: 422 })
+        );
+        break;
+      }
+      case UsersPasswordEncryptionMethod.Bcrypt: {
+        const result = await bcryptVerify({ password, hash: passwordEncrypted });
+        assertThat(result, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
+        break;
+      }
+      default: {
+        throw new RequestError({ code: 'session.invalid_credentials', status: 422 });
+      }
+    }
+
+    // Migrate password to default algorithm: argon2i
+    if (passwordEncryptionMethod !== UsersPasswordEncryptionMethod.Argon2i) {
+      const { passwordEncrypted: newEncrypted, passwordEncryptionMethod: newMethod } =
+        await encryptUserPassword(password);
+      return updateUserById(id, {
+        passwordEncrypted: newEncrypted,
+        passwordEncryptionMethod: newMethod,
+      });
+    }
+
+    return user;
+  };
+
   return {
     generateUserId,
     insertUser,
@@ -225,5 +267,6 @@ export const createUserLibrary = (queries: Queries) => {
     findUserScopesForResourceIndicator,
     findUserRoles,
     addUserMfaVerification,
+    verifyUserPassword,
   };
 };
diff --git a/packages/core/src/libraries/verification-status.ts b/packages/core/src/libraries/verification-status.ts
index d51979b2873..bdf1565b713 100644
--- a/packages/core/src/libraries/verification-status.ts
+++ b/packages/core/src/libraries/verification-status.ts
@@ -1,10 +1,11 @@
 import { generateStandardId } from '@logto/shared';
 
 import RequestError from '#src/errors/RequestError/index.js';
-import { verificationTimeout } from '#src/routes/consts.js';
 import type Queries from '#src/tenants/Queries.js';
 import assertThat from '#src/utils/assert-that.js';
 
+const verificationTimeout = 10 * 60 * 1000; // 10 mins
+
 export const createVerificationStatusLibrary = (queries: Queries) => {
   const {
     findVerificationStatusByUserId,
diff --git a/packages/core/src/middleware/koa-auth/utils.ts b/packages/core/src/middleware/koa-auth/utils.ts
index c959bf680ea..9796f8d4b2d 100644
--- a/packages/core/src/middleware/koa-auth/utils.ts
+++ b/packages/core/src/middleware/koa-auth/utils.ts
@@ -7,13 +7,13 @@ import {
   LogtoOidcConfigKey,
   LogtoConfigs,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
 import { appendPath } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
 import type { JWK } from 'jose';
-import { sql } from 'slonik';
 
 import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
 import { exportJWK } from '#src/utils/jwks.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(LogtoConfigs);
 
diff --git a/packages/core/src/middleware/koa-guard.ts b/packages/core/src/middleware/koa-guard.ts
index 40ac61204d7..8506aa67f43 100644
--- a/packages/core/src/middleware/koa-guard.ts
+++ b/packages/core/src/middleware/koa-guard.ts
@@ -92,18 +92,35 @@ export const isGuardMiddleware = <Type extends IMiddleware>(
 ): function_ is WithGuardConfig<Type> =>
   function_.name === 'guardMiddleware' && has(function_, 'config');
 
-const tryParse = <Output, Definition extends ZodTypeDef, Input>(
+/**
+ * Previous `tryParse` function's output type was `Output | undefined`.
+ * It can not properly infer the output type to be `Output` even if the guard is provided,
+ * which brings additional but unnecessary type checks.
+ */
+export const parse = <Output, Definition extends ZodTypeDef, Input>(
   type: 'query' | 'body' | 'params' | 'files',
-  guard: Optional<ZodType<Output, Definition, Input>>,
+  guard: ZodType<Output, Definition, Input>,
   data: unknown
 ) => {
   try {
-    return guard?.parse(data);
+    return guard.parse(data);
   } catch (error: unknown) {
     throw new RequestError({ code: 'guard.invalid_input', type }, error);
   }
 };
 
+const tryParse = <Output, Definition extends ZodTypeDef, Input>(
+  type: 'query' | 'body' | 'params' | 'files',
+  guard: Optional<ZodType<Output, Definition, Input>>,
+  data: unknown
+) => {
+  if (!guard) {
+    return;
+  }
+
+  return parse(type, guard, data);
+};
+
 export default function koaGuard<
   StateT,
   ContextT extends IRouterParamContext,
diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index 44d9c17bb76..5444fba618e 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@@ -39,6 +39,14 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
   const developmentOrigins = conditionalArray(!isProduction && 'ws:');
   const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
 
+  // We use react-monaco-editor for code editing in the admin console. It loads the monaco editor asynchronously from a CDN.
+  // Allow the CDN src in the CSP.
+  // Allow blob: for monaco editor to load worker scripts
+  const monacoEditorCDNSource = [
+    'https://cdn.jsdelivr.net/npm/monaco-editor@0.43.0/min/vs/',
+    'blob:',
+  ];
+
   /**
    * Default Applied rules:
    * - crossOriginOpenerPolicy: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#cross-origin-opener-policy-coop
@@ -107,6 +115,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
         scriptSrc: [
           "'self'",
           ...conditionalArray(!isProduction && ["'unsafe-eval'", "'unsafe-inline'"]),
+          ...monacoEditorCDNSource,
         ],
         connectSrc: [
           "'self'",
diff --git a/packages/core/src/middleware/koa-slonik-error-handler.test.ts b/packages/core/src/middleware/koa-slonik-error-handler.test.ts
index e843e1e8327..04a051aedc4 100644
--- a/packages/core/src/middleware/koa-slonik-error-handler.test.ts
+++ b/packages/core/src/middleware/koa-slonik-error-handler.test.ts
@@ -1,5 +1,9 @@
 import { Users } from '@logto/schemas';
-import { NotFoundError, SlonikError, UniqueIntegrityConstraintViolationError } from 'slonik';
+import {
+  NotFoundError,
+  SlonikError,
+  UniqueIntegrityConstraintViolationError,
+} from '@silverhand/slonik';
 
 import RequestError from '#src/errors/RequestError/index.js';
 import { DeletionError, InsertionError, UpdateError } from '#src/errors/SlonikError/index.js';
diff --git a/packages/core/src/middleware/koa-slonik-error-handler.ts b/packages/core/src/middleware/koa-slonik-error-handler.ts
index d5f528165f0..8d8dc5f1b41 100644
--- a/packages/core/src/middleware/koa-slonik-error-handler.ts
+++ b/packages/core/src/middleware/koa-slonik-error-handler.ts
@@ -1,12 +1,12 @@
 import type { SchemaLike } from '@logto/schemas';
-import type { Middleware } from 'koa';
 import {
   SlonikError,
   NotFoundError,
   InvalidInputError,
   CheckIntegrityConstraintViolationError,
   UniqueIntegrityConstraintViolationError,
-} from 'slonik';
+} from '@silverhand/slonik';
+import type { Middleware } from 'koa';
 
 import RequestError from '#src/errors/RequestError/index.js';
 import { DeletionError, InsertionError, UpdateError } from '#src/errors/SlonikError/index.js';
diff --git a/packages/core/src/middleware/koa-spa-session-guard.ts b/packages/core/src/middleware/koa-spa-session-guard.ts
index f5c8f01dd20..66ebf56231e 100644
--- a/packages/core/src/middleware/koa-spa-session-guard.ts
+++ b/packages/core/src/middleware/koa-spa-session-guard.ts
@@ -52,7 +52,7 @@ export default function koaSpaSessionGuard<
           return;
         }
 
-        const tenantId = await getTenantId(ctx.URL);
+        const [tenantId] = await getTenantId(ctx.URL);
 
         if (!tenantId) {
           throw new RequestError({ code: 'session.not_found', status: 404 });
diff --git a/packages/core/src/oidc/init.test.ts b/packages/core/src/oidc/init.test.ts
index 212f632047c..384e1508e06 100644
--- a/packages/core/src/oidc/init.test.ts
+++ b/packages/core/src/oidc/init.test.ts
@@ -5,8 +5,10 @@ import initOidc from './init.js';
 
 describe('oidc provider init', () => {
   it('init should not throw', async () => {
-    const { queries, libraries } = new MockTenant();
+    const { queries, libraries, logtoConfigs, cloudConnection } = new MockTenant();
 
-    expect(() => initOidc(mockEnvSet, queries, libraries)).not.toThrow();
+    expect(() =>
+      initOidc(mockEnvSet, queries, libraries, logtoConfigs, cloudConnection)
+    ).not.toThrow();
   });
 });
diff --git a/packages/core/src/oidc/init.ts b/packages/core/src/oidc/init.ts
index d0a06d28317..9c768775328 100644
--- a/packages/core/src/oidc/init.ts
+++ b/packages/core/src/oidc/init.ts
@@ -1,5 +1,5 @@
+/* eslint-disable max-lines */
 /* istanbul ignore file */
-
 import assert from 'node:assert';
 import { readFileSync } from 'node:fs';
 
@@ -8,25 +8,38 @@ import type { I18nKey } from '@logto/phrases';
 import {
   customClientMetadataDefault,
   CustomClientMetadataKey,
-  demoAppApplicationId,
+  experience,
+  extraParamsObjectGuard,
   inSeconds,
   logtoCookieKey,
   type LogtoUiCookie,
+  LogtoJwtTokenKey,
+  ExtraParamsKey,
+  type Json,
+  jwtCustomizer as jwtCustomizerLog,
+  LogResult,
+  LogtoJwtTokenKeyType,
 } from '@logto/schemas';
-import { conditional, tryThat } from '@silverhand/essentials';
+import { generateStandardId } from '@logto/shared';
+import { conditional, trySafe, tryThat } from '@silverhand/essentials';
 import i18next from 'i18next';
 import koaBody from 'koa-body';
 import Provider, { errors } from 'oidc-provider';
 import snakecaseKeys from 'snakecase-keys';
 
-import { type EnvSet } from '#src/env-set/index.js';
+import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
 import { addOidcEventListeners } from '#src/event-listeners/index.js';
-import koaAuditLog from '#src/middleware/koa-audit-log.js';
+import { type CloudConnectionLibrary } from '#src/libraries/cloud-connection.js';
+import { type LogtoConfigLibrary } from '#src/libraries/logto-config.js';
+import koaAuditLog, { LogEntry } from '#src/middleware/koa-audit-log.js';
 import koaBodyEtag from '#src/middleware/koa-body-etag.js';
 import postgresAdapter from '#src/oidc/adapter.js';
-import { isOriginAllowed, validateCustomClientMetadata } from '#src/oidc/utils.js';
-import { routes } from '#src/routes/consts.js';
+import {
+  buildLoginPromptUrl,
+  isOriginAllowed,
+  validateCustomClientMetadata,
+} from '#src/oidc/utils.js';
 import type Libraries from '#src/tenants/Libraries.js';
 import type Queries from '#src/tenants/Queries.js';
 
@@ -40,16 +53,22 @@ import {
   filterResourceScopesForTheThirdPartyApplication,
 } from './resource.js';
 import { getAcceptedUserClaims, getUserClaimsData } from './scope.js';
-import { OIDCExtraParametersKey, InteractionMode } from './type.js';
 
 // Temporarily removed 'EdDSA' since it's not supported by browser yet
 const supportedSigningAlgs = Object.freeze(['RS256', 'PS256', 'ES256', 'ES384', 'ES512'] as const);
 
-export default function initOidc(envSet: EnvSet, queries: Queries, libraries: Libraries): Provider {
+export default function initOidc(
+  envSet: EnvSet,
+  queries: Queries,
+  libraries: Libraries,
+  logtoConfigs: LogtoConfigLibrary,
+  cloudConnection: CloudConnectionLibrary
+): Provider {
   const {
     resources: { findDefaultResource },
     users: { findUserById },
     organizations,
+    logs: { insertLog },
   } = queries;
   const logoutSource = readFileSync('static/html/logout.html', 'utf8');
   const logoutSuccessSource = readFileSync('static/html/post-logout/index.html', 'utf8');
@@ -165,8 +184,6 @@ export default function initOidc(envSet: EnvSet, queries: Queries, libraries: Li
     },
     interactions: {
       url: (ctx, { params: { client_id: appId }, prompt }) => {
-        const isDemoApp = appId === demoAppApplicationId;
-
         ctx.cookies.set(
           logtoCookieKey,
           JSON.stringify({
@@ -175,20 +192,15 @@ export default function initOidc(envSet: EnvSet, queries: Queries, libraries: Li
           { sameSite: 'lax', overwrite: true, httpOnly: false }
         );
 
-        const appendParameters = (path: string) => {
-          return isDemoApp ? path + `?no_cache` : path;
-        };
+        const params = trySafe(() => extraParamsObjectGuard.parse(ctx.oidc.params ?? {})) ?? {};
 
         switch (prompt.name) {
           case 'login': {
-            const isSignUp =
-              ctx.oidc.params?.[OIDCExtraParametersKey.InteractionMode] === InteractionMode.signUp;
-
-            return appendParameters(isSignUp ? routes.signUp : routes.signIn);
+            return '/' + buildLoginPromptUrl(params, appId);
           }
 
           case 'consent': {
-            return routes.consent;
+            return '/' + experience.routes.consent;
           }
 
           default: {
@@ -197,7 +209,100 @@ export default function initOidc(envSet: EnvSet, queries: Queries, libraries: Li
         }
       },
     },
-    extraParams: [OIDCExtraParametersKey.InteractionMode],
+    extraParams: Object.values(ExtraParamsKey),
+    // eslint-disable-next-line complexity
+    extraTokenClaims: async (ctx, token) => {
+      const { isDevFeaturesEnabled, isCloud } = EnvSet.values;
+
+      // No cloud connection for OSS version, skip.
+      if (!isDevFeaturesEnabled || !isCloud) {
+        return;
+      }
+
+      const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
+
+      try {
+        /**
+         * It is by design to use `trySafe` here to catch the error but not log it since we do not
+         * want to insert an error log every time the OIDC provider issues a token when the JWT
+         * customizer is not configured.
+         */
+        const { script, environmentVariables } =
+          (await trySafe(
+            logtoConfigs.getJwtCustomizer(
+              isTokenClientCredentials
+                ? LogtoJwtTokenKey.ClientCredentials
+                : LogtoJwtTokenKey.AccessToken
+            )
+          )) ?? {};
+
+        if (!script) {
+          return;
+        }
+
+        const pickedFields = isTokenClientCredentials
+          ? ctx.oidc.provider.ClientCredentials.IN_PAYLOAD
+          : ctx.oidc.provider.AccessToken.IN_PAYLOAD;
+        const readOnlyToken = Object.fromEntries(
+          pickedFields
+            .filter((field) => Reflect.get(token, field) !== undefined)
+            .map((field) => [field, Reflect.get(token, field)])
+        );
+
+        const client = await cloudConnection.getClient();
+
+        const commonPayload = {
+          script,
+          environmentVariables,
+          token: readOnlyToken,
+        };
+
+        // We pass context to the cloud API only when it is a user's access token.
+        const logtoUserInfo = conditional(
+          !isTokenClientCredentials &&
+            token.accountId &&
+            (await libraries.jwtCustomizers.getUserContext(token.accountId))
+        );
+
+        // `context` parameter is only eligible for user's access token for now.
+        return await client.post(`/api/services/custom-jwt`, {
+          body: isTokenClientCredentials
+            ? {
+                ...commonPayload,
+                tokenType: LogtoJwtTokenKeyType.ClientCredentials,
+              }
+            : {
+                ...commonPayload,
+                tokenType: LogtoJwtTokenKeyType.AccessToken,
+                // TODO (LOG-8555): the newly added `UserProfile` type includes undefined fields and can not be directly assigned to `Json` type. And the `undefined` fields should be removed by zod guard.
+                // eslint-disable-next-line no-restricted-syntax
+                context: { user: logtoUserInfo as Record<string, Json> },
+              },
+        });
+      } catch (error: unknown) {
+        const entry = new LogEntry(
+          `${jwtCustomizerLog.prefix}.${
+            isTokenClientCredentials
+              ? jwtCustomizerLog.Type.ClientCredentials
+              : jwtCustomizerLog.Type.AccessToken
+          }`
+        );
+        entry.append({
+          result: LogResult.Error,
+          error: { message: String(error) },
+        });
+        const { payload } = entry;
+        await insertLog({
+          id: generateStandardId(),
+          key: payload.key,
+          payload: {
+            ...payload,
+            tenantId: envSet.tenantId,
+            token,
+          },
+        });
+      }
+    },
     extraClientMetadata: {
       properties: Object.values(CustomClientMetadataKey),
       validator: (_, key, value) => {
@@ -351,3 +456,4 @@ export default function initOidc(envSet: EnvSet, queries: Queries, libraries: Li
 
   return oidc;
 }
+/* eslint-enable max-lines */
diff --git a/packages/core/src/oidc/scope.test.ts b/packages/core/src/oidc/scope.test.ts
index 7afff09e15b..9c94a8557bd 100644
--- a/packages/core/src/oidc/scope.test.ts
+++ b/packages/core/src/oidc/scope.test.ts
@@ -5,18 +5,33 @@ const use = {
   userinfo: 'userinfo',
 } as const;
 
+const profileExpectation = Object.freeze([
+  'name',
+  'family_name',
+  'given_name',
+  'middle_name',
+  'nickname',
+  'preferred_username',
+  'profile',
+  'picture',
+  'website',
+  'gender',
+  'birthdate',
+  'zoneinfo',
+  'locale',
+  'updated_at',
+  'username',
+  'created_at',
+]);
+
 describe('OIDC getUserClaims()', () => {
   it('should return proper ID Token claims', () => {
-    expect(getAcceptedUserClaims(use.idToken, 'openid profile', {}, [])).toEqual([
-      'name',
-      'picture',
-      'username',
-    ]);
+    expect(getAcceptedUserClaims(use.idToken, 'openid profile', {}, [])).toEqual(
+      profileExpectation
+    );
 
     expect(getAcceptedUserClaims(use.idToken, 'openid profile email phone', {}, [])).toEqual([
-      'name',
-      'picture',
-      'username',
+      ...profileExpectation,
       'email',
       'email_verified',
       'phone_number',
@@ -25,23 +40,23 @@ describe('OIDC getUserClaims()', () => {
 
     expect(
       getAcceptedUserClaims(use.idToken, 'openid profile custom_data identities', {}, [])
-    ).toEqual(['name', 'picture', 'username']);
+    ).toEqual(profileExpectation);
 
     expect(
       getAcceptedUserClaims(use.idToken, 'openid profile email', {}, ['email_verified'])
-    ).toEqual(['name', 'picture', 'username', 'email']);
+    ).toEqual([...profileExpectation, 'email']);
   });
 
   it('should return proper Userinfo claims', () => {
     expect(
       getAcceptedUserClaims(use.userinfo, 'openid profile custom_data identities', {}, [])
-    ).toEqual(['name', 'picture', 'username', 'custom_data', 'identities']);
+    ).toEqual([...profileExpectation, 'custom_data', 'identities']);
   });
 
   // Ignore `_claims` since [Claims Parameter](https://github.com/panva/node-oidc-provider/tree/main/docs#featuresclaimsparameter) is not enabled
   it('should ignore claims parameter', () => {
     expect(
       getAcceptedUserClaims(use.idToken, 'openid profile custom_data', { email: null }, [])
-    ).toEqual(['name', 'picture', 'username']);
+    ).toEqual(profileExpectation);
   });
 });
diff --git a/packages/core/src/oidc/scope.ts b/packages/core/src/oidc/scope.ts
index e7d9e340aaf..105a75b97fe 100644
--- a/packages/core/src/oidc/scope.ts
+++ b/packages/core/src/oidc/scope.ts
@@ -2,13 +2,17 @@ import assert from 'node:assert';
 
 import type { UserClaim } from '@logto/core-kit';
 import { idTokenClaims, userinfoClaims, UserScope } from '@logto/core-kit';
-import { type User } from '@logto/schemas';
+import { type UserProfile, type User, userProfileKeys } from '@logto/schemas';
 import { pick, type Nullable, cond } from '@silverhand/essentials';
 import type { ClaimsParameterMember } from 'oidc-provider';
+import { snakeCase } from 'snake-case';
+import { type SnakeCaseKeys } from 'snakecase-keys';
 
 import type Libraries from '#src/tenants/Libraries.js';
 import type Queries from '#src/tenants/Queries.js';
 
+type UserProfileClaimSnakeCase = keyof SnakeCaseKeys<UserProfile>;
+
 const claimToUserKey: Readonly<
   Record<
     Exclude<
@@ -19,6 +23,7 @@ const claimToUserKey: Readonly<
       | 'organizations'
       | 'organization_data'
       | 'organization_roles'
+      | UserProfileClaimSnakeCase
     >,
     keyof User
   >
@@ -30,8 +35,29 @@ const claimToUserKey: Readonly<
   phone_number: 'primaryPhone',
   custom_data: 'customData',
   identities: 'identities',
+  created_at: 'createdAt',
+  updated_at: 'updatedAt',
 });
 
+const claimToUserProfileKey: Readonly<Record<UserProfileClaimSnakeCase, keyof UserProfile>> =
+  Object.freeze({
+    family_name: 'familyName',
+    given_name: 'givenName',
+    middle_name: 'middleName',
+    nickname: 'nickname',
+    preferred_username: 'preferredUsername',
+    profile: 'profile',
+    website: 'website',
+    gender: 'gender',
+    birthdate: 'birthdate',
+    zoneinfo: 'zoneinfo',
+    locale: 'locale',
+    address: 'address',
+  });
+
+const isUserProfileClaim = (claim: string): claim is UserProfileClaimSnakeCase =>
+  userProfileKeys.some((key) => snakeCase(key) === claim);
+
 /**
  * Get user claims data according to the claims.
  *
@@ -88,6 +114,19 @@ export const getUserClaimsData = async (
           ];
         }
         default: {
+          if (isUserProfileClaim(claim)) {
+            // Unlike other database fields (e.g. `name`), the claims stored in the `profile` field
+            // will fall back to `undefined` rather than `null`. We refrain from using `?? null`
+            // here to reduce the size of ID tokens, since `undefined` fields will be stripped in
+            // tokens.
+            //
+            // The only consideration here is the inconsistency for `name` and `picture`, which are
+            // also standard claims but they will fall back to `null`. While it's possible to align
+            // their behavior by having their fallback to `undefined`, it's better to maintain the
+            // current setup for now to prevent breaking changes.
+            return [claim, user.profile[claimToUserProfileKey[claim]]];
+          }
+
           return [claim, user[claimToUserKey[claim]]];
         }
       }
diff --git a/packages/core/src/oidc/type.ts b/packages/core/src/oidc/type.ts
deleted file mode 100644
index a8db5a1f2a9..00000000000
--- a/packages/core/src/oidc/type.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-export enum OIDCExtraParametersKey {
-  InteractionMode = 'interaction_mode',
-}
-
-export enum InteractionMode {
-  signIn = 'signIn',
-  signUp = 'signUp',
-}
diff --git a/packages/core/src/oidc/utils.test.ts b/packages/core/src/oidc/utils.test.ts
index b4586245759..8c71c71dc13 100644
--- a/packages/core/src/oidc/utils.test.ts
+++ b/packages/core/src/oidc/utils.test.ts
@@ -1,4 +1,11 @@
-import { ApplicationType, CustomClientMetadataKey, GrantType } from '@logto/schemas';
+import {
+  ApplicationType,
+  CustomClientMetadataKey,
+  FirstScreen,
+  GrantType,
+  InteractionMode,
+  demoAppApplicationId,
+} from '@logto/schemas';
 
 import { mockEnvSet } from '#src/test-utils/env-set.js';
 
@@ -7,6 +14,7 @@ import {
   buildOidcClientMetadata,
   getConstantClientMetadata,
   validateCustomClientMetadata,
+  buildLoginPromptUrl,
 } from './utils.js';
 
 describe('getConstantClientMetadata()', () => {
@@ -121,3 +129,49 @@ describe('isOriginAllowed', () => {
     ).toBeTruthy();
   });
 });
+
+describe('buildLoginPromptUrl', () => {
+  it('should return the correct url for empty parameters', () => {
+    expect(buildLoginPromptUrl({})).toBe('sign-in');
+    expect(buildLoginPromptUrl({}, 'foo')).toBe('sign-in');
+    expect(buildLoginPromptUrl({}, demoAppApplicationId)).toBe('sign-in?no_cache=');
+  });
+
+  it('should return the correct url for firstScreen', () => {
+    expect(buildLoginPromptUrl({ first_screen: FirstScreen.Register })).toBe('register');
+    expect(buildLoginPromptUrl({ first_screen: FirstScreen.Register }, 'foo')).toBe('register');
+    expect(buildLoginPromptUrl({ first_screen: FirstScreen.SignIn }, demoAppApplicationId)).toBe(
+      'sign-in?no_cache='
+    );
+    // Legacy interactionMode support
+    expect(buildLoginPromptUrl({ interaction_mode: InteractionMode.SignUp })).toBe('register');
+  });
+
+  it('should return the correct url for directSignIn', () => {
+    expect(buildLoginPromptUrl({ direct_sign_in: 'method:target' })).toBe(
+      'direct/method/target?fallback=sign-in'
+    );
+    expect(buildLoginPromptUrl({ direct_sign_in: 'method:target' }, 'foo')).toBe(
+      'direct/method/target?fallback=sign-in'
+    );
+    expect(buildLoginPromptUrl({ direct_sign_in: 'method:target' }, demoAppApplicationId)).toBe(
+      'direct/method/target?no_cache=&fallback=sign-in'
+    );
+    expect(buildLoginPromptUrl({ direct_sign_in: 'method' })).toBe(
+      'direct/method?fallback=sign-in'
+    );
+    expect(buildLoginPromptUrl({ direct_sign_in: '' })).toBe('sign-in');
+  });
+
+  it('should return the correct url for mixed parameters', () => {
+    expect(
+      buildLoginPromptUrl({ first_screen: FirstScreen.Register, direct_sign_in: 'method:target' })
+    ).toBe('direct/method/target?fallback=register');
+    expect(
+      buildLoginPromptUrl(
+        { first_screen: FirstScreen.Register, direct_sign_in: 'method:target' },
+        demoAppApplicationId
+      )
+    ).toBe('direct/method/target?no_cache=&fallback=register');
+  });
+});
diff --git a/packages/core/src/oidc/utils.ts b/packages/core/src/oidc/utils.ts
index 3f630425edb..7185acb8a72 100644
--- a/packages/core/src/oidc/utils.ts
+++ b/packages/core/src/oidc/utils.ts
@@ -1,5 +1,15 @@
-import type { CustomClientMetadata, OidcClientMetadata } from '@logto/schemas';
-import { ApplicationType, customClientMetadataGuard, GrantType } from '@logto/schemas';
+import path from 'node:path';
+
+import type { CustomClientMetadata, ExtraParamsObject, OidcClientMetadata } from '@logto/schemas';
+import {
+  ApplicationType,
+  customClientMetadataGuard,
+  GrantType,
+  ExtraParamsKey,
+  demoAppApplicationId,
+  FirstScreen,
+  experience,
+} from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 import { type AllClientMetadata, type ClientAuthMethod, errors } from 'oidc-provider';
 
@@ -69,3 +79,27 @@ export const getUtcStartOfTheDay = (date: Date) => {
     Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate(), 0, 0, 0, 0)
   );
 };
+
+export const buildLoginPromptUrl = (params: ExtraParamsObject, appId?: unknown): string => {
+  const firstScreenKey =
+    params[ExtraParamsKey.FirstScreen] ??
+    params[ExtraParamsKey.InteractionMode] ??
+    FirstScreen.SignIn;
+  const firstScreen =
+    firstScreenKey === 'signUp' ? experience.routes.register : experience.routes[firstScreenKey];
+  const directSignIn = params[ExtraParamsKey.DirectSignIn];
+  const searchParams = new URLSearchParams();
+  const getSearchParamString = () => (searchParams.size > 0 ? `?${searchParams.toString()}` : '');
+
+  if (appId === demoAppApplicationId) {
+    searchParams.append('no_cache', '');
+  }
+
+  if (directSignIn) {
+    searchParams.append('fallback', firstScreen);
+    const [method, target] = directSignIn.split(':');
+    return path.join('direct', method ?? '', target ?? '') + getSearchParamString();
+  }
+
+  return firstScreen + getSearchParamString();
+};
diff --git a/packages/core/src/queries/application-sign-in-experience.ts b/packages/core/src/queries/application-sign-in-experience.ts
index 963cf2b67b5..3a9e0f157ae 100644
--- a/packages/core/src/queries/application-sign-in-experience.ts
+++ b/packages/core/src/queries/application-sign-in-experience.ts
@@ -1,9 +1,9 @@
 import { ApplicationSignInExperiences, type ApplicationSignInExperience } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const createApplicationSignInExperienceQueries = (pool: CommonQueryMethods) => {
   const insert = buildInsertIntoWithPool(pool)(ApplicationSignInExperiences, {
diff --git a/packages/core/src/queries/application-user-consent-organizations.ts b/packages/core/src/queries/application-user-consent-organizations.ts
index f2cab0f11c9..f50fc90f880 100644
--- a/packages/core/src/queries/application-user-consent-organizations.ts
+++ b/packages/core/src/queries/application-user-consent-organizations.ts
@@ -4,10 +4,10 @@ import {
   Organizations,
   Users,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import RelationQueries from '#src/utils/RelationQueries.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 class ApplicationUserConsentOrganizationsQuery extends RelationQueries<
   [typeof Applications, typeof Users, typeof Organizations]
diff --git a/packages/core/src/queries/application-user-consent-scopes.ts b/packages/core/src/queries/application-user-consent-scopes.ts
index f3fe2ce092c..394be6c71ed 100644
--- a/packages/core/src/queries/application-user-consent-scopes.ts
+++ b/packages/core/src/queries/application-user-consent-scopes.ts
@@ -7,12 +7,12 @@ import {
   OrganizationScopes,
   Scopes,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { TwoRelationsQueries } from '#src/utils/RelationQueries.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 export class ApplicationUserConsentOrganizationScopeQueries extends TwoRelationsQueries<
   typeof Applications,
diff --git a/packages/core/src/queries/application.test.ts b/packages/core/src/queries/application.test.ts
index 655d9ed3c3b..ce1c7a2e9c2 100644
--- a/packages/core/src/queries/application.test.ts
+++ b/packages/core/src/queries/application.test.ts
@@ -1,10 +1,14 @@
 import { Applications } from '@logto/schemas';
-import { convertToIdentifiers, convertToPrimitiveOrSql, excludeAutoSetFields } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 import { snakeCase } from 'snake-case';
 
 import { mockApplication } from '#src/__mocks__/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import {
+  convertToIdentifiers,
+  convertToPrimitiveOrSql,
+  excludeAutoSetFields,
+} from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/application.ts b/packages/core/src/queries/application.ts
index 37280a22246..31f7dbf4289 100644
--- a/packages/core/src/queries/application.ts
+++ b/packages/core/src/queries/application.ts
@@ -1,9 +1,7 @@
 import type { Application, CreateApplication } from '@logto/schemas';
 import { ApplicationType, Applications, SearchJointMode } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { convertToIdentifiers, conditionalSql, conditionalArraySql } from '@logto/shared';
-import type { CommonQueryMethods, SqlSqlToken } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods, SqlSqlToken } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
@@ -12,6 +10,8 @@ import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { buildConditionsFromSearch } from '#src/utils/search.js';
 import type { Search } from '#src/utils/search.js';
+import { convertToIdentifiers, conditionalSql, conditionalArraySql } from '#src/utils/sql.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
 
 import ApplicationUserConsentOrganizationsQuery from './application-user-consent-organizations.js';
 import {
diff --git a/packages/core/src/queries/applications-roles.ts b/packages/core/src/queries/applications-roles.ts
index e0497b42c3c..e47dcfe7406 100644
--- a/packages/core/src/queries/applications-roles.ts
+++ b/packages/core/src/queries/applications-roles.ts
@@ -1,11 +1,11 @@
 import type { ApplicationsRole, CreateApplicationsRole, Role } from '@logto/schemas';
 import { Roles, ApplicationsRoles, RolesScopes } from '@logto/schemas';
-import { convertToIdentifiers, conditionalSql } from '@logto/shared';
 import { type Nullable } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers, conditionalSql } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(ApplicationsRoles, true);
 const { fields: insertFields } = convertToIdentifiers(ApplicationsRoles);
diff --git a/packages/core/src/queries/connector.test.ts b/packages/core/src/queries/connector.test.ts
index 10c1ff79a11..1aa740f0fed 100644
--- a/packages/core/src/queries/connector.test.ts
+++ b/packages/core/src/queries/connector.test.ts
@@ -1,10 +1,10 @@
 import { Connectors } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
 import { mockConnector } from '#src/__mocks__/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { MockWellKnownCache } from '#src/test-utils/tenant.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/connector.ts b/packages/core/src/queries/connector.ts
index 5f25eb0d6c8..df4a4cd1954 100644
--- a/packages/core/src/queries/connector.ts
+++ b/packages/core/src/queries/connector.ts
@@ -1,14 +1,14 @@
 import type { Connector } from '@logto/schemas';
 import { Connectors } from '@logto/schemas';
-import { manyRows, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { type WellKnownCache } from '#src/caches/well-known.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import { type ConnectorWellKnown } from '#src/utils/connectors/types.js';
+import { convertToIdentifiers, manyRows } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Connectors);
 
diff --git a/packages/core/src/queries/custom-phrase.ts b/packages/core/src/queries/custom-phrase.ts
index bb77d7b78ff..aaa1ca29abd 100644
--- a/packages/core/src/queries/custom-phrase.ts
+++ b/packages/core/src/queries/custom-phrase.ts
@@ -1,12 +1,13 @@
 import type { CustomPhrase, Translation } from '@logto/schemas';
 import { CustomPhrases } from '@logto/schemas';
-import { convertToIdentifiers, generateStandardId, manyRows } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import { generateStandardId } from '@logto/shared';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { type WellKnownCache } from '#src/caches/well-known.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers, manyRows } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(CustomPhrases);
 
diff --git a/packages/core/src/queries/daily-active-user.ts b/packages/core/src/queries/daily-active-user.ts
index 547f6aa9194..ea3c9dcf9b1 100644
--- a/packages/core/src/queries/daily-active-user.ts
+++ b/packages/core/src/queries/daily-active-user.ts
@@ -1,14 +1,42 @@
 import { DailyActiveUsers } from '@logto/schemas';
-import type { CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
+
+const { table, fields } = convertToIdentifiers(DailyActiveUsers);
 
 export const createDailyActiveUsersQueries = (pool: CommonQueryMethods) => {
   const insertActiveUser = buildInsertIntoWithPool(pool)(DailyActiveUsers, {
     onConflict: { ignore: true },
   });
 
+  const countActiveUsersByTimeInterval = async (
+    startTimeExclusive: number,
+    endTimeInclusive: number
+  ) =>
+    pool.one<{ count: number }>(sql`
+      select count(distinct(${fields.userId}))
+      from ${table}
+      where ${fields.date} > to_timestamp(${startTimeExclusive}::double precision / 1000)
+      and ${fields.date} <= to_timestamp(${endTimeInclusive}::double precision / 1000)
+    `);
+
+  const getDailyActiveUserCountsByTimeInterval = async (
+    startTimeExclusive: number,
+    endTimeInclusive: number
+  ) =>
+    pool.any<{ date: string; count: number }>(sql`
+      select date(${fields.date}), count(distinct(${fields.userId}))
+      from ${table}
+      where ${fields.date} > to_timestamp(${startTimeExclusive}::double precision / 1000)
+      and ${fields.date} <= to_timestamp(${endTimeInclusive}::double precision / 1000)
+      group by date(${fields.date})
+    `);
+
   return {
     insertActiveUser,
+    countActiveUsersByTimeInterval,
+    getDailyActiveUserCountsByTimeInterval,
   };
 };
diff --git a/packages/core/src/queries/daily-token-usage.ts b/packages/core/src/queries/daily-token-usage.ts
index 92f82b9c286..f8520e74a07 100644
--- a/packages/core/src/queries/daily-token-usage.ts
+++ b/packages/core/src/queries/daily-token-usage.ts
@@ -1,9 +1,10 @@
 import { DailyTokenUsage } from '@logto/schemas';
-import { convertToIdentifiers, generateStandardId } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import { generateStandardId } from '@logto/shared';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { getUtcStartOfTheDay } from '#src/oidc/utils.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(DailyTokenUsage);
 const { fields: fieldsWithPrefix } = convertToIdentifiers(DailyTokenUsage, true);
diff --git a/packages/core/src/queries/domains.ts b/packages/core/src/queries/domains.ts
index 68875f98984..c312e6a32eb 100644
--- a/packages/core/src/queries/domains.ts
+++ b/packages/core/src/queries/domains.ts
@@ -1,13 +1,12 @@
 import { type CreateDomain, type Domain, DomainStatus, Domains } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { convertToIdentifiers, manyRows } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers, manyRows, type OmitAutoSetFields } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Domains);
 
diff --git a/packages/core/src/queries/hooks.ts b/packages/core/src/queries/hooks.ts
index 2705fec1a57..b87ee117869 100644
--- a/packages/core/src/queries/hooks.ts
+++ b/packages/core/src/queries/hooks.ts
@@ -1,8 +1,7 @@
 import type { CreateHook } from '@logto/schemas';
 import { Hooks } from '@logto/schemas';
-import { type OmitAutoSetFields, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindAllEntitiesWithPool } from '#src/database/find-all-entities.js';
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
@@ -10,6 +9,7 @@ import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { getTotalRowCountWithPool } from '#src/database/row-count.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers, type OmitAutoSetFields } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Hooks);
 
diff --git a/packages/core/src/queries/log.ts b/packages/core/src/queries/log.ts
index c6ddaf923fe..be31bf98bb4 100644
--- a/packages/core/src/queries/log.ts
+++ b/packages/core/src/queries/log.ts
@@ -1,5 +1,5 @@
 import {
-  token,
+  type token,
   type hook,
   Logs,
   type HookExecutionStats,
@@ -7,14 +7,14 @@ import {
   type interaction,
   type LogKeyUnknown,
 } from '@logto/schemas';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
 import { conditional, conditionalArray } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
 import { subDays } from 'date-fns';
-import { sql } from 'slonik';
-import type { CommonQueryMethods } from 'slonik';
 
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Logs);
 
@@ -77,33 +77,6 @@ export const createLogQueries = (pool: CommonQueryMethods) => {
 
   const findLogById = buildFindEntityByIdWithPool(pool)(Logs);
 
-  const getDailyActiveUserCountsByTimeInterval = async (
-    startTimeExclusive: number,
-    endTimeInclusive: number
-  ) =>
-    pool.any<{ date: string; count: number }>(sql`
-      select date(${fields.createdAt}), count(distinct(${fields.payload}->>'userId'))
-      from ${table}
-      where ${fields.createdAt} > to_timestamp(${startTimeExclusive}::double precision / 1000)
-      and ${fields.createdAt} <= to_timestamp(${endTimeInclusive}::double precision / 1000)
-      and ${fields.key} like ${`${token.Type.ExchangeTokenBy}.%`}
-      and ${fields.payload}->>'result' = 'Success'
-      group by date(${fields.createdAt})
-    `);
-
-  const countActiveUsersByTimeInterval = async (
-    startTimeExclusive: number,
-    endTimeInclusive: number
-  ) =>
-    pool.one<{ count: number }>(sql`
-      select count(distinct(${fields.payload}->>'userId'))
-      from ${table}
-      where ${fields.createdAt} > to_timestamp(${startTimeExclusive}::double precision / 1000)
-      and ${fields.createdAt} <= to_timestamp(${endTimeInclusive}::double precision / 1000)
-      and ${fields.key} like ${`${token.Type.ExchangeTokenBy}.%`}
-      and ${fields.payload}->>'result' = 'Success'
-    `);
-
   const getHookExecutionStatsByHookId = async (hookId: string) => {
     const startTimeExclusive = subDays(new Date(), 1).getTime();
     return pool.one<HookExecutionStats>(sql`
@@ -120,8 +93,6 @@ export const createLogQueries = (pool: CommonQueryMethods) => {
     countLogs,
     findLogs,
     findLogById,
-    getDailyActiveUserCountsByTimeInterval,
-    countActiveUsersByTimeInterval,
     getHookExecutionStatsByHookId,
   };
 };
diff --git a/packages/core/src/queries/logto-config.test.ts b/packages/core/src/queries/logto-config.test.ts
index 06d188dc886..8b36b9099b8 100644
--- a/packages/core/src/queries/logto-config.test.ts
+++ b/packages/core/src/queries/logto-config.test.ts
@@ -4,9 +4,9 @@ import {
   LogtoOidcConfigKey,
   LogtoTenantConfigKey,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
+import { convertToIdentifiers } from '#src/utils/sql.js';
 import { expectSqlAssert, type QueryType } from '#src/utils/test-utils.js';
 
 const { jest } = import.meta;
diff --git a/packages/core/src/queries/logto-config.ts b/packages/core/src/queries/logto-config.ts
index 8ff441ae8fa..6f0f3140e3c 100644
--- a/packages/core/src/queries/logto-config.ts
+++ b/packages/core/src/queries/logto-config.ts
@@ -1,14 +1,20 @@
-import type {
-  AdminConsoleData,
-  LogtoConfig,
-  LogtoConfigKey,
-  LogtoOidcConfigKey,
-  OidcConfigKey,
+import {
+  type jwtCustomizerConfigGuard,
+  LogtoTenantConfigKey,
+  LogtoConfigs,
+  type AdminConsoleData,
+  type LogtoConfig,
+  type LogtoConfigKey,
+  type LogtoOidcConfigKey,
+  type OidcConfigKey,
+  type LogtoJwtTokenKey,
 } from '@logto/schemas';
-import { LogtoTenantConfigKey, LogtoConfigs } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
+import { type z } from 'zod';
+
+import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(LogtoConfigs);
 
@@ -39,6 +45,17 @@ export const createLogtoConfigQueries = (pool: CommonQueryMethods) => {
         where ${fields.key} in (${sql.join(keys, sql`,`)})
     `);
 
+  const deleteRowByKey = async (key: LogtoConfigKey) => {
+    const { rowCount } = await pool.query(sql`
+      delete from ${table}
+      where ${fields.key}=${key}
+    `);
+
+    if (rowCount < 1) {
+      throw new DeletionError(LogtoConfigs.table, key);
+    }
+  };
+
   const updateOidcConfigsByKey = async (key: LogtoOidcConfigKey, value: OidcConfigKey[]) =>
     pool.query(sql`
       update ${table}
@@ -47,11 +64,31 @@ export const createLogtoConfigQueries = (pool: CommonQueryMethods) => {
       returning *
     `);
 
+  // Can not narrow down the type of value if we utilize `buildInsertIntoWithPool` method.
+  const upsertJwtCustomizer = async <T extends LogtoJwtTokenKey>(
+    key: T,
+    value: z.infer<(typeof jwtCustomizerConfigGuard)[T]>
+  ) =>
+    pool.one<{ key: T; value: Record<string, string> }>(
+      sql`
+        insert into ${table} (${fields.key}, ${fields.value})
+          values (${key}, ${sql.jsonb(value)})
+          on conflict (${fields.tenantId}, ${fields.key}) do update set ${
+            fields.value
+          } = ${sql.jsonb(value)}
+          returning *
+      `
+    );
+
+  const deleteJwtCustomizer = async <T extends LogtoJwtTokenKey>(key: T) => deleteRowByKey(key);
+
   return {
     getAdminConsoleConfig,
     updateAdminConsoleConfig,
     getCloudConnectionData,
     getRowsByKeys,
     updateOidcConfigsByKey,
+    upsertJwtCustomizer,
+    deleteJwtCustomizer,
   };
 };
diff --git a/packages/core/src/queries/oidc-model-instance.test.ts b/packages/core/src/queries/oidc-model-instance.test.ts
index e6f9065e581..a31f7623692 100644
--- a/packages/core/src/queries/oidc-model-instance.test.ts
+++ b/packages/core/src/queries/oidc-model-instance.test.ts
@@ -1,8 +1,8 @@
 import type { CreateOidcModelInstance } from '@logto/schemas';
 import { OidcModelInstances } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
+import { convertToIdentifiers } from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/oidc-model-instance.ts b/packages/core/src/queries/oidc-model-instance.ts
index a81b352df2e..12d913bb66f 100644
--- a/packages/core/src/queries/oidc-model-instance.ts
+++ b/packages/core/src/queries/oidc-model-instance.ts
@@ -1,13 +1,13 @@
 import type { OidcModelInstance, OidcModelInstancePayload } from '@logto/schemas';
 import { OidcModelInstances } from '@logto/schemas';
-import { convertToIdentifiers, convertToTimestamp } from '@logto/shared';
 import type { Nullable } from '@silverhand/essentials';
 import { conditional } from '@silverhand/essentials';
+import type { CommonQueryMethods, ValueExpression } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 import { addSeconds, isBefore } from 'date-fns';
-import type { CommonQueryMethods, ValueExpression } from 'slonik';
-import { sql } from 'slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { convertToIdentifiers, convertToTimestamp } from '#src/utils/sql.js';
 
 export type WithConsumed<T> = T & { consumed?: boolean };
 export type QueryResult = Pick<OidcModelInstance, 'payload' | 'consumedAt'>;
diff --git a/packages/core/src/queries/organization/index.ts b/packages/core/src/queries/organization/index.ts
index 8d47981120d..266728d4b79 100644
--- a/packages/core/src/queries/organization/index.ts
+++ b/packages/core/src/queries/organization/index.ts
@@ -17,16 +17,24 @@ import {
   type OrganizationInvitationEntity,
   OrganizationInvitationRoleRelations,
   OrganizationInvitationStatus,
+  OrganizationRoleResourceScopeRelations,
+  Scopes,
+  Resources,
 } from '@logto/schemas';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { type SearchOptions, buildSearchSql } from '#src/database/utils.js';
 import { TwoRelationsQueries } from '#src/utils/RelationQueries.js';
 import SchemaQueries from '#src/utils/SchemaQueries.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 import { RoleUserRelationQueries, UserRelationQueries } from './relations.js';
 
+/**
+ * The schema field keys that can be used for searching roles.
+ */
+export const organizationRoleSearchKeys = Object.freeze(['id', 'name', 'description'] as const);
+
 class OrganizationRolesQueries extends SchemaQueries<
   OrganizationRoleKeys,
   CreateOrganizationRole,
@@ -55,25 +63,52 @@ class OrganizationRolesQueries extends SchemaQueries<
   ) {
     const { table, fields } = convertToIdentifiers(OrganizationRoles, true);
     const relations = convertToIdentifiers(OrganizationRoleScopeRelations, true);
+    const resourceScopeRelations = convertToIdentifiers(
+      OrganizationRoleResourceScopeRelations,
+      true
+    );
     const scopes = convertToIdentifiers(OrganizationScopes, true);
+    const resourceScopes = convertToIdentifiers(Scopes, true);
+    const resource = convertToIdentifiers(Resources, true);
 
     return sql<OrganizationRoleWithScopes>`
       select
         ${table}.*,
         coalesce(
-          json_agg(
-            json_build_object(
+          json_agg(distinct
+            jsonb_build_object(
               'id', ${scopes.fields.id},
-              'name', ${scopes.fields.name}
-            ) order by ${scopes.fields.name}
+              'name', ${scopes.fields.name},
+              'order', ${scopes.fields.id}
+            )
           ) filter (where ${scopes.fields.id} is not null),
           '[]'
-        ) as scopes -- left join could produce nulls as scopes
+        ) as scopes, -- left join could produce nulls as scopes
+        coalesce(
+          json_agg(distinct
+            jsonb_build_object(
+              'id', ${resourceScopes.fields.id},
+              'name', ${resourceScopes.fields.name},
+              'resource', json_build_object(
+                'id', ${resource.fields.id},
+                'name', ${resource.fields.name}
+              ),
+              'order', ${resourceScopes.fields.id}
+            )
+          ) filter (where ${resourceScopes.fields.id} is not null),
+          '[]'
+        ) as "resourceScopes" -- left join could produce nulls as resourceScopes
       from ${table}
       left join ${relations.table}
         on ${relations.fields.organizationRoleId} = ${fields.id}
       left join ${scopes.table}
         on ${relations.fields.organizationScopeId} = ${scopes.fields.id}
+      left join ${resourceScopeRelations.table}
+        on ${resourceScopeRelations.fields.organizationRoleId} = ${fields.id}
+      left join ${resourceScopes.table}
+        on ${resourceScopeRelations.fields.scopeId} = ${resourceScopes.fields.id}
+      left join ${resource.table}
+        on ${resourceScopes.fields.resourceId} = ${resource.fields.id}
       ${conditionalSql(roleId, (id) => {
         return sql`where ${fields.id} = ${id}`;
       })}
@@ -88,32 +123,59 @@ class OrganizationRolesQueries extends SchemaQueries<
   }
 }
 
+type OrganizationInvitationSearchOptions = {
+  invitationId?: string;
+  organizationId?: string;
+  inviterId?: string;
+  invitee?: string;
+};
+
 class OrganizationInvitationsQueries extends SchemaQueries<
   OrganizationInvitationKeys,
   CreateOrganizationInvitation,
   OrganizationInvitation
 > {
-  override async findById(id: string): Promise<Readonly<OrganizationInvitationEntity>> {
-    return this.pool.one(this.#findEntity(id));
+  override async findById(invitationId: string): Promise<Readonly<OrganizationInvitationEntity>> {
+    return this.pool.one(this.#findEntity({ invitationId }));
   }
 
-  override async findAll(
-    limit: number,
-    offset: number,
-    search?: SearchOptions<OrganizationInvitationKeys>
-  ): Promise<[totalNumber: number, rows: Readonly<OrganizationInvitationEntity[]>]> {
-    return Promise.all([
-      this.findTotalNumber(search),
-      this.pool.any(this.#findEntity(undefined, limit, offset, search)),
-    ]);
+  /** @deprecated Use `findEntities` instead. */
+  override async findAll(): Promise<never> {
+    throw new Error('Use `findEntities` instead.');
   }
 
-  #findEntity(
-    invitationId?: string,
-    limit = 1,
-    offset = 0,
-    search?: SearchOptions<OrganizationInvitationKeys>
-  ) {
+  // We don't override `.findAll()` since the function signature is different from the base class.
+  async findEntities(
+    options: Omit<OrganizationInvitationSearchOptions, 'invitationId'>
+  ): Promise<Readonly<OrganizationInvitationEntity[]>> {
+    return this.pool.any(this.#findEntity({ ...options, invitationId: undefined }));
+  }
+
+  async updateExpiredEntities({
+    organizationId,
+    invitee,
+  }: OrganizationInvitationSearchOptions): Promise<void> {
+    const { table, fields } = convertToIdentifiers(OrganizationInvitations);
+    await this.pool.query(sql`
+      update ${table}
+      set ${fields.status} = ${OrganizationInvitationStatus.Expired}
+      where ${fields.status} = ${OrganizationInvitationStatus.Pending}
+      and ${fields.expiresAt} < now()
+      ${conditionalSql(organizationId, (id) => {
+        return sql`and ${fields.organizationId} = ${id}`;
+      })}
+      ${conditionalSql(invitee, (email) => {
+        return sql`and ${fields.invitee} = ${email}`;
+      })}
+    `);
+  }
+
+  #findEntity({
+    invitationId,
+    organizationId,
+    inviterId,
+    invitee,
+  }: OrganizationInvitationSearchOptions) {
     const { table, fields } = convertToIdentifiers(OrganizationInvitations, true);
     const roleRelations = convertToIdentifiers(OrganizationInvitationRoleRelations, true);
     const roles = convertToIdentifiers(OrganizationRoles, true);
@@ -147,16 +209,23 @@ class OrganizationInvitationsQueries extends SchemaQueries<
         on ${roleRelations.fields.organizationInvitationId} = ${fields.id}
       left join ${roles.table}
         on ${roles.fields.id} = ${roleRelations.fields.organizationRoleId}
+      where true
       ${conditionalSql(invitationId, (id) => {
-        return sql`where ${fields.id} = ${id}`;
+        return sql`and ${fields.id} = ${id}`;
+      })}
+      ${conditionalSql(organizationId, (id) => {
+        return sql`and ${fields.organizationId} = ${id}`;
+      })}
+      ${conditionalSql(inviterId, (id) => {
+        return sql`and ${fields.inviterId} = ${id}`;
+      })}
+      ${conditionalSql(invitee, (email) => {
+        return sql`and ${fields.invitee} = ${email}`;
       })}
-      ${buildSearchSql(OrganizationInvitations, search)}
       group by ${fields.id}
       ${conditionalSql(this.orderBy, ({ field, order }) => {
         return sql`order by ${fields[field]} ${order === 'desc' ? sql`desc` : sql`asc`}`;
       })}
-      limit ${limit}
-      offset ${offset}
     `;
   }
 }
@@ -199,6 +268,13 @@ export default class OrganizationQueries extends SchemaQueries<
       OrganizationRoles,
       OrganizationScopes
     ),
+    /** Queries for organization role - organization resource scope relations. */
+    rolesResourceScopes: new TwoRelationsQueries(
+      this.pool,
+      OrganizationRoleResourceScopeRelations.table,
+      OrganizationRoles,
+      Scopes
+    ),
     /** Queries for organization - user relations. */
     users: new UserRelationQueries(this.pool),
     /** Queries for organization - organization role - user relations. */
diff --git a/packages/core/src/queries/organization/relations.ts b/packages/core/src/queries/organization/relations.ts
index d5c787c17ec..9d84c2a052a 100644
--- a/packages/core/src/queries/organization/relations.ts
+++ b/packages/core/src/queries/organization/relations.ts
@@ -11,14 +11,14 @@ import {
   type FeaturedUser,
   type OrganizationScopeEntity,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { type SearchOptions, buildSearchSql, expandFields } from '#src/database/utils.js';
 import RelationQueries, {
   type GetEntitiesOptions,
   TwoRelationsQueries,
 } from '#src/utils/RelationQueries.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 import { type userSearchKeys } from '../user.js';
 
@@ -28,6 +28,20 @@ export class UserRelationQueries extends TwoRelationsQueries<typeof Organization
     super(pool, OrganizationUserRelations.table, Organizations, Users);
   }
 
+  async isMember(organizationId: string, email: string): Promise<boolean> {
+    const users = convertToIdentifiers(Users, true);
+    const relations = convertToIdentifiers(OrganizationUserRelations, true);
+
+    return this.pool.exists(sql`
+      select 1
+      from ${relations.table}
+      join ${users.table}
+        on ${relations.fields.userId} = ${users.fields.id}
+      where ${relations.fields.organizationId} = ${organizationId}
+      and ${users.fields.primaryEmail} = ${email}
+    `);
+  }
+
   async getFeatured(
     organizationId: string
   ): Promise<[totalNumber: number, users: readonly FeaturedUser[]]> {
diff --git a/packages/core/src/queries/passcode.test.ts b/packages/core/src/queries/passcode.test.ts
index fb83fc9ab1d..db4913f4be3 100644
--- a/packages/core/src/queries/passcode.test.ts
+++ b/packages/core/src/queries/passcode.test.ts
@@ -1,11 +1,15 @@
 import { TemplateType } from '@logto/connector-kit';
 import { Passcodes } from '@logto/schemas';
-import { convertToIdentifiers, convertToPrimitiveOrSql, excludeAutoSetFields } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 import { snakeCase } from 'snake-case';
 
 import { mockPasscode } from '#src/__mocks__/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import {
+  convertToIdentifiers,
+  convertToPrimitiveOrSql,
+  excludeAutoSetFields,
+} from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/passcode.ts b/packages/core/src/queries/passcode.ts
index 557001fb05b..36dfac52e9c 100644
--- a/packages/core/src/queries/passcode.ts
+++ b/packages/core/src/queries/passcode.ts
@@ -1,12 +1,12 @@
 import type { TemplateType } from '@logto/connector-kit';
 import type { Passcode, RequestVerificationCodePayload } from '@logto/schemas';
 import { Passcodes } from '@logto/schemas';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Passcodes);
 
diff --git a/packages/core/src/queries/resource.test.ts b/packages/core/src/queries/resource.test.ts
index d5cf2ba7648..707a7dc93dd 100644
--- a/packages/core/src/queries/resource.test.ts
+++ b/packages/core/src/queries/resource.test.ts
@@ -1,9 +1,9 @@
 import { Resources } from '@logto/schemas';
-import { convertToIdentifiers, convertToPrimitiveOrSql } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
 import { mockResource } from '#src/__mocks__/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers, convertToPrimitiveOrSql } from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/resource.ts b/packages/core/src/queries/resource.ts
index 96f7b969c2c..a121bd8088a 100644
--- a/packages/core/src/queries/resource.ts
+++ b/packages/core/src/queries/resource.ts
@@ -1,9 +1,7 @@
 import type { Resource, CreateResource } from '@logto/schemas';
 import { Resources } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindAllEntitiesWithPool } from '#src/database/find-all-entities.js';
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
@@ -11,6 +9,8 @@ import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
 import { getTotalRowCountWithPool } from '#src/database/row-count.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError, UpdateError } from '#src/errors/SlonikError/index.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Resources);
 
diff --git a/packages/core/src/queries/roles-scopes.ts b/packages/core/src/queries/roles-scopes.ts
index c0e82d5f7bc..0aabec1f0a0 100644
--- a/packages/core/src/queries/roles-scopes.ts
+++ b/packages/core/src/queries/roles-scopes.ts
@@ -1,10 +1,10 @@
 import type { CreateRolesScope, RolesScope } from '@logto/schemas';
 import { RolesScopes } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(RolesScopes);
 
diff --git a/packages/core/src/queries/roles.test.ts b/packages/core/src/queries/roles.test.ts
index e89e355cba5..86e66de4316 100644
--- a/packages/core/src/queries/roles.test.ts
+++ b/packages/core/src/queries/roles.test.ts
@@ -1,9 +1,13 @@
 import { Roles } from '@logto/schemas';
-import { convertToIdentifiers, convertToPrimitiveOrSql, excludeAutoSetFields } from '@logto/shared';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 
 import { mockAdminUserRole } from '#src/__mocks__/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import {
+  convertToIdentifiers,
+  convertToPrimitiveOrSql,
+  excludeAutoSetFields,
+} from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
diff --git a/packages/core/src/queries/roles.ts b/packages/core/src/queries/roles.ts
index 9b767d8fce6..ac6e076be65 100644
--- a/packages/core/src/queries/roles.ts
+++ b/packages/core/src/queries/roles.ts
@@ -1,9 +1,7 @@
 import type { CreateRole, Role, RoleType } from '@logto/schemas';
 import { internalRolePrefix, SearchJointMode, Roles } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { conditionalArraySql, conditionalSql, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
@@ -11,6 +9,8 @@ import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import type { Search } from '#src/utils/search.js';
 import { buildConditionsFromSearch } from '#src/utils/search.js';
+import { conditionalArraySql, conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Roles);
 
diff --git a/packages/core/src/queries/scope.ts b/packages/core/src/queries/scope.ts
index 52617611f8d..0ab041f05ec 100644
--- a/packages/core/src/queries/scope.ts
+++ b/packages/core/src/queries/scope.ts
@@ -1,9 +1,7 @@
 import type { CreateScope, Scope } from '@logto/schemas';
 import { Resources, Scopes } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
@@ -11,6 +9,8 @@ import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import type { Search } from '#src/utils/search.js';
 import { buildConditionsFromSearch } from '#src/utils/search.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Scopes, true);
 const resources = convertToIdentifiers(Resources, true);
diff --git a/packages/core/src/queries/sign-in-experience.test.ts b/packages/core/src/queries/sign-in-experience.test.ts
index f21e1458380..6b974df87bb 100644
--- a/packages/core/src/queries/sign-in-experience.test.ts
+++ b/packages/core/src/queries/sign-in-experience.test.ts
@@ -1,4 +1,4 @@
-import { createMockPool, createMockQueryResult } from 'slonik';
+import { createMockPool, createMockQueryResult } from '@silverhand/slonik';
 
 import { mockSignInExperience } from '#src/__mocks__/index.js';
 import { MockWellKnownCache } from '#src/test-utils/tenant.js';
diff --git a/packages/core/src/queries/sign-in-experience.ts b/packages/core/src/queries/sign-in-experience.ts
index 267df100be1..b6abe0e645c 100644
--- a/packages/core/src/queries/sign-in-experience.ts
+++ b/packages/core/src/queries/sign-in-experience.ts
@@ -1,6 +1,6 @@
 import type { CreateSignInExperience } from '@logto/schemas';
 import { SignInExperiences } from '@logto/schemas';
-import type { CommonQueryMethods } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
 
 import { type WellKnownCache } from '#src/caches/well-known.js';
 import { buildFindEntityByIdWithPool } from '#src/database/find-entity-by-id.js';
diff --git a/packages/core/src/queries/sso-connectors.ts b/packages/core/src/queries/sso-connectors.ts
index a5e5d26c522..4dfde1a2069 100644
--- a/packages/core/src/queries/sso-connectors.ts
+++ b/packages/core/src/queries/sso-connectors.ts
@@ -4,10 +4,10 @@ import {
   type SsoConnectorKeys,
   SsoConnectors,
 } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import SchemaQueries from '#src/utils/SchemaQueries.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 export default class SsoConnectorQueries extends SchemaQueries<
   SsoConnectorKeys,
diff --git a/packages/core/src/queries/system.ts b/packages/core/src/queries/system.ts
index 1bc85500020..218f4975fcd 100644
--- a/packages/core/src/queries/system.ts
+++ b/packages/core/src/queries/system.ts
@@ -1,7 +1,8 @@
 import { type SystemKey, Systems } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
+
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Systems);
 
diff --git a/packages/core/src/queries/tenant.ts b/packages/core/src/queries/tenant.ts
index 15d370dfdf7..d1f15da8018 100644
--- a/packages/core/src/queries/tenant.ts
+++ b/packages/core/src/queries/tenant.ts
@@ -1,6 +1,7 @@
 import { Tenants, type TenantModel } from '@logto/schemas/models';
-import { convertToIdentifiers } from '@logto/shared';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
+
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const createTenantQueries = (pool: CommonQueryMethods) => {
   const { table, fields } = convertToIdentifiers({
diff --git a/packages/core/src/queries/user-sso-identities.ts b/packages/core/src/queries/user-sso-identities.ts
index b01bd79c7fd..531a6b5287f 100644
--- a/packages/core/src/queries/user-sso-identities.ts
+++ b/packages/core/src/queries/user-sso-identities.ts
@@ -4,11 +4,11 @@ import {
   type UserSsoIdentity,
   UserSsoIdentities,
 } from '@logto/schemas';
-import { manyRows } from '@logto/shared';
 import { type Nullable } from '@silverhand/essentials';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import SchemaQueries from '#src/utils/SchemaQueries.js';
+import { manyRows } from '#src/utils/sql.js';
 
 export default class UserSsoIdentityQueries extends SchemaQueries<
   UserSsoIdentityKeys,
diff --git a/packages/core/src/queries/user.test.ts b/packages/core/src/queries/user.test.ts
index ca1a5e94152..a7949b95685 100644
--- a/packages/core/src/queries/user.test.ts
+++ b/packages/core/src/queries/user.test.ts
@@ -1,11 +1,11 @@
 import { Users } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
+import { createMockPool, createMockQueryResult, sql } from '@silverhand/slonik';
 import Sinon from 'sinon';
-import { createMockPool, createMockQueryResult, sql } from 'slonik';
 
 import { mockUser } from '#src/__mocks__/index.js';
 import { EnvSet } from '#src/env-set/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 import type { QueryType } from '#src/utils/test-utils.js';
 import { expectSqlAssert } from '#src/utils/test-utils.js';
 
@@ -49,6 +49,7 @@ describe('user query', () => {
   const { table, fields } = convertToIdentifiers(Users);
   const databaseValue = {
     ...mockUser,
+    profile: JSON.stringify({}),
     identities: JSON.stringify(mockUser.identities),
     customData: JSON.stringify(mockUser.customData),
     logtoConfig: JSON.stringify(mockUser.logtoConfig),
@@ -321,6 +322,7 @@ describe('user query', () => {
     const { connector1, ...restIdentities } = mockUser.identities;
     const finalDbvalue = {
       ...mockUser,
+      profile: JSON.stringify({}),
       identities: JSON.stringify(restIdentities),
       customData: JSON.stringify(mockUser.customData),
       logtoConfig: JSON.stringify(mockUser.logtoConfig),
diff --git a/packages/core/src/queries/user.ts b/packages/core/src/queries/user.ts
index 620095b362d..4aab200be5e 100644
--- a/packages/core/src/queries/user.ts
+++ b/packages/core/src/queries/user.ts
@@ -1,16 +1,16 @@
 import type { User, CreateUser } from '@logto/schemas';
 import { Users } from '@logto/schemas';
-import type { OmitAutoSetFields } from '@logto/shared';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
 import { conditionalArray, pick } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { EnvSet } from '#src/env-set/index.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 import type { Search } from '#src/utils/search.js';
 import { buildConditionsFromSearch } from '#src/utils/search.js';
+import type { OmitAutoSetFields } from '#src/utils/sql.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(Users);
 
diff --git a/packages/core/src/queries/users-roles.ts b/packages/core/src/queries/users-roles.ts
index 98e0c7005bb..9b7d60606e2 100644
--- a/packages/core/src/queries/users-roles.ts
+++ b/packages/core/src/queries/users-roles.ts
@@ -1,10 +1,10 @@
 import type { CreateUsersRole, UsersRole } from '@logto/schemas';
 import { UsersRoles } from '@logto/schemas';
-import { conditionalSql, convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { DeletionError } from '#src/errors/SlonikError/index.js';
+import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(UsersRoles);
 
diff --git a/packages/core/src/queries/verification-status.ts b/packages/core/src/queries/verification-status.ts
index 3225eda6d56..2439a9a12e0 100644
--- a/packages/core/src/queries/verification-status.ts
+++ b/packages/core/src/queries/verification-status.ts
@@ -1,10 +1,10 @@
 import type { VerificationStatus } from '@logto/schemas';
 import { VerificationStatuses } from '@logto/schemas';
-import { convertToIdentifiers } from '@logto/shared';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { table, fields } = convertToIdentifiers(VerificationStatuses);
 
diff --git a/packages/core/src/routes-me/user.ts b/packages/core/src/routes-me/user.ts
index 90fe834ccca..c1e3faf9c2c 100644
--- a/packages/core/src/routes-me/user.ts
+++ b/packages/core/src/routes-me/user.ts
@@ -4,7 +4,7 @@ import { conditional, pick } from '@silverhand/essentials';
 import { literal, object, string } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
-import { encryptUserPassword, verifyUserPassword } from '#src/libraries/user.js';
+import { encryptUserPassword } from '#src/libraries/user.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import assertThat from '#src/utils/assert-that.js';
 
@@ -20,7 +20,7 @@ export default function userRoutes<T extends AuthedMeRouter>(
       users: { findUserById, updateUserById },
     },
     libraries: {
-      users: { checkIdentifierCollision },
+      users: { checkIdentifierCollision, verifyUserPassword },
       verificationStatuses: { createVerificationStatus, checkVerificationStatus },
     },
   } = tenant;
diff --git a/packages/core/src/routes/admin-user/basic.openapi.json b/packages/core/src/routes/admin-user/basic.openapi.json
index 9f8ea597767..d6d9b7db5f0 100644
--- a/packages/core/src/routes/admin-user/basic.openapi.json
+++ b/packages/core/src/routes/admin-user/basic.openapi.json
@@ -108,6 +108,30 @@
         "description": "Update custom data for the given user ID. This method performs a partial update of the custom data object."
       }
     },
+    "/api/users/{userId}/profile": {
+      "patch": {
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "profile": {
+                    "description": "Partial profile object to update for the given user ID."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Updated profile in JSON for the given user ID."
+          }
+        },
+        "summary": "Update user profile",
+        "description": "Update profile for the given user ID. This method performs a partial update of the profile object."
+      }
+    },
     "/api/users": {
       "post": {
         "requestBody": {
@@ -124,6 +148,15 @@
                   },
                   "username": {
                     "description": "Username for the user. It should be unique across all users."
+                  },
+                  "password": {
+                    "description": "Plain text password for the user."
+                  },
+                  "passwordDigest": {
+                    "description": "In case you already have the password digests and not the passwords, you can use them for the newly created user via this property. The value should be generated with one of the supported algorithms. The algorithm can be specified using the `passwordAlgorithm` property."
+                  },
+                  "passwordAlgorithm": {
+                    "description": "The hash algorithm used for the password. It should be one of the supported algorithms: argon2, md5, sha1, sha256. Should the encryption algorithm differ from argon2, it will automatically be upgraded to argon2 upon the user's next sign-in."
                   }
                 }
               }
diff --git a/packages/core/src/routes/admin-user/basics.test.ts b/packages/core/src/routes/admin-user/basics.test.ts
index 0c332b07859..280502541fb 100644
--- a/packages/core/src/routes/admin-user/basics.test.ts
+++ b/packages/core/src/routes/admin-user/basics.test.ts
@@ -1,5 +1,5 @@
 import type { CreateUser, Role, SignInExperience, User } from '@logto/schemas';
-import { RoleType } from '@logto/schemas';
+import { RoleType, UsersPasswordEncryptionMethod } from '@logto/schemas';
 import { createMockUtils, pickDefault } from '@logto/shared/esm';
 import { removeUndefinedKeys } from '@silverhand/essentials';
 
@@ -69,17 +69,14 @@ const { revokeInstanceByUserId } = mockedQueries.oidcModelInstances;
 const { hasUser, findUserById, updateUserById, deleteUserIdentity, deleteUserById } =
   mockedQueries.users;
 
-const { encryptUserPassword, verifyUserPassword } = await mockEsmWithActual(
-  '#src/libraries/user.js',
-  () => ({
-    encryptUserPassword: jest.fn(() => ({
-      passwordEncrypted: 'password',
-      passwordEncryptionMethod: 'Argon2i',
-    })),
-    verifyUserPassword: jest.fn(),
-  })
-);
+const { encryptUserPassword } = await mockEsmWithActual('#src/libraries/user.js', () => ({
+  encryptUserPassword: jest.fn(() => ({
+    passwordEncrypted: 'password',
+    passwordEncryptionMethod: 'Argon2i',
+  })),
+}));
 
+const verifyUserPassword = jest.fn();
 const usersLibraries = {
   generateUserId: jest.fn(async () => 'fooId'),
   insertUser: jest.fn(
@@ -88,6 +85,7 @@ const usersLibraries = {
       ...removeUndefinedKeys(user), // No undefined values will be returned from database
     })
   ),
+  verifyUserPassword,
 } satisfies Partial<Libraries['users']>;
 
 const adminUserRoutes = await pickDefault(import('./basics.js'));
@@ -136,6 +134,20 @@ describe('adminUserRoutes', () => {
     ).resolves.toHaveProperty('status', 200);
   });
 
+  it('POST /users with password digest', async () => {
+    const username = 'MJAtLogto';
+    const name = 'Michael';
+
+    await expect(
+      userRequest.post('/users').send({
+        username,
+        name,
+        passwordDigest: '5f4dcc3b5aa765d61d8327deb882cf99',
+        passwordAlgorithm: UsersPasswordEncryptionMethod.MD5,
+      })
+    ).resolves.toHaveProperty('status', 200);
+  });
+
   it('POST /users should throw if username exists', async () => {
     const mockHasUser = hasUser as jest.Mock;
     mockHasUser.mockImplementationOnce(async () => true);
diff --git a/packages/core/src/routes/admin-user/basics.ts b/packages/core/src/routes/admin-user/basics.ts
index fe17335c28d..9ab6624e74c 100644
--- a/packages/core/src/routes/admin-user/basics.ts
+++ b/packages/core/src/routes/admin-user/basics.ts
@@ -1,10 +1,16 @@
 import { emailRegEx, phoneRegEx, usernameRegEx } from '@logto/core-kit';
-import { jsonObjectGuard, userInfoSelectFields, userProfileResponseGuard } from '@logto/schemas';
+import {
+  UsersPasswordEncryptionMethod,
+  jsonObjectGuard,
+  userInfoSelectFields,
+  userProfileGuard,
+  userProfileResponseGuard,
+} from '@logto/schemas';
 import { conditional, pick, yes } from '@silverhand/essentials';
-import { boolean, literal, object, string } from 'zod';
+import { boolean, literal, nativeEnum, object, string } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
-import { encryptUserPassword, verifyUserPassword } from '#src/libraries/user.js';
+import { encryptUserPassword } from '#src/libraries/user.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import assertThat from '#src/utils/assert-that.js';
 
@@ -25,7 +31,7 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
     userSsoIdentities,
   } = queries;
   const {
-    users: { checkIdentifierCollision, generateUserId, insertUser },
+    users: { checkIdentifierCollision, generateUserId, insertUser, verifyUserPassword },
   } = libraries;
 
   router.get(
@@ -103,6 +109,32 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
     }
   );
 
+  router.patch(
+    '/users/:userId/profile',
+    koaGuard({
+      params: object({ userId: string() }),
+      body: object({ profile: userProfileGuard }),
+      response: userProfileGuard,
+      status: [200, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { userId },
+        body: { profile },
+      } = ctx.guard;
+
+      await findUserById(userId);
+
+      const user = await updateUserById(userId, {
+        profile,
+      });
+
+      ctx.body = user.profile;
+
+      return next();
+    }
+  );
+
   router.post(
     '/users',
     koaGuard({
@@ -111,13 +143,32 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
         primaryEmail: string().regex(emailRegEx),
         username: string().regex(usernameRegEx),
         password: string().min(1),
+        passwordDigest: string(),
+        passwordAlgorithm: nativeEnum(UsersPasswordEncryptionMethod),
         name: string(),
+        avatar: string().url().or(literal('')).nullable(),
+        customData: jsonObjectGuard,
+        profile: userProfileGuard,
       }).partial(),
       response: userProfileResponseGuard,
       status: [200, 404, 422],
     }),
     async (ctx, next) => {
-      const { primaryEmail, primaryPhone, username, password, name } = ctx.guard.body;
+      const {
+        primaryEmail,
+        primaryPhone,
+        username,
+        password,
+        name,
+        passwordDigest,
+        passwordAlgorithm,
+        avatar,
+        customData,
+        profile,
+      } = ctx.guard.body;
+
+      assertThat(!(password && passwordDigest), new RequestError('user.password_and_digest'));
+      assertThat(!passwordDigest || passwordAlgorithm, 'user.password_algorithm_required');
 
       assertThat(
         !username || !(await hasUser(username)),
@@ -147,7 +198,16 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
           primaryPhone,
           username,
           name,
+          avatar,
+          ...conditional(customData && { customData }),
           ...conditional(password && (await encryptUserPassword(password))),
+          ...conditional(
+            passwordDigest && {
+              passwordEncrypted: passwordDigest,
+              passwordEncryptionMethod: passwordAlgorithm,
+            }
+          ),
+          ...conditional(profile && { profile }),
         },
         []
       );
@@ -169,6 +229,7 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
         name: string().or(literal('')).nullable(),
         avatar: string().url().or(literal('')).nullable(),
         customData: jsonObjectGuard,
+        profile: userProfileGuard,
       }).partial(),
       response: userProfileResponseGuard,
       status: [200, 404, 422],
@@ -287,6 +348,7 @@ export default function adminUserBasicsRoutes<T extends AuthedRouter>(...args: R
 
       return next();
     }
+    // eslint-disable-next-line max-lines
   );
 
   router.delete(
diff --git a/packages/core/src/routes/consts.ts b/packages/core/src/routes/consts.ts
deleted file mode 100644
index 2f07bfa19e3..00000000000
--- a/packages/core/src/routes/consts.ts
+++ /dev/null
@@ -1,11 +0,0 @@
-const signIn = '/sign-in';
-const signUp = '/register';
-const consent = '/consent';
-
-export const routes = Object.freeze({
-  signIn,
-  signUp,
-  consent,
-} as const);
-
-export const verificationTimeout = 10 * 60 * 1000; // 10 mins.
diff --git a/packages/core/src/routes/dashboard.test.ts b/packages/core/src/routes/dashboard.test.ts
index ae7ef9ae1b9..04995739b79 100644
--- a/packages/core/src/routes/dashboard.test.ts
+++ b/packages/core/src/routes/dashboard.test.ts
@@ -41,13 +41,13 @@ const users = {
 };
 const { countUsers, getDailyNewUserCountsByTimeInterval } = users;
 
-const logs = {
+const dailyActiveUsers = {
   getDailyActiveUserCountsByTimeInterval: jest.fn().mockResolvedValue(mockDailyActiveUserCounts),
   countActiveUsersByTimeInterval: jest.fn().mockResolvedValue({ count: mockActiveUserCount }),
 };
-const { getDailyActiveUserCountsByTimeInterval, countActiveUsersByTimeInterval } = logs;
+const { getDailyActiveUserCountsByTimeInterval, countActiveUsersByTimeInterval } = dailyActiveUsers;
 
-const tenantContext = new MockTenant(undefined, { logs, users });
+const tenantContext = new MockTenant(undefined, { dailyActiveUsers, users });
 const dashboardRoutes = await pickDefault(import('./dashboard.js'));
 
 describe('dashboardRoutes', () => {
diff --git a/packages/core/src/routes/dashboard.ts b/packages/core/src/routes/dashboard.ts
index b5c29d5ffec..f5f7b7deb3b 100644
--- a/packages/core/src/routes/dashboard.ts
+++ b/packages/core/src/routes/dashboard.ts
@@ -17,7 +17,7 @@ export default function dashboardRoutes<T extends AuthedRouter>(
   ...[router, { queries }]: RouterInitArgs<T>
 ) {
   const {
-    logs: { countActiveUsersByTimeInterval, getDailyActiveUserCountsByTimeInterval },
+    dailyActiveUsers: { countActiveUsersByTimeInterval, getDailyActiveUserCountsByTimeInterval },
     users: { countUsers, getDailyNewUserCountsByTimeInterval },
   } = queries;
 
diff --git a/packages/core/src/routes/domain.ts b/packages/core/src/routes/domain.ts
index 815e7544842..475920c2d54 100644
--- a/packages/core/src/routes/domain.ts
+++ b/packages/core/src/routes/domain.ts
@@ -60,7 +60,7 @@ export default function domainRoutes<T extends AuthedRouter>(
     koaGuard({
       body: Domains.createGuard.pick({ domain: true }),
       response: domainResponseGuard,
-      status: [201, 422],
+      status: [201, 422, 400],
     }),
     async (ctx, next) => {
       const existingDomains = await findAllDomains();
@@ -72,6 +72,7 @@ export default function domainRoutes<T extends AuthedRouter>(
         })
       );
 
+      // Throw 400 error if domain is invalid
       const syncedDomain = await addDomain(ctx.guard.body.domain);
 
       ctx.status = 201;
diff --git a/packages/core/src/routes/init.ts b/packages/core/src/routes/init.ts
index 48decc41726..a33c483159c 100644
--- a/packages/core/src/routes/init.ts
+++ b/packages/core/src/routes/init.ts
@@ -25,7 +25,7 @@ import domainRoutes from './domain.js';
 import hookRoutes from './hook.js';
 import interactionRoutes from './interaction/index.js';
 import logRoutes from './log.js';
-import logtoConfigRoutes from './logto-config.js';
+import logtoConfigRoutes from './logto-config/index.js';
 import organizationRoutes from './organization/index.js';
 import resourceRoutes from './resource.js';
 import resourceScopeRoutes from './resource.scope.js';
diff --git a/packages/core/src/routes/interaction/actions/helpers.ts b/packages/core/src/routes/interaction/actions/helpers.ts
index a2aea304306..d64a4a44db0 100644
--- a/packages/core/src/routes/interaction/actions/helpers.ts
+++ b/packages/core/src/routes/interaction/actions/helpers.ts
@@ -1,7 +1,6 @@
 import { defaults, parseAffiliateData } from '@logto/affiliate';
 import { consoleLog } from '@logto/cli/lib/utils.js';
 import { type CreateUser, type User, adminTenantId } from '@logto/schemas';
-import { type OmitAutoSetFields } from '@logto/shared';
 import { conditional, trySafe } from '@silverhand/essentials';
 import { type IRouterContext } from 'koa-router';
 
@@ -11,6 +10,7 @@ import { type ConnectorLibrary } from '#src/libraries/connector.js';
 import { encryptUserPassword } from '#src/libraries/user.js';
 import type Queries from '#src/tenants/Queries.js';
 import type TenantContext from '#src/tenants/TenantContext.js';
+import { type OmitAutoSetFields } from '#src/utils/sql.js';
 
 import {
   type Identifier,
diff --git a/packages/core/src/routes/interaction/actions/submit-interaction.mfa.test.ts b/packages/core/src/routes/interaction/actions/submit-interaction.mfa.test.ts
index 0549bb916cf..9d3fbe9aefe 100644
--- a/packages/core/src/routes/interaction/actions/submit-interaction.mfa.test.ts
+++ b/packages/core/src/routes/interaction/actions/submit-interaction.mfa.test.ts
@@ -36,7 +36,7 @@ mockEsm('@logto/shared', () => ({
 }));
 
 mockEsm('#src/utils/tenant.js', () => ({
-  getTenantId: () => adminTenantId,
+  getTenantId: () => [adminTenantId],
 }));
 
 const userQueries = {
diff --git a/packages/core/src/routes/interaction/actions/submit-interaction.test.ts b/packages/core/src/routes/interaction/actions/submit-interaction.test.ts
index 0dea2ab9a81..bc9007ac851 100644
--- a/packages/core/src/routes/interaction/actions/submit-interaction.test.ts
+++ b/packages/core/src/routes/interaction/actions/submit-interaction.test.ts
@@ -37,7 +37,7 @@ mockEsm('@logto/shared', () => ({
 }));
 
 mockEsm('#src/utils/tenant.js', () => ({
-  getTenantId: () => adminTenantId,
+  getTenantId: () => [adminTenantId],
 }));
 
 const userQueries = {
diff --git a/packages/core/src/routes/interaction/actions/submit-interaction.ts b/packages/core/src/routes/interaction/actions/submit-interaction.ts
index 861922e42e2..7f4583c5679 100644
--- a/packages/core/src/routes/interaction/actions/submit-interaction.ts
+++ b/packages/core/src/routes/interaction/actions/submit-interaction.ts
@@ -1,6 +1,6 @@
 import { Component, CoreEvent, getEventName } from '@logto/app-insights/custom-event';
 import { appInsights } from '@logto/app-insights/node';
-import type { User } from '@logto/schemas';
+import type { User, UserOnboardingData } from '@logto/schemas';
 import {
   AdminTenantRole,
   SignInMode,
@@ -13,6 +13,8 @@ import {
   getTenantRole,
   TenantRole,
   defaultManagementApiAdminName,
+  OrganizationInvitationStatus,
+  userOnboardingDataKey,
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { conditional, conditionalArray, trySafe } from '@silverhand/essentials';
@@ -90,8 +92,11 @@ async function handleSubmitRegister(
   log?: LogEntry
 ) {
   const { provider, libraries, queries, cloudConnection, id: tenantId } = tenantContext;
-  const { hasActiveUsers } = queries.users;
-  const { updateDefaultSignInExperience } = queries.signInExperiences;
+  const {
+    users: { hasActiveUsers },
+    signInExperiences: { updateDefaultSignInExperience },
+    organizations,
+  } = queries;
 
   const {
     users: { generateUserId, insertUser },
@@ -105,10 +110,20 @@ async function handleSubmitRegister(
   const { client_id } = ctx.interactionDetails.params;
 
   const { isCloud } = EnvSet.values;
-  const isInAdminTenant = (await getTenantId(ctx.URL)) === adminTenantId;
+  const [currentTenantId] = await getTenantId(ctx.URL);
+  const isInAdminTenant = currentTenantId === adminTenantId;
   const isCreatingFirstAdminUser =
     isInAdminTenant && String(client_id) === adminConsoleApplicationId && !(await hasActiveUsers());
 
+  // If it's Logto Cloud, Check if the new user has any pending invitations, if yes, skip onboarding flow.
+  const invitations =
+    isCloud && userProfile.primaryEmail
+      ? await organizations.invitations.findEntities({ invitee: userProfile.primaryEmail })
+      : [];
+  const hasPendingInvitations = invitations.some(
+    (invitation) => invitation.status === OrganizationInvitationStatus.Pending
+  );
+
   await insertUser(
     {
       id,
@@ -118,6 +133,16 @@ async function handleSubmitRegister(
           mfaVerifications,
         }
       ),
+      ...conditional(
+        // Skip onboarding flow if the new user has pending Cloud invitations
+        hasPendingInvitations && {
+          customData: {
+            [userOnboardingDataKey]: {
+              isOnboardingDone: true,
+            } satisfies UserOnboardingData,
+          },
+        }
+      ),
       ...conditional(
         mfaSkipped && {
           logtoConfig: {
@@ -141,8 +166,8 @@ async function handleSubmitRegister(
     // Create tenant organization and assign the admin user to it.
     // This is only for Cloud integration tests and data alignment, OSS still uses the legacy Management API user role.
     const organizationId = getTenantOrganizationId(defaultTenantId);
-    await queries.organizations.relations.users.insert([organizationId, id]);
-    await queries.organizations.relations.rolesUsers.insert([
+    await organizations.relations.users.insert([organizationId, id]);
+    await organizations.relations.rolesUsers.insert([
       organizationId,
       getTenantRole(TenantRole.Admin).id,
       id,
diff --git a/packages/core/src/routes/interaction/additional.test.ts b/packages/core/src/routes/interaction/additional.test.ts
index 7651b990f3a..7a3176a8cdf 100644
--- a/packages/core/src/routes/interaction/additional.test.ts
+++ b/packages/core/src/routes/interaction/additional.test.ts
@@ -44,6 +44,10 @@ const { getInteractionStorage, storeInteractionResult } = await mockEsmWithActua
   })
 );
 
+await mockEsmWithActual('./utils/totp-validation.js', () => ({
+  generateTotpSecret: jest.fn().mockReturnValue('secret'),
+}));
+
 const { sendVerificationCodeToIdentifier } = await mockEsmWithActual(
   './utils/verification-code-validation.js',
   () => ({
@@ -229,7 +233,7 @@ describe('interaction routes', () => {
       expect(getInteractionStorage).toBeCalled();
       expect(storeInteractionResult).toBeCalled();
       expect(response.statusCode).toEqual(200);
-      expect(response.body).toHaveProperty('secret');
+      expect(response.body).toHaveProperty('secret', 'secret');
       expect(response.body).toHaveProperty('secretQrCode');
     });
   });
diff --git a/packages/core/src/routes/interaction/single-sign-on.ts b/packages/core/src/routes/interaction/single-sign-on.ts
index b0db3d1f7b2..99faf43e1db 100644
--- a/packages/core/src/routes/interaction/single-sign-on.ts
+++ b/packages/core/src/routes/interaction/single-sign-on.ts
@@ -79,7 +79,7 @@ export default function singleSignOnRoutes<T extends IRouterParamContext>(
         connectorId: z.string(),
       }),
       body: z.record(z.unknown()),
-      status: [200, 404],
+      status: [200, 404, 422],
       response: z.object({
         redirectTo: z.string(),
       }),
diff --git a/packages/core/src/routes/interaction/utils/single-sign-on-session.ts b/packages/core/src/routes/interaction/utils/single-sign-on-session.ts
index cf6fe14dc7a..f096ca3e7ca 100644
--- a/packages/core/src/routes/interaction/utils/single-sign-on-session.ts
+++ b/packages/core/src/routes/interaction/utils/single-sign-on-session.ts
@@ -7,7 +7,7 @@ import {
   singleSignOnConnectorSessionGuard,
   singleSignOnInteractionIdentifierResultGuard,
   type SingleSignOnInteractionIdentifierResult,
-} from '#src/sso/types/session.js';
+} from '#src/sso/index.js';
 import assertThat from '#src/utils/assert-that.js';
 
 /**
diff --git a/packages/core/src/routes/interaction/utils/single-sign-on.test.ts b/packages/core/src/routes/interaction/utils/single-sign-on.test.ts
index 1180410218b..fc85eda76d4 100644
--- a/packages/core/src/routes/interaction/utils/single-sign-on.test.ts
+++ b/packages/core/src/routes/interaction/utils/single-sign-on.test.ts
@@ -6,7 +6,7 @@ import RequestError from '#src/errors/RequestError/index.js';
 import { type WithLogContext } from '#src/middleware/koa-audit-log.js';
 import { OidcSsoConnector } from '#src/sso/OidcSsoConnector/index.js';
 import { ssoConnectorFactories } from '#src/sso/index.js';
-import { type SingleSignOnConnectorData } from '#src/sso/types/index.js';
+import { type SingleSignOnConnectorData } from '#src/sso/types/connector.js';
 import { createMockLogContext } from '#src/test-utils/koa-audit-log.js';
 import { createMockProvider } from '#src/test-utils/oidc-provider.js';
 import { MockTenant } from '#src/test-utils/tenant.js';
diff --git a/packages/core/src/routes/interaction/utils/single-sign-on.ts b/packages/core/src/routes/interaction/utils/single-sign-on.ts
index bcaa2245ab5..32b49c6db62 100644
--- a/packages/core/src/routes/interaction/utils/single-sign-on.ts
+++ b/packages/core/src/routes/interaction/utils/single-sign-on.ts
@@ -13,8 +13,7 @@ import { z } from 'zod';
 import RequestError from '#src/errors/RequestError/index.js';
 import { type WithLogContext } from '#src/middleware/koa-audit-log.js';
 import { type WithInteractionDetailsContext } from '#src/routes/interaction/middleware/koa-interaction-details.js';
-import { ssoConnectorFactories } from '#src/sso/index.js';
-import { type SingleSignOnConnectorSession } from '#src/sso/types/index.js';
+import { ssoConnectorFactories, type SingleSignOnConnectorSession } from '#src/sso/index.js';
 import type Queries from '#src/tenants/Queries.js';
 import type TenantContext from '#src/tenants/TenantContext.js';
 import assertThat from '#src/utils/assert-that.js';
diff --git a/packages/core/src/routes/interaction/verifications/identifier-payload-verification.test.ts b/packages/core/src/routes/interaction/verifications/identifier-payload-verification.test.ts
index d79e82d6d02..237ccaed3f0 100644
--- a/packages/core/src/routes/interaction/verifications/identifier-payload-verification.test.ts
+++ b/packages/core/src/routes/interaction/verifications/identifier-payload-verification.test.ts
@@ -36,16 +36,15 @@ const { verifySocialIdentity } = mockEsm('../utils/social-verification.js', () =
   verifySocialIdentity: jest.fn().mockResolvedValue({ id: 'foo' }),
 }));
 
-const { verifyUserPassword } = await mockEsmWithActual('#src/libraries/user.js', () => ({
-  verifyUserPassword: jest.fn(),
-}));
-
 const identifierPayloadVerification = await pickDefault(
   import('./identifier-payload-verification.js')
 );
 
+const verifyUserPassword = jest.fn();
 const logContext = createMockLogContext();
-const tenant = new MockTenant();
+const tenant = new MockTenant(undefined, undefined, undefined, {
+  users: { verifyUserPassword },
+});
 
 describe('identifier verification', () => {
   const baseCtx = {
diff --git a/packages/core/src/routes/interaction/verifications/identifier-payload-verification.ts b/packages/core/src/routes/interaction/verifications/identifier-payload-verification.ts
index f607b20111c..4ba0925b405 100644
--- a/packages/core/src/routes/interaction/verifications/identifier-payload-verification.ts
+++ b/packages/core/src/routes/interaction/verifications/identifier-payload-verification.ts
@@ -12,7 +12,6 @@ import { type Optional, isKeyInObject } from '@silverhand/essentials';
 import { sha256 } from 'hash-wasm';
 
 import RequestError from '#src/errors/RequestError/index.js';
-import { verifyUserPassword } from '#src/libraries/user.js';
 import type { WithLogContext } from '#src/middleware/koa-audit-log.js';
 import type TenantContext from '#src/tenants/TenantContext.js';
 import assertThat from '#src/utils/assert-that.js';
@@ -56,7 +55,7 @@ const verifyPasswordIdentifier = async (
   log.append({ ...identity });
 
   const user = await findUserByIdentifier(tenant, identity);
-  const verifiedUser = await verifyUserPassword(user, password);
+  const verifiedUser = await tenant.libraries.users.verifyUserPassword(user, password);
 
   const { isSuspended, id } = verifiedUser;
 
diff --git a/packages/core/src/routes/interaction/verifications/mfa-verification.ts b/packages/core/src/routes/interaction/verifications/mfa-verification.ts
index 8d08e54377c..51e83ded21a 100644
--- a/packages/core/src/routes/interaction/verifications/mfa-verification.ts
+++ b/packages/core/src/routes/interaction/verifications/mfa-verification.ts
@@ -135,20 +135,6 @@ const isMfaSkipped = (logtoConfig: JsonObject): boolean => {
 
   return parsed.success ? parsed.data[userMfaDataKey].skipped === true : false;
 };
-/**
- * Mark MFA as skipped in user custom data
- */
-export const markMfaSkipped = async (tenant: TenantContext, accountId: string) => {
-  const { customData } = await tenant.queries.users.findUserById(accountId);
-  await tenant.queries.users.updateUserById(accountId, {
-    customData: {
-      ...customData,
-      [userMfaDataKey]: {
-        skipped: true,
-      },
-    },
-  });
-};
 
 export const validateMandatoryBindMfa = async (
   tenant: TenantContext,
diff --git a/packages/core/src/routes/logto-config.openapi.json b/packages/core/src/routes/logto-config.openapi.json
deleted file mode 100644
index 772a248c3d3..00000000000
--- a/packages/core/src/routes/logto-config.openapi.json
+++ /dev/null
@@ -1,109 +0,0 @@
-{
-  "tags": [
-    {
-      "name": "Configs",
-      "description": "Endpoints for managing Logto global configurations for the tenant, such as admin console config and OIDC signing keys.\n\nSee [🔑 Signing keys](https://docs.logto.io/docs/recipes/signing-keys-rotation/) to learn more about signing keys and key rotation."
-    }
-  ],
-  "paths": {
-    "/api/configs/admin-console": {
-      "get": {
-        "summary": "Get admin console config",
-        "description": "Get the global configuration object for Logto Console.",
-        "responses": {
-          "200": {
-            "description": "The configuration object."
-          },
-          "404": {
-            "description": "Configuration not found."
-          }
-        }
-      },
-      "patch": {
-        "summary": "Update admin console config",
-        "description": "Update the global configuration object for Logto Console. This method performs a partial update.",
-        "responses": {
-          "200": {
-            "description": "The updated configuration object."
-          },
-          "404": {
-            "description": "Configuration not found."
-          }
-        }
-      }
-    },
-    "/api/configs/oidc/{keyType}": {
-      "get": {
-        "summary": "Get OIDC keys",
-        "description": "Get OIDC signing keys by key type. The actual key will be redacted from the result.",
-        "parameters": [
-          {
-            "in": "path",
-            "name": "keyType",
-            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "An array of OIDC signing keys for the given key type."
-          }
-        }
-      }
-    },
-    "/api/configs/oidc/{keyType}/{keyId}": {
-      "delete": {
-        "summary": "Delete OIDC key",
-        "description": "Delete an OIDC signing key by key type and key ID.",
-        "parameters": [
-          {
-            "in": "path",
-            "name": "keyType",
-            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "The key was deleted successfully."
-          },
-          "404": {
-            "description": "The key was not found."
-          },
-          "422": {
-            "description": "At least one key must be kept."
-          }
-        }
-      }
-    },
-    "/api/configs/oidc/{keyType}/rotate": {
-      "post": {
-        "summary": "Rotate OIDC keys",
-        "description": "A new key will be generated and prepend to the list of keys.\n\nOnly two recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.",
-        "parameters": [
-          {
-            "in": "path",
-            "name": "keyType",
-            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/json": {
-              "schema": {
-                "properties": {
-                  "signingKeyAlgorithm": {
-                    "description": "The signing key algorithm the new generated private key is using.\n\nOnly applicable when `keyType` is `private-keys`."
-                  }
-                }
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "An array of OIDC signing keys after rotation."
-          }
-        }
-      }
-    }
-  }
-}
diff --git a/packages/core/src/routes/logto-config.test.ts b/packages/core/src/routes/logto-config/index.test.ts
similarity index 95%
rename from packages/core/src/routes/logto-config.test.ts
rename to packages/core/src/routes/logto-config/index.test.ts
index 40499e42bac..f1fea3943d7 100644
--- a/packages/core/src/routes/logto-config.test.ts
+++ b/packages/core/src/routes/logto-config/index.test.ts
@@ -3,12 +3,7 @@ import { generateStandardId } from '@logto/shared';
 import { createMockUtils, pickDefault } from '@logto/shared/esm';
 import Sinon from 'sinon';
 
-import {
-  mockAdminConsoleData,
-  mockCookieKeys,
-  mockLogtoConfigs,
-  mockPrivateKeys,
-} from '#src/__mocks__/index.js';
+import { mockAdminConsoleData, mockCookieKeys, mockPrivateKeys } from '#src/__mocks__/index.js';
 import { MockTenant } from '#src/test-utils/tenant.js';
 import { createRequester } from '#src/utils/test-utils.js';
 
@@ -52,13 +47,6 @@ const logtoConfigQueries = {
     },
   }),
   updateOidcConfigsByKey: jest.fn(),
-  getRowsByKeys: jest.fn(async () => ({
-    rows: mockLogtoConfigs,
-    rowCount: mockLogtoConfigs.length,
-    command: 'SELECT' as const,
-    fields: [],
-    notices: [],
-  })),
 };
 
 const logtoConfigLibraries = {
@@ -68,7 +56,7 @@ const logtoConfigLibraries = {
   })),
 };
 
-const settingRoutes = await pickDefault(import('./logto-config.js'));
+const settingRoutes = await pickDefault(import('./index.js'));
 
 describe('configs routes', () => {
   const tenantContext = new MockTenant(undefined, { logtoConfigs: logtoConfigQueries });
diff --git a/packages/core/src/routes/logto-config.ts b/packages/core/src/routes/logto-config/index.ts
similarity index 93%
rename from packages/core/src/routes/logto-config.ts
rename to packages/core/src/routes/logto-config/index.ts
index dcdbd3a084c..0b9e424d231 100644
--- a/packages/core/src/routes/logto-config.ts
+++ b/packages/core/src/routes/logto-config/index.ts
@@ -19,7 +19,9 @@ import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import { exportJWK } from '#src/utils/jwks.js';
 
-import type { AuthedRouter, RouterInitArgs } from './types.js';
+import type { AuthedRouter, RouterInitArgs } from '../types.js';
+
+import logtoConfigJwtCustomizerRoutes from './jwt-customizer.js';
 
 /**
  * Provide a simple API router key type and DB config key mapping
@@ -58,11 +60,11 @@ const getRedactedOidcKeyResponse = async (
   );
 
 export default function logtoConfigRoutes<T extends AuthedRouter>(
-  ...[router, { queries, logtoConfigs, invalidateCache }]: RouterInitArgs<T>
+  ...[router, tenant]: RouterInitArgs<T>
 ) {
   const { getAdminConsoleConfig, updateAdminConsoleConfig, updateOidcConfigsByKey } =
-    queries.logtoConfigs;
-  const { getOidcConfigs } = logtoConfigs;
+    tenant.queries.logtoConfigs;
+  const { getOidcConfigs } = tenant.logtoConfigs;
 
   router.get(
     '/configs/admin-console',
@@ -137,7 +139,7 @@ export default function logtoConfigRoutes<T extends AuthedRouter>(
       const updatedKeys = existingKeys.filter(({ id }) => id !== keyId);
 
       await updateOidcConfigsByKey(configKey, updatedKeys);
-      void invalidateCache();
+      void tenant.invalidateCache();
 
       ctx.status = 204;
 
@@ -174,7 +176,7 @@ export default function logtoConfigRoutes<T extends AuthedRouter>(
       const updatedKeys = [newPrivateKey, ...existingKeys].slice(0, 2);
 
       await updateOidcConfigsByKey(configKey, updatedKeys);
-      void invalidateCache();
+      void tenant.invalidateCache();
 
       // Remove actual values of the private keys from response
       ctx.body = await getRedactedOidcKeyResponse(configKey, updatedKeys);
@@ -182,4 +184,6 @@ export default function logtoConfigRoutes<T extends AuthedRouter>(
       return next();
     }
   );
+
+  logtoConfigJwtCustomizerRoutes(router, tenant);
 }
diff --git a/packages/core/src/routes/logto-config/jwt-customizer.test.ts b/packages/core/src/routes/logto-config/jwt-customizer.test.ts
new file mode 100644
index 00000000000..6bf9de19564
--- /dev/null
+++ b/packages/core/src/routes/logto-config/jwt-customizer.test.ts
@@ -0,0 +1,127 @@
+import { LogtoJwtTokenKey } from '@logto/schemas';
+import { pickDefault } from '@logto/shared/esm';
+import { pick } from '@silverhand/essentials';
+import Sinon from 'sinon';
+
+import {
+  mockLogtoConfigRows,
+  mockJwtCustomizerConfigForAccessToken,
+  mockJwtCustomizerConfigForClientCredentials,
+} from '#src/__mocks__/index.js';
+import { MockTenant } from '#src/test-utils/tenant.js';
+import { createRequester } from '#src/utils/test-utils.js';
+
+const { jest } = import.meta;
+
+const logtoConfigQueries = {
+  getRowsByKeys: jest.fn(async () => mockLogtoConfigRows),
+  deleteJwtCustomizer: jest.fn(),
+};
+
+const logtoConfigLibraries = {
+  upsertJwtCustomizer: jest.fn(),
+  getJwtCustomizer: jest.fn(),
+  getJwtCustomizers: jest.fn(),
+  updateJwtCustomizer: jest.fn(),
+};
+
+const settingRoutes = await pickDefault(import('./index.js'));
+
+describe('configs JWT customizer routes', () => {
+  const tenantContext = new MockTenant(undefined, { logtoConfigs: logtoConfigQueries });
+  Sinon.stub(tenantContext, 'logtoConfigs').value(logtoConfigLibraries);
+
+  const routeRequester = createRequester({
+    authedRoutes: settingRoutes,
+    tenantContext,
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('PUT /configs/jwt-customizer/:tokenType should add a record successfully', async () => {
+    logtoConfigQueries.getRowsByKeys.mockResolvedValueOnce({
+      ...mockLogtoConfigRows,
+      rows: [],
+      rowCount: 0,
+    });
+    logtoConfigLibraries.upsertJwtCustomizer.mockResolvedValueOnce(
+      mockJwtCustomizerConfigForAccessToken
+    );
+    const response = await routeRequester
+      .put(`/configs/jwt-customizer/access-token`)
+      .send(mockJwtCustomizerConfigForAccessToken.value);
+    expect(logtoConfigLibraries.upsertJwtCustomizer).toHaveBeenCalledWith(
+      LogtoJwtTokenKey.AccessToken,
+      mockJwtCustomizerConfigForAccessToken.value
+    );
+    expect(response.status).toEqual(201);
+    expect(response.body).toEqual(mockJwtCustomizerConfigForAccessToken.value);
+  });
+
+  it('PUT /configs/jwt-customizer/:tokenType should update a record successfully', async () => {
+    logtoConfigQueries.getRowsByKeys.mockResolvedValueOnce({
+      ...mockLogtoConfigRows,
+      rows: [mockJwtCustomizerConfigForAccessToken],
+      rowCount: 1,
+    });
+    logtoConfigLibraries.upsertJwtCustomizer.mockResolvedValueOnce(
+      mockJwtCustomizerConfigForAccessToken
+    );
+    const response = await routeRequester
+      .put('/configs/jwt-customizer/access-token')
+      .send(mockJwtCustomizerConfigForAccessToken.value);
+    expect(logtoConfigLibraries.upsertJwtCustomizer).toHaveBeenCalledWith(
+      LogtoJwtTokenKey.AccessToken,
+      mockJwtCustomizerConfigForAccessToken.value
+    );
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(mockJwtCustomizerConfigForAccessToken.value);
+  });
+
+  it('PATCH /configs/jwt-customizer/:tokenType should update a record successfully', async () => {
+    logtoConfigLibraries.updateJwtCustomizer.mockResolvedValueOnce(
+      mockJwtCustomizerConfigForAccessToken.value
+    );
+    const response = await routeRequester
+      .patch('/configs/jwt-customizer/access-token')
+      .send(mockJwtCustomizerConfigForAccessToken.value);
+    expect(logtoConfigLibraries.updateJwtCustomizer).toHaveBeenCalledWith(
+      LogtoJwtTokenKey.AccessToken,
+      mockJwtCustomizerConfigForAccessToken.value
+    );
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(mockJwtCustomizerConfigForAccessToken.value);
+  });
+
+  it('GET /configs/jwt-customizer should return all records', async () => {
+    logtoConfigLibraries.getJwtCustomizers.mockResolvedValueOnce({
+      [LogtoJwtTokenKey.AccessToken]: mockJwtCustomizerConfigForAccessToken.value,
+      [LogtoJwtTokenKey.ClientCredentials]: mockJwtCustomizerConfigForClientCredentials.value,
+    });
+    const response = await routeRequester.get('/configs/jwt-customizer');
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual([
+      pick(mockJwtCustomizerConfigForAccessToken, 'key', 'value'),
+      pick(mockJwtCustomizerConfigForClientCredentials, 'key', 'value'),
+    ]);
+  });
+
+  it('GET /configs/jwt-customizer/:tokenType should return the record', async () => {
+    logtoConfigLibraries.getJwtCustomizer.mockResolvedValueOnce(
+      mockJwtCustomizerConfigForAccessToken.value
+    );
+    const response = await routeRequester.get('/configs/jwt-customizer/access-token');
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(mockJwtCustomizerConfigForAccessToken.value);
+  });
+
+  it('DELETE /configs/jwt-customizer/:tokenType should delete the record', async () => {
+    const response = await routeRequester.delete('/configs/jwt-customizer/client-credentials');
+    expect(logtoConfigQueries.deleteJwtCustomizer).toHaveBeenCalledWith(
+      LogtoJwtTokenKey.ClientCredentials
+    );
+    expect(response.status).toEqual(204);
+  });
+});
diff --git a/packages/core/src/routes/logto-config/jwt-customizer.ts b/packages/core/src/routes/logto-config/jwt-customizer.ts
new file mode 100644
index 00000000000..0c312a2b84a
--- /dev/null
+++ b/packages/core/src/routes/logto-config/jwt-customizer.ts
@@ -0,0 +1,221 @@
+import {
+  accessTokenJwtCustomizerGuard,
+  clientCredentialsJwtCustomizerGuard,
+  LogtoJwtTokenKey,
+  LogtoJwtTokenKeyType,
+  jsonObjectGuard,
+  adminTenantId,
+  jwtCustomizerConfigsGuard,
+  jwtCustomizerTestRequestBodyGuard,
+} from '@logto/schemas';
+import { ResponseError } from '@withtyped/client';
+import { ZodError, z } from 'zod';
+
+import { EnvSet } from '#src/env-set/index.js';
+import RequestError, { formatZodError } from '#src/errors/RequestError/index.js';
+import koaGuard, { parse } from '#src/middleware/koa-guard.js';
+
+import type { AuthedRouter, RouterInitArgs } from '../types.js';
+
+const getJwtTokenKeyAndBody = (tokenPath: LogtoJwtTokenKeyType, body: unknown) => {
+  if (tokenPath === LogtoJwtTokenKeyType.AccessToken) {
+    return {
+      key: LogtoJwtTokenKey.AccessToken,
+      body: parse('body', accessTokenJwtCustomizerGuard, body),
+    };
+  }
+  return {
+    key: LogtoJwtTokenKey.ClientCredentials,
+    body: parse('body', clientCredentialsJwtCustomizerGuard, body),
+  };
+};
+
+export default function logtoConfigJwtCustomizerRoutes<T extends AuthedRouter>(
+  ...[router, { id: tenantId, queries, logtoConfigs, cloudConnection }]: RouterInitArgs<T>
+) {
+  const { getRowsByKeys, deleteJwtCustomizer } = queries.logtoConfigs;
+  const { upsertJwtCustomizer, getJwtCustomizer, getJwtCustomizers, updateJwtCustomizer } =
+    logtoConfigs;
+
+  router.put(
+    '/configs/jwt-customizer/:tokenTypePath',
+    koaGuard({
+      params: z.object({
+        tokenTypePath: z.nativeEnum(LogtoJwtTokenKeyType),
+      }),
+      /**
+       * Use `z.unknown()` to guard the request body as a JSON object, since the actual guard depends
+       * on the `tokenTypePath` and we can not get the value of `tokenTypePath` before parsing the request body,
+       * we will do more specific guard as long as we can get the value of `tokenTypePath`.
+       *
+       * Should specify `body` in koaGuard, otherwise the request body is not accessible even via `ctx.request.body`.
+       */
+      body: z.unknown(),
+      response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
+      status: [200, 201, 400, 403],
+    }),
+    async (ctx, next) => {
+      const { isCloud, isIntegrationTest } = EnvSet.values;
+      if (tenantId === adminTenantId && isCloud && !isIntegrationTest) {
+        throw new RequestError({
+          code: 'jwt_customizer.can_not_create_for_admin_tenant',
+          status: 422,
+        });
+      }
+
+      const {
+        params: { tokenTypePath },
+        body: rawBody,
+      } = ctx.guard;
+      const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
+
+      const { rows } = await getRowsByKeys([key]);
+
+      const jwtCustomizer = await upsertJwtCustomizer(key, body);
+
+      if (rows.length === 0) {
+        ctx.status = 201;
+      }
+      ctx.body = jwtCustomizer.value;
+
+      return next();
+    }
+  );
+
+  router.patch(
+    '/configs/jwt-customizer/:tokenTypePath',
+    // See comments in the `PUT /configs/jwt-customizer/:tokenTypePath` route, handle the request body manually.
+    koaGuard({
+      params: z.object({
+        tokenTypePath: z.nativeEnum(LogtoJwtTokenKeyType),
+      }),
+      body: z.unknown(),
+      response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
+      status: [200, 400, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { tokenTypePath },
+        body: rawBody,
+      } = ctx.guard;
+      const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
+
+      ctx.body = await updateJwtCustomizer(key, body);
+
+      return next();
+    }
+  );
+
+  router.get(
+    '/configs/jwt-customizer',
+    koaGuard({
+      response: jwtCustomizerConfigsGuard.array(),
+      status: [200],
+    }),
+    async (ctx, next) => {
+      const jwtCustomizer = await getJwtCustomizers();
+      ctx.body = Object.values(LogtoJwtTokenKey)
+        .filter((key) => jwtCustomizer[key])
+        .map((key) => ({ key, value: jwtCustomizer[key] }));
+      return next();
+    }
+  );
+
+  router.get(
+    '/configs/jwt-customizer/:tokenTypePath',
+    koaGuard({
+      params: z.object({
+        tokenTypePath: z.nativeEnum(LogtoJwtTokenKeyType),
+      }),
+      response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
+      status: [200, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { tokenTypePath },
+      } = ctx.guard;
+      ctx.body = await getJwtCustomizer(
+        tokenTypePath === LogtoJwtTokenKeyType.AccessToken
+          ? LogtoJwtTokenKey.AccessToken
+          : LogtoJwtTokenKey.ClientCredentials
+      );
+      return next();
+    }
+  );
+
+  router.delete(
+    '/configs/jwt-customizer/:tokenTypePath',
+    koaGuard({
+      params: z.object({
+        tokenTypePath: z.nativeEnum(LogtoJwtTokenKeyType),
+      }),
+      status: [204, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { tokenTypePath },
+      } = ctx.guard;
+
+      await deleteJwtCustomizer(
+        tokenTypePath === LogtoJwtTokenKeyType.AccessToken
+          ? LogtoJwtTokenKey.AccessToken
+          : LogtoJwtTokenKey.ClientCredentials
+      );
+      ctx.status = 204;
+      return next();
+    }
+  );
+
+  if (!EnvSet.values.isCloud) {
+    return;
+  }
+
+  router.post(
+    '/configs/jwt-customizer/test',
+    koaGuard({
+      /**
+       * Early throws when:
+       * 1. no `script` provided.
+       * 2. no `tokenSample` provided.
+       */
+      body: jwtCustomizerTestRequestBodyGuard,
+      response: jsonObjectGuard,
+      status: [200, 400, 403, 422],
+    }),
+    async (ctx, next) => {
+      const { body } = ctx.guard;
+
+      const client = await cloudConnection.getClient();
+
+      try {
+        ctx.body = await client.post(`/api/services/custom-jwt`, {
+          body,
+        });
+      } catch (error: unknown) {
+        /**
+         * All APIs should throw `RequestError` instead of `Error`.
+         * In the admin console, we caught the error and recognized the error with the code `jwt_customizer.general`,
+         * and then we extract and show the error message to the user.
+         *
+         * `ResponseError` comes from `@withtyped/client` and all `logto/core` API returns error in the
+         * format of `RequestError`, we manually transform it here to keep the error format consistent.
+         */
+        if (error instanceof ResponseError) {
+          const { message } = z.object({ message: z.string() }).parse(await error.response.json());
+          throw new RequestError({ code: 'jwt_customizer.general', status: 422 }, { message });
+        }
+
+        if (error instanceof ZodError) {
+          throw new RequestError(
+            { code: 'jwt_customizer.general', status: 422 },
+            { message: formatZodError(error) }
+          );
+        }
+
+        throw error;
+      }
+
+      return next();
+    }
+  );
+}
diff --git a/packages/core/src/routes/logto-config/logto-config.openapi.json b/packages/core/src/routes/logto-config/logto-config.openapi.json
new file mode 100644
index 00000000000..072e62750c1
--- /dev/null
+++ b/packages/core/src/routes/logto-config/logto-config.openapi.json
@@ -0,0 +1,298 @@
+{
+  "tags": [
+    {
+      "name": "Configs",
+      "description": "Endpoints for managing Logto global configurations for the tenant, such as admin console config and OIDC signing keys.\n\nSee [🔑 Signing keys](https://docs.logto.io/docs/recipes/signing-keys-rotation/) to learn more about signing keys and key rotation."
+    }
+  ],
+  "paths": {
+    "/api/configs/admin-console": {
+      "get": {
+        "summary": "Get admin console config",
+        "description": "Get the global configuration object for Logto Console.",
+        "responses": {
+          "200": {
+            "description": "The configuration object."
+          },
+          "404": {
+            "description": "Configuration not found."
+          }
+        }
+      },
+      "patch": {
+        "summary": "Update admin console config",
+        "description": "Update the global configuration object for Logto Console. This method performs a partial update.",
+        "responses": {
+          "200": {
+            "description": "The updated configuration object."
+          },
+          "404": {
+            "description": "Configuration not found."
+          }
+        }
+      }
+    },
+    "/api/configs/oidc/{keyType}": {
+      "get": {
+        "summary": "Get OIDC keys",
+        "description": "Get OIDC signing keys by key type. The actual key will be redacted from the result.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "keyType",
+            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "An array of OIDC signing keys for the given key type."
+          }
+        }
+      }
+    },
+    "/api/configs/oidc/{keyType}/{keyId}": {
+      "delete": {
+        "summary": "Delete OIDC key",
+        "description": "Delete an OIDC signing key by key type and key ID.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "keyType",
+            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "The key was deleted successfully."
+          },
+          "404": {
+            "description": "The key was not found."
+          },
+          "422": {
+            "description": "At least one key must be kept."
+          }
+        }
+      }
+    },
+    "/api/configs/oidc/{keyType}/rotate": {
+      "post": {
+        "summary": "Rotate OIDC keys",
+        "description": "A new key will be generated and prepend to the list of keys.\n\nOnly two recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "keyType",
+            "description": "Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "signingKeyAlgorithm": {
+                    "description": "The signing key algorithm the new generated private key is using.\n\nOnly applicable when `keyType` is `private-keys`."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "An array of OIDC signing keys after rotation."
+          }
+        }
+      }
+    },
+    "/api/configs/jwt-customizer": {
+      "get": {
+        "summary": "Get all JWT customizers",
+        "description": "Get all JWT customizers for the tenant.",
+        "responses": {
+          "200": {
+            "description": "The JWT customizers."
+          }
+        }
+      }
+    },
+    "/api/configs/jwt-customizer/{tokenTypePath}": {
+      "put": {
+        "summary": "Create or update JWT customizer",
+        "description": "Create or update a JWT customizer for the given token type.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "tokenTypePath",
+            "description": "The token type to create a JWT customizer for."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "script": {
+                    "description": "The script of the JWT customizer."
+                  },
+                  "environmentVariables": {
+                    "description": "The environment variables for the JWT customizer."
+                  },
+                  "contextSample": {
+                    "description": "The sample context for the JWT customizer script testing purpose."
+                  },
+                  "tokenSample": {
+                    "description": "The sample raw token payload for the JWT customizer script testing purpose."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The updated JWT customizer."
+          },
+          "201": {
+            "description": "The created JWT customizer."
+          },
+          "400": {
+            "description": "The request body is invalid."
+          },
+          "403": {
+            "description": "Permission denied."
+          }
+        }
+      },
+      "patch": {
+        "summary": "Update JWT customizer",
+        "description": "Update the JWT customizer for the given token type.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "tokenTypePath",
+            "description": "The token type to update a JWT customizer for."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "script": {
+                    "description": "The script of the JWT customizer."
+                  },
+                  "environmentVariables": {
+                    "description": "The environment variables for the JWT customizer."
+                  },
+                  "contextSample": {
+                    "description": "The sample context for the JWT customizer script testing purpose."
+                  },
+                  "tokenSample": {
+                    "description": "The sample raw token payload for the JWT customizer script testing purpose."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The updated JWT customizer."
+          },
+          "400": {
+            "description": "The request body is invalid."
+          }
+        }
+      },
+      "get": {
+        "summary": "Get JWT customizer",
+        "description": "Get the JWT customizer for the given token type.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "tokenTypePath",
+            "description": "The token type to get the JWT customizer for."
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The JWT customizer."
+          },
+          "404": {
+            "description": "The JWT customizer does not exist."
+          }
+        }
+      },
+      "delete": {
+        "summary": "Delete JWT customizer",
+        "description": "Delete the JWT customizer for the given token type.",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "tokenTypePath",
+            "description": "The token type path to delete the JWT customizer for."
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "The JWT customizer was deleted successfully."
+          },
+          "404": {
+            "description": "The JWT customizer does not exist."
+          }
+        }
+      }
+    },
+    "/api/configs/jwt-customizer/test": {
+      "post": {
+        "tags": ["Cloud only"],
+        "summary": "Test JWT customizer",
+        "description": "Test the JWT customizer script with the given sample context and sample token payload.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "tokenType": {
+                    "description": "The token type to test the JWT customizer for."
+                  },
+                  "payload": {
+                    "properties": {
+                      "script": {
+                        "description": "The code snippet of the JWT customizer."
+                      },
+                      "environmentVariables": {
+                        "description": "The environment variables for the JWT customizer."
+                      },
+                      "contextSample": {
+                        "description": "The sample context for the JWT customizer script testing purpose."
+                      },
+                      "tokenSample": {
+                        "description": "The sample token payload for the JWT customizer script testing purpose."
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The result of the JWT customizer script testing."
+          },
+          "400": {
+            "description": "Zod errors in cloud service (data type does not match expectation, can be either request body or response body)."
+          },
+          "403": {
+            "description": "Cloud connection does not have enough permission to perform the action."
+          },
+          "422": {
+            "description": "Syntax errors in cloud service."
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/packages/core/src/routes/organization/invitations.openapi.json b/packages/core/src/routes/organization/invitations.openapi.json
index b854aa8a744..52847d25d8b 100644
--- a/packages/core/src/routes/organization/invitations.openapi.json
+++ b/packages/core/src/routes/organization/invitations.openapi.json
@@ -114,6 +114,21 @@
           }
         }
       }
+    },
+    "/api/organization-invitations/{id}/message": {
+      "post": {
+        "summary": "Resend invitation message",
+        "description": "Resend the invitation message to the invitee.",
+        "requestBody": {
+          "description": "The message payload for the \"OrganizationInvitation\" template to use when sending the invitation via email.",
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": "The invitation message was resent successfully."
+          }
+        }
+      }
     }
   }
 }
diff --git a/packages/core/src/routes/organization/invitations.ts b/packages/core/src/routes/organization/invitations.ts
index 75f21dc34aa..4136532b053 100644
--- a/packages/core/src/routes/organization/invitations.ts
+++ b/packages/core/src/routes/organization/invitations.ts
@@ -29,12 +29,28 @@ export default function organizationInvitationRoutes<T extends AuthedRouter>(
   const router = new SchemaRouter(OrganizationInvitations, invitations, {
     errorHandler,
     disabled: {
+      get: true,
       post: true,
       patchById: true,
     },
     entityGuard: organizationInvitationEntityGuard,
   });
 
+  router.get(
+    '/',
+    koaGuard({
+      query: z
+        .object({ organizationId: z.string(), inviterId: z.string(), invitee: z.string() })
+        .partial(),
+      response: organizationInvitationEntityGuard.array(),
+      status: [200],
+    }),
+    async (ctx, next) => {
+      ctx.body = await invitations.findEntities(ctx.guard.query);
+      return next();
+    }
+  );
+
   router.post(
     '/',
     koaGuard({
@@ -51,7 +67,7 @@ export default function organizationInvitationRoutes<T extends AuthedRouter>(
           messagePayload: sendMessagePayloadGuard.or(z.literal(false)).default(false),
         }),
       response: organizationInvitationEntityGuard,
-      status: [201, 400, 501],
+      status: [201, 400, 422, 501],
     }),
     async (ctx, next) => {
       const {
@@ -72,6 +88,26 @@ export default function organizationInvitationRoutes<T extends AuthedRouter>(
     }
   );
 
+  router.post(
+    '/:id/message',
+    koaGuard({
+      params: z.object({ id: z.string() }),
+      body: sendMessagePayloadGuard,
+      status: [204],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { id },
+        body,
+      } = ctx.guard;
+      const { invitee } = await invitations.findById(id);
+
+      await organizationInvitations.sendEmail(invitee, body);
+      ctx.status = 204;
+      return next();
+    }
+  );
+
   router.put(
     '/:id/status',
     koaGuard({
diff --git a/packages/core/src/routes/organization/roles.openapi.json b/packages/core/src/routes/organization/roles.openapi.json
index dc5c338ccc9..fbdcbcf4dff 100644
--- a/packages/core/src/routes/organization/roles.openapi.json
+++ b/packages/core/src/routes/organization/roles.openapi.json
@@ -29,6 +29,12 @@
                   },
                   "description": {
                     "description": "The description of the organization role."
+                  },
+                  "organizationScopeIds": {
+                    "description": "An array of organization scope IDs to be assigned to the organization role."
+                  },
+                  "resourceScopeIds": {
+                    "description": "An array of resource scope IDs to be assigned to the organization role."
                   }
                 }
               }
@@ -164,6 +170,78 @@
           }
         }
       }
+    },
+    "/api/organization-roles/{id}/resource-scopes": {
+      "get": {
+        "summary": "Get organization role resource scopes",
+        "description": "Get all resource scopes that are assigned to the specified organization role.",
+        "responses": {
+          "200": {
+            "description": "A list of resource scopes."
+          }
+        }
+      },
+      "post": {
+        "summary": "Assign resource scopes to organization role",
+        "description": "Assign resource scopes to the specified organization role",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "scopeIds": {
+                    "description": "An array of resource scope IDs to be assigned. Existed scope IDs assignments will be ignored."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Resource scopes were assigned successfully."
+          },
+          "422": {
+            "description": "At least one of the IDs provided is invalid. For example, the resource scope ID does not exist;"
+          }
+        }
+      },
+      "put": {
+        "summary": "Replace resource scopes for organization role",
+        "description": "Replace all resource scopes that are assigned to the specified organization role with the given resource scopes. This effectively removes all existing organization scope assignments and replaces them with the new ones.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "scopeIds": {
+                    "description": "An array of resource scope IDs to replace existing scopes."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "204": {
+            "description": "Resource scopes were replaced successfully."
+          },
+          "422": {
+            "description": "At least one of the IDs provided is invalid. For example, the resource scope ID does not exist."
+          }
+        }
+      }
+    },
+    "/api/organization-roles/{id}/resource-scopes/{scopeId}": {
+      "delete": {
+        "summary": "Remove resource scope",
+        "description": "Remove a resource scope assignment from the specified organization role.",
+        "responses": {
+          "204": {
+            "description": "Resource scope assignment was removed successfully."
+          }
+        }
+      }
     }
   }
 }
diff --git a/packages/core/src/routes/organization/roles.ts b/packages/core/src/routes/organization/roles.ts
index a4e7b08adf8..48a85ad3b9c 100644
--- a/packages/core/src/routes/organization/roles.ts
+++ b/packages/core/src/routes/organization/roles.ts
@@ -2,14 +2,18 @@ import {
   type CreateOrganizationRole,
   OrganizationRoles,
   organizationRoleWithScopesGuard,
+  organizationRoleWithScopesGuardDeprecated,
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { z } from 'zod';
 
+import { EnvSet } from '#src/env-set/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import koaPagination from '#src/middleware/koa-pagination.js';
 import koaQuotaGuard from '#src/middleware/koa-quota-guard.js';
+import { organizationRoleSearchKeys } from '#src/queries/organization/index.js';
 import SchemaRouter from '#src/utils/SchemaRouter.js';
+import { parseSearchOptions } from '#src/utils/search.js';
 
 import { type AuthedRouter, type RouterInitArgs } from '../types.js';
 
@@ -22,7 +26,7 @@ export default function organizationRoleRoutes<T extends AuthedRouter>(
       queries: {
         organizations: {
           roles,
-          relations: { rolesScopes },
+          relations: { rolesScopes, rolesResourceScopes },
         },
       },
       libraries: { quota },
@@ -40,12 +44,19 @@ export default function organizationRoleRoutes<T extends AuthedRouter>(
     '/',
     koaPagination(),
     koaGuard({
-      response: organizationRoleWithScopesGuard.array(),
+      query: z.object({ q: z.string().optional() }),
+      // TODO @wangsijie - Remove this once the feature is ready
+      response: EnvSet.values.isDevFeaturesEnabled
+        ? organizationRoleWithScopesGuard.array()
+        : organizationRoleWithScopesGuardDeprecated.array(),
       status: [200],
     }),
     async (ctx, next) => {
       const { limit, offset } = ctx.pagination;
-      const [count, entities] = await roles.findAll(limit, offset);
+
+      const search = parseSearchOptions(organizationRoleSearchKeys, ctx.guard.query);
+
+      const [count, entities] = await roles.findAll(limit, offset, search);
 
       ctx.pagination.totalCount = count;
       ctx.body = entities;
@@ -56,8 +67,22 @@ export default function organizationRoleRoutes<T extends AuthedRouter>(
   /** Allows to carry an initial set of scopes for creating a new organization role. */
   type CreateOrganizationRolePayload = Omit<CreateOrganizationRole, 'id'> & {
     organizationScopeIds: string[];
+    resourceScopeIds: string[];
   };
 
+  // TODO @wangsijie - Remove this once the feature is ready
+  const originalCreateCard: z.ZodType<
+    Omit<CreateOrganizationRolePayload, 'resourceScopeIds'> & { resourceScopeIds?: string[] },
+    z.ZodTypeDef,
+    unknown
+  > = OrganizationRoles.createGuard
+    .omit({
+      id: true,
+    })
+    .extend({
+      organizationScopeIds: z.array(z.string()).default([]),
+    });
+
   const createGuard: z.ZodType<CreateOrganizationRolePayload, z.ZodTypeDef, unknown> =
     OrganizationRoles.createGuard
       .omit({
@@ -65,21 +90,31 @@ export default function organizationRoleRoutes<T extends AuthedRouter>(
       })
       .extend({
         organizationScopeIds: z.array(z.string()).default([]),
+        resourceScopeIds: z.array(z.string()).default([]),
       });
 
   router.post(
     '/',
     koaGuard({
-      body: createGuard,
+      body: EnvSet.values.isDevFeaturesEnabled ? createGuard : originalCreateCard,
       response: OrganizationRoles.guard,
       status: [201, 422],
     }),
     async (ctx, next) => {
-      const { organizationScopeIds: scopeIds, ...data } = ctx.guard.body;
+      const { organizationScopeIds, resourceScopeIds, ...data } = ctx.guard.body;
       const role = await roles.insert({ id: generateStandardId(), ...data });
 
-      if (scopeIds.length > 0) {
-        await rolesScopes.insert(...scopeIds.map<[string, string]>((id) => [role.id, id]));
+      if (organizationScopeIds.length > 0) {
+        await rolesScopes.insert(
+          ...organizationScopeIds.map<[string, string]>((id) => [role.id, id])
+        );
+      }
+
+      // TODO @wangsijie - Remove this once the feature is ready
+      if (EnvSet.values.isDevFeaturesEnabled && resourceScopeIds && resourceScopeIds.length > 0) {
+        await rolesResourceScopes.insert(
+          ...resourceScopeIds.map<[string, string]>((id) => [role.id, id])
+        );
       }
 
       ctx.body = role;
@@ -89,6 +124,9 @@ export default function organizationRoleRoutes<T extends AuthedRouter>(
   );
 
   router.addRelationRoutes(rolesScopes, 'scopes');
+  if (EnvSet.values.isDevFeaturesEnabled) {
+    router.addRelationRoutes(rolesResourceScopes, 'resource-scopes');
+  }
 
   originalRouter.use(router.routes());
 }
diff --git a/packages/core/src/routes/organization/utils.ts b/packages/core/src/routes/organization/utils.ts
index 7c0ff480ae0..84a741f5fad 100644
--- a/packages/core/src/routes/organization/utils.ts
+++ b/packages/core/src/routes/organization/utils.ts
@@ -1,7 +1,7 @@
 import {
   ForeignKeyIntegrityConstraintViolationError,
   UniqueIntegrityConstraintViolationError,
-} from 'slonik';
+} from '@silverhand/slonik';
 
 import RequestError from '#src/errors/RequestError/index.js';
 
diff --git a/packages/core/src/routes/role.scope.ts b/packages/core/src/routes/role.scope.ts
index 8cbafdf393b..61b731cb65d 100644
--- a/packages/core/src/routes/role.scope.ts
+++ b/packages/core/src/routes/role.scope.ts
@@ -1,4 +1,3 @@
-import type { Scope, ScopeResponse } from '@logto/schemas';
 import { scopeResponseGuard, Scopes } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { tryThat } from '@silverhand/essentials';
@@ -7,7 +6,6 @@ import { object, string } from 'zod';
 import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import koaPagination from '#src/middleware/koa-pagination.js';
-import assertThat from '#src/utils/assert-that.js';
 import { parseSearchParamsForSearch } from '#src/utils/search.js';
 
 import type { AuthedRouter, RouterInitArgs } from './types.js';
@@ -16,7 +14,6 @@ export default function roleScopeRoutes<T extends AuthedRouter>(
   ...[router, { queries, libraries }]: RouterInitArgs<T>
 ) {
   const {
-    resources: { findResourcesByIds },
     rolesScopes: { deleteRolesScope, findRolesScopesByRoleId, insertRolesScopes },
     roles: { findRoleById },
     scopes: { findScopesByIds, countScopesByScopeIds, searchScopesByScopeIds },
@@ -24,22 +21,9 @@ export default function roleScopeRoutes<T extends AuthedRouter>(
   const {
     quota,
     roleScopes: { validateRoleScopeAssignment },
+    scopes: { attachResourceToScopes },
   } = libraries;
 
-  const attachResourceToScopes = async (scopes: readonly Scope[]): Promise<ScopeResponse[]> => {
-    const resources = await findResourcesByIds(scopes.map(({ resourceId }) => resourceId));
-    return scopes.map((scope) => {
-      const resource = resources.find(({ id }) => id === scope.resourceId);
-
-      assertThat(resource, new Error(`Cannot find resource for id ${scope.resourceId}`));
-
-      return {
-        ...scope,
-        resource,
-      };
-    });
-  };
-
   router.get(
     '/roles/:id/scopes',
     koaPagination({ isOptional: true }),
diff --git a/packages/core/src/routes/sso-connector/utils.test.ts b/packages/core/src/routes/sso-connector/utils.test.ts
index b8a54bf65e1..0064189fd60 100644
--- a/packages/core/src/routes/sso-connector/utils.test.ts
+++ b/packages/core/src/routes/sso-connector/utils.test.ts
@@ -20,11 +20,12 @@ const mockTenantId = 'mock_tenant_id';
 
 describe('parseFactoryDetail', () => {
   it.each(Object.values(SsoProviderName))('should return correct detail for %s', (providerName) => {
-    const { logo, logoDark, description, name } = ssoConnectorFactories[providerName];
+    const { logo, logoDark, description, name, providerType } = ssoConnectorFactories[providerName];
     const detail = parseFactoryDetail(ssoConnectorFactories[providerName], 'en');
 
     expect(detail).toEqual({
       providerName,
+      providerType,
       logo,
       logoDark,
       description: description.en,
@@ -35,11 +36,13 @@ describe('parseFactoryDetail', () => {
   it.each(Object.values(SsoProviderName))(
     'should return correct detail for %s with unknown locale',
     (providerName) => {
-      const { logo, logoDark, description, name } = ssoConnectorFactories[providerName];
+      const { logo, logoDark, description, name, providerType } =
+        ssoConnectorFactories[providerName];
       const detail = parseFactoryDetail(ssoConnectorFactories[providerName], 'zh');
 
       expect(detail).toEqual({
         providerName,
+        providerType,
         logo,
         logoDark,
         description: description.en,
diff --git a/packages/core/src/routes/sso-connector/utils.ts b/packages/core/src/routes/sso-connector/utils.ts
index 78014df1278..db2edb18c2a 100644
--- a/packages/core/src/routes/sso-connector/utils.ts
+++ b/packages/core/src/routes/sso-connector/utils.ts
@@ -11,7 +11,7 @@ import { trySafe } from '@silverhand/essentials';
 import RequestError from '#src/errors/RequestError/index.js';
 import SamlConnector from '#src/sso/SamlConnector/index.js';
 import { type SingleSignOnFactory, ssoConnectorFactories } from '#src/sso/index.js';
-import { type SingleSignOnConnectorData } from '#src/sso/types/index.js';
+import { type SingleSignOnConnectorData } from '#src/sso/types/connector.js';
 
 const isKeyOfI18nPhrases = (key: string, phrases: I18nPhrases): key is keyof I18nPhrases =>
   key in phrases;
@@ -20,10 +20,11 @@ export const parseFactoryDetail = (
   factory: SingleSignOnFactory<SsoProviderName>,
   locale: string
 ) => {
-  const { providerName, logo, logoDark, description, name } = factory;
+  const { providerName, logo, logoDark, description, name, providerType } = factory;
 
   return {
     providerName,
+    providerType,
     logo,
     logoDark,
     // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- falsy value expected
@@ -61,7 +62,7 @@ export const fetchConnectorProviderDetails = async (
 ): Promise<SsoConnectorWithProviderConfig> => {
   const { providerName } = connector;
 
-  const { logo, logoDark, constructor, name } = ssoConnectorFactories[providerName];
+  const { logo, logoDark, constructor, name, providerType } = ssoConnectorFactories[providerName];
 
   /* 
     Safely fetch and parse the detailed connector config from provider. 
@@ -76,6 +77,7 @@ export const fetchConnectorProviderDetails = async (
     ...connector,
     // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- falsy value expected
     name: (isKeyOfI18nPhrases(locale, name) && name[locale]) || name.en,
+    providerType,
     providerLogo: logo,
     providerLogoDark: logoDark,
     providerConfig,
diff --git a/packages/core/src/routes/swagger/index.ts b/packages/core/src/routes/swagger/index.ts
index 97b5a1099ac..195c92c5249 100644
--- a/packages/core/src/routes/swagger/index.ts
+++ b/packages/core/src/routes/swagger/index.ts
@@ -7,13 +7,14 @@ import deepmerge from 'deepmerge';
 import { findUp } from 'find-up';
 import type { IMiddleware } from 'koa-router';
 import type Router from 'koa-router';
-import type { OpenAPIV3 } from 'openapi-types';
+import { type OpenAPIV3 } from 'openapi-types';
 
 import { EnvSet } from '#src/env-set/index.js';
 import { isKoaAuthMiddleware } from '#src/middleware/koa-auth/index.js';
 import type { WithGuardConfig } from '#src/middleware/koa-guard.js';
 import { isGuardMiddleware } from '#src/middleware/koa-guard.js';
 import { isPaginationMiddleware } from '#src/middleware/koa-pagination.js';
+import { type DeepPartial } from '#src/test-utils/tenant.js';
 import assertThat from '#src/utils/assert-that.js';
 import { consoleLog } from '#src/utils/console.js';
 import { translationSchemas, zodTypeToSwagger } from '#src/utils/zod.js';
@@ -24,6 +25,7 @@ import {
   buildTag,
   findSupplementFiles,
   normalizePath,
+  removeCloudOnlyOperations,
   validateSupplement,
   validateSwaggerDocument,
 } from './utils/general.js';
@@ -193,9 +195,11 @@ export default function swaggerRoutes<T extends AnonymousRouter, R extends Route
 
     const supplementPaths = await findSupplementFiles(routesDirectory);
     const supplementDocuments = await Promise.all(
-      supplementPaths.map(
-        // eslint-disable-next-line no-restricted-syntax
-        async (path) => JSON.parse(await fs.readFile(path, 'utf8')) as Record<string, unknown>
+      supplementPaths.map(async (path) =>
+        removeCloudOnlyOperations(
+          // eslint-disable-next-line no-restricted-syntax -- trust the type here as we'll validate it later
+          JSON.parse(await fs.readFile(path, 'utf8')) as DeepPartial<OpenAPIV3.Document>
+        )
       )
     );
 
@@ -228,8 +232,11 @@ export default function swaggerRoutes<T extends AnonymousRouter, R extends Route
       tags: [...tags].map((tag) => ({ name: tag })),
     };
 
-    const data = supplementDocuments.reduce(
-      (document, supplement) => deepmerge(document, supplement, { arrayMerge: mergeParameters }),
+    const data = supplementDocuments.reduce<OpenAPIV3.Document>(
+      (document, supplement) =>
+        deepmerge<OpenAPIV3.Document, DeepPartial<OpenAPIV3.Document>>(document, supplement, {
+          arrayMerge: mergeParameters,
+        }),
       baseDocument
     );
 
diff --git a/packages/core/src/routes/swagger/utils/general.ts b/packages/core/src/routes/swagger/utils/general.ts
index 850ebc0827e..a658e24a33e 100644
--- a/packages/core/src/routes/swagger/utils/general.ts
+++ b/packages/core/src/routes/swagger/utils/general.ts
@@ -6,10 +6,15 @@ import { isKeyInObject, type Optional } from '@silverhand/essentials';
 import { OpenAPIV3 } from 'openapi-types';
 import { z } from 'zod';
 
+import { EnvSet } from '#src/env-set/index.js';
+import { type DeepPartial } from '#src/test-utils/tenant.js';
 import { consoleLog } from '#src/utils/console.js';
 
 const capitalize = (value: string) => value.charAt(0).toUpperCase() + value.slice(1);
 
+/** The tag name used in the supplement document to indicate that the operation is cloud only. */
+const cloudOnlyTag = 'Cloud only';
+
 /**
  * Get the root component name from the given absolute path.
  * @example '/organizations/:id' -> 'organizations'
@@ -105,9 +110,14 @@ const validateSupplementPaths = (
           );
         }
 
-        if (isKeyInObject(operations[method], 'tags')) {
+        const operation = operations[method];
+        if (
+          isKeyInObject(operation, 'tags') &&
+          Array.isArray(operation.tags) &&
+          (operation.tags.length > 1 || operation.tags[0] !== cloudOnlyTag)
+        ) {
           throw new TypeError(
-            `Cannot use \`tags\` in supplement document on path \`${path}\` and operation \`${method}\`. Define tags in the document root instead.`
+            `Cannot use \`tags\` in supplement document on path \`${path}\` and operation \`${method}\` except for tag \`${cloudOnlyTag}\`.  Define tags in the document root instead.`
           );
         }
       }
@@ -124,7 +134,7 @@ const validateSupplementPaths = (
  */
 export const validateSupplement = (
   original: OpenAPIV3.Document,
-  supplement: Record<string, unknown>
+  supplement: DeepPartial<OpenAPIV3.Document>
 ) => {
   if (supplement.tags) {
     const supplementTags = z.array(z.object({ name: z.string() })).parse(supplement.tags);
@@ -201,3 +211,34 @@ export const validateSwaggerDocument = (document: OpenAPIV3.Document) => {
     }
   }
 };
+
+/**
+ * **CAUTION**: This function mutates the input document.
+ *
+ * Remove operations (path + method) that are tagged with `Cloud only` if the application is not
+ * running in the cloud. This will prevent the swagger validation from failing in the OSS
+ * environment.
+ */
+export const removeCloudOnlyOperations = (
+  document: DeepPartial<OpenAPIV3.Document>
+): DeepPartial<OpenAPIV3.Document> => {
+  if (EnvSet.values.isCloud || !document.paths) {
+    return document;
+  }
+
+  for (const [path, pathItem] of Object.entries(document.paths)) {
+    for (const method of Object.values(OpenAPIV3.HttpMethods)) {
+      if (pathItem?.[method]?.tags?.includes(cloudOnlyTag)) {
+        // eslint-disable-next-line @silverhand/fp/no-delete, @typescript-eslint/no-dynamic-delete -- intended
+        delete pathItem[method];
+      }
+    }
+
+    if (Object.keys(pathItem ?? {}).length === 0) {
+      // eslint-disable-next-line @silverhand/fp/no-delete, @typescript-eslint/no-dynamic-delete -- intended
+      delete document.paths[path];
+    }
+  }
+
+  return document;
+};
diff --git a/packages/core/src/routes/user-assets.ts b/packages/core/src/routes/user-assets.ts
index d69841729e5..fa52bde44e1 100644
--- a/packages/core/src/routes/user-assets.ts
+++ b/packages/core/src/routes/user-assets.ts
@@ -63,7 +63,7 @@ export default function userAssetsRoutes<T extends AuthedRouter>(...[router]: Ro
         'guard.mime_type_not_allowed'
       );
 
-      const tenantId = await getTenantId(ctx.URL);
+      const [tenantId] = await getTenantId(ctx.URL);
       assertThat(tenantId, 'guard.can_not_get_tenant_id');
 
       const { storageProviderConfig } = SystemContext.shared;
diff --git a/packages/core/src/sentinel/basic-sentinel.ts b/packages/core/src/sentinel/basic-sentinel.ts
index b91b2383b3f..33b1fb8d7da 100644
--- a/packages/core/src/sentinel/basic-sentinel.ts
+++ b/packages/core/src/sentinel/basic-sentinel.ts
@@ -8,12 +8,13 @@ import {
   SentinelActionResult,
   SentinelActivityAction,
 } from '@logto/schemas';
-import { convertToIdentifiers, generateStandardId } from '@logto/shared';
+import { generateStandardId } from '@logto/shared';
 import { type Nullable } from '@silverhand/essentials';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 import { addMinutes } from 'date-fns';
-import { sql, type CommonQueryMethods } from 'slonik';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
 
 const { fields, table } = convertToIdentifiers(SentinelActivities);
 
diff --git a/packages/core/src/sso/AzureAdSsoConnector/index.ts b/packages/core/src/sso/AzureAdSsoConnector/index.ts
index db3435d7037..328bb10abef 100644
--- a/packages/core/src/sso/AzureAdSsoConnector/index.ts
+++ b/packages/core/src/sso/AzureAdSsoConnector/index.ts
@@ -1,4 +1,4 @@
-import { SsoProviderName } from '@logto/schemas';
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
 
 import { SamlSsoConnector } from '../SamlSsoConnector/index.js';
 import { type SingleSignOnFactory } from '../index.js';
@@ -8,6 +8,7 @@ export class AzureAdSsoConnector extends SamlSsoConnector {}
 
 export const azureAdSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.AZURE_AD> = {
   providerName: SsoProviderName.AZURE_AD,
+  providerType: SsoProviderType.SAML,
   logo: 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTUuMDY5MzQgMTguNzA5N0M1LjU4NjY3IDE5LjAzMjMgNi40NDY2NyAxOS4zOTEgNy4zNTYgMTkuMzkxQzguMTg0IDE5LjM5MSA4Ljk1MzM0IDE5LjE1MSA5LjU5MDY3IDE4Ljc0MTdDOS41OTA2NyAxOC43NDE3IDkuNTkyIDE4Ljc0MTcgOS41OTMzNCAxOC43NDAzTDEyIDE3LjIzNjNWMjIuNjY3QzExLjYxODcgMjIuNjY3IDExLjIzNDcgMjIuNTYzIDEwLjkwMTMgMjIuMzU1TDUuMDY5MzQgMTguNzA5N1oiIGZpbGw9IiMyMjUwODYiLz4KPHBhdGggZD0iTTEwLjQ3MDcgMi4wMDkwMUwwLjQ3MDY2MiAxMy4yODlDLTAuMzAxMzM4IDE0LjE2MSAtMC4xMDAwMDUgMTUuNDc4MyAwLjkwMTMyOCAxNi4xMDM3QzAuOTAxMzI4IDE2LjEwMzcgNC42MDI2NiAxOC40MTcgNS4wNjkzMyAxOC43MDlDNS41ODY2NiAxOS4wMzE3IDYuNDQ2NjYgMTkuMzkwMyA3LjM1NTk5IDE5LjM5MDNDOC4xODM5OSAxOS4zOTAzIDguOTUzMzMgMTkuMTUwMyA5LjU5MDY2IDE4Ljc0MUM5LjU5MDY2IDE4Ljc0MSA5LjU5MTk5IDE4Ljc0MSA5LjU5MzMzIDE4LjczOTdMMTIgMTcuMjM1N0w2LjE4MTMzIDEzLjU5ODNMMTIuMDAxMyA3LjAzMzAxVjEuMzMzMDFDMTEuNDM2IDEuMzMzMDEgMTAuODcwNyAxLjU1ODM0IDEwLjQ3MDcgMi4wMDkwMVoiIGZpbGw9IiM2NkRERkYiLz4KPHBhdGggZD0iTTYuMTgxMjcgMTMuNTk5NUw2LjI1MDYxIDEzLjY0MjJMMTEuOTk5OSAxNy4yMzY4SDEyLjAwMTNWNy4wMzU1MUwxMS45OTk5IDcuMDM0MThMNi4xODEyNyAxMy41OTk1WiIgZmlsbD0iI0NCRjhGRiIvPgo8cGF0aCBkPSJNMjMuMDk4NyAxNi4xMDRDMjQuMSAxNS40Nzg3IDI0LjMwMTMgMTQuMTYxMyAyMy41MjkzIDEzLjI4OTNMMTYuOTY4IDUuODg4QzE2LjQzODcgNS42NDEzMyAxNS44NDUzIDUuNSAxNS4yMTczIDUuNUMxMy45ODQgNS41IDEyLjg4MTMgNi4wMzIgMTIuMTQ4IDYuODY4TDEyLjAwMjcgNy4wMzJMMTcuODIxMyAxMy41OTczTDEyLjAwMTMgMTcuMjM0N1YyMi42NjUzQzEyLjM4NCAyMi42NjUzIDEyLjc2NTMgMjIuNTYxMyAxMy4wOTg3IDIyLjM1MzNMMjMuMDk4NyAxNi4xMDI3VjE2LjEwNFoiIGZpbGw9IiMwNzQ3OTMiLz4KPHBhdGggZD0iTTEyLjAwMTMgMS4zMzMwMVY3LjAzMzAxTDEyLjE0NjcgNi44NjkwMUMxMi44OCA2LjAzMzAxIDEzLjk4MjcgNS41MDEwMSAxNS4yMTYgNS41MDEwMUMxNS44NDUzIDUuNTAxMDEgMTYuNDM3MyA1LjY0MzY3IDE2Ljk2NjcgNS44ODkwMUwxMy41MjggMi4wMTAzNEMxMy4xMjkzIDEuNTU5NjcgMTIuNTY0IDEuMzM0MzQgMTIgMS4zMzQzNEwxMi4wMDEzIDEuMzMzMDFaIiBmaWxsPSIjMDI5NEU0Ii8+CjxwYXRoIGQ9Ik0xNy44MiAxMy41OTkyTDEyLjAwMTMgNy4wMzUxNlYxNy4yMzUyTDE3LjgyIDEzLjU5OTJaIiBmaWxsPSIjOTZCQ0MyIi8+Cjwvc3ZnPgo=',
   logoDark:
     'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTUuMDY5MzQgMTguNzA5N0M1LjU4NjY3IDE5LjAzMjMgNi40NDY2NyAxOS4zOTEgNy4zNTYgMTkuMzkxQzguMTg0IDE5LjM5MSA4Ljk1MzM0IDE5LjE1MSA5LjU5MDY3IDE4Ljc0MTdDOS41OTA2NyAxOC43NDE3IDkuNTkyIDE4Ljc0MTcgOS41OTMzNCAxOC43NDAzTDEyIDE3LjIzNjNWMjIuNjY3QzExLjYxODcgMjIuNjY3IDExLjIzNDcgMjIuNTYzIDEwLjkwMTMgMjIuMzU1TDUuMDY5MzQgMTguNzA5N1oiIGZpbGw9IiMyMjUwODYiLz4KPHBhdGggZD0iTTEwLjQ3MDcgMi4wMDkwMUwwLjQ3MDY2MiAxMy4yODlDLTAuMzAxMzM4IDE0LjE2MSAtMC4xMDAwMDUgMTUuNDc4MyAwLjkwMTMyOCAxNi4xMDM3QzAuOTAxMzI4IDE2LjEwMzcgNC42MDI2NiAxOC40MTcgNS4wNjkzMyAxOC43MDlDNS41ODY2NiAxOS4wMzE3IDYuNDQ2NjYgMTkuMzkwMyA3LjM1NTk5IDE5LjM5MDNDOC4xODM5OSAxOS4zOTAzIDguOTUzMzMgMTkuMTUwMyA5LjU5MDY2IDE4Ljc0MUM5LjU5MDY2IDE4Ljc0MSA5LjU5MTk5IDE4Ljc0MSA5LjU5MzMzIDE4LjczOTdMMTIgMTcuMjM1N0w2LjE4MTMzIDEzLjU5ODNMMTIuMDAxMyA3LjAzMzAxVjEuMzMzMDFDMTEuNDM2IDEuMzMzMDEgMTAuODcwNyAxLjU1ODM0IDEwLjQ3MDcgMi4wMDkwMVoiIGZpbGw9IiM2NkRERkYiLz4KPHBhdGggZD0iTTYuMTgxMjcgMTMuNTk5NUw2LjI1MDYxIDEzLjY0MjJMMTEuOTk5OSAxNy4yMzY4SDEyLjAwMTNWNy4wMzU1MUwxMS45OTk5IDcuMDM0MThMNi4xODEyNyAxMy41OTk1WiIgZmlsbD0iI0NCRjhGRiIvPgo8cGF0aCBkPSJNMjMuMDk4NyAxNi4xMDRDMjQuMSAxNS40Nzg3IDI0LjMwMTMgMTQuMTYxMyAyMy41MjkzIDEzLjI4OTNMMTYuOTY4IDUuODg4QzE2LjQzODcgNS42NDEzMyAxNS44NDUzIDUuNSAxNS4yMTczIDUuNUMxMy45ODQgNS41IDEyLjg4MTMgNi4wMzIgMTIuMTQ4IDYuODY4TDEyLjAwMjcgNy4wMzJMMTcuODIxMyAxMy41OTczTDEyLjAwMTMgMTcuMjM0N1YyMi42NjUzQzEyLjM4NCAyMi42NjUzIDEyLjc2NTMgMjIuNTYxMyAxMy4wOTg3IDIyLjM1MzNMMjMuMDk4NyAxNi4xMDI3VjE2LjEwNFoiIGZpbGw9IiMwNzQ3OTMiLz4KPHBhdGggZD0iTTEyLjAwMTMgMS4zMzMwMVY3LjAzMzAxTDEyLjE0NjcgNi44NjkwMUMxMi44OCA2LjAzMzAxIDEzLjk4MjcgNS41MDEwMSAxNS4yMTYgNS41MDEwMUMxNS44NDUzIDUuNTAxMDEgMTYuNDM3MyA1LjY0MzY3IDE2Ljk2NjcgNS44ODkwMUwxMy41MjggMi4wMTAzNEMxMy4xMjkzIDEuNTU5NjcgMTIuNTY0IDEuMzM0MzQgMTIgMS4zMzQzNEwxMi4wMDEzIDEuMzMzMDFaIiBmaWxsPSIjMDI5NEU0Ii8+CjxwYXRoIGQ9Ik0xNy44MiAxMy41OTkyTDEyLjAwMTMgNy4wMzUxNlYxNy4yMzUyTDE3LjgyIDEzLjU5OTJaIiBmaWxsPSIjOTZCQ0MyIi8+Cjwvc3ZnPgo=',
@@ -31,7 +32,7 @@ export const azureAdSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.AZU
     'zh-TW': '以前是 Azure AD，全面的基於雲端的身份管理服務。',
   },
   name: {
-    en: 'Microsoft Entra ID',
+    en: 'Microsoft Entra ID (SAML)',
   },
   configGuard: samlConnectorConfigGuard,
   constructor: AzureAdSsoConnector,
diff --git a/packages/core/src/sso/AzureOidcSsoConnector/index.ts b/packages/core/src/sso/AzureOidcSsoConnector/index.ts
new file mode 100644
index 00000000000..be11e75e8c1
--- /dev/null
+++ b/packages/core/src/sso/AzureOidcSsoConnector/index.ts
@@ -0,0 +1,98 @@
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
+import { conditional } from '@silverhand/essentials';
+import camelcaseKeys from 'camelcase-keys';
+
+import assertThat from '#src/utils/assert-that.js';
+
+import { fetchToken, getIdTokenClaims, getUserInfo } from '../OidcConnector/utils.js';
+import { OidcSsoConnector } from '../OidcSsoConnector/index.js';
+import { type SingleSignOnFactory } from '../index.js';
+import { SsoConnectorError, SsoConnectorErrorCodes } from '../types/error.js';
+import { basicOidcConnectorConfigGuard } from '../types/oidc.js';
+import { type ExtendedSocialUserInfo } from '../types/saml.js';
+import { type SingleSignOnConnectorSession } from '../types/session.js';
+
+export class AzureOidcSsoConnector extends OidcSsoConnector {
+  /**
+   * Handle the sign-in callback from the OIDC provider and return the user info
+   *
+   * @param data unknown oidc authorization response
+   * @param connectorSession The connector session data from the oidc provider session storage
+   * @returns The user info from the OIDC provider
+   *
+   * @remarks folked from OidcSsoConnector. Override the getUserInfo method's sync user info logic.
+   * The email_verified and phone_verified are returned from Azure AD's userinfo endpoint.
+   * @see https://learn.microsoft.com/en-us/answers/questions/812672/microsoft-openid-connect-getting-verified-email
+   * It is unsafe to trust the unverified email and phone number in Logto's context. As we are using the verified email and phone number to identify the user.
+   * Store extra unverified_email and unverified_phone fields in the user SSO identity profile instead.
+   */
+  override async getUserInfo(
+    connectorSession: SingleSignOnConnectorSession,
+    data: unknown
+  ): Promise<ExtendedSocialUserInfo> {
+    const oidcConfig = await this.getOidcConfig();
+    const { nonce, redirectUri } = connectorSession;
+
+    // Fetch token from the OIDC provider using authorization code
+    const { idToken, accessToken } = await fetchToken(oidcConfig, data, redirectUri);
+
+    assertThat(
+      accessToken,
+      new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
+        message: 'The access token is missing from the response.',
+      })
+    );
+
+    // Verify the id token and get the user id
+    const { sub: id } = await getIdTokenClaims(idToken, oidcConfig, nonce);
+
+    // Fetch user info from the userinfo endpoint
+    const { sub, name, picture, email, email_verified, phone, phone_verified, ...rest } =
+      await getUserInfo(accessToken, oidcConfig.userinfoEndpoint);
+
+    return {
+      id,
+      ...conditional(name && { name }),
+      ...conditional(picture && { avatar: picture }),
+      ...conditional(email && email_verified && { email }),
+      ...conditional(phone && phone_verified && { phone }),
+      ...camelcaseKeys(rest),
+      ...conditional(email && !email_verified && { unverifiedEmail: email }),
+      ...conditional(phone && !phone_verified && { unverifiedPhone: phone }),
+    };
+  }
+}
+
+export const azureOidcSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.AZURE_AD_OIDC> = {
+  providerName: SsoProviderName.AZURE_AD_OIDC,
+  providerType: SsoProviderType.OIDC,
+  logo: 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTUuMDY5MzQgMTguNzA5N0M1LjU4NjY3IDE5LjAzMjMgNi40NDY2NyAxOS4zOTEgNy4zNTYgMTkuMzkxQzguMTg0IDE5LjM5MSA4Ljk1MzM0IDE5LjE1MSA5LjU5MDY3IDE4Ljc0MTdDOS41OTA2NyAxOC43NDE3IDkuNTkyIDE4Ljc0MTcgOS41OTMzNCAxOC43NDAzTDEyIDE3LjIzNjNWMjIuNjY3QzExLjYxODcgMjIuNjY3IDExLjIzNDcgMjIuNTYzIDEwLjkwMTMgMjIuMzU1TDUuMDY5MzQgMTguNzA5N1oiIGZpbGw9IiMyMjUwODYiLz4KPHBhdGggZD0iTTEwLjQ3MDcgMi4wMDkwMUwwLjQ3MDY2MiAxMy4yODlDLTAuMzAxMzM4IDE0LjE2MSAtMC4xMDAwMDUgMTUuNDc4MyAwLjkwMTMyOCAxNi4xMDM3QzAuOTAxMzI4IDE2LjEwMzcgNC42MDI2NiAxOC40MTcgNS4wNjkzMyAxOC43MDlDNS41ODY2NiAxOS4wMzE3IDYuNDQ2NjYgMTkuMzkwMyA3LjM1NTk5IDE5LjM5MDNDOC4xODM5OSAxOS4zOTAzIDguOTUzMzMgMTkuMTUwMyA5LjU5MDY2IDE4Ljc0MUM5LjU5MDY2IDE4Ljc0MSA5LjU5MTk5IDE4Ljc0MSA5LjU5MzMzIDE4LjczOTdMMTIgMTcuMjM1N0w2LjE4MTMzIDEzLjU5ODNMMTIuMDAxMyA3LjAzMzAxVjEuMzMzMDFDMTEuNDM2IDEuMzMzMDEgMTAuODcwNyAxLjU1ODM0IDEwLjQ3MDcgMi4wMDkwMVoiIGZpbGw9IiM2NkRERkYiLz4KPHBhdGggZD0iTTYuMTgxMjcgMTMuNTk5NUw2LjI1MDYxIDEzLjY0MjJMMTEuOTk5OSAxNy4yMzY4SDEyLjAwMTNWNy4wMzU1MUwxMS45OTk5IDcuMDM0MThMNi4xODEyNyAxMy41OTk1WiIgZmlsbD0iI0NCRjhGRiIvPgo8cGF0aCBkPSJNMjMuMDk4NyAxNi4xMDRDMjQuMSAxNS40Nzg3IDI0LjMwMTMgMTQuMTYxMyAyMy41MjkzIDEzLjI4OTNMMTYuOTY4IDUuODg4QzE2LjQzODcgNS42NDEzMyAxNS44NDUzIDUuNSAxNS4yMTczIDUuNUMxMy45ODQgNS41IDEyLjg4MTMgNi4wMzIgMTIuMTQ4IDYuODY4TDEyLjAwMjcgNy4wMzJMMTcuODIxMyAxMy41OTczTDEyLjAwMTMgMTcuMjM0N1YyMi42NjUzQzEyLjM4NCAyMi42NjUzIDEyLjc2NTMgMjIuNTYxMyAxMy4wOTg3IDIyLjM1MzNMMjMuMDk4NyAxNi4xMDI3VjE2LjEwNFoiIGZpbGw9IiMwNzQ3OTMiLz4KPHBhdGggZD0iTTEyLjAwMTMgMS4zMzMwMVY3LjAzMzAxTDEyLjE0NjcgNi44NjkwMUMxMi44OCA2LjAzMzAxIDEzLjk4MjcgNS41MDEwMSAxNS4yMTYgNS41MDEwMUMxNS44NDUzIDUuNTAxMDEgMTYuNDM3MyA1LjY0MzY3IDE2Ljk2NjcgNS44ODkwMUwxMy41MjggMi4wMTAzNEMxMy4xMjkzIDEuNTU5NjcgMTIuNTY0IDEuMzM0MzQgMTIgMS4zMzQzNEwxMi4wMDEzIDEuMzMzMDFaIiBmaWxsPSIjMDI5NEU0Ii8+CjxwYXRoIGQ9Ik0xNy44MiAxMy41OTkyTDEyLjAwMTMgNy4wMzUxNlYxNy4yMzUyTDE3LjgyIDEzLjU5OTJaIiBmaWxsPSIjOTZCQ0MyIi8+Cjwvc3ZnPgo=',
+  logoDark:
+    'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTUuMDY5MzQgMTguNzA5N0M1LjU4NjY3IDE5LjAzMjMgNi40NDY2NyAxOS4zOTEgNy4zNTYgMTkuMzkxQzguMTg0IDE5LjM5MSA4Ljk1MzM0IDE5LjE1MSA5LjU5MDY3IDE4Ljc0MTdDOS41OTA2NyAxOC43NDE3IDkuNTkyIDE4Ljc0MTcgOS41OTMzNCAxOC43NDAzTDEyIDE3LjIzNjNWMjIuNjY3QzExLjYxODcgMjIuNjY3IDExLjIzNDcgMjIuNTYzIDEwLjkwMTMgMjIuMzU1TDUuMDY5MzQgMTguNzA5N1oiIGZpbGw9IiMyMjUwODYiLz4KPHBhdGggZD0iTTEwLjQ3MDcgMi4wMDkwMUwwLjQ3MDY2MiAxMy4yODlDLTAuMzAxMzM4IDE0LjE2MSAtMC4xMDAwMDUgMTUuNDc4MyAwLjkwMTMyOCAxNi4xMDM3QzAuOTAxMzI4IDE2LjEwMzcgNC42MDI2NiAxOC40MTcgNS4wNjkzMyAxOC43MDlDNS41ODY2NiAxOS4wMzE3IDYuNDQ2NjYgMTkuMzkwMyA3LjM1NTk5IDE5LjM5MDNDOC4xODM5OSAxOS4zOTAzIDguOTUzMzMgMTkuMTUwMyA5LjU5MDY2IDE4Ljc0MUM5LjU5MDY2IDE4Ljc0MSA5LjU5MTk5IDE4Ljc0MSA5LjU5MzMzIDE4LjczOTdMMTIgMTcuMjM1N0w2LjE4MTMzIDEzLjU5ODNMMTIuMDAxMyA3LjAzMzAxVjEuMzMzMDFDMTEuNDM2IDEuMzMzMDEgMTAuODcwNyAxLjU1ODM0IDEwLjQ3MDcgMi4wMDkwMVoiIGZpbGw9IiM2NkRERkYiLz4KPHBhdGggZD0iTTYuMTgxMjcgMTMuNTk5NUw2LjI1MDYxIDEzLjY0MjJMMTEuOTk5OSAxNy4yMzY4SDEyLjAwMTNWNy4wMzU1MUwxMS45OTk5IDcuMDM0MThMNi4xODEyNyAxMy41OTk1WiIgZmlsbD0iI0NCRjhGRiIvPgo8cGF0aCBkPSJNMjMuMDk4NyAxNi4xMDRDMjQuMSAxNS40Nzg3IDI0LjMwMTMgMTQuMTYxMyAyMy41MjkzIDEzLjI4OTNMMTYuOTY4IDUuODg4QzE2LjQzODcgNS42NDEzMyAxNS44NDUzIDUuNSAxNS4yMTczIDUuNUMxMy45ODQgNS41IDEyLjg4MTMgNi4wMzIgMTIuMTQ4IDYuODY4TDEyLjAwMjcgNy4wMzJMMTcuODIxMyAxMy41OTczTDEyLjAwMTMgMTcuMjM0N1YyMi42NjUzQzEyLjM4NCAyMi42NjUzIDEyLjc2NTMgMjIuNTYxMyAxMy4wOTg3IDIyLjM1MzNMMjMuMDk4NyAxNi4xMDI3VjE2LjEwNFoiIGZpbGw9IiMwNzQ3OTMiLz4KPHBhdGggZD0iTTEyLjAwMTMgMS4zMzMwMVY3LjAzMzAxTDEyLjE0NjcgNi44NjkwMUMxMi44OCA2LjAzMzAxIDEzLjk4MjcgNS41MDEwMSAxNS4yMTYgNS41MDEwMUMxNS44NDUzIDUuNTAxMDEgMTYuNDM3MyA1LjY0MzY3IDE2Ljk2NjcgNS44ODkwMUwxMy41MjggMi4wMTAzNEMxMy4xMjkzIDEuNTU5NjcgMTIuNTY0IDEuMzM0MzQgMTIgMS4zMzQzNEwxMi4wMDEzIDEuMzMzMDFaIiBmaWxsPSIjMDI5NEU0Ii8+CjxwYXRoIGQ9Ik0xNy44MiAxMy41OTkyTDEyLjAwMTMgNy4wMzUxNlYxNy4yMzUyTDE3LjgyIDEzLjU5OTJaIiBmaWxsPSIjOTZCQ0MyIi8+Cjwvc3ZnPgo=',
+  description: {
+    en: 'OpenID Connect on the Microsoft identity platform. Formerly known as Azure AD OIDC.',
+    de: 'OpenID Connect auf der Microsoft-Identitätsplattform. Früher bekannt als Azure AD OIDC.',
+    es: 'OpenID Connect en la plataforma de identidad de Microsoft. Anteriormente conocido como Azure AD OIDC.',
+    fr: 'OpenID Connect sur la plateforme d’identité Microsoft. Anciennement connu sous le nom de Azure AD OIDC.',
+    it: 'OpenID Connect sulla piattaforma di identità Microsoft. Precedentemente noto come Azure AD OIDC.',
+    ja: 'Microsoft アイデンティティ プラットフォーム上の OpenID Connect. 以前は Azure AD OIDC として知られていました。',
+    ko: 'Microsoft Identity 플랫폼에서 OpenID Connect. 이전에는 Azure AD OIDC로 알려져 있었습니다.',
+    'pl-PL': 'OpenID Connect na platformie tożsamości Microsoft. Dawniej znany jako Azure AD OIDC.',
+    'pt-BR':
+      'OpenID Connect na plataforma de identidade da Microsoft. Anteriormente conhecido como Azure AD OIDC.',
+    'pt-PT':
+      'OpenID Connect na plataforma de identidade da Microsoft. Anteriormente conhecido como Azure AD OIDC.',
+    ru: 'OpenID Connect на платформе идентификации Microsoft. Ранее известный как Azure AD OIDC.',
+    'tr-TR':
+      'Microsoft kimlik platformunda OpenID Connect. Eskiden Azure AD OIDC olarak bilinirdi.',
+    'zh-CN': 'Microsoft 身份平台上的 OpenID Connect. 以前称为 Azure AD OIDC。',
+    'zh-HK': 'Microsoft 身份平台上的 OpenID Connect. 以前稱為 Azure AD OIDC。',
+    'zh-TW': 'Microsoft 身份平台上的 OpenID Connect. 以前稱為 Azure AD OIDC。',
+  },
+
+  name: {
+    en: 'Microsoft Entra ID (OIDC)',
+  },
+  configGuard: basicOidcConnectorConfigGuard,
+  constructor: AzureOidcSsoConnector,
+};
diff --git a/packages/core/src/sso/GoogleWorkspaceSsoConnector/index.ts b/packages/core/src/sso/GoogleWorkspaceSsoConnector/index.ts
index f2e4d6d56ad..fb56861ead4 100644
--- a/packages/core/src/sso/GoogleWorkspaceSsoConnector/index.ts
+++ b/packages/core/src/sso/GoogleWorkspaceSsoConnector/index.ts
@@ -1,14 +1,11 @@
 import { ConnectorError, ConnectorErrorCodes } from '@logto/connector-kit';
-import { SsoProviderName } from '@logto/schemas';
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
 
 import OidcConnector from '../OidcConnector/index.js';
 import { type SingleSignOnFactory } from '../index.js';
-import {
-  type CreateSingleSignOnSession,
-  type SingleSignOn,
-  type SingleSignOnConnectorData,
-} from '../types/index.js';
+import { type SingleSignOn, type SingleSignOnConnectorData } from '../types/connector.js';
 import { basicOidcConnectorConfigGuard } from '../types/oidc.js';
+import { type CreateSingleSignOnSession } from '../types/session.js';
 
 // Google use static issue endpoint.
 const googleIssuer = 'https://accounts.google.com';
@@ -53,6 +50,7 @@ export const googleWorkspaceSsoConnectorConfigGuard = basicOidcConnectorConfigGu
 export const googleWorkSpaceSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.GOOGLE_WORKSPACE> =
   {
     providerName: SsoProviderName.GOOGLE_WORKSPACE,
+    providerType: SsoProviderType.OIDC,
     logo: 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yMy41MiAxMi4yNzI5QzIzLjUyIDExLjQyMiAyMy40NDM2IDEwLjYwMzggMjMuMzAxOCA5LjgxODM2SDEyVjE0LjQ2MDJIMTguNDU4MkMxOC4xOCAxNS45NjAyIDE3LjMzNDUgMTcuMjMxMSAxNi4wNjM2IDE4LjA4MlYyMS4wOTI5SDE5Ljk0MThDMjIuMjEwOSAxOS4wMDM4IDIzLjUyIDE1LjkyNzQgMjMuNTIgMTIuMjcyOVYxMi4yNzI5WiIgZmlsbD0iIzQyODVGNCIvPgo8cGF0aCBmaWxsLXJ1bGU9ImV2ZW5vZGQiIGNsaXAtcnVsZT0iZXZlbm9kZCIgZD0iTTEyIDIzLjk5OTNDMTUuMjQgMjMuOTk5MyAxNy45NTY0IDIyLjkyNDggMTkuOTQxOCAyMS4wOTJMMTYuMDYzNiAxOC4wODExQzE0Ljk4OTEgMTguODAxMSAxMy42MTQ1IDE5LjIyNjYgMTIgMTkuMjI2NkM4Ljg3NDU1IDE5LjIyNjYgNi4yMjkwOSAxNy4xMTU3IDUuMjg1NDYgMTQuMjc5M0gxLjI3NjM3VjE3LjM4ODRDMy4yNTA5MSAyMS4zMTAyIDcuMzA5MDkgMjMuOTk5MyAxMiAyMy45OTkzVjIzLjk5OTNaIiBmaWxsPSIjMzRBODUzIi8+CjxwYXRoIGZpbGwtcnVsZT0iZXZlbm9kZCIgY2xpcC1ydWxlPSJldmVub2RkIiBkPSJNNS4yODU0NSAxNC4yODA0QzUuMDQ1NDUgMTMuNTYwNCA0LjkwOTA5IDEyLjc5MTMgNC45MDkwOSAxMi4wMDA0QzQuOTA5MDkgMTEuMjA5NSA1LjA0NTQ1IDEwLjQ0MDQgNS4yODU0NSA5LjcyMDQyVjYuNjExMzNIMS4yNzYzNkMwLjQ2MzYzNiA4LjIzMTMzIDAgMTAuMDY0MSAwIDEyLjAwMDRDMCAxMy45MzY4IDAuNDYzNjM2IDE1Ljc2OTUgMS4yNzYzNiAxNy4zODk1TDUuMjg1NDUgMTQuMjgwNFYxNC4yODA0WiIgZmlsbD0iI0ZCQkMwNSIvPgo8cGF0aCBmaWxsLXJ1bGU9ImV2ZW5vZGQiIGNsaXAtcnVsZT0iZXZlbm9kZCIgZD0iTTEyIDQuNzcyNzNDMTMuNzYxOCA0Ljc3MjczIDE1LjM0MzYgNS4zNzgxOCAxNi41ODczIDYuNTY3MjdMMjAuMDI5MSAzLjEyNTQ1QzE3Ljk1MDkgMS4xODkwOSAxNS4yMzQ1IDAgMTIgMEM3LjMwOTA5IDAgMy4yNTA5MSAyLjY4OTA5IDEuMjc2MzcgNi42MTA5MUw1LjI4NTQ2IDkuNzJDNi4yMjkwOSA2Ljg4MzY0IDguODc0NTUgNC43NzI3MyAxMiA0Ljc3MjczVjQuNzcyNzNaIiBmaWxsPSIjRUE0MzM1Ii8+Cjwvc3ZnPgo=',
     logoDark:
       'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yMy41MiAxMi4yNzI5QzIzLjUyIDExLjQyMiAyMy40NDM2IDEwLjYwMzggMjMuMzAxOCA5LjgxODM2SDEyVjE0LjQ2MDJIMTguNDU4MkMxOC4xOCAxNS45NjAyIDE3LjMzNDUgMTcuMjMxMSAxNi4wNjM2IDE4LjA4MlYyMS4wOTI5SDE5Ljk0MThDMjIuMjEwOSAxOS4wMDM4IDIzLjUyIDE1LjkyNzQgMjMuNTIgMTIuMjcyOVYxMi4yNzI5WiIgZmlsbD0iIzQyODVGNCIvPgo8cGF0aCBmaWxsLXJ1bGU9ImV2ZW5vZGQiIGNsaXAtcnVsZT0iZXZlbm9kZCIgZD0iTTEyIDI0LjAwMDNDMTUuMjQgMjQuMDAwMyAxNy45NTY0IDIyLjkyNTcgMTkuOTQxOCAyMS4wOTNMMTYuMDYzNiAxOC4wODIxQzE0Ljk4OTEgMTguODAyMSAxMy42MTQ1IDE5LjIyNzUgMTIgMTkuMjI3NUM4Ljg3NDU1IDE5LjIyNzUgNi4yMjkwOSAxNy4xMTY2IDUuMjg1NDYgMTQuMjgwM0gxLjI3NjM3VjE3LjM4OTRDMy4yNTA5MSAyMS4zMTEyIDcuMzA5MDkgMjQuMDAwMyAxMiAyNC4wMDAzVjI0LjAwMDNaIiBmaWxsPSIjMzRBODUzIi8+CjxwYXRoIGZpbGwtcnVsZT0iZXZlbm9kZCIgY2xpcC1ydWxlPSJldmVub2RkIiBkPSJNNS4yODU0NSAxNC4yNzk0QzUuMDQ1NDUgMTMuNTU5NCA0LjkwOTA5IDEyLjc5MDQgNC45MDkwOSAxMS45OTk0QzQuOTA5MDkgMTEuMjA4NSA1LjA0NTQ1IDEwLjQzOTQgNS4yODU0NSA5LjcxOTQ0VjYuNjEwMzVIMS4yNzYzNkMwLjQ2MzYzNiA4LjIzMDM1IDAgMTAuMDYzMSAwIDExLjk5OTRDMCAxMy45MzU4IDAuNDYzNjM2IDE1Ljc2ODUgMS4yNzYzNiAxNy4zODg1TDUuMjg1NDUgMTQuMjc5NFYxNC4yNzk0WiIgZmlsbD0iI0ZCQkMwNSIvPgo8cGF0aCBmaWxsLXJ1bGU9ImV2ZW5vZGQiIGNsaXAtcnVsZT0iZXZlbm9kZCIgZD0iTTEyIDQuNzcyNzNDMTMuNzYxOCA0Ljc3MjczIDE1LjM0MzYgNS4zNzgxOCAxNi41ODczIDYuNTY3MjdMMjAuMDI5MSAzLjEyNTQ1QzE3Ljk1MDkgMS4xODkwOSAxNS4yMzQ1IDAgMTIgMEM3LjMwOTA5IDAgMy4yNTA5MSAyLjY4OTA5IDEuMjc2MzcgNi42MTA5MUw1LjI4NTQ2IDkuNzJDNi4yMjkwOSA2Ljg4MzY0IDguODc0NTUgNC43NzI3MyAxMiA0Ljc3MjczVjQuNzcyNzNaIiBmaWxsPSIjRUE0MzM1Ii8+Cjwvc3ZnPgo=',
diff --git a/packages/core/src/sso/OidcConnector/index.ts b/packages/core/src/sso/OidcConnector/index.ts
index f0c3d3d7b2c..480318ed2fa 100644
--- a/packages/core/src/sso/OidcConnector/index.ts
+++ b/packages/core/src/sso/OidcConnector/index.ts
@@ -1,7 +1,11 @@
 import { generateStandardId } from '@logto/shared/universal';
 import { conditional } from '@silverhand/essentials';
+import camelcaseKeys from 'camelcase-keys';
 import snakecaseKeys from 'snakecase-keys';
 
+import assertThat from '#src/utils/assert-that.js';
+
+import { SsoConnectorError, SsoConnectorErrorCodes } from '../types/error.js';
 import {
   type BaseOidcConfig,
   type BasicOidcConnectorConfig,
@@ -13,7 +17,7 @@ import {
   type CreateSingleSignOnSession,
 } from '../types/session.js';
 
-import { fetchOidcConfig, fetchToken, getIdTokenClaims } from './utils.js';
+import { fetchOidcConfig, fetchToken, getIdTokenClaims, getUserInfo } from './utils.js';
 
 /**
  * OIDC connector
@@ -91,8 +95,6 @@ class OidcConnector {
    * @param data unknown oidc authorization response
    * @param connectorSession The connector session data from the oidc provider session storage
    * @returns The user info from the OIDC provider
-   * @remark Forked from @logto/oidc-connector
-   *
    */
   async getUserInfo(
     connectorSession: SingleSignOnConnectorSession,
@@ -102,18 +104,29 @@ class OidcConnector {
     const { nonce, redirectUri } = connectorSession;
 
     // Fetch token from the OIDC provider using authorization code
-    const { idToken } = await fetchToken(oidcConfig, data, redirectUri);
+    const { idToken, accessToken } = await fetchToken(oidcConfig, data, redirectUri);
+
+    assertThat(
+      accessToken,
+      new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
+        message: 'The access token is missing from the response.',
+      })
+    );
+
+    // Verify the id token and get the user id
+    const { sub: id } = await getIdTokenClaims(idToken, oidcConfig, nonce);
 
-    // Decode and verify the id token
-    const { sub, name, picture, email, email_verified, phone, phone_verified } =
-      await getIdTokenClaims(idToken, oidcConfig, nonce);
+    // Fetch user info from the userinfo endpoint
+    const { sub, name, picture, email, email_verified, phone, phone_verified, ...rest } =
+      await getUserInfo(accessToken, oidcConfig.userinfoEndpoint);
 
     return {
-      id: sub,
+      id,
       ...conditional(name && { name }),
       ...conditional(picture && { avatar: picture }),
       ...conditional(email && email_verified && { email }),
       ...conditional(phone && phone_verified && { phone }),
+      ...camelcaseKeys(rest),
     };
   }
 }
diff --git a/packages/core/src/sso/OidcSsoConnector/index.ts b/packages/core/src/sso/OidcSsoConnector/index.ts
index b27e4efd421..7daf715a447 100644
--- a/packages/core/src/sso/OidcSsoConnector/index.ts
+++ b/packages/core/src/sso/OidcSsoConnector/index.ts
@@ -1,13 +1,13 @@
-import { SsoProviderName } from '@logto/schemas';
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
 
 import OidcConnector from '../OidcConnector/index.js';
 import { type SingleSignOnFactory } from '../index.js';
+import { type SingleSignOn, type SingleSignOnConnectorData } from '../types/connector.js';
 import {
   SsoConnectorError,
   SsoConnectorErrorCodes,
   SsoConnectorConfigErrorCodes,
 } from '../types/error.js';
-import { type SingleSignOn, type SingleSignOnConnectorData } from '../types/index.js';
 import { basicOidcConnectorConfigGuard } from '../types/oidc.js';
 
 export class OidcSsoConnector extends OidcConnector implements SingleSignOn {
@@ -36,6 +36,7 @@ export class OidcSsoConnector extends OidcConnector implements SingleSignOn {
 
 export const oidcSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.OIDC> = {
   providerName: SsoProviderName.OIDC,
+  providerType: SsoProviderType.OIDC,
   logo: 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzk5MTRfMjA2MTMpIj4KPHBhdGggZD0iTTI0IDEzLjc5OTJMMjMuNCA4LjM5OTIyTDIxLjY2IDkuNTM5MjJDMjAuMDQgOC41MTkyMiAxOCA3Ljc5OTIyIDE1LjcyIDcuNDM5MjJDMTUuNzIgNy40MzkyMiAxNC41OCA3LjE5OTIyIDEzLjA4IDcuMTk5MjJDMTEuNTggNy4xOTkyMiAxMC4yIDcuMzc5MjIgMTAuMiA3LjM3OTIyQzQuMzggOC4wOTkyMiAwIDExLjM5OTIgMCAxNS4zNTkyQzAgMTkuNDM5MiA0LjUgMjIuNzk5MiAxMS40IDIzLjM5OTJWMjEuMDU5MkM2LjY2IDIwLjM5OTIgMy42NiAxOC4xNzkyIDMuNjYgMTUuMzU5MkMzLjY2IDEyLjcxOTIgNi40MiAxMC40OTkyIDEwLjIgOS43NzkyMkMxMC4yIDkuNzc5MjIgMTMuMTQgOS4xMTkyMiAxNS43MiA5Ljg5OTIyQzE2Ljk4IDEwLjE5OTIgMTguMTIgMTAuNjE5MiAxOS4wOCAxMS4yMTkyTDE2LjggMTIuNTk5MkwyNCAxMy43OTkyWiIgZmlsbD0iIzlFOUU5RSIvPgo8cGF0aCBkPSJNMTEuMzk5OSAyLjM5OTYxVjIzLjM5OTZMMTQuOTk5OSAyMS41OTk2VjAuNTk5NjA5TDExLjM5OTkgMi4zOTk2MVoiIGZpbGw9IiNGRjk4MDAiLz4KPC9nPgo8ZGVmcz4KPGNsaXBQYXRoIGlkPSJjbGlwMF85OTE0XzIwNjEzIj4KPHJlY3Qgd2lkdGg9IjI0IiBoZWlnaHQ9IjI0IiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=',
   logoDark:
     'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzk5MTRfMjA2MTIpIj4KPHBhdGggZD0iTTI0IDEzLjc5OTJMMjMuNCA4LjM5OTIyTDIxLjY2IDkuNTM5MjJDMjAuMDQgOC41MTkyMiAxOCA3Ljc5OTIyIDE1LjcyIDcuNDM5MjJDMTUuNzIgNy40MzkyMiAxNC41OCA3LjE5OTIyIDEzLjA4IDcuMTk5MjJDMTEuNTggNy4xOTkyMiAxMC4yIDcuMzc5MjIgMTAuMiA3LjM3OTIyQzQuMzggOC4wOTkyMiAwIDExLjM5OTIgMCAxNS4zNTkyQzAgMTkuNDM5MiA0LjUgMjIuNzk5MiAxMS40IDIzLjM5OTJWMjEuMDU5MkM2LjY2IDIwLjM5OTIgMy42NiAxOC4xNzkyIDMuNjYgMTUuMzU5MkMzLjY2IDEyLjcxOTIgNi40MiAxMC40OTkyIDEwLjIgOS43NzkyMkMxMC4yIDkuNzc5MjIgMTMuMTQgOS4xMTkyMiAxNS43MiA5Ljg5OTIyQzE2Ljk4IDEwLjE5OTIgMTguMTIgMTAuNjE5MiAxOS4wOCAxMS4yMTkyTDE2LjggMTIuNTk5MkwyNCAxMy43OTkyWiIgZmlsbD0iIzlFOUU5RSIvPgo8cGF0aCBkPSJNMTEuMzk5OSAyLjM5OTYxVjIzLjM5OTZMMTQuOTk5OSAyMS41OTk2VjAuNTk5NjA5TDExLjM5OTkgMi4zOTk2MVoiIGZpbGw9IiNGRjk4MDAiLz4KPC9nPgo8ZGVmcz4KPGNsaXBQYXRoIGlkPSJjbGlwMF85OTE0XzIwNjEyIj4KPHJlY3Qgd2lkdGg9IjI0IiBoZWlnaHQ9IjI0IiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=',
diff --git a/packages/core/src/sso/OktaSsoConnector/index.ts b/packages/core/src/sso/OktaSsoConnector/index.ts
index 1d96558bee2..ac3b8e45677 100644
--- a/packages/core/src/sso/OktaSsoConnector/index.ts
+++ b/packages/core/src/sso/OktaSsoConnector/index.ts
@@ -1,63 +1,16 @@
-import { SsoProviderName } from '@logto/schemas';
-import { conditional } from '@silverhand/essentials';
-import camelcaseKeys from 'camelcase-keys';
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
 
-import assertThat from '#src/utils/assert-that.js';
-
-import { fetchToken, getUserInfo, getIdTokenClaims } from '../OidcConnector/utils.js';
 import { OidcSsoConnector } from '../OidcSsoConnector/index.js';
 import { type SingleSignOnFactory } from '../index.js';
-import { SsoConnectorError, SsoConnectorErrorCodes } from '../types/error.js';
 import { basicOidcConnectorConfigGuard } from '../types/oidc.js';
-import { type ExtendedSocialUserInfo } from '../types/saml.js';
-import { type SingleSignOnConnectorSession } from '../types/session.js';
 
 import { logoBase64, logoDarkBase64 } from './consts.js';
 
-export class OktaSsoConnector extends OidcSsoConnector {
-  /**
-   * Override the getUserInfo method from the OidcSsoConnector class
-   *
-   * @remark Okta's IdToken does not include the sufficient user claims like email_verified, phone_verified, etc. {@link https://devforum.okta.com/t/email-verified-claim/3516/2}
-   * This method will fetch the user info from the userinfo endpoint instead.
-   */
-  override async getUserInfo(
-    connectorSession: SingleSignOnConnectorSession,
-    data: unknown
-  ): Promise<ExtendedSocialUserInfo> {
-    const oidcConfig = await this.getOidcConfig();
-    const { nonce, redirectUri } = connectorSession;
-
-    // Fetch token from the OIDC provider using authorization code
-    const { idToken, accessToken } = await fetchToken(oidcConfig, data, redirectUri);
-
-    assertThat(
-      accessToken,
-      new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
-        message: 'The access token is missing from the response.',
-      })
-    );
-
-    // Verify the id token and get the user id
-    const { sub: id } = await getIdTokenClaims(idToken, oidcConfig, nonce);
-
-    // Fetch user info from the userinfo endpoint
-    const { sub, name, picture, email, email_verified, phone, phone_verified, ...rest } =
-      await getUserInfo(accessToken, oidcConfig.userinfoEndpoint);
-
-    return {
-      id,
-      ...conditional(name && { name }),
-      ...conditional(picture && { avatar: picture }),
-      ...conditional(email && email_verified && { email }),
-      ...conditional(phone && phone_verified && { phone }),
-      ...camelcaseKeys(rest),
-    };
-  }
-}
+export class OktaSsoConnector extends OidcSsoConnector {}
 
 export const oktaSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.OKTA> = {
   providerName: SsoProviderName.OKTA,
+  providerType: SsoProviderType.OIDC,
   logo: logoBase64,
   logoDark: logoDarkBase64,
   description: {
diff --git a/packages/core/src/sso/SamlSsoConnector/index.ts b/packages/core/src/sso/SamlSsoConnector/index.ts
index d073dae5fd6..d6ff8434194 100644
--- a/packages/core/src/sso/SamlSsoConnector/index.ts
+++ b/packages/core/src/sso/SamlSsoConnector/index.ts
@@ -1,4 +1,4 @@
-import { SsoProviderName } from '@logto/schemas';
+import { SsoProviderName, SsoProviderType } from '@logto/schemas';
 import { conditional, trySafe } from '@silverhand/essentials';
 
 import RequestError from '#src/errors/RequestError/index.js';
@@ -6,7 +6,7 @@ import assertThat from '#src/utils/assert-that.js';
 
 import SamlConnector from '../SamlConnector/index.js';
 import { type SingleSignOnFactory } from '../index.js';
-import { type SingleSignOn, type SingleSignOnConnectorData } from '../types/index.js';
+import { type SingleSignOn, type SingleSignOnConnectorData } from '../types/connector.js';
 import {
   defaultAttributeMapping,
   samlConnectorConfigGuard,
@@ -105,6 +105,7 @@ export class SamlSsoConnector extends SamlConnector implements SingleSignOn {
 
 export const samlSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.SAML> = {
   providerName: SsoProviderName.SAML,
+  providerType: SsoProviderType.SAML,
   logo: 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTAgMjAuMDk4OEMwIDE3LjQ2MzIgMi41MTQzNCA3LjYzMDE1IDcuNzEyOTEgMS4wNDEwMkM0LjA0MzMzIDcuOTY4MDYgMS45MDg3MSAxMi42NTgzIDMuNDY1NzEgMTYuMzE0M0M0LjY4ODkxIDE5LjE4NjUgMTAuOTc0OCAxOC4yNzQxIDE0LjM3MjUgMTcuMTI1M0M4LjMyNDUxIDE5Ljg2MjMgMi4xMTc5NCAyMC4yMzQgMCAyMC4wOTg4WiIgZmlsbD0iI0MxMjcyRCIvPgo8cGF0aCBkPSJNMTEuMjYwNSAwLjc1QzEzLjU1NTcgMi4wNjc4MyAyMC44NjEzIDkuMTQ5ODMgMjQgMTYuOTIxN0MxOS44MDI2IDEwLjI5NzcgMTYuNzg1NSA2LjExNDE2IDEyLjgyMzMgNS42MjcxM0M5LjcxMDU1IDUuMjQ0NTIgNy4zNjIxMSAxMS4xMTQ0IDYuNjYzNyAxNC42MTUyQzcuMzA0MjQgOC4wMzc4IDEwLjA4MzggMi41MDY1IDExLjI2MDUgMC43NVoiIGZpbGw9IiNDMTI3MkQiLz4KPHBhdGggZD0iTTIyLjUzMiAyMC4wNzUyQzIwLjIzNjggMjEuMzkzMSAxMC40MTY4IDI0LjE0NDEgMi4wNzk1OSAyMi45NjE0QzkuOTQ2NiAyMi42NTgzIDE1LjA5ODMgMjIuMTUxNiAxNy41MDM1IDE4Ljk4MjZDMTkuMzkzMSAxNi40OTMxIDE1LjQ1NTYgMTEuNTM1NSAxMi43NTYzIDkuMTgzNTlDMTguMTYzOCAxMy4wMjQgMjEuNTkwNyAxOC4xODM2IDIyLjUzMiAyMC4wNzUyWiIgZmlsbD0iI0MxMjcyRCIvPgo8L3N2Zz4K',
   logoDark:
     'data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTAgMjAuMDk4OEMwIDE3LjQ2MzIgMi41MTQzNCA3LjYzMDE1IDcuNzEyOTEgMS4wNDEwMkM0LjA0MzMzIDcuOTY4MDYgMS45MDg3MSAxMi42NTgzIDMuNDY1NzEgMTYuMzE0M0M0LjY4ODkxIDE5LjE4NjUgMTAuOTc0OCAxOC4yNzQxIDE0LjM3MjUgMTcuMTI1M0M4LjMyNDUxIDE5Ljg2MjMgMi4xMTc5NCAyMC4yMzQgMCAyMC4wOTg4WiIgZmlsbD0iI0MxMjcyRCIvPgo8cGF0aCBkPSJNMTEuMjYwNSAwLjc1QzEzLjU1NTcgMi4wNjc4MyAyMC44NjEzIDkuMTQ5ODMgMjQgMTYuOTIxN0MxOS44MDI2IDEwLjI5NzcgMTYuNzg1NSA2LjExNDE2IDEyLjgyMzMgNS42MjcxM0M5LjcxMDU1IDUuMjQ0NTIgNy4zNjIxMSAxMS4xMTQ0IDYuNjYzNyAxNC42MTUyQzcuMzA0MjQgOC4wMzc4IDEwLjA4MzggMi41MDY1IDExLjI2MDUgMC43NVoiIGZpbGw9IiNDMTI3MkQiLz4KPHBhdGggZD0iTTIyLjUzMTkgMjAuMDc1MkMyMC4yMzY3IDIxLjM5MzEgMTAuNDE2NyAyNC4xNDQxIDIuMDc5NDcgMjIuOTYxNEM5Ljk0NjQ4IDIyLjY1ODMgMTUuMDk4MSAyMi4xNTE2IDE3LjUwMzQgMTguOTgyNkMxOS4zOTI5IDE2LjQ5MzEgMTUuNDU1NSAxMS41MzU1IDEyLjc1NjIgOS4xODM1OUMxOC4xNjM2IDEzLjAyNCAyMS41OTA2IDE4LjE4MzYgMjIuNTMxOSAyMC4wNzUyWiIgZmlsbD0iI0MxMjcyRCIvPgo8L3N2Zz4K',
diff --git a/packages/core/src/sso/index.ts b/packages/core/src/sso/index.ts
index 28864642b05..92155889d7e 100644
--- a/packages/core/src/sso/index.ts
+++ b/packages/core/src/sso/index.ts
@@ -1,46 +1,15 @@
-import { type I18nPhrases } from '@logto/connector-kit';
 import { SsoProviderName } from '@logto/schemas';
 
-import {
-  type AzureAdSsoConnector,
-  azureAdSsoConnectorFactory,
-} from './AzureAdSsoConnector/index.js';
-import {
-  type GoogleWorkspaceSsoConnector,
-  googleWorkSpaceSsoConnectorFactory,
-  type googleWorkspaceSsoConnectorConfigGuard,
-} from './GoogleWorkspaceSsoConnector/index.js';
-import { oidcSsoConnectorFactory, type OidcSsoConnector } from './OidcSsoConnector/index.js';
-import { oktaSsoConnectorFactory, type OktaSsoConnector } from './OktaSsoConnector/index.js';
-import { type SamlSsoConnector, samlSsoConnectorFactory } from './SamlSsoConnector/index.js';
-import { type basicOidcConnectorConfigGuard } from './types/oidc.js';
-import { type samlConnectorConfigGuard } from './types/saml.js';
+import { azureAdSsoConnectorFactory } from './AzureAdSsoConnector/index.js';
+import { azureOidcSsoConnectorFactory } from './AzureOidcSsoConnector/index.js';
+import { googleWorkSpaceSsoConnectorFactory } from './GoogleWorkspaceSsoConnector/index.js';
+import { oidcSsoConnectorFactory } from './OidcSsoConnector/index.js';
+import { oktaSsoConnectorFactory } from './OktaSsoConnector/index.js';
+import { samlSsoConnectorFactory } from './SamlSsoConnector/index.js';
+import { type SingleSignOnFactory } from './types/index.js';
 
-type SingleSignOnConstructor = {
-  [SsoProviderName.OIDC]: typeof OidcSsoConnector;
-  [SsoProviderName.SAML]: typeof SamlSsoConnector;
-  [SsoProviderName.AZURE_AD]: typeof AzureAdSsoConnector;
-  [SsoProviderName.GOOGLE_WORKSPACE]: typeof GoogleWorkspaceSsoConnector;
-  [SsoProviderName.OKTA]: typeof OktaSsoConnector;
-};
-
-export type SingleSignOnConnectorConfig = {
-  [SsoProviderName.OIDC]: typeof basicOidcConnectorConfigGuard;
-  [SsoProviderName.SAML]: typeof samlConnectorConfigGuard;
-  [SsoProviderName.AZURE_AD]: typeof samlConnectorConfigGuard;
-  [SsoProviderName.GOOGLE_WORKSPACE]: typeof googleWorkspaceSsoConnectorConfigGuard;
-  [SsoProviderName.OKTA]: typeof basicOidcConnectorConfigGuard;
-};
-
-export type SingleSignOnFactory<T extends SsoProviderName> = {
-  providerName: T;
-  logo: string;
-  logoDark: string;
-  description: I18nPhrases;
-  name: I18nPhrases; // This `name` is for console and experience display use, while `providerName` is for internal use.
-  configGuard: SingleSignOnConnectorConfig[T];
-  constructor: SingleSignOnConstructor[T];
-};
+export { type SingleSignOnConnectorConfig, type SingleSignOnFactory } from './types/index.js';
+export * from './types/session.js';
 
 export const ssoConnectorFactories: {
   [key in SsoProviderName]: SingleSignOnFactory<key>;
@@ -48,6 +17,7 @@ export const ssoConnectorFactories: {
   [SsoProviderName.OIDC]: oidcSsoConnectorFactory,
   [SsoProviderName.SAML]: samlSsoConnectorFactory,
   [SsoProviderName.AZURE_AD]: azureAdSsoConnectorFactory,
+  [SsoProviderName.AZURE_AD_OIDC]: azureOidcSsoConnectorFactory,
   [SsoProviderName.GOOGLE_WORKSPACE]: googleWorkSpaceSsoConnectorFactory,
   [SsoProviderName.OKTA]: oktaSsoConnectorFactory,
 };
diff --git a/packages/core/src/sso/types/connector.ts b/packages/core/src/sso/types/connector.ts
new file mode 100644
index 00000000000..ab83215f55c
--- /dev/null
+++ b/packages/core/src/sso/types/connector.ts
@@ -0,0 +1,20 @@
+import { type SsoProviderName, type JsonObject, type SsoConnector } from '@logto/schemas';
+
+// Pick the required fields from SsoConnector Schema
+// providerName must be supported by the SSO connector factories
+export type SingleSignOnConnectorData = Pick<SsoConnector, 'config' | 'id'> & {
+  providerName: SsoProviderName;
+};
+
+/**
+ * Single sign-on connector interface
+ * @interface SingleSignOn
+ *
+ * @property {SsoConnector} data - SSO connector data schema
+ * @method {getConfig} getConfig - Get the full-list of SSO config from the SSO provider
+ */
+export abstract class SingleSignOn {
+  abstract data: SingleSignOnConnectorData;
+  abstract getConfig: () => Promise<JsonObject>;
+  abstract getIssuer: () => Promise<string>;
+}
diff --git a/packages/core/src/sso/types/index.ts b/packages/core/src/sso/types/index.ts
index 50684b1b0ef..5273845c4cd 100644
--- a/packages/core/src/sso/types/index.ts
+++ b/packages/core/src/sso/types/index.ts
@@ -1,22 +1,44 @@
-import { type SsoProviderName, type JsonObject, type SsoConnector } from '@logto/schemas';
+import { type I18nPhrases } from '@logto/connector-kit';
+import { type SsoProviderType, type SsoProviderName } from '@logto/schemas';
 
-export * from './session.js';
+import { type AzureAdSsoConnector } from '../AzureAdSsoConnector/index.js';
+import { type AzureOidcSsoConnector } from '../AzureOidcSsoConnector/index.js';
+import {
+  type googleWorkspaceSsoConnectorConfigGuard,
+  type GoogleWorkspaceSsoConnector,
+} from '../GoogleWorkspaceSsoConnector/index.js';
+import { type OidcSsoConnector } from '../OidcSsoConnector/index.js';
+import { type OktaSsoConnector } from '../OktaSsoConnector/index.js';
+import { type SamlSsoConnector } from '../SamlSsoConnector/index.js';
 
-/**
- * Single sign-on connector interface
- * @interface SingleSignOn
- *
- * @property {SsoConnector} data - SSO connector data schema
- * @method {getConfig} getConfig - Get the full-list of SSO config from the SSO provider
- */
-export abstract class SingleSignOn {
-  abstract data: SingleSignOnConnectorData;
-  abstract getConfig: () => Promise<JsonObject>;
-  abstract getIssuer: () => Promise<string>;
-}
+import { type basicOidcConnectorConfigGuard } from './oidc.js';
+import { type samlConnectorConfigGuard } from './saml.js';
 
-// Pick the required fields from SsoConnector Schema
-// providerName must be supported by the SSO connector factories
-export type SingleSignOnConnectorData = Pick<SsoConnector, 'config' | 'id'> & {
-  providerName: SsoProviderName;
+type SingleSignOnConstructor = {
+  [SsoProviderName.OIDC]: typeof OidcSsoConnector;
+  [SsoProviderName.SAML]: typeof SamlSsoConnector;
+  [SsoProviderName.AZURE_AD]: typeof AzureAdSsoConnector;
+  [SsoProviderName.GOOGLE_WORKSPACE]: typeof GoogleWorkspaceSsoConnector;
+  [SsoProviderName.OKTA]: typeof OktaSsoConnector;
+  [SsoProviderName.AZURE_AD_OIDC]: typeof AzureOidcSsoConnector;
+};
+
+export type SingleSignOnConnectorConfig = {
+  [SsoProviderName.OIDC]: typeof basicOidcConnectorConfigGuard;
+  [SsoProviderName.SAML]: typeof samlConnectorConfigGuard;
+  [SsoProviderName.AZURE_AD]: typeof samlConnectorConfigGuard;
+  [SsoProviderName.GOOGLE_WORKSPACE]: typeof googleWorkspaceSsoConnectorConfigGuard;
+  [SsoProviderName.OKTA]: typeof basicOidcConnectorConfigGuard;
+  [SsoProviderName.AZURE_AD_OIDC]: typeof basicOidcConnectorConfigGuard;
+};
+
+export type SingleSignOnFactory<T extends SsoProviderName> = {
+  providerName: T;
+  providerType: SsoProviderType;
+  logo: string;
+  logoDark: string;
+  description: I18nPhrases;
+  name: I18nPhrases; // This `name` is for console and experience display use, while `providerName` is for internal use.
+  configGuard: SingleSignOnConnectorConfig[T];
+  constructor: SingleSignOnConstructor[T];
 };
diff --git a/packages/core/src/sso/types/session.ts b/packages/core/src/sso/types/session.ts
index 71913831ea2..077d2908665 100644
--- a/packages/core/src/sso/types/session.ts
+++ b/packages/core/src/sso/types/session.ts
@@ -29,16 +29,8 @@ export const singleSignOnConnectorSessionGuard = z.object({
 
 export type SingleSignOnConnectorSession = z.infer<typeof singleSignOnConnectorSessionGuard>;
 
-export const samlConnectorAssertionSessionGuard = z.object({
-  state: z.string(),
-  redirectUri: z.string(),
-  connectorId: z.string(),
-});
-
 export type CreateSingleSignOnSession = (storage: SingleSignOnConnectorSession) => Promise<void>;
 
-export type GetSingleSignOnSession = () => Promise<SingleSignOnConnectorSession>;
-
 /**
  * Single sign on interaction identifier session
  *
diff --git a/packages/core/src/tenants/Libraries.ts b/packages/core/src/tenants/Libraries.ts
index b14f68d4eff..12a70374847 100644
--- a/packages/core/src/tenants/Libraries.ts
+++ b/packages/core/src/tenants/Libraries.ts
@@ -3,12 +3,14 @@ import { type CloudConnectionLibrary } from '#src/libraries/cloud-connection.js'
 import type { ConnectorLibrary } from '#src/libraries/connector.js';
 import { createDomainLibrary } from '#src/libraries/domain.js';
 import { createHookLibrary } from '#src/libraries/hook/index.js';
+import { createJwtCustomizerLibrary } from '#src/libraries/jwt-customizer.js';
 import { OrganizationInvitationLibrary } from '#src/libraries/organization-invitation.js';
 import { createPasscodeLibrary } from '#src/libraries/passcode.js';
 import { createPhraseLibrary } from '#src/libraries/phrase.js';
 import { createProtectedAppLibrary } from '#src/libraries/protected-app.js';
 import { createQuotaLibrary } from '#src/libraries/quota.js';
 import { createRoleScopeLibrary } from '#src/libraries/role-scope.js';
+import { createScopeLibrary } from '#src/libraries/scope.js';
 import { createSignInExperienceLibrary } from '#src/libraries/sign-in-experience/index.js';
 import { createSocialLibrary } from '#src/libraries/social.js';
 import { createSsoConnectorLibrary } from '#src/libraries/sso-connector.js';
@@ -21,7 +23,9 @@ export default class Libraries {
   users = createUserLibrary(this.queries);
   phrases = createPhraseLibrary(this.queries);
   hooks = createHookLibrary(this.queries);
+  scopes = createScopeLibrary(this.queries);
   socials = createSocialLibrary(this.queries, this.connectors);
+  jwtCustomizers = createJwtCustomizerLibrary(this.queries, this.users, this.scopes);
   passcodes = createPasscodeLibrary(this.queries, this.connectors);
   applications = createApplicationLibrary(this.queries);
   verificationStatuses = createVerificationStatusLibrary(this.queries);
diff --git a/packages/core/src/tenants/Queries.ts b/packages/core/src/tenants/Queries.ts
index a5528235687..12f66addacc 100644
--- a/packages/core/src/tenants/Queries.ts
+++ b/packages/core/src/tenants/Queries.ts
@@ -1,4 +1,4 @@
-import type { CommonQueryMethods } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
 
 import { type WellKnownCache } from '#src/caches/well-known.js';
 import createApplicationSignInExperienceQueries from '#src/queries/application-sign-in-experience.js';
diff --git a/packages/core/src/tenants/SystemContex.test.ts b/packages/core/src/tenants/SystemContex.test.ts
index b83b79c8370..a92edc6ab6e 100644
--- a/packages/core/src/tenants/SystemContex.test.ts
+++ b/packages/core/src/tenants/SystemContex.test.ts
@@ -1,6 +1,6 @@
 import { CloudflareKey, StorageProviderKey } from '@logto/schemas';
 import { createMockUtils, pickDefault } from '@logto/shared/esm';
-import { createMockPool } from 'slonik';
+import { createMockPool } from '@silverhand/slonik';
 
 import { mockHostnameProviderData, mockStorageProviderData } from '#src/__mocks__/system.js';
 
diff --git a/packages/core/src/tenants/SystemContext.ts b/packages/core/src/tenants/SystemContext.ts
index 7714080fbd9..2c9661aa9f9 100644
--- a/packages/core/src/tenants/SystemContext.ts
+++ b/packages/core/src/tenants/SystemContext.ts
@@ -9,7 +9,7 @@ import {
   type ProtectedAppConfigProviderData,
   protectedAppConfigProviderDataGuard,
 } from '@logto/schemas';
-import type { CommonQueryMethods } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
 import { type ZodType } from 'zod';
 
 import { createSystemsQuery } from '#src/queries/system.js';
diff --git a/packages/core/src/tenants/Tenant.ts b/packages/core/src/tenants/Tenant.ts
index 4963febf471..e911a5a5110 100644
--- a/packages/core/src/tenants/Tenant.ts
+++ b/packages/core/src/tenants/Tenant.ts
@@ -1,4 +1,4 @@
-import { adminTenantId } from '@logto/schemas';
+import { adminTenantId, experience } from '@logto/schemas';
 import type { MiddlewareType } from 'koa';
 import Koa from 'koa';
 import compose from 'koa-compose';
@@ -25,7 +25,6 @@ import koaSpaProxy from '#src/middleware/koa-spa-proxy.js';
 import koaSpaSessionGuard from '#src/middleware/koa-spa-session-guard.js';
 import initOidc from '#src/oidc/init.js';
 import { mountCallbackRouter } from '#src/routes/callback.js';
-import { routes } from '#src/routes/consts.js';
 import initApis from '#src/routes/init.js';
 import initMeApis from '#src/routes-me/init.js';
 import BasicSentinel from '#src/sentinel/basic-sentinel.js';
@@ -36,10 +35,11 @@ import type TenantContext from './TenantContext.js';
 import { getTenantDatabaseDsn } from './utils.js';
 
 export default class Tenant implements TenantContext {
-  static async create(id: string, redisCache: RedisCache): Promise<Tenant> {
+  static async create(id: string, redisCache: RedisCache, customDomain?: string): Promise<Tenant> {
     // Treat the default database URL as the management URL
     const envSet = new EnvSet(id, await getTenantDatabaseDsn(id));
-    await envSet.load();
+    // Custom endpoint is used for building OIDC issuer URL when the request is a custom domain
+    await envSet.load(customDomain);
 
     return new Tenant(envSet, id, new WellKnownCache(id, redisCache));
   }
@@ -86,7 +86,7 @@ export default class Tenant implements TenantContext {
     app.use(koaSecurityHeaders(mountedApps, id));
 
     // Mount OIDC
-    const provider = initOidc(envSet, queries, libraries);
+    const provider = initOidc(envSet, queries, libraries, logtoConfigs, cloudConnection);
     app.use(mount('/oidc', provider.app));
 
     const tenantContext: TenantContext = {
@@ -146,7 +146,7 @@ export default class Tenant implements TenantContext {
     app.use(
       compose([
         koaSpaSessionGuard(provider, queries),
-        mount(`${routes.consent}`, koaAutoConsent(provider, queries)),
+        mount(`/${experience.routes.consent}`, koaAutoConsent(provider, queries)),
         koaSpaProxy(mountedApps),
       ])
     );
diff --git a/packages/core/src/tenants/index.ts b/packages/core/src/tenants/index.ts
index 31d7586e16a..5225a2d6cbd 100644
--- a/packages/core/src/tenants/index.ts
+++ b/packages/core/src/tenants/index.ts
@@ -15,8 +15,9 @@ export class TenantPool {
     },
   });
 
-  async get(tenantId: string): Promise<Tenant> {
-    const tenantPromise = this.cache.get(tenantId);
+  async get(tenantId: string, customDomain?: string): Promise<Tenant> {
+    const cacheKey = `${tenantId}-${customDomain ?? 'default'}`;
+    const tenantPromise = this.cache.get(cacheKey);
 
     if (tenantPromise) {
       const tenant = await tenantPromise;
@@ -27,9 +28,9 @@ export class TenantPool {
       // Otherwise, create a new tenant instance and store in LRU cache, using the code below.
     }
 
-    consoleLog.info('Init tenant:', tenantId);
-    const newTenantPromise = Tenant.create(tenantId, redisCache);
-    this.cache.set(tenantId, newTenantPromise);
+    consoleLog.info('Init tenant:', tenantId, customDomain);
+    const newTenantPromise = Tenant.create(tenantId, redisCache, customDomain);
+    this.cache.set(cacheKey, newTenantPromise);
 
     return newTenantPromise;
   }
diff --git a/packages/core/src/tenants/utils.ts b/packages/core/src/tenants/utils.ts
index 64aa2ac8584..f5491da367d 100644
--- a/packages/core/src/tenants/utils.ts
+++ b/packages/core/src/tenants/utils.ts
@@ -2,8 +2,8 @@ import { ServiceLogs, Systems } from '@logto/schemas';
 import { Tenants } from '@logto/schemas/models';
 import { isKeyInObject } from '@logto/shared';
 import { conditional, conditionalString } from '@silverhand/essentials';
-import type { CommonQueryMethods } from 'slonik';
-import { parseDsn, sql, stringifyDsn } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { parseDsn, sql, stringifyDsn } from '@silverhand/slonik';
 import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
diff --git a/packages/core/src/test-utils/tenant.ts b/packages/core/src/test-utils/tenant.ts
index 0310f5ab5fc..720142c23b4 100644
--- a/packages/core/src/test-utils/tenant.ts
+++ b/packages/core/src/test-utils/tenant.ts
@@ -1,6 +1,6 @@
 import { type Sentinel } from '@logto/schemas';
 import { TtlCache } from '@logto/shared';
-import { createMockPool, createMockQueryResult } from 'slonik';
+import { createMockPool, createMockQueryResult } from '@silverhand/slonik';
 
 import { WellKnownCache } from '#src/caches/well-known.js';
 import type { CloudConnectionLibrary } from '#src/libraries/cloud-connection.js';
diff --git a/packages/core/src/utils/RelationQueries.ts b/packages/core/src/utils/RelationQueries.ts
index 7273f6c1862..739a7cec113 100644
--- a/packages/core/src/utils/RelationQueries.ts
+++ b/packages/core/src/utils/RelationQueries.ts
@@ -1,19 +1,21 @@
-import { type Table, conditionalSql } from '@logto/shared';
+import { type SchemaLike, type Table } from '@logto/shared';
 import { type KeysToCamelCase } from '@silverhand/essentials';
-import { sql, type CommonQueryMethods } from 'slonik';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 import snakecaseKeys from 'snakecase-keys';
 import { type z } from 'zod';
 
 import { expandFields } from '#src/database/utils.js';
 import { DeletionError } from '#src/errors/SlonikError/index.js';
 
+import { conditionalSql } from './sql.js';
+
 type AtLeast2<T extends unknown[]> = `${T['length']}` extends '0' | '1' ? never : T;
 
 type TableInfo<
   TableName extends string,
   TableSingular extends string,
   Key extends string,
-  Schema,
+  Schema extends SchemaLike<string>,
 > = Table<Key, TableName> & {
   tableSingular: TableSingular;
   guard: z.ZodType<Schema, z.ZodTypeDef, unknown>;
@@ -72,7 +74,7 @@ export type GetEntitiesOptions = {
  * group with the id `group-id-1`.
  */
 export default class RelationQueries<
-  Schemas extends Array<TableInfo<string, string, string, unknown>>,
+  Schemas extends Array<TableInfo<string, string, string, SchemaLike<string>>>,
   Length = AtLeast2<Schemas>['length'],
 > {
   protected get table() {
@@ -265,8 +267,8 @@ export default class RelationQueries<
  * @see {@link RelationQueries} for more information.
  */
 export class TwoRelationsQueries<
-  Schema1 extends TableInfo<string, string, string, unknown>,
-  Schema2 extends TableInfo<string, string, string, unknown>,
+  Schema1 extends TableInfo<string, string, string, SchemaLike<string>>,
+  Schema2 extends TableInfo<string, string, string, SchemaLike<string>>,
 > extends RelationQueries<[Schema1, Schema2]> {
   /**
    * Replace all relations for a specific `Schema1` entity with the given `Schema2` entities.
diff --git a/packages/core/src/utils/SchemaQueries.ts b/packages/core/src/utils/SchemaQueries.ts
index f9c48177897..20d11405057 100644
--- a/packages/core/src/utils/SchemaQueries.ts
+++ b/packages/core/src/utils/SchemaQueries.ts
@@ -1,6 +1,6 @@
 import { type GeneratedSchema } from '@logto/schemas';
-import { type UpdateWhereData, type OmitAutoSetFields, type SchemaLike } from '@logto/shared';
-import { type CommonQueryMethods } from 'slonik';
+import { type UpdateWhereData, type SchemaLike } from '@logto/shared';
+import { type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildDeleteByIdWithPool } from '#src/database/delete-by-id.js';
 import { buildFindAllEntitiesWithPool } from '#src/database/find-all-entities.js';
@@ -13,6 +13,8 @@ import { buildGetTotalRowCountWithPool } from '#src/database/row-count.js';
 import { buildUpdateWhereWithPool } from '#src/database/update-where.js';
 import { type SearchOptions } from '#src/database/utils.js';
 
+import { type OmitAutoSetFields } from './sql.js';
+
 /**
  * Query class that contains all the necessary CRUD queries for a schema. It is
  * designed to be used with a SchemaRouter. You can also extend this class to add
diff --git a/packages/core/src/utils/password.ts b/packages/core/src/utils/password.ts
index 27a809cc51c..e5eb462016e 100644
--- a/packages/core/src/utils/password.ts
+++ b/packages/core/src/utils/password.ts
@@ -11,7 +11,6 @@ export const encryptPassword = async (
   method: UsersPasswordEncryptionMethod
 ): Promise<string> => {
   assertThat(
-    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
     method === UsersPasswordEncryptionMethod.Argon2i,
     new RequestError({ code: 'password.unsupported_encryption_method', method })
   );
diff --git a/packages/core/src/utils/saml-assertion-handler.ts b/packages/core/src/utils/saml-assertion-handler.ts
index 507228625af..a08c4832dde 100644
--- a/packages/core/src/utils/saml-assertion-handler.ts
+++ b/packages/core/src/utils/saml-assertion-handler.ts
@@ -10,7 +10,7 @@ import {
 import {
   type SingleSignOnConnectorSession,
   singleSignOnConnectorSessionGuard,
-} from '#src/sso/types/index.js';
+} from '#src/sso/index.js';
 import { type ExtendedSocialUserInfo } from '#src/sso/types/saml.js';
 
 import assertThat from './assert-that.js';
diff --git a/packages/core/src/utils/search.test.ts b/packages/core/src/utils/search.test.ts
index 4d5d4786a89..67597e59020 100644
--- a/packages/core/src/utils/search.test.ts
+++ b/packages/core/src/utils/search.test.ts
@@ -1,6 +1,6 @@
 import { SearchJointMode, SearchMatchMode } from '@logto/schemas';
-import type { ListSqlToken, TaggedTemplateLiteralInvocation } from 'slonik';
-import { sql } from 'slonik';
+import type { ListSqlToken, TaggedTemplateLiteralInvocation } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 // Will add `params` to the exception list
 
diff --git a/packages/core/src/utils/search.ts b/packages/core/src/utils/search.ts
index f3c56ca93ff..414c2fe8ffd 100644
--- a/packages/core/src/utils/search.ts
+++ b/packages/core/src/utils/search.ts
@@ -1,7 +1,7 @@
 import { SearchJointMode, SearchMatchMode } from '@logto/schemas';
 import type { Nullable, Optional } from '@silverhand/essentials';
 import { yes, conditionalString, cond } from '@silverhand/essentials';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 import { snakeCase } from 'snake-case';
 
 import { type SearchOptions } from '#src/database/utils.js';
diff --git a/packages/shared/src/database/sql.test.ts b/packages/core/src/utils/sql.test.ts
similarity index 96%
rename from packages/shared/src/database/sql.test.ts
rename to packages/core/src/utils/sql.test.ts
index 6fb0b88f23c..09fbe4d6023 100644
--- a/packages/shared/src/database/sql.test.ts
+++ b/packages/core/src/utils/sql.test.ts
@@ -1,5 +1,6 @@
-import { sql } from 'slonik';
-import { SqlToken } from 'slonik/dist/src/tokens.js';
+import type { Table } from '@logto/shared';
+import { sql } from '@silverhand/slonik';
+import { SqlToken } from '@silverhand/slonik/dist/src/tokens.js';
 
 import {
   excludeAutoSetFields,
@@ -9,7 +10,6 @@ import {
   convertToTimestamp,
   conditionalSql,
 } from './sql.js';
-import type { Table } from './types.js';
 
 const { jest } = import.meta;
 
diff --git a/packages/shared/src/database/sql.ts b/packages/core/src/utils/sql.ts
similarity index 87%
rename from packages/shared/src/database/sql.ts
rename to packages/core/src/utils/sql.ts
index 028bd4980c7..3b2cd256d9d 100644
--- a/packages/shared/src/database/sql.ts
+++ b/packages/core/src/utils/sql.ts
@@ -1,12 +1,12 @@
+import type { SchemaValue, SchemaValuePrimitive, Table } from '@logto/shared';
 import type { Falsy } from '@silverhand/essentials';
 import { notFalsy } from '@silverhand/essentials';
-import type { SqlSqlToken, SqlToken, QueryResult, IdentifierSqlToken } from 'slonik';
-import { sql } from 'slonik';
-
-import type { FieldIdentifiers, SchemaValue, SchemaValuePrimitive, Table } from './types.js';
+import type { SqlSqlToken, SqlToken, IdentifierSqlToken, QueryResult } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 export const conditionalSql = <T>(value: T, buildSql: (value: Exclude<T, Falsy>) => SqlSqlToken) =>
   notFalsy(value) ? buildSql(value) : sql``;
+
 export const conditionalArraySql = <T>(
   value: T[],
   buildSql: (value: Exclude<T[], Falsy>) => SqlSqlToken
@@ -14,7 +14,8 @@ export const conditionalArraySql = <T>(
 
 export const autoSetFields = Object.freeze(['tenantId', 'createdAt', 'updatedAt'] as const);
 export type OmitAutoSetFields<T> = Omit<T, (typeof autoSetFields)[number]>;
-export type ExcludeAutoSetFields<T> = Exclude<T, (typeof autoSetFields)[number]>;
+type ExcludeAutoSetFields<T> = Exclude<T, (typeof autoSetFields)[number]>;
+
 export const excludeAutoSetFields = <T extends string>(fields: readonly T[]) =>
   Object.freeze(
     fields.filter(
@@ -33,10 +34,10 @@ export const excludeAutoSetFields = <T extends string>(fields: readonly T[]) =>
  * @param value The value to convert.
  * @returns A primitive that can be saved into database.
  */
-
 export const convertToPrimitiveOrSql = (
   key: string,
   value: SchemaValue
+  // eslint-disable-next-line @typescript-eslint/ban-types
 ): NonNullable<SchemaValuePrimitive> | SqlToken | null => {
   if (value === null) {
     return null;
@@ -68,6 +69,10 @@ export const convertToPrimitiveOrSql = (
   throw new Error(`Cannot convert ${key} to primitive`);
 };
 
+type FieldIdentifiers<Key extends string> = {
+  [key in Key]: IdentifierSqlToken;
+};
+
 export const convertToIdentifiers = <Key extends string>(
   { table, fields }: Table<Key>,
   withPrefix = false
diff --git a/packages/core/src/utils/tenant.test.ts b/packages/core/src/utils/tenant.test.ts
index fac17554665..f91b2771bde 100644
--- a/packages/core/src/utils/tenant.test.ts
+++ b/packages/core/src/utils/tenant.test.ts
@@ -23,6 +23,11 @@ mockEsm('#src/queries/domains.js', () => ({
 
 const { getTenantId } = await import('./tenant.js');
 
+const getTenantIdFirstElement = async (url: URL) => {
+  const [tenantId] = await getTenantId(url);
+  return tenantId;
+};
+
 describe('getTenantId()', () => {
   const backupEnv = process.env;
 
@@ -37,7 +42,7 @@ describe('getTenantId()', () => {
       DEVELOPMENT_TENANT_ID: 'foo',
     };
 
-    await expect(getTenantId(new URL('https://some.random.url'))).resolves.toBe('foo');
+    await expect(getTenantIdFirstElement(new URL('https://some.random.url'))).resolves.toBe('foo');
 
     process.env = {
       ...backupEnv,
@@ -46,20 +51,22 @@ describe('getTenantId()', () => {
       DEVELOPMENT_TENANT_ID: 'bar',
     };
 
-    await expect(getTenantId(new URL('https://some.random.url'))).resolves.toBe('bar');
+    await expect(getTenantIdFirstElement(new URL('https://some.random.url'))).resolves.toBe('bar');
   });
 
   it('should resolve proper tenant ID for similar localhost endpoints', async () => {
-    await expect(getTenantId(new URL('http://localhost:3002/some/path////'))).resolves.toBe(
-      adminTenantId
-    );
-    await expect(getTenantId(new URL('http://localhost:30021/some/path'))).resolves.toBe(
-      defaultTenantId
-    );
-    await expect(getTenantId(new URL('http://localhostt:30021/some/path'))).resolves.toBe(
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:3002/some/path////'))
+    ).resolves.toBe(adminTenantId);
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:30021/some/path'))
+    ).resolves.toBe(defaultTenantId);
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhostt:30021/some/path'))
+    ).resolves.toBe(defaultTenantId);
+    await expect(getTenantIdFirstElement(new URL('https://localhost:3002'))).resolves.toBe(
       defaultTenantId
     );
-    await expect(getTenantId(new URL('https://localhost:3002'))).resolves.toBe(defaultTenantId);
   });
 
   it('should resolve proper tenant ID for similar domain endpoints', async () => {
@@ -69,24 +76,30 @@ describe('getTenantId()', () => {
       ENDPOINT: 'https://foo.*.logto.mock/app',
     };
 
-    await expect(getTenantId(new URL('https://foo.foo.logto.mock/app///asdasd'))).resolves.toBe(
-      'foo'
-    );
-    await expect(getTenantId(new URL('https://foo.*.logto.mock/app'))).resolves.toBe(undefined);
-    await expect(getTenantId(new URL('https://foo.foo.logto.mockk/app///asdasd'))).resolves.toBe(
-      undefined
-    );
-    await expect(getTenantId(new URL('https://foo.foo.logto.mock/appp'))).resolves.toBe(undefined);
-    await expect(getTenantId(new URL('https://foo.foo.logto.mock:1/app/'))).resolves.toBe(
+    await expect(
+      getTenantIdFirstElement(new URL('https://foo.foo.logto.mock/app///asdasd'))
+    ).resolves.toBe('foo');
+    await expect(getTenantIdFirstElement(new URL('https://foo.*.logto.mock/app'))).resolves.toBe(
       undefined
     );
-    await expect(getTenantId(new URL('http://foo.foo.logto.mock/app'))).resolves.toBe(undefined);
-    await expect(getTenantId(new URL('https://user.foo.bar.logto.mock/app'))).resolves.toBe(
+    await expect(
+      getTenantIdFirstElement(new URL('https://foo.foo.logto.mockk/app///asdasd'))
+    ).resolves.toBe(undefined);
+    await expect(getTenantIdFirstElement(new URL('https://foo.foo.logto.mock/appp'))).resolves.toBe(
       undefined
     );
-    await expect(getTenantId(new URL('https://foo.bar.bar.logto.mock/app'))).resolves.toBe(
+    await expect(
+      getTenantIdFirstElement(new URL('https://foo.foo.logto.mock:1/app/'))
+    ).resolves.toBe(undefined);
+    await expect(getTenantIdFirstElement(new URL('http://foo.foo.logto.mock/app'))).resolves.toBe(
       undefined
     );
+    await expect(
+      getTenantIdFirstElement(new URL('https://user.foo.bar.logto.mock/app'))
+    ).resolves.toBe(undefined);
+    await expect(
+      getTenantIdFirstElement(new URL('https://foo.bar.bar.logto.mock/app'))
+    ).resolves.toBe(undefined);
   });
 
   it('should resolve proper tenant ID if admin localhost is disabled', async () => {
@@ -99,17 +112,21 @@ describe('getTenantId()', () => {
       ADMIN_DISABLE_LOCALHOST: '1',
     };
 
-    await expect(getTenantId(new URL('http://localhost:5000/app///asdasd'))).resolves.toBe(
-      undefined
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:5000/app///asdasd'))
+    ).resolves.toBe(undefined);
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:3002/app///asdasd'))
+    ).resolves.toBe(undefined);
+    await expect(getTenantIdFirstElement(new URL('https://user.foo.logto.mock/app'))).resolves.toBe(
+      'foo'
     );
-    await expect(getTenantId(new URL('http://localhost:3002/app///asdasd'))).resolves.toBe(
-      undefined
+    await expect(
+      getTenantIdFirstElement(new URL('https://user.admin.logto.mock/app//'))
+    ).resolves.toBe(undefined); // Admin endpoint is explicitly set
+    await expect(getTenantIdFirstElement(new URL('https://admin.logto.mock/app'))).resolves.toBe(
+      adminTenantId
     );
-    await expect(getTenantId(new URL('https://user.foo.logto.mock/app'))).resolves.toBe('foo');
-    await expect(getTenantId(new URL('https://user.admin.logto.mock/app//'))).resolves.toBe(
-      undefined
-    ); // Admin endpoint is explicitly set
-    await expect(getTenantId(new URL('https://admin.logto.mock/app'))).resolves.toBe(adminTenantId);
 
     process.env = {
       ...backupEnv,
@@ -118,9 +135,9 @@ describe('getTenantId()', () => {
       ENDPOINT: 'https://user.*.logto.mock/app',
       ADMIN_DISABLE_LOCALHOST: '1',
     };
-    await expect(getTenantId(new URL('https://user.admin.logto.mock/app//'))).resolves.toBe(
-      'admin'
-    );
+    await expect(
+      getTenantIdFirstElement(new URL('https://user.admin.logto.mock/app//'))
+    ).resolves.toBe('admin');
   });
 
   it('should resolve proper tenant ID for path-based multi-tenancy', async () => {
@@ -132,16 +149,24 @@ describe('getTenantId()', () => {
       PATH_BASED_MULTI_TENANCY: '1',
     };
 
-    await expect(getTenantId(new URL('http://localhost:5000/app///asdasd'))).resolves.toBe('app');
-    await expect(getTenantId(new URL('http://localhost:3002///bar///asdasd'))).resolves.toBe(
-      adminTenantId
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:5000/app///asdasd'))
+    ).resolves.toBe('app');
+    await expect(
+      getTenantIdFirstElement(new URL('http://localhost:3002///bar///asdasd'))
+    ).resolves.toBe(adminTenantId);
+    await expect(getTenantIdFirstElement(new URL('https://user.foo.logto.mock/app'))).resolves.toBe(
+      undefined
     );
-    await expect(getTenantId(new URL('https://user.foo.logto.mock/app'))).resolves.toBe(undefined);
-    await expect(getTenantId(new URL('https://user.admin.logto.mock/app//'))).resolves.toBe(
+    await expect(
+      getTenantIdFirstElement(new URL('https://user.admin.logto.mock/app//'))
+    ).resolves.toBe(undefined);
+    await expect(getTenantIdFirstElement(new URL('https://user.logto.mock/app'))).resolves.toBe(
       undefined
     );
-    await expect(getTenantId(new URL('https://user.logto.mock/app'))).resolves.toBe(undefined);
-    await expect(getTenantId(new URL('https://user.logto.mock/app/admin'))).resolves.toBe('admin');
+    await expect(
+      getTenantIdFirstElement(new URL('https://user.logto.mock/app/admin'))
+    ).resolves.toBe('admin');
   });
 
   it('should resolve proper custom domain', async () => {
@@ -151,6 +176,6 @@ describe('getTenantId()', () => {
       NODE_ENV: 'production',
     };
     findActiveDomain.mockResolvedValueOnce({ domain: 'logto.mock.com', tenantId: 'mock' });
-    await expect(getTenantId(new URL('https://logto.mock.com'))).resolves.toBe('mock');
+    await expect(getTenantIdFirstElement(new URL('https://logto.mock.com'))).resolves.toBe('mock');
   });
 });
diff --git a/packages/core/src/utils/tenant.ts b/packages/core/src/utils/tenant.ts
index d33c66e42b7..9ac387c0a23 100644
--- a/packages/core/src/utils/tenant.ts
+++ b/packages/core/src/utils/tenant.ts
@@ -1,7 +1,7 @@
 import { adminTenantId, defaultTenantId } from '@logto/schemas';
 import { type UrlSet } from '@logto/shared';
 import { conditionalString, trySafe } from '@silverhand/essentials';
-import { type CommonQueryMethods } from 'slonik';
+import { type CommonQueryMethods } from '@silverhand/slonik';
 
 import { redisCache } from '#src/caches/index.js';
 import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
@@ -53,6 +53,9 @@ export const clearCustomDomainCache = async (url: URL | string) => {
   await trySafe(async () => redisCache.delete(getDomainCacheKey(url)));
 };
 
+/**
+ * Get tenant ID from the custom domain URL.
+ */
 const getTenantIdFromCustomDomain = async (
   url: URL,
   pool: CommonQueryMethods
@@ -74,7 +77,15 @@ const getTenantIdFromCustomDomain = async (
   return domain?.tenantId;
 };
 
-export const getTenantId = async (url: URL) => {
+/**
+ * Get tenant ID from the current request's URL.
+ *
+ * @param url The current request's URL
+ * @returns The tenant ID and whether the URL is a custom domain
+ */
+export const getTenantId = async (
+  url: URL
+): Promise<[tenantId: string | undefined, isCustomDomain: boolean]> => {
   const {
     values: {
       isMultiTenancy,
@@ -90,28 +101,28 @@ export const getTenantId = async (url: URL) => {
   const pool = await sharedPool;
 
   if (adminUrlSet.deduplicated().some((endpoint) => isEndpointOf(url, endpoint))) {
-    return adminTenantId;
+    return [adminTenantId, false];
   }
 
   if ((!isProduction || isIntegrationTest) && developmentTenantId) {
     consoleLog.warn(`Found dev tenant ID ${developmentTenantId}.`);
 
-    return developmentTenantId;
+    return [developmentTenantId, false];
   }
 
   if (!isMultiTenancy) {
-    return defaultTenantId;
+    return [defaultTenantId, false];
   }
 
   if (isPathBasedMultiTenancy) {
-    return matchPathBasedTenantId(urlSet, url);
+    return [matchPathBasedTenantId(urlSet, url), false];
   }
 
   const customDomainTenantId = await getTenantIdFromCustomDomain(url, pool);
 
   if (customDomainTenantId) {
-    return customDomainTenantId;
+    return [customDomainTenantId, true];
   }
 
-  return matchDomainBasedTenantId(urlSet.endpoint, url);
+  return [matchDomainBasedTenantId(urlSet.endpoint, url), false];
 };
diff --git a/packages/core/src/utils/test-utils.ts b/packages/core/src/utils/test-utils.ts
index 17a98cf3b67..eee58a63b93 100644
--- a/packages/core/src/utils/test-utils.ts
+++ b/packages/core/src/utils/test-utils.ts
@@ -1,13 +1,13 @@
+import type { QueryResult, QueryResultRow } from '@silverhand/slonik';
+import { createMockPool, createMockQueryResult } from '@silverhand/slonik';
+import type {
+  PrimitiveValueExpression,
+  TaggedTemplateLiteralInvocation,
+} from '@silverhand/slonik/dist/src/types.js';
 import type { MiddlewareType, Context, Middleware } from 'koa';
 import Koa from 'koa';
 import type { IRouterParamContext } from 'koa-router';
 import Router from 'koa-router';
-import type { QueryResult, QueryResultRow } from 'slonik';
-import { createMockPool, createMockQueryResult } from 'slonik';
-import type {
-  PrimitiveValueExpression,
-  TaggedTemplateLiteralInvocation,
-} from 'slonik/dist/src/types.js';
 import request from 'supertest';
 
 import type { AuthedRouter, AnonymousRouter } from '#src/routes/types.js';
diff --git a/packages/core/src/utils/zod.ts b/packages/core/src/utils/zod.ts
index 901550715df..d8331a037ed 100644
--- a/packages/core/src/utils/zod.ts
+++ b/packages/core/src/utils/zod.ts
@@ -21,6 +21,7 @@ import {
   ZodUnion,
   ZodUnknown,
   ZodDefault,
+  ZodIntersection,
 } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
@@ -279,5 +280,11 @@ export const zodTypeToSwagger = (
     };
   }
 
+  if (config instanceof ZodIntersection) {
+    return {
+      allOf: [zodTypeToSwagger(config._def.left), zodTypeToSwagger(config._def.right)],
+    };
+  }
+
   throw new RequestError('swagger.invalid_zod_type', config);
 };
diff --git a/packages/create/CHANGELOG.md b/packages/create/CHANGELOG.md
index 77a79e15820..c5a425275d2 100644
--- a/packages/create/CHANGELOG.md
+++ b/packages/create/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## 1.15.0
+
+### Patch Changes
+
+- @logto/cli@1.15.0
+
 ## 1.14.0
 
 ### Patch Changes
diff --git a/packages/create/package.json b/packages/create/package.json
index 28f41b9bbb9..bbd1ad8189c 100644
--- a/packages/create/package.json
+++ b/packages/create/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/create",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -15,6 +15,6 @@
     "node": "^20.9.0"
   },
   "dependencies": {
-    "@logto/cli": "workspace:^1.14.0"
+    "@logto/cli": "workspace:^1.15.0"
   }
 }
diff --git a/packages/demo-app/CHANGELOG.md b/packages/demo-app/CHANGELOG.md
index 8ad890536bf..8f254676a19 100644
--- a/packages/demo-app/CHANGELOG.md
+++ b/packages/demo-app/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
 
+## 1.2.0
+
+### Minor Changes
+
+- 2cbc591ff: carry over search params to the authentication request
+
+  When entering the Logto demo app with search parameters, if the user is not authenticated, the search parameters are now carried over to the authentication request. This allows manual testing of the OIDC authentication flow with specific parameters.
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/demo-app/package.json b/packages/demo-app/package.json
index 1a00edadeb5..8531591a2f1 100644
--- a/packages/demo-app/package.json
+++ b/packages/demo-app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/demo-app",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Logto demo app.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
@@ -19,11 +19,11 @@
     "stylelint": "stylelint \"src/**/*.scss\""
   },
   "devDependencies": {
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/react": "^3.0.0",
-    "@logto/schemas": "workspace:^1.13.0",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/react": "^3.0.5",
+    "@logto/schemas": "workspace:^1.15.0",
     "@parcel/core": "2.9.3",
     "@parcel/transformer-sass": "2.9.3",
     "@silverhand/eslint-config": "5.0.0",
diff --git a/packages/demo-app/src/App.tsx b/packages/demo-app/src/App.tsx
index 1060d4aa2d2..50c2b8055de 100644
--- a/packages/demo-app/src/App.tsx
+++ b/packages/demo-app/src/App.tsx
@@ -38,7 +38,10 @@ const Main = () => {
 
     // If user is not authenticated, redirect to sign-in page
     if (!isAuthenticated) {
-      void signIn(window.location.href);
+      void signIn({
+        redirectUri: window.location.origin + window.location.pathname,
+        extraParams: Object.fromEntries(new URLSearchParams(window.location.search).entries()),
+      });
     }
   }, [getIdTokenClaims, isAuthenticated, isInCallback, isLoading, signIn, user]);
 
diff --git a/packages/experience/CHANGELOG.md b/packages/experience/CHANGELOG.md
index 3ac55717405..444e95c4a7e 100644
--- a/packages/experience/CHANGELOG.md
+++ b/packages/experience/CHANGELOG.md
@@ -1,5 +1,33 @@
 # Change Log
 
+## 1.6.0
+
+### Minor Changes
+
+- 7756f50f8: support direct sign-in for sso
+- 2cbc591ff: support direct sign-in
+
+  Instead of showing a screen for the user to choose between the sign-in methods, a specific sign-in method can be initiated directly by setting the `direct_sign_in` parameter in the OIDC authentication request.
+
+  This parameter follows the format of `direct_sign_in=<method>:<target>`, where:
+
+  - `<method>` is the sign-in method to trigger. Currently the only supported value is `social`.
+  - `<target>` is the target value for the sign-in method. If the method is `social`, the value is the social connector's `target`.
+
+  When a valid `direct_sign_in` parameter is set, the first screen will be skipped and the specified sign-in method will be triggered immediately upon entering the sign-in experience. If the parameter is invalid, the default behavior of showing the first screen will be used.
+
+### Patch Changes
+
+- 5a7204571: skip non-object messages in the native environment
+
+  In the `WKWebView` of new iOS versions, some script will constantly post messages to the
+  window object with increasing numbers as the message content ("1", "2", "3", ...).
+
+  Ideally, we should check the source of the message with Logto-specific identifier in the
+  `event.data`; however, this change will result a breaking change for the existing
+  native SDK implementations. Add the `isObject` check to prevent the crazy messages while
+  keeping the backward compatibility.
+
 ## 1.5.0
 
 ### Minor Changes
diff --git a/packages/experience/package.json b/packages/experience/package.json
index 0a8b0980403..89c371b11e8 100644
--- a/packages/experience/package.json
+++ b/packages/experience/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/experience",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "license": "MPL-2.0",
   "type": "module",
   "private": true,
@@ -22,12 +22,12 @@
   "devDependencies": {
     "@jest/types": "^29.5.0",
     "@logto/app-insights": "workspace:^1.4.0",
-    "@logto/connector-kit": "workspace:^2.1.0",
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/phrases-experience": "workspace:^1.6.0",
-    "@logto/schemas": "workspace:^1.13.0",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/phrases-experience": "workspace:^1.6.1",
+    "@logto/schemas": "workspace:^1.15.0",
     "@parcel/compressor-brotli": "2.9.3",
     "@parcel/compressor-gzip": "2.9.3",
     "@parcel/core": "2.9.3",
@@ -67,7 +67,7 @@
     "jest-transform-stub": "^2.0.0",
     "jest-transformer-svg": "^2.0.0",
     "js-base64": "^3.7.5",
-    "ky": "^1.0.0",
+    "ky": "^1.2.3",
     "libphonenumber-js": "^1.10.51",
     "lint-staged": "^15.0.0",
     "parcel": "2.9.3",
diff --git a/packages/experience/src/App.tsx b/packages/experience/src/App.tsx
index 6fe19045c55..db44a29aab6 100644
--- a/packages/experience/src/App.tsx
+++ b/packages/experience/src/App.tsx
@@ -1,5 +1,5 @@
 import { AppInsightsBoundary } from '@logto/app-insights/react';
-import { MfaFactor } from '@logto/schemas';
+import { MfaFactor, experience } from '@logto/schemas';
 import { Route, Routes, BrowserRouter } from 'react-router-dom';
 
 import AppLayout from './Layout/AppLayout';
@@ -8,10 +8,10 @@ import LoadingLayerProvider from './Providers/LoadingLayerProvider';
 import PageContextProvider from './Providers/PageContextProvider';
 import SettingsProvider from './Providers/SettingsProvider';
 import SingleSignOnContextProvider from './Providers/SingleSignOnContextProvider';
-import { singleSignOnPath } from './constants/env';
 import Callback from './pages/Callback';
 import Consent from './pages/Consent';
 import Continue from './pages/Continue';
+import DirectSignIn from './pages/DirectSignIn';
 import ErrorPage from './pages/ErrorPage';
 import ForgotPassword from './pages/ForgotPassword';
 import MfaBinding from './pages/MfaBinding';
@@ -31,7 +31,7 @@ import SingleSignOnConnectors from './pages/SingleSignOnConnectors';
 import SingleSignOnEmail from './pages/SingleSignOnEmail';
 import SocialLanding from './pages/SocialLanding';
 import SocialLinkAccount from './pages/SocialLinkAccount';
-import SocialSignIn from './pages/SocialSignInCallback';
+import SocialSignInWebCallback from './pages/SocialSignInWebCallback';
 import Springboard from './pages/Springboard';
 import VerificationCode from './pages/VerificationCode';
 import { UserMfaFlow } from './types';
@@ -50,23 +50,29 @@ const App = () => {
             <AppBoundary>
               <AppInsightsBoundary cloudRole="ui">
                 <Routes>
-                  <Route element={<AppLayout />}>
+                  <Route element={<LoadingLayerProvider />}>
+                    <Route path="springboard" element={<Springboard />} />
+                    <Route path="callback/:connectorId" element={<Callback />} />
                     <Route
-                      path="unknown-session"
-                      element={<ErrorPage message="error.invalid_session" />}
+                      path="callback/social/:connectorId"
+                      element={<SocialSignInWebCallback />}
                     />
-                    <Route path="springboard" element={<Springboard />} />
+                    <Route path="direct/:method/:target?" element={<DirectSignIn />} />
+
+                    <Route element={<AppLayout />}>
+                      <Route
+                        path="unknown-session"
+                        element={<ErrorPage message="error.invalid_session" />}
+                      />
 
-                    <Route element={<LoadingLayerProvider />}>
                       {/* Sign-in */}
-                      <Route path="sign-in">
+                      <Route path={experience.routes.signIn}>
                         <Route index element={<SignIn />} />
                         <Route path="password" element={<SignInPassword />} />
-                        <Route path="social/:connectorId" element={<SocialSignIn />} />
                       </Route>
 
                       {/* Register */}
-                      <Route path="register">
+                      <Route path={experience.routes.register}>
                         <Route index element={<Register />} />
                         <Route path="password" element={<RegisterPassword />} />
                       </Route>
@@ -106,19 +112,18 @@ const App = () => {
                         <Route path="link/:connectorId" element={<SocialLinkAccount />} />
                         <Route path="landing/:connectorId" element={<SocialLanding />} />
                       </Route>
-                      <Route path="callback/:connectorId" element={<Callback />} />
-                    </Route>
 
-                    {/* Single sign-on */}
-                    <Route path={singleSignOnPath} element={<LoadingLayerProvider />}>
-                      <Route path="email" element={<SingleSignOnEmail />} />
-                      <Route path="connectors" element={<SingleSignOnConnectors />} />
-                    </Route>
+                      {/* Single sign-on */}
+                      <Route path={experience.routes.sso} element={<LoadingLayerProvider />}>
+                        <Route path="email" element={<SingleSignOnEmail />} />
+                        <Route path="connectors" element={<SingleSignOnConnectors />} />
+                      </Route>
 
-                    {/* Consent */}
-                    <Route path="consent" element={<Consent />} />
+                      {/* Consent */}
+                      <Route path="consent" element={<Consent />} />
 
-                    <Route path="*" element={<ErrorPage />} />
+                      <Route path="*" element={<ErrorPage />} />
+                    </Route>
                   </Route>
                 </Routes>
               </AppInsightsBoundary>
diff --git a/packages/experience/src/__mocks__/RenderWithPageContext/SettingsProvider.tsx b/packages/experience/src/__mocks__/RenderWithPageContext/SettingsProvider.tsx
index 37d875c742d..3cb32059767 100644
--- a/packages/experience/src/__mocks__/RenderWithPageContext/SettingsProvider.tsx
+++ b/packages/experience/src/__mocks__/RenderWithPageContext/SettingsProvider.tsx
@@ -12,12 +12,17 @@ type Props = {
 };
 
 const SettingsProvider = ({ settings = mockSignInExperienceSettings, children }: Props) => {
-  const { setExperienceSettings } = useContext(PageContext);
+  const { setExperienceSettings, experienceSettings } = useContext(PageContext);
 
   useEffect(() => {
     setExperienceSettings(settings);
   }, [setExperienceSettings, settings]);
 
+  // Don't render children until the settings are set to avoid false positives
+  if (!experienceSettings) {
+    return null;
+  }
+
   return children;
 };
 
diff --git a/packages/experience/src/constants/env.ts b/packages/experience/src/constants/env.ts
index e1574f786b7..85636912e1b 100644
--- a/packages/experience/src/constants/env.ts
+++ b/packages/experience/src/constants/env.ts
@@ -4,5 +4,3 @@ export const isDevFeaturesEnabled =
   process.env.NODE_ENV !== 'production' ||
   yes(process.env.DEV_FEATURES_ENABLED) ||
   yes(process.env.INTEGRATION_TEST);
-
-export const singleSignOnPath = 'single-sign-on';
diff --git a/packages/experience/src/hooks/use-check-single-sign-on.ts b/packages/experience/src/hooks/use-check-single-sign-on.ts
index 23b06e43f8c..c103d35af79 100644
--- a/packages/experience/src/hooks/use-check-single-sign-on.ts
+++ b/packages/experience/src/hooks/use-check-single-sign-on.ts
@@ -1,11 +1,10 @@
-import { type SsoConnectorMetadata } from '@logto/schemas';
+import { experience, type SsoConnectorMetadata } from '@logto/schemas';
 import { useCallback, useState, useContext } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useNavigate } from 'react-router-dom';
 
 import SingleSignOnContext from '@/Providers/SingleSignOnContextProvider/SingleSignOnContext';
 import { getSingleSignOnConnectors } from '@/apis/single-sign-on';
-import { singleSignOnPath } from '@/constants/env';
 import useApi from '@/hooks/use-api';
 import useErrorHandler from '@/hooks/use-error-handler';
 
@@ -81,7 +80,7 @@ const useCheckSingleSignOn = () => {
         return true;
       }
 
-      navigate(`/${singleSignOnPath}/connectors`);
+      navigate(`/${experience.routes.sso}/connectors`);
       return true;
     },
     [
diff --git a/packages/experience/src/hooks/use-native-message-listener.ts b/packages/experience/src/hooks/use-native-message-listener.ts
index d913dafe51c..f09d214776b 100644
--- a/packages/experience/src/hooks/use-native-message-listener.ts
+++ b/packages/experience/src/hooks/use-native-message-listener.ts
@@ -1,3 +1,4 @@
+import { isObject } from '@silverhand/essentials';
 import { useEffect } from 'react';
 
 import { isNativeWebview } from '@/utils/native-sdk';
@@ -23,7 +24,14 @@ const useNativeMessageListener = (bypass = false) => {
     }
 
     const nativeMessageHandler = (event: MessageEvent) => {
-      if (event.origin === window.location.origin) {
+      // In the `WKWebView` of new iOS versions, some script will constantly post messages to the
+      // window object with increasing numbers as the message content ("1", "2", "3", ...).
+      //
+      // Ideally, we should check the source of the message with Logto-specific identifier in the
+      // `event.data`; however, this change will result a breaking change for the existing
+      // native SDK implementations. Add the `isObject` check to prevent the crazy messages while
+      // keeping the backward compatibility.
+      if (event.origin === window.location.origin && isObject(event.data)) {
         try {
           setToast(JSON.stringify(event.data));
         } catch {}
diff --git a/packages/experience/src/hooks/use-single-sign-on-watch.ts b/packages/experience/src/hooks/use-single-sign-on-watch.ts
index 8c2069fd025..3941c3749e0 100644
--- a/packages/experience/src/hooks/use-single-sign-on-watch.ts
+++ b/packages/experience/src/hooks/use-single-sign-on-watch.ts
@@ -1,4 +1,4 @@
-import { SignInIdentifier, type SsoConnectorMetadata } from '@logto/schemas';
+import { SignInIdentifier, experience, type SsoConnectorMetadata } from '@logto/schemas';
 import { useEffect, useCallback, useContext } from 'react';
 import { useNavigate } from 'react-router-dom';
 
@@ -6,7 +6,6 @@ import SingleSignOnContext from '@/Providers/SingleSignOnContextProvider/SingleS
 import SingleSignOnFormModeContext from '@/Providers/SingleSignOnFormModeContextProvider/SingleSignOnFormModeContext';
 import { getSingleSignOnConnectors } from '@/apis/single-sign-on';
 import type { IdentifierInputValue } from '@/components/InputFields/SmartInputField';
-import { singleSignOnPath } from '@/constants/env';
 import useApi from '@/hooks/use-api';
 import useSingleSignOn from '@/hooks/use-single-sign-on';
 import { validateEmail } from '@/utils/form';
@@ -72,7 +71,7 @@ const useSingleSignOnWatch = (identifierInput?: IdentifierInputValue) => {
       return;
     }
 
-    navigate(`/${singleSignOnPath}/connectors`);
+    navigate(`/${experience.routes.sso}/connectors`);
   }, [navigate, showSingleSignOnForm, singleSignOn, ssoConnectors]);
 
   useEffect(() => {
diff --git a/packages/experience/src/pages/Callback/index.tsx b/packages/experience/src/pages/Callback/index.tsx
index c82f8a901c8..bc141106fc5 100644
--- a/packages/experience/src/pages/Callback/index.tsx
+++ b/packages/experience/src/pages/Callback/index.tsx
@@ -12,7 +12,7 @@ type Parameters = {
 };
 
 /**
- * Callback page for SocialSignIn and SingleSignOn
+ * Callback landing page for social sign-in and single sign-on.
  */
 const Callback = () => {
   const { connectorId } = useParams<Parameters>();
diff --git a/packages/experience/src/pages/Callback/use-social-callback-handler.ts b/packages/experience/src/pages/Callback/use-social-callback-handler.ts
index 27239ecf89f..d4422b63686 100644
--- a/packages/experience/src/pages/Callback/use-social-callback-handler.ts
+++ b/packages/experience/src/pages/Callback/use-social-callback-handler.ts
@@ -33,7 +33,7 @@ const useSocialCallbackHandler = () => {
       // Web flow
       navigate(
         {
-          pathname: `/sign-in/social/${connectorId}`,
+          pathname: `/callback/social/${connectorId}`,
           search,
         },
         {
diff --git a/packages/experience/src/pages/Consent/ScopesListCard/index.tsx b/packages/experience/src/pages/Consent/ScopesListCard/index.tsx
index 15c20614fe2..e5bcbd60694 100644
--- a/packages/experience/src/pages/Consent/ScopesListCard/index.tsx
+++ b/packages/experience/src/pages/Consent/ScopesListCard/index.tsx
@@ -1,5 +1,6 @@
 import { ReservedResource, UserScope } from '@logto/core-kit';
 import { type ConsentInfoResponse } from '@logto/schemas';
+import { type Nullable } from '@silverhand/essentials';
 import classNames from 'classnames';
 import { useCallback, useMemo, useState } from 'react';
 import { Trans, useTranslation } from 'react-i18next';
@@ -20,7 +21,7 @@ type ScopeGroupProps = {
   scopes: Array<{
     id: string;
     name: string;
-    description?: string;
+    description?: Nullable<string>; // Organization scope description cloud be `null`
   }>;
 };
 
diff --git a/packages/experience/src/pages/DirectSignIn/index.test.tsx b/packages/experience/src/pages/DirectSignIn/index.test.tsx
new file mode 100644
index 00000000000..566618a50d2
--- /dev/null
+++ b/packages/experience/src/pages/DirectSignIn/index.test.tsx
@@ -0,0 +1,112 @@
+import { useParams as useParamsMock } from 'react-router-dom';
+
+import renderWithPageContext from '@/__mocks__/RenderWithPageContext';
+import { mockSsoConnectors, socialConnectors } from '@/__mocks__/logto';
+
+import DirectSignIn from '.';
+
+jest.mock('@/hooks/use-sie', () => ({
+  useSieMethods: jest.fn().mockReturnValue({
+    socialConnectors,
+    ssoConnectors: mockSsoConnectors,
+  }),
+}));
+
+jest.mock('@/containers/SocialSignInList/use-social', () =>
+  jest.fn().mockReturnValue({
+    invokeSocialSignIn: jest.fn(() => {
+      window.location.assign('/social-redirect-to');
+    }),
+  })
+);
+
+jest.mock('@/hooks/use-single-sign-on', () =>
+  jest.fn().mockReturnValue(
+    jest.fn(() => {
+      window.location.assign('/sso-redirect-to');
+    })
+  )
+);
+
+jest.mock('react-router-dom', () => ({
+  ...jest.requireActual('react-router-dom'),
+  useParams: jest.fn().mockReturnValue({}),
+}));
+
+const useParams = useParamsMock as jest.Mock;
+
+const assign = jest.fn();
+const replace = jest.fn();
+const search = jest.fn();
+
+// eslint-disable-next-line @silverhand/fp/no-mutating-methods
+Object.defineProperty(window, 'location', {
+  value: {
+    assign,
+    replace,
+  },
+  writable: true,
+});
+
+// eslint-disable-next-line @silverhand/fp/no-mutating-methods
+Object.defineProperty(window.location, 'search', {
+  get: search,
+});
+
+describe('DirectSignIn', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should fallback to the first screen when `directSignIn` is not provided', () => {
+    renderWithPageContext(<DirectSignIn />);
+    expect(replace).toBeCalledWith('/sign-in');
+  });
+
+  it('should fallback to the first screen when `directSignIn` is invalid', () => {
+    useParams.mockReturnValue({ method: 'foo' });
+    renderWithPageContext(<DirectSignIn />);
+    expect(replace).toBeCalledWith('/sign-in');
+  });
+
+  it('should fallback to the first screen provided in the fallback parameter', () => {
+    useParams.mockReturnValue({ method: 'method', target: 'target' });
+    search.mockReturnValue('?fallback=register');
+    renderWithPageContext(<DirectSignIn />);
+    expect(replace).toBeCalledWith('/register');
+  });
+
+  it('should fallback to the first screen when method is valid but target is invalid (social)', () => {
+    useParams.mockReturnValue({ method: 'social', target: 'something' });
+    search.mockReturnValue('?fallback=sign-in');
+    renderWithPageContext(<DirectSignIn />);
+    expect(replace).toBeCalledWith('/sign-in');
+  });
+
+  it('should fallback to the first screen when method is valid but target is invalid (sso)', () => {
+    useParams.mockReturnValue({ method: 'sso', target: 'something' });
+    search.mockReturnValue('?fallback=sign-in');
+    renderWithPageContext(<DirectSignIn />);
+    expect(replace).toBeCalledWith('/sign-in');
+  });
+
+  it('should invoke social sign-in when method is social and target is valid (social)', () => {
+    useParams.mockReturnValue({ method: 'social', target: socialConnectors[0]!.target });
+    search.mockReturnValue(`?fallback=sign-in`);
+
+    renderWithPageContext(<DirectSignIn />);
+
+    expect(replace).not.toBeCalled();
+    expect(assign).toBeCalledWith('/social-redirect-to');
+  });
+
+  it('should invoke sso sign-in when method is sso and target is valid (sso)', () => {
+    useParams.mockReturnValue({ method: 'sso', target: mockSsoConnectors[0]!.id });
+    search.mockReturnValue(`?fallback=sign-in`);
+
+    renderWithPageContext(<DirectSignIn />);
+
+    expect(replace).not.toBeCalled();
+    expect(assign).toBeCalledWith('/sso-redirect-to');
+  });
+});
diff --git a/packages/experience/src/pages/DirectSignIn/index.tsx b/packages/experience/src/pages/DirectSignIn/index.tsx
new file mode 100644
index 00000000000..9665fc4d10d
--- /dev/null
+++ b/packages/experience/src/pages/DirectSignIn/index.tsx
@@ -0,0 +1,46 @@
+import { experience } from '@logto/schemas';
+import { useEffect, useMemo } from 'react';
+import { useParams } from 'react-router-dom';
+
+import LoadingLayer from '@/components/LoadingLayer';
+import useSocial from '@/containers/SocialSignInList/use-social';
+import { useSieMethods } from '@/hooks/use-sie';
+import useSingleSignOn from '@/hooks/use-single-sign-on';
+
+const DirectSignIn = () => {
+  const { method, target } = useParams();
+  const { socialConnectors, ssoConnectors } = useSieMethods();
+  const { invokeSocialSignIn } = useSocial();
+  const invokeSso = useSingleSignOn();
+  const fallback = useMemo(() => {
+    const fallbackKey = new URLSearchParams(window.location.search).get('fallback');
+    return (
+      Object.entries(experience.routes).find(([key]) => key === fallbackKey)?.[1] ??
+      experience.routes.signIn
+    );
+  }, []);
+
+  useEffect(() => {
+    if (method === 'social') {
+      const social = socialConnectors.find((connector) => connector.target === target);
+      if (social) {
+        void invokeSocialSignIn(social);
+        return;
+      }
+    }
+
+    if (method === 'sso') {
+      const sso = ssoConnectors.find((connector) => connector.id === target);
+
+      if (sso) {
+        void invokeSso(sso.id);
+        return;
+      }
+    }
+
+    window.location.replace('/' + fallback);
+  }, [fallback, invokeSocialSignIn, invokeSso, method, socialConnectors, ssoConnectors, target]);
+
+  return <LoadingLayer />;
+};
+export default DirectSignIn;
diff --git a/packages/experience/src/pages/Register/IdentifierRegisterForm/index.test.tsx b/packages/experience/src/pages/Register/IdentifierRegisterForm/index.test.tsx
index 4f48251ef70..c79f7bcbb2e 100644
--- a/packages/experience/src/pages/Register/IdentifierRegisterForm/index.test.tsx
+++ b/packages/experience/src/pages/Register/IdentifierRegisterForm/index.test.tsx
@@ -1,4 +1,4 @@
-import { SignInIdentifier, type SsoConnectorMetadata } from '@logto/schemas';
+import { SignInIdentifier, experience, type SsoConnectorMetadata } from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
 import { fireEvent, act, waitFor } from '@testing-library/react';
 
@@ -10,7 +10,6 @@ import SettingsProvider from '@/__mocks__/RenderWithPageContext/SettingsProvider
 import { mockSignInExperienceSettings, mockSsoConnectors } from '@/__mocks__/logto';
 import { registerWithUsernamePassword } from '@/apis/interaction';
 import { sendVerificationCodeApi } from '@/apis/utils';
-import { singleSignOnPath } from '@/constants/env';
 import { UserFlow } from '@/types';
 import { getDefaultCountryCallingCode } from '@/utils/country-code';
 
@@ -401,7 +400,7 @@ describe('<IdentifierRegisterForm />', () => {
       });
 
       await waitFor(() => {
-        expect(mockedNavigate).toBeCalledWith(`/${singleSignOnPath}/connectors`);
+        expect(mockedNavigate).toBeCalledWith(`/${experience.routes.sso}/connectors`);
       });
     });
   });
diff --git a/packages/experience/src/pages/SignIn/IdentifierSignInForm/index.test.tsx b/packages/experience/src/pages/SignIn/IdentifierSignInForm/index.test.tsx
index b6d75925429..bfde9a783ab 100644
--- a/packages/experience/src/pages/SignIn/IdentifierSignInForm/index.test.tsx
+++ b/packages/experience/src/pages/SignIn/IdentifierSignInForm/index.test.tsx
@@ -1,5 +1,5 @@
 import type { SignIn, SsoConnectorMetadata } from '@logto/schemas';
-import { SignInIdentifier } from '@logto/schemas';
+import { SignInIdentifier, experience } from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
 import { fireEvent, act, waitFor } from '@testing-library/react';
 
@@ -13,7 +13,6 @@ import {
   mockSsoConnectors,
 } from '@/__mocks__/logto';
 import { sendVerificationCodeApi } from '@/apis/utils';
-import { singleSignOnPath } from '@/constants/env';
 import { UserFlow } from '@/types';
 import { getDefaultCountryCallingCode } from '@/utils/country-code';
 
@@ -310,7 +309,7 @@ describe('IdentifierSignInForm', () => {
       });
 
       await waitFor(() => {
-        expect(mockedNavigate).toBeCalledWith(`/${singleSignOnPath}/connectors`);
+        expect(mockedNavigate).toBeCalledWith(`/${experience.routes.sso}/connectors`);
       });
     });
   });
diff --git a/packages/experience/src/pages/SignIn/PasswordSignInForm/index.test.tsx b/packages/experience/src/pages/SignIn/PasswordSignInForm/index.test.tsx
index d71cdd85c40..98a842071d5 100644
--- a/packages/experience/src/pages/SignIn/PasswordSignInForm/index.test.tsx
+++ b/packages/experience/src/pages/SignIn/PasswordSignInForm/index.test.tsx
@@ -1,4 +1,4 @@
-import { SignInIdentifier } from '@logto/schemas';
+import { SignInIdentifier, experience } from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
 import { fireEvent, waitFor } from '@testing-library/react';
 import { act } from 'react-dom/test-utils';
@@ -9,7 +9,6 @@ import renderWithPageContext from '@/__mocks__/RenderWithPageContext';
 import SettingsProvider from '@/__mocks__/RenderWithPageContext/SettingsProvider';
 import { mockSignInExperienceSettings, mockSsoConnectors } from '@/__mocks__/logto';
 import { signInWithPasswordIdentifier } from '@/apis/interaction';
-import { singleSignOnPath } from '@/constants/env';
 import type { SignInExperienceResponse } from '@/types';
 import { getDefaultCountryCallingCode } from '@/utils/country-code';
 
@@ -260,7 +259,7 @@ describe('UsernamePasswordSignInForm', () => {
     });
 
     await waitFor(() => {
-      expect(mockedNavigate).toBeCalledWith(`/${singleSignOnPath}/connectors`);
+      expect(mockedNavigate).toBeCalledWith(`/${experience.routes.sso}/connectors`);
     });
   });
 
diff --git a/packages/experience/src/pages/SocialSignInCallback/SingleSignOn.tsx b/packages/experience/src/pages/SocialSignInWebCallback/SingleSignOn.tsx
similarity index 80%
rename from packages/experience/src/pages/SocialSignInCallback/SingleSignOn.tsx
rename to packages/experience/src/pages/SocialSignInWebCallback/SingleSignOn.tsx
index ca451abcf55..c64b84543e9 100644
--- a/packages/experience/src/pages/SocialSignInCallback/SingleSignOn.tsx
+++ b/packages/experience/src/pages/SocialSignInWebCallback/SingleSignOn.tsx
@@ -1,8 +1,7 @@
+import LoadingLayer from '@/components/LoadingLayer';
 import useNativeMessageListener from '@/hooks/use-native-message-listener';
 import { useSieMethods } from '@/hooks/use-sie';
 
-import SignIn from '../SignIn';
-
 import useSingleSignOnListener from './use-single-sign-on-listener';
 
 type Props = {
@@ -18,9 +17,9 @@ const SingleSignOn = ({ connectorId }: Props) => {
   */
   useNativeMessageListener(socialConnectors.length > 0);
 
-  useSingleSignOnListener(connectorId);
+  const { loading } = useSingleSignOnListener(connectorId);
 
-  return <SignIn />;
+  return loading ? <LoadingLayer /> : null;
 };
 
 export default SingleSignOn;
diff --git a/packages/experience/src/pages/SocialSignInCallback/SocialSignIn.tsx b/packages/experience/src/pages/SocialSignInWebCallback/SocialSignIn.tsx
similarity index 60%
rename from packages/experience/src/pages/SocialSignInCallback/SocialSignIn.tsx
rename to packages/experience/src/pages/SocialSignInWebCallback/SocialSignIn.tsx
index ec087811152..cdc19cb292a 100644
--- a/packages/experience/src/pages/SocialSignInCallback/SocialSignIn.tsx
+++ b/packages/experience/src/pages/SocialSignInWebCallback/SocialSignIn.tsx
@@ -1,4 +1,4 @@
-import SignIn from '../SignIn';
+import LoadingLayer from '@/components/LoadingLayer';
 
 import useSocialSignInListener from './use-social-sign-in-listener';
 
@@ -10,9 +10,9 @@ type Props = {
 };
 
 const SocialSignIn = ({ connectorId }: Props) => {
-  useSocialSignInListener(connectorId);
+  const { loading } = useSocialSignInListener(connectorId);
 
-  return <SignIn />;
+  return loading ? <LoadingLayer /> : null;
 };
 
 export default SocialSignIn;
diff --git a/packages/experience/src/pages/SocialSignInCallback/index.test.tsx b/packages/experience/src/pages/SocialSignInWebCallback/index.test.tsx
similarity index 83%
rename from packages/experience/src/pages/SocialSignInCallback/index.test.tsx
rename to packages/experience/src/pages/SocialSignInWebCallback/index.test.tsx
index e31463c9d7e..8f31efccae8 100644
--- a/packages/experience/src/pages/SocialSignInCallback/index.test.tsx
+++ b/packages/experience/src/pages/SocialSignInWebCallback/index.test.tsx
@@ -1,5 +1,5 @@
 import { waitFor } from '@testing-library/react';
-import { Route, Routes, useSearchParams } from 'react-router-dom';
+import { Navigate, Route, Routes, useSearchParams } from 'react-router-dom';
 
 import renderWithPageContext from '@/__mocks__/RenderWithPageContext';
 import SettingsProvider from '@/__mocks__/RenderWithPageContext/SettingsProvider';
@@ -28,11 +28,33 @@ jest.mock('@/apis/single-sign-on', () => ({
 jest.mock('react-router-dom', () => ({
   ...jest.requireActual('react-router-dom'),
   useSearchParams: jest.fn(),
+  Navigate: jest.fn(() => null),
 }));
 
 const mockUseSearchParameters = useSearchParams as jest.Mock;
+const mockNavigate = Navigate as jest.Mock;
 
 describe('SocialCallbackPage with code', () => {
+  describe('fallback', () => {
+    it('should redirect to /sign-in if connectorId is not found', async () => {
+      mockUseSearchParameters.mockReturnValue([new URLSearchParams('code=foo'), jest.fn()]);
+
+      renderWithPageContext(
+        <SettingsProvider>
+          <Routes>
+            <Route path="/sign-in/social/:connectorId" element={<SocialCallback />} />
+          </Routes>
+        </SettingsProvider>,
+        { initialEntries: ['/sign-in/social/invalid'] }
+      );
+
+      await waitFor(() => {
+        expect(signInWithSocial).not.toBeCalled();
+        expect(mockNavigate.mock.calls[0][0].to).toBe('/sign-in');
+      });
+    });
+  });
+
   describe('signIn with social', () => {
     const connectorId = socialConnectors[0]!.id;
     const state = generateState();
diff --git a/packages/experience/src/pages/SocialSignInCallback/index.tsx b/packages/experience/src/pages/SocialSignInWebCallback/index.tsx
similarity index 64%
rename from packages/experience/src/pages/SocialSignInCallback/index.tsx
rename to packages/experience/src/pages/SocialSignInWebCallback/index.tsx
index 61d9a6ba2c1..29a11949f5f 100644
--- a/packages/experience/src/pages/SocialSignInCallback/index.tsx
+++ b/packages/experience/src/pages/SocialSignInWebCallback/index.tsx
@@ -1,13 +1,13 @@
-import { useParams } from 'react-router-dom';
+import { experience } from '@logto/schemas';
+import { Navigate, useParams } from 'react-router-dom';
 
 import useConnectors from '@/hooks/use-connectors';
 
-import SignIn from '../SignIn';
-
 import SingleSignOn from './SingleSignOn';
 import SocialSignIn from './SocialSignIn';
 
-const SocialSignInCallback = () => {
+/** The real callback page for social sign-in in web browsers. */
+const SocialSignInWebCallback = () => {
   const parameters = useParams<{ connectorId: string }>();
   const { findConnectorById } = useConnectors();
   const result = findConnectorById(parameters.connectorId);
@@ -21,7 +21,7 @@ const SocialSignInCallback = () => {
   }
 
   // Connector not found, return sign in page
-  return <SignIn />;
+  return <Navigate to={'/' + experience.routes.signIn} />;
 };
 
-export default SocialSignInCallback;
+export default SocialSignInWebCallback;
diff --git a/packages/experience/src/pages/SocialSignInCallback/use-single-sign-on-listener.ts b/packages/experience/src/pages/SocialSignInWebCallback/use-single-sign-on-listener.ts
similarity index 86%
rename from packages/experience/src/pages/SocialSignInCallback/use-single-sign-on-listener.ts
rename to packages/experience/src/pages/SocialSignInWebCallback/use-single-sign-on-listener.ts
index 045b210964e..00f7b88f87d 100644
--- a/packages/experience/src/pages/SocialSignInCallback/use-single-sign-on-listener.ts
+++ b/packages/experience/src/pages/SocialSignInWebCallback/use-single-sign-on-listener.ts
@@ -1,7 +1,7 @@
-import { SignInMode } from '@logto/schemas';
-import { useState, useCallback, useEffect } from 'react';
+import { SignInMode, experience } from '@logto/schemas';
+import { useCallback, useEffect, useState } from 'react';
 import { useTranslation } from 'react-i18next';
-import { useSearchParams } from 'react-router-dom';
+import { useNavigate, useSearchParams } from 'react-router-dom';
 
 import { singleSignOnAuthorization, singleSignOnRegistration } from '@/apis/single-sign-on';
 import useApi from '@/hooks/use-api';
@@ -16,11 +16,13 @@ const useSingleSignOnRegister = () => {
   const handleError = useErrorHandler();
   const request = useApi(singleSignOnRegistration);
   const { termsValidation } = useTerms();
+  const navigate = useNavigate();
 
   return useCallback(
     async (connectorId: string) => {
       // Agree to terms and conditions first before proceeding
       if (!(await termsValidation())) {
+        navigate('/' + experience.routes.signIn);
         return;
       }
 
@@ -36,7 +38,7 @@ const useSingleSignOnRegister = () => {
         window.location.replace(result.redirectTo);
       }
     },
-    [handleError, request, termsValidation]
+    [handleError, navigate, request, termsValidation]
   );
 };
 
@@ -52,12 +54,14 @@ const useSingleSignOnRegister = () => {
 const useSingleSignOnListener = (connectorId: string) => {
   const { t } = useTranslation();
 
+  const [loading, setLoading] = useState(true);
   const [isConsumed, setIsConsumed] = useState(false);
   const [searchParameters, setSearchParameters] = useSearchParams();
   const { setToast } = useToast();
   const { signInMode } = useSieMethods();
 
   const handleError = useErrorHandler();
+  const navigate = useNavigate();
 
   const singleSignOnAuthorizationRequest = useApi(singleSignOnAuthorization);
   const registerSingleSignOnIdentity = useSingleSignOnRegister();
@@ -71,12 +75,13 @@ const useSingleSignOnListener = (connectorId: string) => {
       });
 
       if (error) {
+        setLoading(false);
         await handleError(error, {
           'user.identity_not_exist': async (error) => {
             // Should not let user register new social account under sign-in only mode
             if (signInMode === SignInMode.SignIn) {
               setToast(error.message);
-
+              navigate('/' + experience.routes.signIn);
               return;
             }
 
@@ -92,6 +97,7 @@ const useSingleSignOnListener = (connectorId: string) => {
     },
     [
       handleError,
+      navigate,
       registerSingleSignOnIdentity,
       setToast,
       signInMode,
@@ -115,6 +121,7 @@ const useSingleSignOnListener = (connectorId: string) => {
     // Validate the state parameter
     if (!state || !stateValidation(state, connectorId)) {
       setToast(t('error.invalid_connector_auth'));
+      navigate('/' + experience.routes.signIn);
       return;
     }
 
@@ -122,12 +129,15 @@ const useSingleSignOnListener = (connectorId: string) => {
   }, [
     connectorId,
     isConsumed,
+    navigate,
     searchParameters,
     setSearchParameters,
     setToast,
     singleSignOnHandler,
     t,
   ]);
+
+  return { loading };
 };
 
 export default useSingleSignOnListener;
diff --git a/packages/experience/src/pages/SocialSignInCallback/use-social-sign-in-listener.ts b/packages/experience/src/pages/SocialSignInWebCallback/use-social-sign-in-listener.ts
similarity index 88%
rename from packages/experience/src/pages/SocialSignInCallback/use-social-sign-in-listener.ts
rename to packages/experience/src/pages/SocialSignInWebCallback/use-social-sign-in-listener.ts
index d93dc51a0e9..240d5c2a9be 100644
--- a/packages/experience/src/pages/SocialSignInCallback/use-social-sign-in-listener.ts
+++ b/packages/experience/src/pages/SocialSignInWebCallback/use-social-sign-in-listener.ts
@@ -1,14 +1,14 @@
 import type { RequestErrorBody } from '@logto/schemas';
-import { SignInMode } from '@logto/schemas';
-import { useEffect, useCallback, useMemo, useState } from 'react';
+import { SignInMode, experience } from '@logto/schemas';
+import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useNavigate, useSearchParams } from 'react-router-dom';
 import { validate } from 'superstruct';
 
 import { signInWithSocial } from '@/apis/interaction';
 import useApi from '@/hooks/use-api';
-import useErrorHandler from '@/hooks/use-error-handler';
 import type { ErrorHandlers } from '@/hooks/use-error-handler';
+import useErrorHandler from '@/hooks/use-error-handler';
 import usePreSignInErrorHandler from '@/hooks/use-pre-sign-in-error-handler';
 import { useSieMethods } from '@/hooks/use-sie';
 import useSocialRegister from '@/hooks/use-social-register';
@@ -19,6 +19,7 @@ import { parseQueryParameters } from '@/utils';
 import { stateValidation } from '@/utils/social-connectors';
 
 const useSocialSignInListener = (connectorId: string) => {
+  const [loading, setLoading] = useState(true);
   const { setToast } = useToast();
   const { signInMode } = useSieMethods();
   const { t } = useTranslation();
@@ -62,12 +63,13 @@ const useSocialSignInListener = (connectorId: string) => {
         // Should not let user register new social account under sign-in only mode
         if (signInMode === SignInMode.SignIn) {
           setToast(error.message);
-
+          navigate('/' + experience.routes.signIn);
           return;
         }
 
         // Agree to terms and conditions first before proceeding
         if (!(await termsValidation())) {
+          navigate('/' + experience.routes.signIn);
           return;
         }
 
@@ -75,7 +77,14 @@ const useSocialSignInListener = (connectorId: string) => {
       },
       ...preSignInErrorHandler,
     }),
-    [preSignInErrorHandler, signInMode, termsValidation, accountNotExistErrorHandler, setToast]
+    [
+      preSignInErrorHandler,
+      signInMode,
+      termsValidation,
+      accountNotExistErrorHandler,
+      setToast,
+      navigate,
+    ]
   );
 
   const signInWithSocialHandler = useCallback(
@@ -90,6 +99,7 @@ const useSocialSignInListener = (connectorId: string) => {
       });
 
       if (error) {
+        setLoading(false);
         await handleError(error, signInWithSocialErrorHandlers);
 
         return;
@@ -117,6 +127,7 @@ const useSocialSignInListener = (connectorId: string) => {
 
     if (!state || !stateValidation(state, connectorId)) {
       setToast(t('error.invalid_connector_auth'));
+      navigate('/' + experience.routes.signIn);
       return;
     }
 
@@ -124,12 +135,15 @@ const useSocialSignInListener = (connectorId: string) => {
   }, [
     connectorId,
     isConsumed,
+    navigate,
     searchParameters,
     setSearchParameters,
     setToast,
     signInWithSocialHandler,
     t,
   ]);
+
+  return { loading };
 };
 
 export default useSocialSignInListener;
diff --git a/packages/integration-tests/CHANGELOG.md b/packages/integration-tests/CHANGELOG.md
index 610183f0437..ed211b8a2cc 100644
--- a/packages/integration-tests/CHANGELOG.md
+++ b/packages/integration-tests/CHANGELOG.md
@@ -1,5 +1,25 @@
 # Change Log
 
+## 1.6.0
+
+### Minor Changes
+
+- 468558721: Get organization roles with search keyword.
+- cc01acbd0: Create a new user through API with password digest and corresponding algorithm
+
+### Patch Changes
+
+- abffb9f95: full oidc standard claims support
+
+  We have added support for the remaining [OpenID Connect standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
+
+  Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
+
+  For all newly introduced claims, we store them in the `user.profile` field.
+
+  > ![Note]
+  > Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
+
 ## 1.5.0
 
 ### Minor Changes
diff --git a/packages/integration-tests/jest.setup.js b/packages/integration-tests/jest.setup.js
index f85fe37425e..ff4d9651c14 100644
--- a/packages/integration-tests/jest.setup.js
+++ b/packages/integration-tests/jest.setup.js
@@ -1,6 +1,5 @@
 import dotenv from 'dotenv';
 import { setDefaultOptions } from 'expect-puppeteer';
-import fetch from 'node-fetch';
 import { TextDecoder, TextEncoder } from 'text-encoder';
 
 const { jest } = import.meta;
@@ -8,9 +7,12 @@ const { jest } = import.meta;
 dotenv.config();
 
 /* eslint-disable @silverhand/fp/no-mutation */
-global.fetch = fetch;
 global.TextDecoder = TextDecoder;
 global.TextEncoder = TextEncoder;
+global.fail = (message) => {
+  throw new Error(message);
+};
+
 /* eslint-enable @silverhand/fp/no-mutation */
 
 // GitHub Actions default runners need more time for UI tests
diff --git a/packages/integration-tests/package.json b/packages/integration-tests/package.json
index fc3a6a60392..c1a244e6bd9 100644
--- a/packages/integration-tests/package.json
+++ b/packages/integration-tests/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/integration-tests",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "Integration tests for Logto.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
@@ -24,11 +24,11 @@
     "@apidevtools/swagger-parser": "^10.1.0",
     "@jest/test-sequencer": "^29.5.0",
     "@jest/types": "^29.1.2",
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@logto/core-kit": "workspace:^",
-    "@logto/js": "^4.0.0",
-    "@logto/node": "^2.4.0",
-    "@logto/schemas": "workspace:^1.13.0",
+    "@logto/js": "^4.1.1",
+    "@logto/node": "^2.4.4",
+    "@logto/schemas": "workspace:^1.15.0",
     "@logto/shared": "workspace:^3.1.0",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/essentials": "^2.9.0",
@@ -38,16 +38,15 @@
     "dotenv": "^16.0.0",
     "eslint": "^8.44.0",
     "expect-puppeteer": "^10.0.0",
-    "got": "^14.0.0",
     "jest": "^29.7.0",
     "jest-matcher-specific-error": "^1.0.0",
-    "jest-puppeteer": "^10.0.0",
+    "jest-puppeteer": "^10.0.1",
     "jose": "^5.0.0",
-    "node-fetch": "^3.3.0",
+    "ky": "^1.2.3",
     "openapi-schema-validator": "^12.1.3",
     "openapi-types": "^12.1.3",
     "prettier": "^3.0.0",
-    "puppeteer": "^21.0.0",
+    "puppeteer": "^22.6.0",
     "text-encoder": "^0.0.4",
     "typescript": "^5.3.3"
   },
diff --git a/packages/integration-tests/src/__mocks__/jwt-customizer.ts b/packages/integration-tests/src/__mocks__/jwt-customizer.ts
new file mode 100644
index 00000000000..398c2785460
--- /dev/null
+++ b/packages/integration-tests/src/__mocks__/jwt-customizer.ts
@@ -0,0 +1,28 @@
+export const clientCredentialsJwtCustomizerPayload = {
+  script: '',
+  environmentVariables: {},
+  contextSample: {},
+};
+
+export const accessTokenJwtCustomizerPayload = {
+  ...clientCredentialsJwtCustomizerPayload,
+  contextSample: {
+    user: {
+      id: '123',
+      username: 'foo',
+      primaryEmail: 'foo@logto.io',
+      primaryPhone: '+1234567890',
+      name: 'Foo Bar',
+      avatar: 'https://example.com/avatar.png',
+      customData: {},
+      identities: {},
+      profile: {},
+      applicationId: 'my-app',
+      ssoIdentities: [],
+      mfaVerificationFactors: [],
+      roles: [],
+      organizations: [],
+      organizationRoles: [],
+    },
+  },
+};
diff --git a/packages/integration-tests/src/api/admin-user.ts b/packages/integration-tests/src/api/admin-user.ts
index 4a46a5ee772..f9dd9d37120 100644
--- a/packages/integration-tests/src/api/admin-user.ts
+++ b/packages/integration-tests/src/api/admin-user.ts
@@ -6,6 +6,7 @@ import type {
   Role,
   User,
   UserSsoIdentity,
+  UsersPasswordEncryptionMethod,
 } from '@logto/schemas';
 import { conditional } from '@silverhand/essentials';
 
@@ -17,6 +18,8 @@ export type CreateUserPayload = Partial<{
   username: string;
   password: string;
   name: string;
+  passwordDigest: string;
+  passwordAlgorithm: UsersPasswordEncryptionMethod;
 }>;
 
 export const createUser = async (payload: CreateUserPayload = {}) =>
@@ -45,6 +48,13 @@ export const updateUser = async (userId: string, payload: Partial<User>) =>
     })
     .json<User>();
 
+export const updateUserProfile = async (userId: string, profile: Partial<User['profile']>) =>
+  authedAdminApi
+    .patch(`users/${userId}/profile`, {
+      json: { profile },
+    })
+    .json<User['profile']>();
+
 export const suspendUser = async (userId: string, isSuspended: boolean) =>
   authedAdminApi.patch(`users/${userId}/is-suspended`, { json: { isSuspended } }).json<User>();
 
diff --git a/packages/integration-tests/src/api/api.ts b/packages/integration-tests/src/api/api.ts
index 25d38aaeebc..e3993997681 100644
--- a/packages/integration-tests/src/api/api.ts
+++ b/packages/integration-tests/src/api/api.ts
@@ -1,9 +1,10 @@
-import { got } from 'got';
+import { appendPath } from '@silverhand/essentials';
+import ky from 'ky';
 
 import { logtoConsoleUrl, logtoUrl, logtoCloudUrl } from '#src/constants.js';
 
-const api = got.extend({
-  prefixUrl: new URL('/api', logtoUrl),
+const api = ky.extend({
+  prefixUrl: appendPath(new URL(logtoUrl), 'api'),
 });
 
 export default api;
@@ -15,8 +16,8 @@ export const authedAdminApi = api.extend({
   },
 });
 
-export const adminTenantApi = got.extend({
-  prefixUrl: new URL('/api', logtoConsoleUrl),
+export const adminTenantApi = ky.extend({
+  prefixUrl: appendPath(new URL(logtoConsoleUrl), 'api'),
 });
 
 export const authedAdminTenantApi = adminTenantApi.extend({
@@ -25,10 +26,10 @@ export const authedAdminTenantApi = adminTenantApi.extend({
   },
 });
 
-export const cloudApi = got.extend({
-  prefixUrl: new URL('/api', logtoCloudUrl),
+export const cloudApi = ky.extend({
+  prefixUrl: appendPath(new URL(logtoCloudUrl), 'api'),
 });
 
-export const oidcApi = got.extend({
-  prefixUrl: new URL('/oidc', logtoUrl),
+export const oidcApi = ky.extend({
+  prefixUrl: appendPath(new URL(logtoUrl), 'oidc'),
 });
diff --git a/packages/integration-tests/src/api/application.ts b/packages/integration-tests/src/api/application.ts
index 29112c3e090..91ba032b37a 100644
--- a/packages/integration-tests/src/api/application.ts
+++ b/packages/integration-tests/src/api/application.ts
@@ -99,10 +99,13 @@ export const generateM2mLog = async (applicationId: string) => {
 
   // This is a token request with insufficient parameters and should fail. We make the request to generate a log for the current machine to machine app.
   return oidcApi.post('token', {
-    form: {
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: new URLSearchParams({
       client_id: id,
       client_secret: secret,
       grant_type: 'client_credentials',
-    },
+    }),
   });
 };
diff --git a/packages/integration-tests/src/api/connector.ts b/packages/integration-tests/src/api/connector.ts
index 33a263c23dc..0a151d7cdca 100644
--- a/packages/integration-tests/src/api/connector.ts
+++ b/packages/integration-tests/src/api/connector.ts
@@ -31,14 +31,13 @@ export const postConnector = async (
   payload: Pick<CreateConnector, 'connectorId' | 'config' | 'metadata' | 'syncProfile'>
 ) =>
   authedAdminApi
-    .post({
-      url: `connectors`,
+    .post('connectors', {
       json: payload,
     })
     .json<Connector>();
 
 export const deleteConnectorById = async (id: string) =>
-  authedAdminApi.delete({ url: `connectors/${id}` }).json();
+  authedAdminApi.delete(`connectors/${id}`).json();
 
 export const updateConnectorConfig = async (
   id: string,
@@ -46,8 +45,7 @@ export const updateConnectorConfig = async (
   metadata?: Record<string, unknown>
 ) =>
   authedAdminApi
-    .patch({
-      url: `connectors/${id}`,
+    .patch(`connectors/${id}`, {
       json: { config, metadata },
     })
     .json<ConnectorResponse>();
@@ -70,8 +68,7 @@ const sendTestMessage = async (
   receiver: string,
   config: Record<string, unknown>
 ) =>
-  authedAdminApi.post({
-    url: `connectors/${connectorFactoryId}/test`,
+  authedAdminApi.post(`connectors/${connectorFactoryId}/test`, {
     json: { [receiverType]: receiver, config },
   });
 
@@ -81,8 +78,7 @@ export const getConnectorAuthorizationUri = async (
   redirectUri: string
 ) =>
   authedAdminApi
-    .post({
-      url: `connectors/${connectorId}/authorization-uri`,
+    .post(`connectors/${connectorId}/authorization-uri`, {
       json: { state, redirectUri },
     })
     .json<{ redirectTo: string }>();
diff --git a/packages/integration-tests/src/api/custom-phrase.ts b/packages/integration-tests/src/api/custom-phrase.ts
index 6e2beb26489..0a3da252a52 100644
--- a/packages/integration-tests/src/api/custom-phrase.ts
+++ b/packages/integration-tests/src/api/custom-phrase.ts
@@ -9,9 +9,7 @@ export const getCustomPhrase = async (languageTag: string) =>
   authedAdminApi.get(`custom-phrases/${languageTag}`).json<CustomPhrase>();
 
 export const createOrUpdateCustomPhrase = async (languageTag: string, translation: Translation) =>
-  authedAdminApi
-    .put({ url: `custom-phrases/${languageTag}`, json: translation })
-    .json<CustomPhrase>();
+  authedAdminApi.put(`custom-phrases/${languageTag}`, { json: translation }).json<CustomPhrase>();
 
 export const deleteCustomPhrase = async (languageTag: string) =>
   authedAdminApi.delete(`custom-phrases/${languageTag}`).json();
diff --git a/packages/integration-tests/src/api/factory.ts b/packages/integration-tests/src/api/factory.ts
index e2761d66c26..f7ccbaac498 100644
--- a/packages/integration-tests/src/api/factory.ts
+++ b/packages/integration-tests/src/api/factory.ts
@@ -1,5 +1,23 @@
 import { authedAdminApi } from './api.js';
 
+/**
+ * Transform the data to a new object or array without modifying the original data.
+ * This is useful since `.json()` returns an object that contains something which makes
+ * it impossible to use `.toStrictEqual()` directly.
+ */
+const transform = <T>(data: T): T => {
+  if (Array.isArray(data)) {
+    // eslint-disable-next-line no-restricted-syntax
+    return [...data] as T;
+  }
+
+  if (typeof data === 'object') {
+    return { ...data };
+  }
+
+  return data;
+};
+
 export class ApiFactory<
   Schema extends Record<string, unknown>,
   PostData extends Record<string, unknown>,
@@ -8,19 +26,23 @@ export class ApiFactory<
   constructor(public readonly path: string) {}
 
   async create(data: PostData): Promise<Schema> {
-    return authedAdminApi.post(this.path, { json: data }).json<Schema>();
+    return transform(await authedAdminApi.post(this.path, { json: data }).json<Schema>());
   }
 
   async getList(params?: URLSearchParams): Promise<Schema[]> {
-    return authedAdminApi.get(this.path + '?' + (params?.toString() ?? '')).json<Schema[]>();
+    return transform(
+      await authedAdminApi.get(this.path + '?' + (params?.toString() ?? '')).json<Schema[]>()
+    );
   }
 
   async get(id: string): Promise<Schema> {
-    return authedAdminApi.get(this.path + '/' + id).json<Schema>();
+    return transform(await authedAdminApi.get(this.path + '/' + id).json<Schema>());
   }
 
   async update(id: string, data: PatchData): Promise<Schema> {
-    return authedAdminApi.patch(this.path + '/' + id, { json: data }).json<Schema>();
+    return transform(
+      await authedAdminApi.patch(this.path + '/' + id, { json: data }).json<Schema>()
+    );
   }
 
   async delete(id: string): Promise<void> {
diff --git a/packages/integration-tests/src/api/interaction-sso.ts b/packages/integration-tests/src/api/interaction-sso.ts
index 474b9e6852f..9d2011c5d72 100644
--- a/packages/integration-tests/src/api/interaction-sso.ts
+++ b/packages/integration-tests/src/api/interaction-sso.ts
@@ -15,7 +15,6 @@ export const getSsoAuthorizationUrl = async (
     .post(`interaction/${ssoPath}/${connectorId}/authorization-url`, {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json<{ redirectTo: string }>();
 };
diff --git a/packages/integration-tests/src/api/interaction.ts b/packages/integration-tests/src/api/interaction.ts
index a355b5e6783..977b690e0f1 100644
--- a/packages/integration-tests/src/api/interaction.ts
+++ b/packages/integration-tests/src/api/interaction.ts
@@ -5,8 +5,9 @@ import type {
   RequestVerificationCodePayload,
   BindMfaPayload,
   VerifyMfaPayload,
+  ConsentInfoResponse,
 } from '@logto/schemas';
-import type { Got } from 'got';
+import { type KyInstance } from 'ky';
 
 import api from './api.js';
 
@@ -25,7 +26,6 @@ export const putInteraction = async (cookie: string, payload: InteractionPayload
     .put('interaction', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -33,21 +33,17 @@ export const deleteInteraction = async (cookie: string) =>
   api
     .delete('interaction', {
       headers: { cookie },
-      followRedirect: false,
     })
     .json();
 
 export const putInteractionEvent = async (cookie: string, payload: { event: InteractionEvent }) =>
-  api
-    .put('interaction/event', { headers: { cookie }, json: payload, followRedirect: false })
-    .json();
+  api.put('interaction/event', { headers: { cookie }, json: payload, redirect: 'manual' }).json();
 
 export const patchInteractionIdentifiers = async (cookie: string, payload: IdentifierPayload) =>
   api
     .patch('interaction/identifiers', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -56,7 +52,6 @@ export const patchInteractionProfile = async (cookie: string, payload: Profile)
     .patch('interaction/profile', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -65,7 +60,6 @@ export const putInteractionProfile = async (cookie: string, payload: Profile) =>
     .put('interaction/profile', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -74,7 +68,6 @@ export const postInteractionBindMfa = async (cookie: string, payload: BindMfaPay
     .post('interaction/bind-mfa', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -83,7 +76,6 @@ export const putInteractionMfa = async (cookie: string, payload: VerifyMfaPayloa
     .put('interaction/mfa', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
     })
     .json();
 
@@ -91,13 +83,12 @@ export const deleteInteractionProfile = async (cookie: string) =>
   api
     .delete('interaction/profile', {
       headers: { cookie },
-      followRedirect: false,
     })
     .json();
 
-export const submitInteraction = async (api: Got, cookie: string) =>
+export const submitInteraction = async (api: KyInstance, cookie: string) =>
   api
-    .post('interaction/submit', { headers: { cookie }, followRedirect: false })
+    .post('interaction/submit', { headers: { cookie }, redirect: 'manual' })
     .json<RedirectResponse>();
 
 export const sendVerificationCode = async (
@@ -107,7 +98,6 @@ export const sendVerificationCode = async (
   api.post('interaction/verification/verification-code', {
     headers: { cookie },
     json: payload,
-    followRedirect: false,
   });
 
 export type SocialAuthorizationUriPayload = {
@@ -123,7 +113,6 @@ export const createSocialAuthorizationUri = async (
   api.post('interaction/verification/social-authorization-uri', {
     headers: { cookie },
     json: payload,
-    followRedirect: false,
   });
 
 export const initTotp = async (cookie: string) =>
@@ -131,7 +120,8 @@ export const initTotp = async (cookie: string) =>
     .post('interaction/verification/totp', {
       headers: { cookie },
       json: {},
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     })
     .json<{ secret: string }>();
 
@@ -141,19 +131,26 @@ export const skipMfaBinding = async (cookie: string) =>
     json: {
       mfaSkipped: true,
     },
-    followRedirect: false,
   });
 
-export const consent = async (api: Got, cookie: string) =>
+export const consent = async (api: KyInstance, cookie: string) =>
   api
     .post('interaction/consent', {
       headers: {
         cookie,
       },
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     })
     .json<RedirectResponse>();
 
+export const getConsentInfo = async (cookie: string) =>
+  api
+    .get('interaction/consent', {
+      headers: { cookie },
+    })
+    .json<ConsentInfoResponse>();
+
 export const createSingleSignOnAuthorizationUri = async (
   cookie: string,
   payload: SocialAuthorizationUriPayload
@@ -161,5 +158,4 @@ export const createSingleSignOnAuthorizationUri = async (
   api.post('interaction/verification/sso-authorization-uri', {
     headers: { cookie },
     json: payload,
-    followRedirect: false,
   });
diff --git a/packages/integration-tests/src/api/logto-config.ts b/packages/integration-tests/src/api/logto-config.ts
index d2867f103a4..78ce7c7ec58 100644
--- a/packages/integration-tests/src/api/logto-config.ts
+++ b/packages/integration-tests/src/api/logto-config.ts
@@ -3,6 +3,9 @@ import {
   type AdminConsoleData,
   type OidcConfigKeysResponse,
   type LogtoOidcConfigKeyType,
+  type AccessTokenJwtCustomizer,
+  type ClientCredentialsJwtCustomizer,
+  type JwtCustomizerConfigs,
 } from '@logto/schemas';
 
 import { authedAdminApi } from './api.js';
@@ -30,3 +33,30 @@ export const rotateOidcKeys = async (
   authedAdminApi
     .post(`configs/oidc/${keyType}/rotate`, { json: { signingKeyAlgorithm } })
     .json<OidcConfigKeysResponse[]>();
+
+export const upsertJwtCustomizer = async (
+  keyTypePath: 'access-token' | 'client-credentials',
+  value: unknown
+) =>
+  authedAdminApi
+    .put(`configs/jwt-customizer/${keyTypePath}`, { json: value })
+    .json<AccessTokenJwtCustomizer | ClientCredentialsJwtCustomizer>();
+
+export const getJwtCustomizer = async (keyTypePath: 'access-token' | 'client-credentials') =>
+  authedAdminApi
+    .get(`configs/jwt-customizer/${keyTypePath}`)
+    .json<AccessTokenJwtCustomizer | ClientCredentialsJwtCustomizer>();
+
+export const getJwtCustomizers = async () =>
+  authedAdminApi.get(`configs/jwt-customizer`).json<JwtCustomizerConfigs[]>();
+
+export const deleteJwtCustomizer = async (keyTypePath: 'access-token' | 'client-credentials') =>
+  authedAdminApi.delete(`configs/jwt-customizer/${keyTypePath}`);
+
+export const updateJwtCustomizer = async (
+  keyTypePath: 'access-token' | 'client-credentials',
+  value: unknown
+) =>
+  authedAdminApi
+    .patch(`configs/jwt-customizer/${keyTypePath}`, { json: value })
+    .json<AccessTokenJwtCustomizer | ClientCredentialsJwtCustomizer>();
diff --git a/packages/integration-tests/src/api/organization-invitation.ts b/packages/integration-tests/src/api/organization-invitation.ts
index b3d9b541c56..89e5f437667 100644
--- a/packages/integration-tests/src/api/organization-invitation.ts
+++ b/packages/integration-tests/src/api/organization-invitation.ts
@@ -38,4 +38,12 @@ export class OrganizationInvitationApi extends ApiFactory<
       })
       .json<OrganizationInvitationEntity>();
   }
+
+  async resendMessage(id: string, messagePayload: SendMessagePayload) {
+    return authedAdminApi
+      .post(`${this.path}/${id}/message`, {
+        json: messagePayload,
+      })
+      .json();
+  }
 }
diff --git a/packages/integration-tests/src/api/organization-role.ts b/packages/integration-tests/src/api/organization-role.ts
index d2df14d9ee1..eabe04ae440 100644
--- a/packages/integration-tests/src/api/organization-role.ts
+++ b/packages/integration-tests/src/api/organization-role.ts
@@ -2,6 +2,7 @@ import {
   type OrganizationScope,
   type OrganizationRole,
   type OrganizationRoleWithScopes,
+  type Scope,
 } from '@logto/schemas';
 
 import { authedAdminApi } from './api.js';
@@ -11,6 +12,7 @@ export type CreateOrganizationRolePostData = {
   name: string;
   description?: string;
   organizationScopeIds?: string[];
+  resourceScopeIds?: string[];
 };
 
 export class OrganizationRoleApi extends ApiFactory<
@@ -44,4 +46,18 @@ export class OrganizationRoleApi extends ApiFactory<
   async deleteScope(id: string, scopeId: string): Promise<void> {
     await authedAdminApi.delete(`${this.path}/${id}/scopes/${scopeId}`);
   }
+
+  async addResourceScopes(id: string, scopeIds: string[]): Promise<void> {
+    await authedAdminApi.post(`${this.path}/${id}/resource-scopes`, { json: { scopeIds } });
+  }
+
+  async getResourceScopes(id: string, searchParams?: URLSearchParams): Promise<Scope[]> {
+    return authedAdminApi
+      .get(`${this.path}/${id}/resource-scopes`, { searchParams })
+      .json<Scope[]>();
+  }
+
+  async deleteResourceScope(id: string, scopeId: string): Promise<void> {
+    await authedAdminApi.delete(`${this.path}/${id}/resource-scopes/${scopeId}`);
+  }
 }
diff --git a/packages/integration-tests/src/api/organization.ts b/packages/integration-tests/src/api/organization.ts
index 5adc40d597d..776ffbeb6ee 100644
--- a/packages/integration-tests/src/api/organization.ts
+++ b/packages/integration-tests/src/api/organization.ts
@@ -37,7 +37,7 @@ export class OrganizationApi extends ApiFactory<
     query?: Query
   ): Promise<[rows: UserWithOrganizationRoles[], totalCount: number]> {
     const got = await authedAdminApi.get(`${this.path}/${id}/users`, { searchParams: query });
-    return [JSON.parse(got.body), Number(got.headers['total-number'] ?? 0)];
+    return [await got.json(), Number(got.headers.get('total-number') ?? 0)];
   }
 
   async deleteUser(id: string, userId: string): Promise<void> {
diff --git a/packages/integration-tests/src/api/resource.ts b/packages/integration-tests/src/api/resource.ts
index fd47632d667..66bdaa4f0ed 100644
--- a/packages/integration-tests/src/api/resource.ts
+++ b/packages/integration-tests/src/api/resource.ts
@@ -1,5 +1,5 @@
 import type { Resource, CreateResource } from '@logto/schemas';
-import type { OptionsOfTextResponseBody } from 'got';
+import { type Options } from 'ky';
 
 import { generateResourceIndicator, generateResourceName } from '#src/utils.js';
 
@@ -17,7 +17,7 @@ export const createResource = async (name?: string, indicator?: string) =>
 
 export const getResources = async () => authedAdminApi.get('resources').json<Resource[]>();
 
-export const getResource = async (resourceId: string, options?: OptionsOfTextResponseBody) =>
+export const getResource = async (resourceId: string, options?: Options) =>
   authedAdminApi.get(`resources/${resourceId}`, options).json<Resource>();
 
 export const updateResource = async (
diff --git a/packages/integration-tests/src/api/scope.ts b/packages/integration-tests/src/api/scope.ts
index e0edbe52442..27141ab5278 100644
--- a/packages/integration-tests/src/api/scope.ts
+++ b/packages/integration-tests/src/api/scope.ts
@@ -1,11 +1,11 @@
 import type { Scope, CreateScope } from '@logto/schemas';
-import type { OptionsOfTextResponseBody } from 'got';
+import { type Options } from 'ky';
 
 import { generateScopeName } from '#src/utils.js';
 
 import { authedAdminApi } from './api.js';
 
-export const getScopes = async (resourceId: string, options?: OptionsOfTextResponseBody) =>
+export const getScopes = async (resourceId: string, options?: Options) =>
   authedAdminApi.get(`resources/${resourceId}/scopes`, options).json<Scope[]>();
 
 export const createScope = async (resourceId: string, name?: string) => {
diff --git a/packages/integration-tests/src/client/index.ts b/packages/integration-tests/src/client/index.ts
index 4d71a2c479a..16d8ce5dd47 100644
--- a/packages/integration-tests/src/client/index.ts
+++ b/packages/integration-tests/src/client/index.ts
@@ -1,10 +1,9 @@
-import type { LogtoConfig } from '@logto/node';
+import type { LogtoConfig, SignInOptions } from '@logto/node';
 import LogtoClient from '@logto/node';
 import { demoAppApplicationId } from '@logto/schemas';
 import type { Nullable, Optional } from '@silverhand/essentials';
 import { assert } from '@silverhand/essentials';
-import type { Got } from 'got';
-import { got } from 'got';
+import ky, { type KyInstance } from 'ky';
 
 import { submitInteraction } from '#src/api/index.js';
 import { demoAppRedirectUri, logtoUrl } from '#src/constants.js';
@@ -23,12 +22,12 @@ export default class MockClient {
   protected readonly logto: LogtoClient;
 
   private navigateUrl?: string;
-  private readonly api: Got;
+  private readonly api: KyInstance;
 
   constructor(config?: Partial<LogtoConfig>) {
     this.storage = new MemoryStorage();
     this.config = { ...defaultConfig, ...config };
-    this.api = got.extend({ prefixUrl: this.config.endpoint + '/api' });
+    this.api = ky.extend({ prefixUrl: this.config.endpoint + '/api' });
 
     this.logto = new LogtoClient(this.config, {
       navigate: (url: string) => {
@@ -59,8 +58,11 @@ export default class MockClient {
     return map;
   }
 
-  public async initSession(callbackUri = demoAppRedirectUri) {
-    await this.logto.signIn(callbackUri);
+  public async initSession(
+    redirectUri = demoAppRedirectUri,
+    options: Omit<SignInOptions, 'redirectUri'> = {}
+  ) {
+    await this.logto.signIn({ redirectUri, ...options });
 
     assert(this.navigateUrl, new Error('Unable to navigate to sign in uri'));
     assert(
@@ -69,42 +71,57 @@ export default class MockClient {
     );
 
     // Mock SDK sign-in navigation
-    const response = await got(this.navigateUrl, {
-      followRedirect: false,
+    const response = await ky(this.navigateUrl, {
+      redirect: 'manual',
+      throwHttpErrors: false,
     });
 
     // Note: should redirect to sign-in page
     assert(
-      response.statusCode === 303 && response.headers.location?.startsWith('/sign-in'),
+      response.status === 303 &&
+        response.headers
+          .get('location')
+          ?.startsWith(options.directSignIn ? '/direct/' : '/sign-in'),
       new Error('Visit sign in uri failed')
     );
 
     // Get session cookie
-    this.rawCookies = response.headers['set-cookie'] ?? [];
+    this.rawCookies = response.headers.getSetCookie();
     assert(this.interactionCookie, new Error('Get cookie from authorization endpoint failed'));
   }
 
-  public async processSession(redirectTo: string) {
+  /**
+   *
+   * @param {string} redirectTo the sign-in or register redirect uri
+   * @param {boolean} [consent=true] whether to automatically consent. Need to manually handle the consent flow if set to false
+   */
+  public async processSession(redirectTo: string, consent = true) {
     // Note: should redirect to OIDC auth endpoint
     assert(
       redirectTo.startsWith(`${this.config.endpoint}/oidc/auth`),
       new Error('SignIn or Register failed')
     );
 
-    const authResponse = await got.get(redirectTo, {
+    const authResponse = await ky.get(redirectTo, {
       headers: {
         cookie: this.interactionCookie,
       },
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     });
 
     // Note: Should redirect to logto consent page
     assert(
-      authResponse.statusCode === 303 && authResponse.headers.location === '/consent',
+      authResponse.status === 303 && authResponse.headers.get('location') === '/consent',
       new Error('Invoke auth before consent failed')
     );
 
-    this.rawCookies = authResponse.headers['set-cookie'] ?? [];
+    this.rawCookies = authResponse.headers.getSetCookie();
+
+    // Manually handle the consent flow
+    if (!consent) {
+      return;
+    }
 
     const signInCallbackUri = await this.consent();
     await this.logto.handleSignInCallback(signInCallbackUri);
@@ -124,7 +141,7 @@ export default class MockClient {
     }
 
     await this.logto.signOut(postSignOutRedirectUri);
-    await got(this.navigateUrl);
+    await ky(this.navigateUrl);
   }
 
   public async isAuthenticated() {
@@ -162,30 +179,32 @@ export default class MockClient {
     assert(this.interactionCookie, new Error('Session not found'));
     assert(this.interactionCookie.includes('_session.sig'), new Error('Session not found'));
 
-    const consentResponse = await got.get(`${this.config.endpoint}/consent`, {
+    const consentResponse = await ky.get(`${this.config.endpoint}/consent`, {
       headers: {
         cookie: this.interactionCookie,
       },
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     });
 
     // Consent page should auto consent and redirect to auth endpoint
-    const redirectTo = consentResponse.headers.location;
+    const redirectTo = consentResponse.headers.get('location');
 
     if (!redirectTo?.startsWith(`${this.config.endpoint}/oidc/auth`)) {
       throw new Error('Consent failed');
     }
 
-    const authCodeResponse = await got.get(redirectTo, {
+    const authCodeResponse = await ky.get(redirectTo, {
       headers: {
         cookie: this.interactionCookie,
       },
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     });
 
     // Note: Should redirect to the signInCallbackUri
-    assert(authCodeResponse.statusCode === 303, new Error('Complete auth failed'));
-    const signInCallbackUri = authCodeResponse.headers.location;
+    assert(authCodeResponse.status === 303, new Error('Complete auth failed'));
+    const signInCallbackUri = authCodeResponse.headers.get('location');
     assert(signInCallbackUri, new Error('Get sign in callback uri failed'));
 
     return signInCallbackUri;
diff --git a/packages/integration-tests/src/constants.ts b/packages/integration-tests/src/constants.ts
index f2d140d8c5e..a947f45486d 100644
--- a/packages/integration-tests/src/constants.ts
+++ b/packages/integration-tests/src/constants.ts
@@ -1,8 +1,8 @@
 import {
   type CreateSsoConnector,
   SignInIdentifier,
-  demoAppApplicationId,
   SsoProviderName,
+  demoAppApplicationId,
 } from '@logto/schemas';
 import { appendPath, getEnv } from '@silverhand/essentials';
 
@@ -17,7 +17,7 @@ export const demoAppUrl = appendPath(new URL(logtoUrl), 'demo-app');
 
 export const discoveryUrl = `${logtoUrl}/oidc/.well-known/openid-configuration`;
 
-export const demoAppRedirectUri = `${logtoUrl}/${demoAppApplicationId}`;
+export const demoAppRedirectUri = appendPath(new URL(logtoUrl), demoAppApplicationId).href;
 export const adminConsoleRedirectUri = `${logtoConsoleUrl}/console/callback`;
 
 export const signUpIdentifiers = {
diff --git a/packages/integration-tests/src/helpers/admin-tenant.ts b/packages/integration-tests/src/helpers/admin-tenant.ts
index 6e75c57db70..d91840c06e5 100644
--- a/packages/integration-tests/src/helpers/admin-tenant.ts
+++ b/packages/integration-tests/src/helpers/admin-tenant.ts
@@ -62,7 +62,8 @@ export const putInteraction = async (cookie: string, payload: InteractionPayload
     .put('interaction', {
       headers: { cookie },
       json: payload,
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     })
     .json();
 
diff --git a/packages/integration-tests/src/helpers/client.ts b/packages/integration-tests/src/helpers/client.ts
index 46594ed2ab2..652f113f8b6 100644
--- a/packages/integration-tests/src/helpers/client.ts
+++ b/packages/integration-tests/src/helpers/client.ts
@@ -1,11 +1,15 @@
-import type { LogtoConfig } from '@logto/node';
+import type { LogtoConfig, SignInOptions } from '@logto/node';
 import { assert } from '@silverhand/essentials';
 
 import MockClient from '#src/client/index.js';
 
-export const initClient = async (config?: Partial<LogtoConfig>, redirectUri?: string) => {
+export const initClient = async (
+  config?: Partial<LogtoConfig>,
+  redirectUri?: string,
+  options: Omit<SignInOptions, 'redirectUri'> = {}
+) => {
   const client = new MockClient(config);
-  await client.initSession(redirectUri);
+  await client.initSession(redirectUri, options);
   assert(client.interactionCookie, new Error('Session not found'));
 
   return client;
diff --git a/packages/integration-tests/src/helpers/index.ts b/packages/integration-tests/src/helpers/index.ts
index b5f93ca23f3..d83decf2451 100644
--- a/packages/integration-tests/src/helpers/index.ts
+++ b/packages/integration-tests/src/helpers/index.ts
@@ -2,24 +2,35 @@ import fs from 'node:fs/promises';
 import { createServer, type RequestListener } from 'node:http';
 
 import { mockConnectorFilePaths, type SendMessagePayload } from '@logto/connector-kit';
-import { RequestError } from 'got';
+import {
+  type UserProfile,
+  type JsonObject,
+  type UsersPasswordEncryptionMethod,
+} from '@logto/schemas';
+import { HTTPError } from 'ky';
 
 import { createUser } from '#src/api/index.js';
 import { generateUsername } from '#src/utils.js';
 
 export const createUserByAdmin = async (
-  username?: string,
-  password?: string,
-  primaryEmail?: string,
-  primaryPhone?: string,
-  name?: string
+  payload: {
+    username?: string;
+    password?: string;
+    primaryEmail?: string;
+    primaryPhone?: string;
+    name?: string;
+    passwordDigest?: string;
+    passwordAlgorithm?: UsersPasswordEncryptionMethod;
+    customData?: JsonObject;
+    profile?: UserProfile;
+  } = {}
 ) => {
+  const { username, name, ...rest } = payload;
+
   return createUser({
+    ...rest,
     username: username ?? generateUsername(),
-    password,
     name: name ?? username ?? 'John',
-    primaryEmail,
-    primaryPhone,
   });
 };
 
@@ -66,7 +77,7 @@ export const removeConnectorMessage = async (
 
 type ExpectedErrorInfo = {
   code: string;
-  statusCode: number;
+  status: number;
   messageIncludes?: string;
 };
 
@@ -83,16 +94,16 @@ export const expectRejects = async <T = void>(
   fail();
 };
 
-export const expectRequestError = <T = void>(error: unknown, expected: ExpectedErrorInfo) => {
-  const { code, statusCode, messageIncludes } = expected;
+const expectRequestError = async <T = void>(error: unknown, expected: ExpectedErrorInfo) => {
+  const { code, status, messageIncludes } = expected;
 
-  if (!(error instanceof RequestError)) {
+  if (!(error instanceof HTTPError)) {
     fail('Error should be an instance of RequestError');
   }
 
   // JSON.parse returns `any`. Directly use `as` since we've already know the response body structure.
   // eslint-disable-next-line no-restricted-syntax
-  const body = JSON.parse(String(error.response?.body)) as {
+  const body = (await error.response.json()) as {
     code: string;
     message: string;
     data: T;
@@ -100,7 +111,7 @@ export const expectRequestError = <T = void>(error: unknown, expected: ExpectedE
 
   expect(body.code).toEqual(code);
 
-  expect(error.response?.statusCode).toEqual(statusCode);
+  expect(error.response.status).toEqual(status);
 
   if (messageIncludes) {
     expect(body.message.includes(messageIncludes)).toBeTruthy();
diff --git a/packages/integration-tests/src/helpers/interactions.ts b/packages/integration-tests/src/helpers/interactions.ts
index a0dfe1f94b8..a744d8bae95 100644
--- a/packages/integration-tests/src/helpers/interactions.ts
+++ b/packages/integration-tests/src/helpers/interactions.ts
@@ -80,7 +80,7 @@ export const createNewSocialUserWithUsernameAndPassword = async (connectorId: st
 
   await expectRejects(client.submitInteraction(), {
     code: 'user.identity_not_exist',
-    statusCode: 422,
+    status: 422,
   });
   await client.successSend(patchInteractionIdentifiers, { username, password });
   await client.successSend(putInteractionProfile, { connectorId });
diff --git a/packages/integration-tests/src/helpers/resource.ts b/packages/integration-tests/src/helpers/resource.ts
new file mode 100644
index 00000000000..5e420db707d
--- /dev/null
+++ b/packages/integration-tests/src/helpers/resource.ts
@@ -0,0 +1,50 @@
+import { type Scope } from '@logto/schemas';
+import { trySafe } from '@silverhand/essentials';
+
+import { createResource, deleteResource } from '#src/api/resource.js';
+import { createScope, deleteScope } from '#src/api/scope.js';
+
+export class ScopeApiTest {
+  #scopes: Scope[] = [];
+  #resourceId?: string;
+
+  /**
+   * Initialize the resource, scopes will be created under this resource.
+   */
+  async initResource(): Promise<void> {
+    const resource = await createResource();
+    this.#resourceId = resource.id;
+  }
+
+  get scopes(): Scope[] {
+    return this.#scopes;
+  }
+
+  async create(data: { name: string }): Promise<Scope> {
+    if (!this.#resourceId) {
+      throw new Error('Resource is not initialized');
+    }
+
+    const created = await createScope(this.#resourceId, data.name);
+    // eslint-disable-next-line @silverhand/fp/no-mutating-methods
+    this.scopes.push(created);
+    return created;
+  }
+
+  /**
+   * Delete all created scopes and the resource. This method will ignore errors when deleting scopes to avoid error
+   * when they are deleted by other tests.
+   */
+  async cleanUp(): Promise<void> {
+    // Use `trySafe` to avoid error when scope is deleted by other tests.
+    await Promise.all(
+      this.scopes.map(
+        async (scope) => this.#resourceId && trySafe(deleteScope(this.#resourceId, scope.id))
+      )
+    );
+    this.#scopes = [];
+
+    await trySafe(async () => this.#resourceId && deleteResource(this.#resourceId));
+    this.#resourceId = undefined;
+  }
+}
diff --git a/packages/integration-tests/src/helpers/sign-in-experience.ts b/packages/integration-tests/src/helpers/sign-in-experience.ts
index 3337a832cd0..73e142be22c 100644
--- a/packages/integration-tests/src/helpers/sign-in-experience.ts
+++ b/packages/integration-tests/src/helpers/sign-in-experience.ts
@@ -63,6 +63,15 @@ export const enableAllPasswordSignInMethods = async (
     mfa: { factors: [], policy: MfaPolicy.UserControlled },
   });
 
+export const resetPasswordPolicy = async () =>
+  updateSignInExperience({
+    passwordPolicy: {
+      length: { min: 8, max: 256 },
+      characterTypes: { min: 1 },
+      rejects: { pwned: true, repetitionAndSequence: true, userInfo: true },
+    },
+  });
+
 export const enableAllVerificationCodeSignInMethods = async (
   signUp: SignInExperience['signUp'] = defaultSignUpMethod
 ) =>
diff --git a/packages/integration-tests/src/include.d/node-fetch.d.ts b/packages/integration-tests/src/include.d/node-fetch.d.ts
deleted file mode 100644
index dd1a8efbe98..00000000000
--- a/packages/integration-tests/src/include.d/node-fetch.d.ts
+++ /dev/null
@@ -1,4 +0,0 @@
-declare module 'node-fetch' {
-  const nodeFetch: typeof fetch;
-  export = nodeFetch;
-}
diff --git a/packages/integration-tests/src/tests/api/admin-user.roles.test.ts b/packages/integration-tests/src/tests/api/admin-user.roles.test.ts
index dd44bea2718..820bcc70fa7 100644
--- a/packages/integration-tests/src/tests/api/admin-user.roles.test.ts
+++ b/packages/integration-tests/src/tests/api/admin-user.roles.test.ts
@@ -1,5 +1,5 @@
 import { RoleType } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { assignRolesToUser, getUserRoles, deleteRoleFromUser } from '#src/api/index.js';
 import { createRole } from '#src/api/role.js';
@@ -21,7 +21,7 @@ describe('admin console user management (roles)', () => {
     const m2mRole = await createRole({ type: RoleType.MachineToMachine });
     await expectRejects(assignRolesToUser(user.id, [m2mRole.id]), {
       code: 'user.invalid_role_type',
-      statusCode: 422,
+      status: 422,
     });
 
     await assignRolesToUser(user.id, [role1.id, role2.id]);
@@ -65,6 +65,6 @@ describe('admin console user management (roles)', () => {
     const role = await createRole({});
 
     const response = await deleteRoleFromUser(user.id, role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/admin-user.search.test.ts b/packages/integration-tests/src/tests/api/admin-user.search.test.ts
index ae7ec3fdc84..23b5f6f75eb 100644
--- a/packages/integration-tests/src/tests/api/admin-user.search.test.ts
+++ b/packages/integration-tests/src/tests/api/admin-user.search.test.ts
@@ -1,5 +1,3 @@
-import type { IncomingHttpHeaders } from 'node:http';
-
 import type { Role, User } from '@logto/schemas';
 
 import { assignRolesToUser, authedAdminApi, createUser, deleteUser } from '#src/api/index.js';
@@ -10,12 +8,12 @@ import { UserApiTest } from '#src/helpers/user.js';
 
 const getUsers = async <T>(
   init: string[][] | Record<string, string> | URLSearchParams
-): Promise<{ headers: IncomingHttpHeaders; json: T }> => {
-  const { headers, body } = await authedAdminApi.get('users', {
+): Promise<{ headers: Headers; json: T }> => {
+  const response = await authedAdminApi.get('users', {
     searchParams: new URLSearchParams(init),
   });
 
-  return { headers, json: JSON.parse(body) as T };
+  return { headers: response.headers, json: (await response.json()) as T };
 };
 
 describe('admin console user search params', () => {
@@ -52,7 +50,7 @@ describe('admin console user search params', () => {
         const primaryPhone =
           phonePrefix[index % phonePrefix.length]! + index.toString().padStart(5, '0');
 
-        return createUserByAdmin(prefix + username, undefined, primaryEmail, primaryPhone, name);
+        return createUserByAdmin({ username: prefix + username, primaryEmail, primaryPhone, name });
       })
     );
   });
@@ -64,21 +62,21 @@ describe('admin console user search params', () => {
   it('should return all users if nothing specified', async () => {
     const { headers } = await getUsers<User[]>([]);
 
-    expect(Number(headers['total-number'])).toBeGreaterThanOrEqual(10);
+    expect(Number(headers.get('total-number'))).toBeGreaterThanOrEqual(10);
   });
 
   describe('falling back to `like` mode and matches all available fields if only `search` is specified', () => {
     it('should search username', async () => {
       const { headers, json } = await getUsers<User[]>([['search', '%search_tom%']]);
 
-      expect(headers['total-number']).toEqual('5');
+      expect(headers.get('total-number')).toEqual('5');
       expect(json.length === 5 && json.every((user) => user.name === 'Tom Scott')).toBeTruthy();
     });
 
     it('should search primaryPhone', async () => {
       const { headers, json } = await getUsers<User[]>([['search', '%0000%']]);
 
-      expect(headers['total-number']).toEqual('10');
+      expect(headers.get('total-number')).toEqual('10');
       expect(
         json.length === 10 && json.every((user) => user.username?.startsWith('search_'))
       ).toBeTruthy();
@@ -92,7 +90,7 @@ describe('admin console user search params', () => {
       ['isCaseSensitive', 'true'],
     ]);
 
-    expect(headers['total-number']).toEqual('0');
+    expect(headers.get('total-number')).toEqual('0');
     expect(json.length === 0).toBeTruthy();
   });
 
@@ -102,7 +100,7 @@ describe('admin console user search params', () => {
       ['mode.name', 'exact'],
     ]);
 
-    expect(headers['total-number']).toEqual('2');
+    expect(headers.get('total-number')).toEqual('2');
     expect(json.length === 2 && json.every((user) => user.name === 'Jerry Swift')).toBeTruthy();
   });
 
@@ -117,7 +115,7 @@ describe('admin console user search params', () => {
       ['isCaseSensitive', 'true'],
     ]);
 
-    expect(headers['total-number']).toEqual('2');
+    expect(headers.get('total-number')).toEqual('2');
     expect(json.length === 2 && json.every((user) => user.name === 'Jerry Swift Jr')).toBeTruthy();
   });
 
@@ -130,7 +128,7 @@ describe('admin console user search params', () => {
       ['isCaseSensitive', 'true'],
     ]);
 
-    expect(headers['total-number']).toEqual('5');
+    expect(headers.get('total-number')).toEqual('5');
     expect(
       json.length === 5 && json.every((user) => user.username?.startsWith('search_'))
     ).toBeTruthy();
@@ -144,7 +142,7 @@ describe('admin console user search params', () => {
       ['mode.primaryEmail', 'exact'],
     ]);
 
-    expect(headers['total-number']).toEqual('3');
+    expect(headers.get('total-number')).toEqual('3');
     expect(
       json.length === 3 && json.every((user) => user.name?.startsWith('Jerry Swift Jr'))
     ).toBeTruthy();
@@ -161,7 +159,7 @@ describe('admin console user search params', () => {
       ['isCaseSensitive', 'true'],
     ]);
 
-    expect(headers['total-number']).toEqual('3');
+    expect(headers.get('total-number')).toEqual('3');
     expect(
       json.length === 3 && json.every((user) => user.username?.startsWith('search_'))
     ).toBeTruthy();
@@ -174,7 +172,7 @@ describe('admin console user search params', () => {
         ['search.primaryEmail', 'jerry_swift_jr_2@geek.best'],
         ['search.primaryEmail', 'jerry_swift_jr_jr@gmail.com'],
       ]),
-      { code: 'request.invalid_input', statusCode: 400, messageIncludes: '`exact`' }
+      { code: 'request.invalid_input', status: 400, messageIncludes: '`exact`' }
     );
   });
 
@@ -186,7 +184,7 @@ describe('admin console user search params', () => {
       ]),
       {
         code: 'request.invalid_input',
-        statusCode: 400,
+        status: 400,
         messageIncludes: 'cannot be empty',
       }
     );
@@ -200,7 +198,7 @@ describe('admin console user search params', () => {
       ]),
       {
         code: 'request.invalid_input',
-        statusCode: 400,
+        status: 400,
         messageIncludes: 'case-insensitive',
       }
     );
@@ -215,13 +213,13 @@ describe('admin console user search params', () => {
         ]),
         {
           code: 'request.invalid_input',
-          statusCode: 400,
+          status: 400,
           messageIncludes: 'is not valid',
         }
       ),
       expectRejects(getUsers<User[]>([['search.email', '%gmail%']]), {
         code: 'request.invalid_input',
-        statusCode: 400,
+        status: 400,
         messageIncludes: 'is not valid',
       }),
       expectRejects(
@@ -231,7 +229,7 @@ describe('admin console user search params', () => {
         ]),
         {
           code: 'request.invalid_input',
-          statusCode: 400,
+          status: 400,
           messageIncludes: 'is not valid',
         }
       ),
@@ -283,7 +281,7 @@ describe('admin console user search params - excludeRoleId', () => {
       ['excludeRoleId', roles[0]!.id],
     ]);
 
-    expect(headers['total-number']).toEqual('2');
+    expect(headers.get('total-number')).toEqual('2');
     expect(json).toHaveLength(2);
     expect(json).toContainEqual(expect.objectContaining({ id: users[1]!.id }));
     expect(json).toContainEqual(expect.objectContaining({ id: users[2]!.id }));
@@ -295,7 +293,7 @@ describe('admin console user search params - excludeRoleId', () => {
       ['excludeRoleId', roles[1]!.id],
     ]);
 
-    expect(headers['total-number']).toEqual('1');
+    expect(headers.get('total-number')).toEqual('1');
     expect(json).toHaveLength(1);
     expect(json).toContainEqual(expect.objectContaining({ id: users[2]!.id }));
   });
@@ -341,7 +339,7 @@ describe('admin console user search params - excludeOrganizationId', () => {
       ['excludeOrganizationId', organizationApi.organizations[0]!.id],
     ]);
 
-    expect(headers['total-number']).toEqual('1');
+    expect(headers.get('total-number')).toEqual('1');
     expect(json).toHaveLength(1);
     expect(json).toContainEqual(expect.objectContaining({ id: userApi.users[2]!.id }));
   });
@@ -352,7 +350,7 @@ describe('admin console user search params - excludeOrganizationId', () => {
       ['excludeOrganizationId', organizationApi.organizations[1]!.id],
     ]);
 
-    expect(headers['total-number']).toEqual('1');
+    expect(headers.get('total-number')).toEqual('1');
     expect(json).toHaveLength(1);
     expect(json).toContainEqual(expect.objectContaining({ id: userApi.users[0]!.id }));
   });
@@ -363,7 +361,7 @@ describe('admin console user search params - excludeOrganizationId', () => {
       ['excludeOrganizationId', organizationApi.organizations[2]!.id],
     ]);
 
-    expect(headers['total-number']).toEqual('2');
+    expect(headers.get('total-number')).toEqual('2');
     expect(json).toHaveLength(2);
     expect(json).toContainEqual(expect.objectContaining({ id: userApi.users[0]!.id }));
     expect(json).toContainEqual(expect.objectContaining({ id: userApi.users[1]!.id }));
diff --git a/packages/integration-tests/src/tests/api/admin-user.test.ts b/packages/integration-tests/src/tests/api/admin-user.test.ts
index 01be84c3f1d..9662010b8c9 100644
--- a/packages/integration-tests/src/tests/api/admin-user.test.ts
+++ b/packages/integration-tests/src/tests/api/admin-user.test.ts
@@ -1,4 +1,5 @@
-import { HTTPError } from 'got';
+import { UsersPasswordEncryptionMethod, ConnectorType } from '@logto/schemas';
+import { HTTPError } from 'ky';
 
 import {
   mockSocialConnectorConfig,
@@ -17,12 +18,24 @@ import {
   postUserIdentity,
   verifyUserPassword,
   putUserIdentity,
+  updateUserProfile,
 } from '#src/api/index.js';
+import { clearConnectorsByTypes } from '#src/helpers/connector.js';
 import { createUserByAdmin, expectRejects } from '#src/helpers/index.js';
 import { createNewSocialUserWithUsernameAndPassword } from '#src/helpers/interactions.js';
-import { generateUsername, generateEmail, generatePhone, generatePassword } from '#src/utils.js';
+import {
+  generateUsername,
+  generateEmail,
+  generatePhone,
+  generatePassword,
+  randomString,
+} from '#src/utils.js';
 
 describe('admin console user management', () => {
+  beforeAll(async () => {
+    await clearConnectorsByTypes([ConnectorType.Social]);
+  });
+
   it('should create and get user successfully', async () => {
     const user = await createUserByAdmin();
 
@@ -36,32 +49,51 @@ describe('admin console user management', () => {
     expect(userDetailsWithSsoIdentities.ssoIdentities).toStrictEqual([]);
   });
 
+  it('should create user with password digest successfully', async () => {
+    const user = await createUserByAdmin({
+      passwordDigest: '5f4dcc3b5aa765d61d8327deb882cf99',
+      passwordAlgorithm: UsersPasswordEncryptionMethod.MD5,
+    });
+
+    await expect(verifyUserPassword(user.id, 'password')).resolves.not.toThrow();
+  });
+
+  it('should create user with custom data and profile successfully', async () => {
+    const user = await createUserByAdmin({
+      customData: { foo: 'bar' },
+      profile: { gender: 'neutral' },
+    });
+    const { customData, profile } = await getUser(user.id);
+    expect({ ...customData }).toStrictEqual({ foo: 'bar' });
+    expect({ ...profile }).toStrictEqual({ gender: 'neutral' });
+  });
+
   it('should fail when create user with conflict identifiers', async () => {
-    const [username, password, email, phone] = [
+    const [username, password, primaryEmail, primaryPhone] = [
       generateUsername(),
       generatePassword(),
       generateEmail(),
       generatePhone(),
     ];
-    await createUserByAdmin(username, password, email, phone);
-    await expectRejects(createUserByAdmin(username, password), {
+    await createUserByAdmin({ username, password, primaryEmail, primaryPhone });
+    await expectRejects(createUserByAdmin({ username, password }), {
       code: 'user.username_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
-    await expectRejects(createUserByAdmin(undefined, undefined, email), {
+    await expectRejects(createUserByAdmin({ primaryEmail }), {
       code: 'user.email_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
-    await expectRejects(createUserByAdmin(undefined, undefined, undefined, phone), {
+    await expectRejects(createUserByAdmin({ primaryPhone }), {
       code: 'user.phone_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
   });
 
   it('should fail when get user by invalid id', async () => {
     await expectRejects(getUser('invalid-user-id'), {
       code: 'entity.not_found',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -77,39 +109,70 @@ describe('admin console user management', () => {
       customData: {
         level: 1,
       },
+      profile: {
+        familyName: 'new family name',
+        address: {
+          formatted: 'new formatted address',
+        },
+      },
     };
 
     const updatedUser = await updateUser(user.id, newUserData);
 
     expect(updatedUser).toMatchObject(newUserData);
+    expect(updatedUser.updatedAt).toBeGreaterThan(user.updatedAt);
+  });
+
+  it('should able to update profile partially', async () => {
+    const user = await createUserByAdmin();
+    const profile = {
+      familyName: 'new family name',
+      address: {
+        formatted: 'new formatted address',
+      },
+    };
+
+    const updatedProfile = await updateUserProfile(user.id, profile);
+    expect(updatedProfile).toMatchObject(profile);
+
+    const patchProfile = {
+      familyName: 'another name',
+      website: 'https://logto.io/',
+    };
+    const updatedProfile2 = await updateUserProfile(user.id, patchProfile);
+    expect(updatedProfile2).toMatchObject({ ...profile, ...patchProfile });
   });
 
   it('should respond 422 when no update data provided', async () => {
     const user = await createUserByAdmin();
     await expectRejects(updateUser(user.id, {}), {
       code: 'entity.invalid_input',
-      statusCode: 422,
+      status: 422,
     });
   });
 
   it('should fail when update userinfo with conflict identifiers', async () => {
-    const [username, email, phone] = [generateUsername(), generateEmail(), generatePhone()];
-    await createUserByAdmin(username, undefined, email, phone);
+    const [username, primaryEmail, primaryPhone] = [
+      generateUsername(),
+      generateEmail(),
+      generatePhone(),
+    ];
+    await createUserByAdmin({ username, primaryEmail, primaryPhone });
     const anotherUser = await createUserByAdmin();
 
     await expectRejects(updateUser(anotherUser.id, { username }), {
       code: 'user.username_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
 
-    await expectRejects(updateUser(anotherUser.id, { primaryEmail: email }), {
+    await expectRejects(updateUser(anotherUser.id, { primaryEmail }), {
       code: 'user.email_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
 
-    await expectRejects(updateUser(anotherUser.id, { primaryPhone: phone }), {
+    await expectRejects(updateUser(anotherUser.id, { primaryPhone }), {
       code: 'user.phone_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -122,13 +185,14 @@ describe('admin console user management', () => {
     await deleteUser(user.id);
 
     const response = await getUser(user.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should update user password successfully', async () => {
-    const user = await createUserByAdmin();
-    const userEntity = await updateUserPassword(user.id, 'new_password');
-    expect(userEntity).toMatchObject(user);
+    const { updatedAt, ...rest } = await createUserByAdmin();
+    const userEntity = await updateUserPassword(rest.id, 'new_password');
+    expect(userEntity).toMatchObject(rest);
+    expect(userEntity.updatedAt).toBeGreaterThan(updatedAt);
   });
 
   it('should link social identity successfully', async () => {
@@ -140,12 +204,12 @@ describe('admin console user management', () => {
     const state = 'random_state';
     const redirectUri = 'http://mock.social.com/callback/random_string';
     const code = 'random_code_from_social';
-    const socialUserId = 'social_platform_user_id';
-    const socialUserEmail = 'johndoe@gmail.com';
-    const anotherSocialUserId = 'another_social_platform_user_id';
+    const socialUserId = 'social_platform_user_id_' + randomString();
+    const socialUserEmail = `johndoe_${randomString()}@gmail.com`;
+    const anotherSocialUserId = 'another_social_platform_user_id_' + randomString();
     const socialTarget = 'social_target';
     const socialIdentity = {
-      userId: 'social_identity_user_id',
+      userId: 'social_identity_user_id_' + randomString(),
       details: {
         age: 21,
         email: 'foo@logto.io',
@@ -171,15 +235,35 @@ describe('admin console user management', () => {
       details: {
         id: socialUserId,
         email: socialUserEmail,
+        rawData: {
+          code,
+          email: socialUserEmail,
+          redirectUri,
+          state,
+          userId: socialUserId,
+        },
       },
     });
 
     const updatedIdentity = await putUserIdentity(userId, mockSocialConnectorTarget, {
       userId: anotherSocialUserId,
+      details: {
+        id: anotherSocialUserId,
+        rawData: {
+          userId: anotherSocialUserId,
+        },
+      },
     });
+
     expect(updatedIdentity).toHaveProperty(mockSocialConnectorTarget);
     expect(updatedIdentity[mockSocialConnectorTarget]).toMatchObject({
       userId: anotherSocialUserId,
+      details: {
+        id: anotherSocialUserId,
+        rawData: {
+          userId: anotherSocialUserId,
+        },
+      },
     });
 
     const updatedIdentities = await putUserIdentity(userId, socialTarget, socialIdentity);
@@ -214,16 +298,16 @@ describe('admin console user management', () => {
   });
 
   it('should return 204 if password is correct', async () => {
-    const user = await createUserByAdmin(undefined, 'new_password');
-    expect(await verifyUserPassword(user.id, 'new_password')).toHaveProperty('statusCode', 204);
+    const user = await createUserByAdmin({ password: 'new_password' });
+    expect(await verifyUserPassword(user.id, 'new_password')).toHaveProperty('status', 204);
     await deleteUser(user.id);
   });
 
   it('should return 422 if password is incorrect', async () => {
-    const user = await createUserByAdmin(undefined, 'new_password');
+    const user = await createUserByAdmin({ password: 'new_password' });
     await expectRejects(verifyUserPassword(user.id, 'wrong_password'), {
       code: 'session.invalid_credentials',
-      statusCode: 422,
+      status: 422,
     });
     await deleteUser(user.id);
   });
@@ -232,7 +316,7 @@ describe('admin console user management', () => {
     const user = await createUserByAdmin();
     await expectRejects(verifyUserPassword(user.id, ''), {
       code: 'guard.invalid_input',
-      statusCode: 400,
+      status: 400,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/admin-user.username-case.test.ts b/packages/integration-tests/src/tests/api/admin-user.username-case.test.ts
new file mode 100644
index 00000000000..a2f4f34f005
--- /dev/null
+++ b/packages/integration-tests/src/tests/api/admin-user.username-case.test.ts
@@ -0,0 +1,40 @@
+import { type User } from '@logto/schemas';
+
+import { authedAdminApi, deleteUser } from '#src/api/index.js';
+import { createUserByAdmin, expectRejects } from '#src/helpers/index.js';
+import { generateUsername } from '#src/utils.js';
+
+const getUsers = async <T>(
+  init: string[][] | Record<string, string> | URLSearchParams
+): Promise<{ headers: Headers; json: T }> => {
+  const response = await authedAdminApi.get('users', {
+    searchParams: new URLSearchParams(init),
+  });
+
+  return { headers: response.headers, json: (await response.json()) as T };
+};
+
+describe('admin console user management (username case sensitive)', () => {
+  const username = generateUsername();
+
+  it('should handle usernames case-sensitively', async () => {
+    const user = await createUserByAdmin({ username: username.toLowerCase() });
+    const user2 = await createUserByAdmin({ username: username.toUpperCase() });
+    await expectRejects(createUserByAdmin({ username: username.toUpperCase() }), {
+      code: 'user.username_already_in_use',
+      status: 422,
+    });
+    await deleteUser(user.id);
+    await deleteUser(user2.id);
+  });
+
+  it('should be able to search by case-insensitively', async () => {
+    const user = await createUserByAdmin({ username: username.toLowerCase() });
+    const user2 = await createUserByAdmin({ username: username.toUpperCase() });
+    const { json } = await getUsers<User[]>([['search', `%${username.toLowerCase()}%`]]);
+    expect(json[0]).toHaveProperty('username', username.toUpperCase());
+    expect(json[1]).toHaveProperty('username', username.toLowerCase());
+    await deleteUser(user.id);
+    await deleteUser(user2.id);
+  });
+});
diff --git a/packages/integration-tests/src/tests/api/application/application-sign-in-experience.test.ts b/packages/integration-tests/src/tests/api/application/application-sign-in-experience.test.ts
index d7fd80122d2..24966a87eda 100644
--- a/packages/integration-tests/src/tests/api/application/application-sign-in-experience.test.ts
+++ b/packages/integration-tests/src/tests/api/application/application-sign-in-experience.test.ts
@@ -51,7 +51,7 @@ describe('application sign in experience', () => {
       setApplicationSignInExperience('non-existent-application', applicationSignInExperiences),
       {
         code: 'entity.not_exists_with_id',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -64,7 +64,7 @@ describe('application sign in experience', () => {
       ),
       {
         code: 'application.third_party_application_only',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -112,7 +112,7 @@ describe('application sign in experience', () => {
 
     await expectRejects(getApplicationSignInExperience(application.id), {
       code: 'entity.not_exists_with_id',
-      statusCode: 404,
+      status: 404,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/application/application-user-consent-organization.test.ts b/packages/integration-tests/src/tests/api/application/application-user-consent-organization.test.ts
index 84aaa7c7c3e..49103a856f8 100644
--- a/packages/integration-tests/src/tests/api/application/application-user-consent-organization.test.ts
+++ b/packages/integration-tests/src/tests/api/application/application-user-consent-organization.test.ts
@@ -76,7 +76,7 @@ describe('assign user consent organizations to application', () => {
         }),
         {
           code: 'entity.not_exists_with_id',
-          statusCode: 404,
+          status: 404,
         }
       );
     });
@@ -88,7 +88,7 @@ describe('assign user consent organizations to application', () => {
         }),
         {
           code: 'entity.not_found',
-          statusCode: 404,
+          status: 404,
         }
       );
     });
@@ -104,7 +104,7 @@ describe('assign user consent organizations to application', () => {
         ),
         {
           code: 'application.third_party_application_only',
-          statusCode: 422,
+          status: 422,
         }
       );
     });
@@ -120,7 +120,7 @@ describe('assign user consent organizations to application', () => {
         ),
         {
           code: 'organization.require_membership',
-          statusCode: 422,
+          status: 422,
         }
       );
     });
diff --git a/packages/integration-tests/src/tests/api/application/application-user-consent-scope.test.ts b/packages/integration-tests/src/tests/api/application/application-user-consent-scope.test.ts
index ef7535c0fa4..cf574493654 100644
--- a/packages/integration-tests/src/tests/api/application/application-user-consent-scope.test.ts
+++ b/packages/integration-tests/src/tests/api/application/application-user-consent-scope.test.ts
@@ -78,7 +78,7 @@ describe('assign user consent scopes to application', () => {
       }),
       {
         code: 'application.third_party_application_only',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -90,7 +90,7 @@ describe('assign user consent scopes to application', () => {
       }),
       {
         code: 'application.user_consent_scopes_not_found',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -102,7 +102,7 @@ describe('assign user consent scopes to application', () => {
       }),
       {
         code: 'application.user_consent_scopes_not_found',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -130,7 +130,7 @@ describe('assign user consent scopes to application', () => {
   it('should return 404 when trying to get consent scopes from non-existing application', async () => {
     await expectRejects(getUserConsentScopes('non-existing-application'), {
       code: 'entity.not_exists_with_id',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -184,7 +184,7 @@ describe('assign user consent scopes to application', () => {
       ),
       {
         code: 'entity.not_exists_with_id',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -198,7 +198,7 @@ describe('assign user consent scopes to application', () => {
       ),
       {
         code: 'entity.not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
 
@@ -210,7 +210,7 @@ describe('assign user consent scopes to application', () => {
       ),
       {
         code: 'entity.not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
 
@@ -222,7 +222,7 @@ describe('assign user consent scopes to application', () => {
       ),
       {
         code: 'entity.not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/application/application.roles.test.ts b/packages/integration-tests/src/tests/api/application/application.roles.test.ts
index ea5a9331c9e..6fe86b4620b 100644
--- a/packages/integration-tests/src/tests/api/application/application.roles.test.ts
+++ b/packages/integration-tests/src/tests/api/application/application.roles.test.ts
@@ -1,6 +1,6 @@
 import { ApplicationType, RoleType } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   createApplication,
@@ -27,7 +27,7 @@ describe('admin console application management (roles)', () => {
     const application = await createApplication(generateStandardId(), applicationType);
 
     const response = await getApplicationRoles(application.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 422).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 422).toBe(true);
   });
 
   it('should assign roles to app and get list successfully', async () => {
@@ -59,7 +59,7 @@ describe('admin console application management (roles)', () => {
     await assignRolesToApplication(application.id, [role.id]);
     await expectRejects(assignRolesToApplication(application.id, [role.id]), {
       code: 'application.role_exists',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -70,7 +70,7 @@ describe('admin console application management (roles)', () => {
 
     await expectRejects(assignRolesToApplication(application.id, [role.id]), {
       code: 'application.invalid_type',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -114,7 +114,7 @@ describe('admin console application management (roles)', () => {
     const response = await deleteRoleFromApplication(application.id, role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   // This case tests GET operation on applications and filter by `types` parameter and `search` parameter.
diff --git a/packages/integration-tests/src/tests/api/application/application.test.ts b/packages/integration-tests/src/tests/api/application/application.test.ts
index 8f2d56517f3..f896188335c 100644
--- a/packages/integration-tests/src/tests/api/application/application.test.ts
+++ b/packages/integration-tests/src/tests/api/application/application.test.ts
@@ -1,5 +1,5 @@
 import { ApplicationType } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   createApplication,
@@ -31,7 +31,7 @@ describe('admin console application', () => {
       createApplication('test-create-app', ApplicationType.Native, {
         isThirdParty: true,
       }),
-      { code: 'application.invalid_third_party_application_type', statusCode: 400 }
+      { code: 'application.invalid_third_party_application_type', status: 400 }
     );
   });
 
@@ -86,7 +86,7 @@ describe('admin console application', () => {
       }),
       {
         code: 'application.protected_application_subdomain_exists',
-        statusCode: 422,
+        status: 422,
       }
     );
     await deleteApplication(application.id);
@@ -95,7 +95,7 @@ describe('admin console application', () => {
   it('should throw error when creating a protected application with invalid type', async () => {
     await expectRejects(createApplication('test-create-app', ApplicationType.Protected), {
       code: 'application.protected_app_metadata_is_required',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -120,7 +120,7 @@ describe('admin console application', () => {
 
     expect(updatedApplication.description).toBe(newApplicationDescription);
     expect(updatedApplication.oidcClientMetadata.redirectUris).toEqual(newRedirectUris);
-    expect(updatedApplication.customClientMetadata).toStrictEqual({
+    expect({ ...updatedApplication.customClientMetadata }).toStrictEqual({
       rotateRefreshToken: true,
       refreshTokenTtlInDays: 10,
     });
@@ -256,6 +256,6 @@ describe('admin console application', () => {
     await deleteApplication(application.id);
 
     const response = await getApplication(application.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/callback.test.ts b/packages/integration-tests/src/tests/api/callback.test.ts
index 3a3f344172f..00cadf01d4e 100644
--- a/packages/integration-tests/src/tests/api/callback.test.ts
+++ b/packages/integration-tests/src/tests/api/callback.test.ts
@@ -1,19 +1,20 @@
-import { got } from 'got';
+import ky from 'ky';
 
 import { logtoConsoleUrl } from '#src/constants.js';
 
 describe('social connector form post callback', () => {
-  const request = got.extend({
+  const request = ky.extend({
     prefixUrl: new URL(logtoConsoleUrl),
   });
 
   it('should redirect to the same path with query string', async () => {
     const response = await request.post('callback/some_connector_id', {
       json: { some: 'data' },
-      followRedirect: false,
+      redirect: 'manual',
+      throwHttpErrors: false,
     });
 
-    expect(response.statusCode).toBe(303);
-    expect(response.headers.location).toBe('/callback/some_connector_id?some=data');
+    expect(response.status).toBe(303);
+    expect(response.headers.get('location')).toBe('/callback/some_connector_id?some=data');
   });
 });
diff --git a/packages/integration-tests/src/tests/api/connector.test.ts b/packages/integration-tests/src/tests/api/connector.test.ts
index 240945a6ba0..585072f2020 100644
--- a/packages/integration-tests/src/tests/api/connector.test.ts
+++ b/packages/integration-tests/src/tests/api/connector.test.ts
@@ -1,4 +1,4 @@
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   mockEmailConnectorConfig,
@@ -160,7 +160,7 @@ test('create connector with non-exist connectorId', async () => {
   await cleanUpConnectorTable();
   await expectRejects(postConnector({ connectorId: 'non-exist-id' }), {
     code: 'connector.not_found_with_connector_id',
-    statusCode: 422,
+    status: 422,
   });
 });
 
@@ -170,7 +170,7 @@ test('create non standard social connector with target', async () => {
     postConnector({ connectorId: mockSocialConnectorId, metadata: { target: 'target' } }),
     {
       code: 'connector.cannot_overwrite_metadata_for_non_standard_connector',
-      statusCode: 400,
+      status: 400,
     }
   );
 });
@@ -180,7 +180,7 @@ test('create duplicated social connector', async () => {
   await postConnector({ connectorId: mockSocialConnectorId });
   await expectRejects(postConnector({ connectorId: mockSocialConnectorId }), {
     code: 'connector.multiple_instances_not_supported',
-    statusCode: 422,
+    status: 422,
   });
 });
 
@@ -189,7 +189,7 @@ test('override metadata for non-standard social connector', async () => {
   const { id } = await postConnector({ connectorId: mockSocialConnectorId });
   await expectRejects(updateConnectorConfig(id, {}, { target: 'target' }), {
     code: 'connector.cannot_overwrite_metadata_for_non_standard_connector',
-    statusCode: 400,
+    status: 400,
   });
 });
 
diff --git a/packages/integration-tests/src/tests/api/custom-phrase.test.ts b/packages/integration-tests/src/tests/api/custom-phrase.test.ts
index be8b9c244d9..b8edd0ecf00 100644
--- a/packages/integration-tests/src/tests/api/custom-phrase.test.ts
+++ b/packages/integration-tests/src/tests/api/custom-phrase.test.ts
@@ -1,4 +1,4 @@
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   listCustomPhrases,
diff --git a/packages/integration-tests/src/tests/api/dashboard.test.ts b/packages/integration-tests/src/tests/api/dashboard.test.ts
index d95e9bc41da..f6cfda52337 100644
--- a/packages/integration-tests/src/tests/api/dashboard.test.ts
+++ b/packages/integration-tests/src/tests/api/dashboard.test.ts
@@ -19,15 +19,15 @@ describe('admin console dashboard', () => {
   it('non authorized request should return 401', async () => {
     await expectRejects(api.get('dashboard/users/total'), {
       code: 'auth.authorization_header_missing',
-      statusCode: 401,
+      status: 401,
     });
     await expectRejects(api.get('dashboard/users/new'), {
       code: 'auth.authorization_header_missing',
-      statusCode: 401,
+      status: 401,
     });
     await expectRejects(api.get('dashboard/users/active'), {
       code: 'auth.authorization_header_missing',
-      statusCode: 401,
+      status: 401,
     });
   });
 
@@ -36,7 +36,7 @@ describe('admin console dashboard', () => {
 
     const password = generatePassword();
     const username = generateUsername();
-    await createUserByAdmin(username, password);
+    await createUserByAdmin({ username, password });
 
     const { totalUserCount } = await getTotalUsersCount();
 
@@ -63,7 +63,7 @@ describe('admin console dashboard', () => {
 
     const password = generatePassword();
     const username = generateUsername();
-    await createUserByAdmin(username, password);
+    await createUserByAdmin({ username, password });
 
     await signInWithPassword({ username, password });
 
diff --git a/packages/integration-tests/src/tests/api/domains.test.ts b/packages/integration-tests/src/tests/api/domains.test.ts
index ccb63d4e015..43d45fb7658 100644
--- a/packages/integration-tests/src/tests/api/domains.test.ts
+++ b/packages/integration-tests/src/tests/api/domains.test.ts
@@ -1,4 +1,4 @@
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { createDomain, deleteDomain, getDomain, getDomains } from '#src/api/domain.js';
 import { generateDomain } from '#src/utils.js';
@@ -27,7 +27,7 @@ describe('domains', () => {
     await createDomain();
 
     const response = await createDomain().catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(422);
+    expect(response instanceof HTTPError && response.response.status).toBe(422);
   });
 
   it('should get domain detail successfully', async () => {
@@ -40,7 +40,7 @@ describe('domains', () => {
   it('should return 404 if domain does not exist', async () => {
     const response = await getDomain('non_existent_domain').catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should delete domain successfully', async () => {
@@ -49,6 +49,6 @@ describe('domains', () => {
     await deleteDomain(domain.id);
 
     const response = await getDomain(domain.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/health-check.test.ts b/packages/integration-tests/src/tests/api/health-check.test.ts
index cf4c3c1bc8b..f5577a91e36 100644
--- a/packages/integration-tests/src/tests/api/health-check.test.ts
+++ b/packages/integration-tests/src/tests/api/health-check.test.ts
@@ -2,6 +2,6 @@ import { api } from '#src/api/index.js';
 
 describe('health check', () => {
   it('should have a health state', async () => {
-    expect(await api.get('status')).toHaveProperty('statusCode', 204);
+    expect(await api.get('status')).toHaveProperty('status', 204);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/hook/hook.test.ts b/packages/integration-tests/src/tests/api/hook/hook.test.ts
index 3b2d0f95538..4f018dab903 100644
--- a/packages/integration-tests/src/tests/api/hook/hook.test.ts
+++ b/packages/integration-tests/src/tests/api/hook/hook.test.ts
@@ -19,10 +19,10 @@ describe('hooks', () => {
         .patch(`hooks/${created.id}`, { json: { events: [HookEvent.PostSignIn] } })
         .json<Hook>()
     ).toMatchObject({ ...created, events: [HookEvent.PostSignIn] });
-    expect(await authedAdminApi.delete(`hooks/${created.id}`)).toHaveProperty('statusCode', 204);
+    expect(await authedAdminApi.delete(`hooks/${created.id}`)).toHaveProperty('status', 204);
     await expectRejects(authedAdminApi.get(`hooks/${created.id}`), {
       code: 'entity.not_exists_with_id',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -48,10 +48,10 @@ describe('hooks', () => {
       ...created,
       event: HookEvent.PostSignIn,
     });
-    expect(await authedAdminApi.delete(`hooks/${created.id}`)).toHaveProperty('statusCode', 204);
+    expect(await authedAdminApi.delete(`hooks/${created.id}`)).toHaveProperty('status', 204);
     await expectRejects(authedAdminApi.get(`hooks/${created.id}`), {
       code: 'entity.not_exists_with_id',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -61,8 +61,8 @@ describe('hooks', () => {
 
     const response = await authedAdminApi.get('hooks?page=1&page_size=20');
 
-    expect(response.statusCode).toBe(200);
-    expect(response.headers).toHaveProperty('total-number');
+    expect(response.status).toBe(200);
+    expect(response.headers.get('total-number')).toEqual(expect.any(String));
 
     // Clean up
     await authedAdminApi.delete(`hooks/${created.id}`);
@@ -78,7 +78,7 @@ describe('hooks', () => {
     };
     await expectRejects(authedAdminApi.post('hooks', { json: payload }), {
       code: 'guard.invalid_input',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -91,7 +91,7 @@ describe('hooks', () => {
     };
     await expectRejects(authedAdminApi.post('hooks', { json: payload }), {
       code: 'hook.missing_events',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -102,14 +102,14 @@ describe('hooks', () => {
 
     await expectRejects(authedAdminApi.patch('hooks/invalid_id', { json: payload }), {
       code: 'entity.not_exists',
-      statusCode: 404,
+      status: 404,
     });
   });
 
   it('should throw error if regenerate a hook signing key with a invalid hook id', async () => {
     await expectRejects(authedAdminApi.patch('hooks/invalid_id/signing-key'), {
       code: 'entity.not_exists',
-      statusCode: 404,
+      status: 404,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/hook/hook.testing.test.ts b/packages/integration-tests/src/tests/api/hook/hook.testing.test.ts
index 889e5f7103e..d4c3d180e67 100644
--- a/packages/integration-tests/src/tests/api/hook/hook.testing.test.ts
+++ b/packages/integration-tests/src/tests/api/hook/hook.testing.test.ts
@@ -37,7 +37,7 @@ describe('hook testing', () => {
     const response = await authedAdminApi.post(`hooks/${created.id}/test`, {
       json: { events: [HookEvent.PostSignIn], config: { url: responseSuccessEndpoint } },
     });
-    expect(response.statusCode).toBe(204);
+    expect(response.status).toBe(204);
 
     // Clean Up
     await authedAdminApi.delete(`hooks/${created.id}`);
@@ -51,7 +51,7 @@ describe('hook testing', () => {
       }),
       {
         code: 'entity.not_exists_with_id',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -65,7 +65,7 @@ describe('hook testing', () => {
       }),
       {
         code: 'hook.send_test_payload_failed',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -82,7 +82,7 @@ describe('hook testing', () => {
       }),
       {
         code: 'hook.endpoint_responded_with_error',
-        statusCode: 422,
+        status: 422,
       }
     );
 
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-details-guard.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-details-guard.test.ts
index 48b7dc3a5dc..c9c80b20cb6 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-details-guard.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-details-guard.test.ts
@@ -30,7 +30,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -38,7 +38,7 @@ describe('Interaction details guard checking', () => {
   it('DELETE /interaction', async () => {
     await expectRejects(client.send(deleteInteraction), {
       code: 'session.not_found',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -49,7 +49,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -62,7 +62,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -75,7 +75,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -88,7 +88,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -96,14 +96,14 @@ describe('Interaction details guard checking', () => {
   it('DELETE /interaction/profile', async () => {
     await expectRejects(client.send(deleteInteractionProfile), {
       code: 'session.not_found',
-      statusCode: 400,
+      status: 400,
     });
   });
 
   it('POST /interaction/submit', async () => {
     await expectRejects(client.submitInteraction(), {
       code: 'session.not_found',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -116,7 +116,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -128,7 +128,7 @@ describe('Interaction details guard checking', () => {
       }),
       {
         code: 'session.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-results-checking.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-results-checking.test.ts
index 0100aa594f7..14b83e93143 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-results-checking.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/interaction-results-checking.test.ts
@@ -26,7 +26,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -41,7 +41,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -55,7 +55,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -69,7 +69,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -78,7 +78,7 @@ describe('Interaction details results checking', () => {
     const client = await initClient();
     await expectRejects(client.send(deleteInteractionProfile), {
       code: 'session.verification_session_not_found',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -86,7 +86,7 @@ describe('Interaction details results checking', () => {
     const client = await initClient();
     await expectRejects(client.submitInteraction(), {
       code: 'session.verification_session_not_found',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -100,7 +100,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -113,7 +113,7 @@ describe('Interaction details results checking', () => {
       }),
       {
         code: 'session.verification_session_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/patch-interaction-identifiers.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/patch-interaction-identifiers.test.ts
index ae9d028daf3..02f7f87188f 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/patch-interaction-identifiers.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/patch-interaction-identifiers.test.ts
@@ -31,7 +31,7 @@ describe('PATCH /interaction/identifiers', () => {
       }),
       {
         code: 'user.suspended',
-        statusCode: 401,
+        status: 401,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/post-send-verification-code.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/post-send-verification-code.test.ts
index 8348dfcc4b1..deebbf922d3 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/post-send-verification-code.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/post-send-verification-code.test.ts
@@ -1,10 +1,15 @@
-import { InteractionEvent } from '@logto/schemas';
+import { ConnectorType, InteractionEvent } from '@logto/schemas';
 
 import { putInteraction, sendVerificationCode } from '#src/api/interaction.js';
 import { initClient } from '#src/helpers/client.js';
+import { clearConnectorsByTypes } from '#src/helpers/connector.js';
 import { expectRejects } from '#src/helpers/index.js';
 import { generateEmail, generatePhone } from '#src/utils.js';
 
+beforeAll(async () => {
+  await clearConnectorsByTypes([ConnectorType.Email, ConnectorType.Sms]);
+});
+
 /**
  * Note: These test cases are designed to cover exceptional scenarios of API calls that
  * cannot be covered within the auth flow.
@@ -23,7 +28,7 @@ describe('POST /interaction/verification/verification-code', () => {
       }),
       {
         code: 'connector.not_found',
-        statusCode: 501,
+        status: 501,
       }
     );
   });
@@ -41,7 +46,7 @@ describe('POST /interaction/verification/verification-code', () => {
       }),
       {
         code: 'connector.not_found',
-        statusCode: 501,
+        status: 501,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction-event.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction-event.test.ts
index 777fb849460..b25c85d3a41 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction-event.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction-event.test.ts
@@ -27,7 +27,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -41,7 +41,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -65,7 +65,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'session.interaction_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
 
@@ -75,7 +75,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'session.interaction_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -96,7 +96,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'session.interaction_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
 
@@ -111,7 +111,7 @@ describe('PUT /interaction/event', () => {
       }),
       {
         code: 'session.interaction_not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction.test.ts b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction.test.ts
index 536de204bd8..6be7b8a8aed 100644
--- a/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/api-counter-cases/put-interaction.test.ts
@@ -54,7 +54,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -69,7 +69,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -100,7 +100,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -114,7 +114,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -140,7 +140,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'verification_code.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -155,7 +155,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'verification_code.not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -177,7 +177,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'session.invalid_connector_id',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -194,7 +194,7 @@ describe('PUT /interaction', () => {
       }),
       {
         code: 'session.connector_session_not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/forgot-password/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/forgot-password/happy-path.test.ts
index 822a6ed5aa1..6417218e83f 100644
--- a/packages/integration-tests/src/tests/api/interaction/forgot-password/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/forgot-password/happy-path.test.ts
@@ -64,14 +64,14 @@ describe('reset password', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.new_password_required_in_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(putInteractionProfile, { password: userProfile.password });
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.same_password',
-      statusCode: 422,
+      status: 422,
     });
 
     const newPasswordRecord = generatePassword();
@@ -124,14 +124,14 @@ describe('reset password', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.new_password_required_in_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(putInteractionProfile, { password: userProfile.password });
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.same_password',
-      statusCode: 422,
+      status: 422,
     });
 
     const newPasswordRecord = generatePassword();
diff --git a/packages/integration-tests/src/tests/api/interaction/forgot-password/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/forgot-password/sad-path.test.ts
index ffd91ac30c0..5a3bb2ff16c 100644
--- a/packages/integration-tests/src/tests/api/interaction/forgot-password/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/forgot-password/sad-path.test.ts
@@ -40,7 +40,7 @@ describe('reset password flow sad path', () => {
     await client.successSend(putInteractionProfile, { password: generatePassword() });
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
 
     // Clear
@@ -68,7 +68,7 @@ describe('reset password flow sad path', () => {
     await client.successSend(putInteractionProfile, { password: generatePassword() });
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
 
     // Clear
@@ -104,7 +104,7 @@ describe('reset password flow sad path', () => {
     await client.successSend(putInteractionProfile, { password: generatePassword() });
     await expectRejects(client.submitInteraction(), {
       code: 'user.suspended',
-      statusCode: 401,
+      status: 401,
     });
 
     // Clear
diff --git a/packages/integration-tests/src/tests/api/interaction/mfa/backup-code.test.ts b/packages/integration-tests/src/tests/api/interaction/mfa/backup-code.test.ts
index 13f3cfb6e42..2e961e426ca 100644
--- a/packages/integration-tests/src/tests/api/interaction/mfa/backup-code.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/mfa/backup-code.test.ts
@@ -39,7 +39,7 @@ const registerWithMfa = async () => {
 
   const { codes } = await expectRejects<{ codes: string[] }>(client.submitInteraction(), {
     code: 'session.mfa.backup_code_required',
-    statusCode: 400,
+    status: 400,
   });
 
   await client.send(postInteractionBindMfa, {
@@ -81,7 +81,7 @@ describe('sign in and verify mfa (Backup Code)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'session.mfa.require_mfa_verification',
-      statusCode: 403,
+      status: 403,
     });
 
     await deleteUser(id);
diff --git a/packages/integration-tests/src/tests/api/interaction/mfa/totp.test.ts b/packages/integration-tests/src/tests/api/interaction/mfa/totp.test.ts
index e1aad0a52e9..db4619779e1 100644
--- a/packages/integration-tests/src/tests/api/interaction/mfa/totp.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/mfa/totp.test.ts
@@ -70,7 +70,7 @@ describe('register with mfa (mandatory TOTP)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_mfa',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -94,7 +94,7 @@ describe('register with mfa (mandatory TOTP)', () => {
       }),
       {
         code: 'session.mfa.invalid_totp_code',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -151,7 +151,7 @@ describe('sign in and fulfill mfa (mandatory TOTP)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_mfa',
-      statusCode: 422,
+      status: 422,
     });
 
     await deleteUser(user.id);
@@ -187,7 +187,7 @@ describe('sign in and fulfill mfa (user-controlled TOTP)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_mfa',
-      statusCode: 422,
+      status: 422,
     });
 
     await deleteUser(user.id);
@@ -207,7 +207,7 @@ describe('sign in and fulfill mfa (user-controlled TOTP)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_mfa',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(skipMfaBinding);
@@ -241,7 +241,7 @@ describe('sign in and verify mfa (TOTP)', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'session.mfa.require_mfa_verification',
-      statusCode: 403,
+      status: 403,
     });
 
     await deleteUser(id);
diff --git a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/happy-path.test.ts
index da82e77cdef..761086c5613 100644
--- a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/happy-path.test.ts
@@ -21,6 +21,7 @@ import { readConnectorMessage, expectRejects } from '#src/helpers/index.js';
 import {
   enableAllVerificationCodeSignInMethods,
   enableAllPasswordSignInMethods,
+  resetPasswordPolicy,
 } from '#src/helpers/sign-in-experience.js';
 import { generateNewUserProfile, generateNewUser } from '#src/helpers/user.js';
 
@@ -31,6 +32,8 @@ describe('register with username and password', () => {
       password: true,
       verify: false,
     });
+    // Run it sequentially to avoid race condition
+    await resetPasswordPolicy();
 
     const { username, password } = generateNewUserProfile({ username: true, password: true });
     const client = await initClient();
@@ -56,7 +59,10 @@ describe('register with passwordless identifier', () => {
     await clearConnectorsByTypes([ConnectorType.Email, ConnectorType.Sms]);
     await setEmailConnector();
     await setSmsConnector();
+    // Run it sequentially to avoid race condition
+    await resetPasswordPolicy();
   });
+
   afterAll(async () => {
     await clearConnectorsByTypes([ConnectorType.Email, ConnectorType.Sms]);
   });
@@ -140,7 +146,7 @@ describe('register with passwordless identifier', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(patchInteractionProfile, {
@@ -245,7 +251,7 @@ describe('register with passwordless identifier', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(patchInteractionProfile, {
@@ -316,7 +322,7 @@ describe('register with passwordless identifier', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.email_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(deleteInteractionProfile);
@@ -371,7 +377,7 @@ describe('register with passwordless identifier', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.phone_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(deleteInteractionProfile);
diff --git a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/sad-path.test.ts
index dbb18fa9771..db091eaa021 100644
--- a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/sad-path.test.ts
@@ -40,7 +40,7 @@ describe('Register with identifiers sad path', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -67,7 +67,7 @@ describe('Register with identifiers sad path', () => {
         }),
         {
           code: 'user.sign_in_method_not_enabled',
-          statusCode: 422,
+          status: 422,
         }
       );
     });
@@ -94,7 +94,7 @@ describe('Register with identifiers sad path', () => {
         }),
         {
           code: 'user.sign_in_method_not_enabled',
-          statusCode: 422,
+          status: 422,
         }
       );
 
@@ -125,7 +125,7 @@ describe('Register with identifiers sad path', () => {
         }),
         {
           code: 'user.sign_in_method_not_enabled',
-          statusCode: 422,
+          status: 422,
         }
       );
 
diff --git a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/single-sign-on.test.ts b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/single-sign-on.test.ts
index c67b6ea8bae..5da4816238c 100644
--- a/packages/integration-tests/src/tests/api/interaction/register-with-identifier/single-sign-on.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/register-with-identifier/single-sign-on.test.ts
@@ -133,7 +133,7 @@ describe('test register with email with SSO feature', () => {
       }),
       {
         code: 'session.sso_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/happy-path.test.ts
index 94182d8bf13..62b3d357214 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/happy-path.test.ts
@@ -127,7 +127,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
 
     await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -169,7 +169,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
 
     await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -214,7 +214,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     // Fulfill user profile
@@ -276,7 +276,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     // Fulfill user profile with existing password
@@ -287,7 +287,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.password_exists_in_profile',
-      statusCode: 400,
+      status: 400,
     });
 
     await client.successSend(putInteractionProfile, {
@@ -333,7 +333,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     // Fulfill user profile with existing password
@@ -344,7 +344,7 @@ describe('Sign-in flow using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.username_already_in_use',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(putInteractionProfile, {
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/sad-path.test.ts
index 3dcaacfc6b4..d8cd4759927 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/sad-path.test.ts
@@ -43,7 +43,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -81,7 +81,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -99,7 +99,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -130,7 +130,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'verification_code.code_mismatch',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -141,7 +141,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'verification_code.email_mismatch',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -169,7 +169,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'verification_code.code_mismatch',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -180,7 +180,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
       }),
       {
         code: 'verification_code.phone_mismatch',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -207,7 +207,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -233,7 +233,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.user_not_exist',
-      statusCode: 404,
+      status: 404,
     });
   });
 
@@ -263,7 +263,7 @@ describe('Sign-in flow sad path using verification-code identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.suspended',
-      statusCode: 401,
+      status: 401,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/single-sign-on.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/single-sign-on.test.ts
index a3e58e75380..39b18c2cdb6 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/single-sign-on.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-passcode-identifier/single-sign-on.test.ts
@@ -100,7 +100,7 @@ describe('test sign-in with email passcode identifier with SSO feature', () => {
       }),
       {
         code: 'session.sso_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/happy-path.test.ts
index 98d1e23ae47..fe66b572a6e 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/happy-path.test.ts
@@ -1,4 +1,9 @@
-import { InteractionEvent, ConnectorType, SignInIdentifier } from '@logto/schemas';
+import {
+  InteractionEvent,
+  ConnectorType,
+  SignInIdentifier,
+  UsersPasswordEncryptionMethod,
+} from '@logto/schemas';
 
 import {
   putInteraction,
@@ -13,12 +18,13 @@ import {
   setSmsConnector,
   setEmailConnector,
 } from '#src/helpers/connector.js';
-import { readConnectorMessage, expectRejects } from '#src/helpers/index.js';
+import { readConnectorMessage, expectRejects, createUserByAdmin } from '#src/helpers/index.js';
 import {
   enableAllPasswordSignInMethods,
   enableAllVerificationCodeSignInMethods,
 } from '#src/helpers/sign-in-experience.js';
 import { generateNewUser, generateNewUserProfile } from '#src/helpers/user.js';
+import { generateUsername } from '#src/utils.js';
 
 describe('Sign-in flow using password identifiers', () => {
   beforeAll(async () => {
@@ -52,6 +58,47 @@ describe('Sign-in flow using password identifiers', () => {
     await deleteUser(user.id);
   });
 
+  it('sign-in with username and password twice to test algorithm transition', async () => {
+    const username = generateUsername();
+    const password = 'password';
+    const user = await createUserByAdmin({
+      username,
+      passwordDigest: '5f4dcc3b5aa765d61d8327deb882cf99',
+      passwordAlgorithm: UsersPasswordEncryptionMethod.MD5,
+    });
+    const client = await initClient();
+
+    await client.successSend(putInteraction, {
+      event: InteractionEvent.SignIn,
+      identifier: {
+        username,
+        password,
+      },
+    });
+
+    const { redirectTo } = await client.submitInteraction();
+
+    await processSession(client, redirectTo);
+    await logoutClient(client);
+
+    const client2 = await initClient();
+
+    await client2.successSend(putInteraction, {
+      event: InteractionEvent.SignIn,
+      identifier: {
+        username,
+        password,
+      },
+    });
+
+    const { redirectTo: redirectTo2 } = await client2.submitInteraction();
+
+    await processSession(client2, redirectTo2);
+    await logoutClient(client2);
+
+    await deleteUser(user.id);
+  });
+
   it('sign-in with email and password', async () => {
     const { userProfile, user } = await generateNewUser({ primaryEmail: true, password: true });
     const client = await initClient();
@@ -114,7 +161,7 @@ describe('Sign-in flow using password identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(sendVerificationCode, {
@@ -176,7 +223,7 @@ describe('Sign-in flow using password identifiers', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.missing_profile',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(sendVerificationCode, {
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/sad-path.test.ts
index d11d8a1c5de..293b0e2d77e 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/sad-path.test.ts
@@ -35,7 +35,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -51,7 +51,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -67,7 +67,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'auth.forbidden',
-        statusCode: 403,
+        status: 403,
       }
     );
 
@@ -91,7 +91,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -107,7 +107,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -123,7 +123,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'user.sign_in_method_not_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
 
@@ -141,7 +141,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'session.invalid_credentials',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -159,7 +159,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'session.invalid_credentials',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -177,7 +177,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'session.invalid_credentials',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -199,7 +199,7 @@ describe('Sign-in flow sad path using password identifiers', () => {
       }),
       {
         code: 'user.suspended',
-        statusCode: 401,
+        status: 401,
       }
     );
   });
diff --git a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/single-sign-on.test.ts b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/single-sign-on.test.ts
index 19205d1778c..7d39e7a8bcc 100644
--- a/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/single-sign-on.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/sign-in-with-password-identifier/single-sign-on.test.ts
@@ -99,7 +99,7 @@ describe('test sign-in with email passcode identifier with SSO feature', () => {
       }),
       {
         code: 'session.sso_enabled',
-        statusCode: 422,
+        status: 422,
       }
     );
     await deleteUser(user.id);
diff --git a/packages/integration-tests/src/tests/api/interaction/single-sign-on/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/single-sign-on/happy-path.test.ts
index cd31ad8de83..966044b3b53 100644
--- a/packages/integration-tests/src/tests/api/interaction/single-sign-on/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/single-sign-on/happy-path.test.ts
@@ -6,18 +6,20 @@ import { updateSignInExperience } from '#src/api/sign-in-experience.js';
 import { createSsoConnector, deleteSsoConnectorById } from '#src/api/sso-connector.js';
 import { logtoUrl } from '#src/constants.js';
 import { initClient } from '#src/helpers/client.js';
+import { randomString } from '#src/utils.js';
 
 describe('Single Sign On Happy Path', () => {
   const connectorIdMap = new Map<string, SsoConnectorMetadata>();
 
   const state = 'foo_state';
   const redirectUri = 'http://foo.dev/callback';
+  const domain = `foo${randomString()}.com`;
 
   beforeAll(async () => {
     const { id, connectorName } = await createSsoConnector({
       providerName: SsoProviderName.OIDC,
-      connectorName: 'test-oidc',
-      domains: ['foo.com'],
+      connectorName: `test-oidc-${randomString()}`,
+      domains: [domain],
       config: {
         clientId: 'foo',
         clientSecret: 'bar',
@@ -60,7 +62,7 @@ describe('Single Sign On Happy Path', () => {
     const client = await initClient();
 
     const response = await client.send(getSsoConnectorsByEmail, {
-      email: 'bar@foo.com',
+      email: 'bar@' + domain,
     });
 
     expect(response.length).toBeGreaterThan(0);
@@ -88,7 +90,7 @@ describe('Single Sign On Happy Path', () => {
     });
 
     const response = await client.send(getSsoConnectorsByEmail, {
-      email: 'bar@foo.com',
+      email: 'bar@' + domain,
     });
 
     expect(response.length).toBe(0);
diff --git a/packages/integration-tests/src/tests/api/interaction/single-sign-on/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/single-sign-on/sad-path.test.ts
index b0acc703be3..a9fc8ff3e87 100644
--- a/packages/integration-tests/src/tests/api/interaction/single-sign-on/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/single-sign-on/sad-path.test.ts
@@ -9,6 +9,7 @@ import { putInteraction } from '#src/api/interaction.js';
 import { createSsoConnector, deleteSsoConnectorById } from '#src/api/sso-connector.js';
 import { initClient } from '#src/helpers/client.js';
 import { expectRejects } from '#src/helpers/index.js';
+import { randomString } from '#src/utils.js';
 
 describe('Single Sign On Sad Path', () => {
   const state = 'foo_state';
@@ -34,7 +35,7 @@ describe('Single Sign On Sad Path', () => {
     it('should throw if connector config is invalid', async () => {
       const { id } = await createSsoConnector({
         providerName: SsoProviderName.OIDC,
-        connectorName: 'test-oidc',
+        connectorName: `test-oidc-${randomString()}`,
       });
 
       const client = await initClient();
@@ -82,7 +83,7 @@ describe('Single Sign On Sad Path', () => {
         postSamlAssertion({ connectorId, RelayState: 'foo', SAMLResponse: samlAssertion }),
         {
           code: 'session.not_found',
-          statusCode: 400,
+          status: 400,
         }
       );
     });
@@ -103,7 +104,7 @@ describe('Single Sign On Sad Path', () => {
         postSamlAssertion({ connectorId, RelayState, SAMLResponse: samlAssertion }),
         {
           code: 'connector.authorization_failed',
-          statusCode: 401,
+          status: 401,
         }
       );
     });
diff --git a/packages/integration-tests/src/tests/api/interaction/social-interaction/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/social-sign-in/happy-path.test.ts
similarity index 84%
rename from packages/integration-tests/src/tests/api/interaction/social-interaction/happy-path.test.ts
rename to packages/integration-tests/src/tests/api/interaction/social-sign-in/happy-path.test.ts
index 8fe614651b2..7eca5f1a742 100644
--- a/packages/integration-tests/src/tests/api/interaction/social-interaction/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/social-sign-in/happy-path.test.ts
@@ -1,6 +1,9 @@
 import { ConnectorType, InteractionEvent, SignInIdentifier } from '@logto/schemas';
 
-import { mockSocialConnectorId } from '#src/__mocks__/connectors-mock.js';
+import {
+  mockSocialConnectorId,
+  mockSocialConnectorTarget,
+} from '#src/__mocks__/connectors-mock.js';
 import {
   createSocialAuthorizationUri,
   putInteraction,
@@ -27,7 +30,7 @@ const state = 'foo_state';
 const redirectUri = 'http://foo.dev/callback';
 const code = 'auth_code_foo';
 
-describe('Social Identifier Interactions', () => {
+describe('social sign-in', () => {
   const connectorIdMap = new Map<string, string>();
 
   beforeAll(async () => {
@@ -44,7 +47,7 @@ describe('Social Identifier Interactions', () => {
     await clearConnectorsByTypes([ConnectorType.Social, ConnectorType.Email, ConnectorType.Sms]);
   });
 
-  describe('register new and sign-in', () => {
+  describe('register and sign-in', () => {
     const socialUserId = generateUserId();
 
     it('register with social', async () => {
@@ -65,7 +68,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -121,7 +124,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -131,8 +134,24 @@ describe('Social Identifier Interactions', () => {
 
       const uid = await processSession(client, redirectTo);
 
-      const { primaryEmail } = await getUser(uid);
+      const { primaryEmail, identities } = await getUser(uid);
       expect(primaryEmail).toBe(socialEmail);
+      /* eslint-disable @typescript-eslint/no-unsafe-assignment */
+      expect(identities[mockSocialConnectorTarget]).toMatchObject({
+        details: {
+          email: expect.any(String),
+          id: expect.any(String),
+          rawData: {
+            code: 'auth_code_foo',
+            email: expect.any(String),
+            redirectUri: 'http://foo.dev/callback',
+            state: 'foo_state',
+            userId: expect.any(String),
+          },
+        },
+        userId: expect.any(String),
+      });
+      /* eslint-enable @typescript-eslint/no-unsafe-assignment */
 
       await logoutClient(client);
       await deleteUser(uid);
@@ -157,7 +176,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -173,6 +192,39 @@ describe('Social Identifier Interactions', () => {
       await logoutClient(client);
       await deleteUser(uid);
     });
+
+    it('can perform direct sign-in with a new social account', async () => {
+      const connectorId = connectorIdMap.get(mockSocialConnectorId) ?? '';
+
+      const client = await initClient(undefined, undefined, {
+        directSignIn: { method: 'social', target: mockSocialConnectorTarget },
+      });
+
+      await client.successSend(putInteraction, {
+        event: InteractionEvent.SignIn,
+      });
+
+      await client.successSend(createSocialAuthorizationUri, { state, redirectUri, connectorId });
+
+      await client.successSend(patchInteractionIdentifiers, {
+        connectorId,
+        connectorData: { state, redirectUri, code, userId: socialUserId },
+      });
+
+      await expectRejects(client.submitInteraction(), {
+        code: 'user.identity_not_exist',
+        status: 422,
+      });
+
+      await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
+      await client.successSend(putInteractionProfile, { connectorId });
+
+      const { redirectTo } = await client.submitInteraction();
+
+      const id = await processSession(client, redirectTo);
+      await logoutClient(client);
+      await deleteUser(id);
+    });
   });
 
   describe('bind with existing email account', () => {
@@ -203,7 +255,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(patchInteractionIdentifiers, {
@@ -267,7 +319,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -275,7 +327,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.missing_profile',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(patchInteractionProfile, { username: generateUsername() });
@@ -311,7 +363,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -348,7 +400,7 @@ describe('Social Identifier Interactions', () => {
 
       await expectRejects(client.submitInteraction(), {
         code: 'user.identity_not_exist',
-        statusCode: 422,
+        status: 422,
       });
 
       await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
diff --git a/packages/integration-tests/src/tests/api/interaction/social-interaction/sad-path.test.ts b/packages/integration-tests/src/tests/api/interaction/social-sign-in/sad-path.test.ts
similarity index 96%
rename from packages/integration-tests/src/tests/api/interaction/social-interaction/sad-path.test.ts
rename to packages/integration-tests/src/tests/api/interaction/social-sign-in/sad-path.test.ts
index 1296a94df83..b9be50cf815 100644
--- a/packages/integration-tests/src/tests/api/interaction/social-interaction/sad-path.test.ts
+++ b/packages/integration-tests/src/tests/api/interaction/social-sign-in/sad-path.test.ts
@@ -73,7 +73,7 @@ describe('Social identifier interaction sad path', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.identity_not_exist',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -101,7 +101,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.insufficient_info',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -121,7 +121,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'guard.invalid_input',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -141,7 +141,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'connector.unexpected_type',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -154,7 +154,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'connector.unexpected_type',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -173,7 +173,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'entity.not_found',
-        statusCode: 404,
+        status: 404,
       }
     );
   });
@@ -195,7 +195,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.invalid_connector_id',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -217,7 +217,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.invalid_connector_id',
-        statusCode: 422,
+        status: 422,
       }
     );
   });
@@ -240,7 +240,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.connector_session_not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -252,7 +252,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.connector_session_not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -281,7 +281,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.connector_session_not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
 
@@ -293,7 +293,7 @@ describe('Social identifier interaction sad path', () => {
       }),
       {
         code: 'session.connector_session_not_found',
-        statusCode: 400,
+        status: 400,
       }
     );
   });
@@ -318,7 +318,7 @@ describe('Social identifier interaction sad path', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.suspended',
-      statusCode: 401,
+      status: 401,
     });
 
     // Reset
@@ -350,7 +350,7 @@ describe('Social identifier interaction sad path', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'user.identity_not_exist',
-      statusCode: 422,
+      status: 422,
     });
 
     await client.successSend(putInteractionEvent, { event: InteractionEvent.Register });
@@ -361,7 +361,7 @@ describe('Social identifier interaction sad path', () => {
 
     await expectRejects(client.submitInteraction(), {
       code: 'session.connector_session_not_found',
-      statusCode: 404,
+      status: 404,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/interaction/third-party-sign-in/happy-path.test.ts b/packages/integration-tests/src/tests/api/interaction/third-party-sign-in/happy-path.test.ts
new file mode 100644
index 00000000000..44d998e3455
--- /dev/null
+++ b/packages/integration-tests/src/tests/api/interaction/third-party-sign-in/happy-path.test.ts
@@ -0,0 +1,134 @@
+import { ReservedResource, UserScope } from '@logto/core-kit';
+import { type Application, InteractionEvent, ApplicationType } from '@logto/schemas';
+import { assert } from '@silverhand/essentials';
+
+import { deleteUser } from '#src/api/admin-user.js';
+import { assignUserConsentScopes } from '#src/api/application-user-consent-scope.js';
+import { createApplication, deleteApplication } from '#src/api/application.js';
+import { getConsentInfo, putInteraction } from '#src/api/interaction.js';
+import { OrganizationScopeApi } from '#src/api/organization-scope.js';
+import { initClient } from '#src/helpers/client.js';
+import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
+import { generateNewUser } from '#src/helpers/user.js';
+
+describe('consent api', () => {
+  const applications = new Map<string, Application>();
+  const thirdPartyApplicationName = 'consent-third-party-app';
+  const redirectUri = 'http://example.com';
+
+  const bootStrapApplication = async () => {
+    const thirdPartyApplication = await createApplication(
+      thirdPartyApplicationName,
+      ApplicationType.Traditional,
+      {
+        isThirdParty: true,
+        oidcClientMetadata: {
+          redirectUris: [redirectUri],
+          postLogoutRedirectUris: [],
+        },
+      }
+    );
+
+    applications.set(thirdPartyApplicationName, thirdPartyApplication);
+
+    await assignUserConsentScopes(thirdPartyApplication.id, {
+      userScopes: [UserScope.Profile],
+    });
+  };
+
+  beforeAll(async () => {
+    await Promise.all([enableAllPasswordSignInMethods(), bootStrapApplication()]);
+  });
+
+  it('get consent info', async () => {
+    const application = applications.get(thirdPartyApplicationName);
+    assert(application, new Error('application.not_found'));
+
+    const { userProfile, user } = await generateNewUser({ username: true, password: true });
+
+    const client = await initClient(
+      {
+        appId: application.id,
+        appSecret: application.secret,
+      },
+      redirectUri
+    );
+
+    await client.successSend(putInteraction, {
+      event: InteractionEvent.SignIn,
+      identifier: {
+        username: userProfile.username,
+        password: userProfile.password,
+      },
+    });
+
+    const { redirectTo } = await client.submitInteraction();
+
+    await client.processSession(redirectTo, false);
+
+    const result = await client.send(getConsentInfo);
+
+    expect(result.application.id).toBe(application.id);
+    expect(result.user.id).toBe(user.id);
+    expect(result.redirectUri).toBe(redirectUri);
+    expect(result.missingOIDCScope).toEqual([UserScope.Profile]);
+
+    await deleteUser(user.id);
+  });
+
+  it('get consent info with organization scope', async () => {
+    const application = applications.get(thirdPartyApplicationName);
+    assert(application, new Error('application.not_found'));
+
+    const organizationScopeApi = new OrganizationScopeApi();
+
+    const organizationScope = await organizationScopeApi.create({
+      name: 'organization-scope',
+    });
+
+    await assignUserConsentScopes(application.id, {
+      organizationScopes: [organizationScope.id],
+      userScopes: [UserScope.Organizations],
+    });
+
+    const { userProfile, user } = await generateNewUser({ username: true, password: true });
+
+    const client = await initClient(
+      {
+        appId: application.id,
+        appSecret: application.secret,
+        scopes: [UserScope.Organizations, UserScope.Profile, organizationScope.name],
+      },
+      redirectUri
+    );
+
+    await client.successSend(putInteraction, {
+      event: InteractionEvent.SignIn,
+      identifier: {
+        username: userProfile.username,
+        password: userProfile.password,
+      },
+    });
+
+    const { redirectTo } = await client.submitInteraction();
+
+    await client.processSession(redirectTo, false);
+
+    const result = await client.send(getConsentInfo);
+
+    expect(
+      result.missingResourceScopes?.find(
+        ({ resource }) => resource.name === ReservedResource.Organization
+      )
+    ).not.toBeUndefined();
+
+    await organizationScopeApi.delete(organizationScope.id);
+    await deleteUser(user.id);
+  });
+
+  afterAll(async () => {
+    for (const application of applications.values()) {
+      void deleteApplication(application.id);
+    }
+  });
+});
diff --git a/packages/integration-tests/src/tests/api/log.test.ts b/packages/integration-tests/src/tests/api/log.test.ts
index a9c06cd2e12..1171eb318f8 100644
--- a/packages/integration-tests/src/tests/api/log.test.ts
+++ b/packages/integration-tests/src/tests/api/log.test.ts
@@ -22,7 +22,7 @@ describe('logs', () => {
   it('should throw on getting non-exist log detail', async () => {
     await expectRejects(getLog('non-exist-log-id'), {
       code: 'entity.not_exists_with_id',
-      statusCode: 404,
+      status: 404,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/logto-config.test.ts b/packages/integration-tests/src/tests/api/logto-config.test.ts
index 6b5adfa2e30..3cb093077de 100644
--- a/packages/integration-tests/src/tests/api/logto-config.test.ts
+++ b/packages/integration-tests/src/tests/api/logto-config.test.ts
@@ -2,14 +2,24 @@ import {
   SupportedSigningKeyAlgorithm,
   type AdminConsoleData,
   LogtoOidcConfigKeyType,
+  LogtoJwtTokenKey,
 } from '@logto/schemas';
 
+import {
+  accessTokenJwtCustomizerPayload,
+  clientCredentialsJwtCustomizerPayload,
+} from '#src/__mocks__/jwt-customizer.js';
 import {
   deleteOidcKey,
   getAdminConsoleConfig,
   getOidcKeys,
   rotateOidcKeys,
   updateAdminConsoleConfig,
+  upsertJwtCustomizer,
+  updateJwtCustomizer,
+  getJwtCustomizer,
+  getJwtCustomizers,
+  deleteJwtCustomizer,
 } from '#src/api/index.js';
 import { expectRejects } from '#src/helpers/index.js';
 
@@ -58,14 +68,14 @@ describe('admin console sign-in experience', () => {
     expect(privateKeys).toHaveLength(1);
     await expectRejects(deleteOidcKey(LogtoOidcConfigKeyType.PrivateKeys, privateKeys[0]!.id), {
       code: 'oidc.key_required',
-      statusCode: 422,
+      status: 422,
     });
 
     const cookieKeys = await getOidcKeys(LogtoOidcConfigKeyType.CookieKeys);
     expect(cookieKeys).toHaveLength(1);
     await expectRejects(deleteOidcKey(LogtoOidcConfigKeyType.CookieKeys, cookieKeys[0]!.id), {
       code: 'oidc.key_required',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -123,4 +133,112 @@ describe('admin console sign-in experience', () => {
     ]);
     expect(privateKeys2[1]?.id).toBe(privateKeys[0]?.id);
   });
+
+  it('should successfully PUT/GET/DELETE a JWT customizer (access token)', async () => {
+    await expectRejects(getJwtCustomizer('access-token'), {
+      code: 'entity.not_exists_with_id',
+      status: 404,
+    });
+    await expectRejects(deleteJwtCustomizer('access-token'), {
+      code: 'entity.not_found',
+      status: 404,
+    });
+    const accessToken = await upsertJwtCustomizer('access-token', accessTokenJwtCustomizerPayload);
+    expect(accessToken).toMatchObject(accessTokenJwtCustomizerPayload);
+    const newAccessTokenJwtCustomizerPayload = {
+      ...accessTokenJwtCustomizerPayload,
+      script: 'new script',
+    };
+    const updatedAccessToken = await upsertJwtCustomizer(
+      'access-token',
+      newAccessTokenJwtCustomizerPayload
+    );
+    expect(updatedAccessToken).toMatchObject(newAccessTokenJwtCustomizerPayload);
+    const overwritePayload = { script: 'abc' };
+    const updatedValue = await updateJwtCustomizer('access-token', overwritePayload);
+    expect(updatedValue).toMatchObject({
+      ...newAccessTokenJwtCustomizerPayload,
+      script: 'abc',
+    });
+    await expect(getJwtCustomizer('access-token')).resolves.toMatchObject({
+      ...newAccessTokenJwtCustomizerPayload,
+      script: 'abc',
+    });
+    await expect(deleteJwtCustomizer('access-token')).resolves.not.toThrow();
+    await expectRejects(getJwtCustomizer('access-token'), {
+      code: 'entity.not_exists_with_id',
+      status: 404,
+    });
+  });
+
+  it('should successfully PUT/GET/DELETE a JWT customizer (client credentials)', async () => {
+    await expectRejects(getJwtCustomizer('client-credentials'), {
+      code: 'entity.not_exists_with_id',
+      status: 404,
+    });
+    await expectRejects(deleteJwtCustomizer('client-credentials'), {
+      code: 'entity.not_found',
+      status: 404,
+    });
+    const clientCredentials = await upsertJwtCustomizer(
+      'client-credentials',
+      clientCredentialsJwtCustomizerPayload
+    );
+    expect(clientCredentials).toMatchObject(clientCredentialsJwtCustomizerPayload);
+    const newClientCredentialsJwtCustomizerPayload = {
+      ...clientCredentialsJwtCustomizerPayload,
+      script: 'new script client credentials',
+    };
+    const updatedClientCredentials = await upsertJwtCustomizer(
+      'client-credentials',
+      newClientCredentialsJwtCustomizerPayload
+    );
+    expect(updatedClientCredentials).toMatchObject(newClientCredentialsJwtCustomizerPayload);
+    const overwritePayload = { script: 'abc' };
+    const updatedValue = await updateJwtCustomizer('client-credentials', overwritePayload);
+    expect(updatedValue).toMatchObject({
+      ...newClientCredentialsJwtCustomizerPayload,
+      script: 'abc',
+    });
+    await expect(getJwtCustomizer('client-credentials')).resolves.toMatchObject({
+      ...newClientCredentialsJwtCustomizerPayload,
+      script: 'abc',
+    });
+    await expect(deleteJwtCustomizer('client-credentials')).resolves.not.toThrow();
+    await expectRejects(getJwtCustomizer('client-credentials'), {
+      code: 'entity.not_exists_with_id',
+      status: 404,
+    });
+  });
+
+  it('should successfully GET all JWT customizers', async () => {
+    await expect(getJwtCustomizers()).resolves.toEqual([]);
+    await upsertJwtCustomizer('access-token', accessTokenJwtCustomizerPayload);
+    await expect(getJwtCustomizers()).resolves.toEqual([
+      {
+        key: LogtoJwtTokenKey.AccessToken,
+        value: accessTokenJwtCustomizerPayload,
+      },
+    ]);
+    await upsertJwtCustomizer('client-credentials', clientCredentialsJwtCustomizerPayload);
+    const jwtCustomizers = await getJwtCustomizers();
+    expect(jwtCustomizers).toHaveLength(2);
+    expect(jwtCustomizers).toContainEqual({
+      key: LogtoJwtTokenKey.AccessToken,
+      value: accessTokenJwtCustomizerPayload,
+    });
+    expect(jwtCustomizers).toContainEqual({
+      key: LogtoJwtTokenKey.ClientCredentials,
+      value: clientCredentialsJwtCustomizerPayload,
+    });
+    await deleteJwtCustomizer('access-token');
+    await expect(getJwtCustomizers()).resolves.toEqual([
+      {
+        key: LogtoJwtTokenKey.ClientCredentials,
+        value: clientCredentialsJwtCustomizerPayload,
+      },
+    ]);
+    await deleteJwtCustomizer('client-credentials');
+    await expect(getJwtCustomizers()).resolves.toEqual([]);
+  });
 });
diff --git a/packages/integration-tests/src/tests/api/me.test.ts b/packages/integration-tests/src/tests/api/me.test.ts
index 6c01f8c1ff0..f4032002c48 100644
--- a/packages/integration-tests/src/tests/api/me.test.ts
+++ b/packages/integration-tests/src/tests/api/me.test.ts
@@ -1,4 +1,4 @@
-import { got } from 'got';
+import ky from 'ky';
 
 import { logtoConsoleUrl, logtoUrl } from '#src/constants.js';
 import {
@@ -11,35 +11,35 @@ import { expectRejects } from '#src/helpers/index.js';
 
 describe('me', () => {
   it('should only be available in admin tenant', async () => {
-    await expectRejects(got.get(new URL('/me/custom-data', logtoConsoleUrl)), {
+    await expectRejects(ky.get(new URL('/me/custom-data', logtoConsoleUrl)), {
       code: 'auth.authorization_header_missing',
-      statusCode: 401,
+      status: 401,
     });
 
     // Redirect to UI
-    const response = await got.get(new URL('/me/custom-data', logtoUrl));
-    expect(response.statusCode).toBe(200);
-    expect(response.headers['content-type']?.startsWith('text/html;')).toBeTruthy();
+    const response = await ky.get(new URL('/me/custom-data', logtoUrl));
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')?.startsWith('text/html;')).toBeTruthy();
   });
 
   it('should only recognize the access token with correct resource and scope', async () => {
     const { id, client } = await createUserWithAllRolesAndSignInToClient();
 
     await expectRejects(
-      got.get(logtoConsoleUrl + '/me/custom-data', {
+      ky.get(logtoConsoleUrl + '/me/custom-data', {
         headers: { authorization: `Bearer ${await client.getAccessToken(resourceDefault)}` },
       }),
       {
         code: 'auth.unauthorized',
-        statusCode: 401,
+        status: 401,
       }
     );
 
     await expect(
-      got.get(logtoConsoleUrl + '/me/custom-data', {
+      ky.get(logtoConsoleUrl + '/me/custom-data', {
         headers: { authorization: `Bearer ${await client.getAccessToken(resourceMe)}` },
       })
-    ).resolves.toHaveProperty('statusCode', 200);
+    ).resolves.toHaveProperty('status', 200);
 
     await deleteUser(id);
   });
@@ -48,14 +48,14 @@ describe('me', () => {
     const { id, client } = await createUserWithAllRolesAndSignInToClient();
     const headers = { authorization: `Bearer ${await client.getAccessToken(resourceMe)}` };
 
-    const data = await got
+    const data = await ky
       .get(logtoConsoleUrl + '/me/custom-data', { headers })
       .json<Record<string, unknown>>();
-    const newData = await got
+    const newData = await ky
       .patch(logtoConsoleUrl + '/me/custom-data', { headers, json: { foo: 'bar' } })
-      .json();
+      .json<Record<string, unknown>>();
 
-    expect({ ...data, foo: 'bar' }).toStrictEqual(newData);
+    expect({ ...data, foo: 'bar' }).toStrictEqual({ ...newData });
 
     await deleteUser(id);
   });
diff --git a/packages/integration-tests/src/tests/api/oidc/always-issue-refresh-token.test.ts b/packages/integration-tests/src/tests/api/oidc/always-issue-refresh-token.test.ts
index 7a48be1c90e..65919e2f7f2 100644
--- a/packages/integration-tests/src/tests/api/oidc/always-issue-refresh-token.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/always-issue-refresh-token.test.ts
@@ -34,7 +34,7 @@ describe('always issue Refresh Token config', () => {
   };
 
   beforeAll(async () => {
-    await createUserByAdmin(username, password);
+    await createUserByAdmin({ username, password });
     await enableAllPasswordSignInMethods();
   });
 
diff --git a/packages/integration-tests/src/tests/api/oidc/content-type-json.test.ts b/packages/integration-tests/src/tests/api/oidc/content-type-json.test.ts
index c423d8e8a90..e33734c5f3e 100644
--- a/packages/integration-tests/src/tests/api/oidc/content-type-json.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/content-type-json.test.ts
@@ -1,32 +1,30 @@
 import { demoAppApplicationId } from '@logto/schemas';
 import { trySafe } from '@silverhand/essentials';
-import { HTTPError, type Headers, got } from 'got';
+import ky, { HTTPError } from 'ky';
+import { type KyHeadersInit } from 'node_modules/ky/distribution/types/options.js';
 
 import { logtoUrl } from '#src/constants.js';
 
 describe('content-type: application/json compatibility', () => {
-  const api = got.extend({
+  const api = ky.extend({
     prefixUrl: new URL('/oidc', logtoUrl),
   });
 
   const expectErrorMessageForPayload = async (
     payload: Record<string, unknown>,
     errorMessage: string,
-    headers: Headers = {}
+    headers: KyHeadersInit = {}
   ) => {
     return trySafe(
       api.post('token', {
         headers,
         json: payload,
       }),
-      (error) => {
+      async (error) => {
         if (!(error instanceof HTTPError)) {
           throw new TypeError('Error is not a HTTPError instance.');
         }
-        expect(JSON.parse(String(error.response.body))).toHaveProperty(
-          'error_description',
-          errorMessage
-        );
+        expect(await error.response.json()).toHaveProperty('error_description', errorMessage);
       }
     );
   };
diff --git a/packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts b/packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts
index 7bd2a9569be..63da8bb4f22 100644
--- a/packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts
@@ -3,11 +3,11 @@ import path from 'node:path';
 import { fetchTokenByRefreshToken } from '@logto/js';
 import { InteractionEvent, type Resource, RoleType } from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
-import fetch from 'node-fetch';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
 
-import { createResource, putInteraction } from '#src/api/index.js';
-import { assignUsersToRole, createRole } from '#src/api/role.js';
-import { createScope } from '#src/api/scope.js';
+import { createResource, deleteResource, deleteUser, putInteraction } from '#src/api/index.js';
+import { assignUsersToRole, createRole, deleteRole } from '#src/api/role.js';
+import { createScope, deleteScope } from '#src/api/scope.js';
 import MockClient, { defaultConfig } from '#src/client/index.js';
 import { logtoUrl } from '#src/constants.js';
 import { processSession } from '#src/helpers/client.js';
@@ -25,24 +25,50 @@ describe('get access token', () => {
   };
   const testApiScopeNames = ['read', 'write', 'delete', 'update'];
 
+  /* eslint-disable @silverhand/fp/no-let */
+  let testApiResourceId: string;
+  let testApiScopeIds: string[];
+  let testApiUserRoleId: string;
+  let guestUserId: string;
+  /* eslint-enable @silverhand/fp/no-let */
+
+  /* eslint-disable @silverhand/fp/no-mutation */
   beforeAll(async () => {
-    await createUserByAdmin(guestUsername, password);
-    const user = await createUserByAdmin(username, password);
+    const guestUser = await createUserByAdmin({ username: guestUsername, password });
+    guestUserId = guestUser.id;
+    const user = await createUserByAdmin({ username, password });
     const testApiResource = await createResource(
       testApiResourceInfo.name,
       testApiResourceInfo.indicator
     );
+    testApiResourceId = testApiResource.id;
     const testApiScopes = await Promise.all(
       testApiScopeNames.map(async (name) => createScope(testApiResource.id, name))
     );
+    testApiScopeIds = testApiScopes.map(({ id }) => id);
     const testApiUserRole = await createRole({
       name: 'test-api-user-role',
       type: RoleType.User,
       scopeIds: testApiScopes.map(({ id }) => id),
     });
+    testApiUserRoleId = testApiUserRole.id;
     await assignUsersToRole([user.id], testApiUserRole.id);
     await enableAllPasswordSignInMethods();
   });
+  /* eslint-enable @silverhand/fp/no-mutation */
+
+  afterAll(async () => {
+    if (testApiUserRoleId) {
+      await deleteRole(testApiUserRoleId);
+    }
+    if (testApiResourceId) {
+      await Promise.all(testApiScopeIds.map(async (id) => deleteScope(testApiResourceId, id)));
+      await deleteResource(testApiResourceId);
+    }
+    if (guestUserId) {
+      await deleteUser(guestUserId);
+    }
+  });
 
   it('can sign in and getAccessToken with admin user', async () => {
     const client = new MockClient({
@@ -84,6 +110,29 @@ describe('get access token', () => {
     );
   });
 
+  it('sign in and verify jwt', async () => {
+    const client = new MockClient({
+      resources: [testApiResourceInfo.indicator],
+      scopes: testApiScopeNames,
+    });
+    await client.initSession();
+    await client.successSend(putInteraction, {
+      event: InteractionEvent.SignIn,
+      identifier: { username: guestUsername, password },
+    });
+    const { redirectTo } = await client.submitInteraction();
+    await processSession(client, redirectTo);
+    const accessToken = await client.getAccessToken(testApiResourceInfo.indicator);
+    await expect(
+      jwtVerify(accessToken, createRemoteJWKSet(new URL('/oidc/jwks', logtoUrl)), {
+        issuer: new URL('/oidc', logtoUrl).href,
+        audience: testApiResourceInfo.indicator,
+        requiredClaims: ['scope', 'client_id'],
+        subject: guestUserId,
+      })
+    ).resolves.toBeTruthy();
+  });
+
   it('can sign in and get multiple Access Tokens by the same Refresh Token within refreshTokenReuseInterval', async () => {
     const client = new MockClient({ resources: [testApiResourceInfo.indicator] });
 
diff --git a/packages/integration-tests/src/tests/api/oidc/id-token.test.ts b/packages/integration-tests/src/tests/api/oidc/id-token.test.ts
index 2f7059e579d..89156eea1bc 100644
--- a/packages/integration-tests/src/tests/api/oidc/id-token.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/id-token.test.ts
@@ -39,7 +39,7 @@ describe('OpenID Connect ID token', () => {
   };
 
   beforeAll(async () => {
-    const { id } = await createUserByAdmin(username, password);
+    const { id } = await createUserByAdmin({ username, password });
     // eslint-disable-next-line @silverhand/fp/no-mutation
     userId = id;
     await enableAllPasswordSignInMethods();
diff --git a/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts b/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
index 08fda3b4ee5..3b5febf6239 100644
--- a/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
@@ -4,8 +4,8 @@ import { decodeAccessToken } from '@logto/js';
 import { type LogtoConfig, Prompt, PersistKey } from '@logto/node';
 import { GrantType, InteractionEvent, demoAppApplicationId } from '@logto/schemas';
 import { isKeyInObject, removeUndefinedKeys } from '@silverhand/essentials';
-import { HTTPError, got } from 'got';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
+import ky, { HTTPError } from 'ky';
 
 import { putInteraction } from '#src/api/index.js';
 import MockClient, { defaultConfig } from '#src/client/index.js';
@@ -19,7 +19,7 @@ import { generateUsername, generatePassword } from '#src/utils.js';
 /** A helper class to simplify the test on grant errors. */
 class GrantError extends Error {
   constructor(
-    public readonly statusCode: number,
+    public readonly status: number,
     public readonly body: unknown
   ) {
     super();
@@ -27,9 +27,9 @@ class GrantError extends Error {
 }
 
 /** Create a grant error matcher that matches certain elements of the error response. */
-const grantErrorContaining = (code: string, description: string, statusCode = 400) =>
+const grantErrorContaining = (code: string, description: string, status = 400) =>
   new GrantError(
-    statusCode,
+    status,
     expect.objectContaining({
       code,
       error_description: description,
@@ -49,15 +49,20 @@ class MockOrganizationClient extends MockClient {
   async fetchOrganizationToken(organizationId?: string, scopes?: string[]) {
     const refreshToken = await this.getRefreshToken();
     try {
-      const json = await got
+      const json = await ky
         .post(`${this.config.endpoint}/oidc/token`, {
-          form: removeUndefinedKeys({
-            grant_type: GrantType.RefreshToken,
-            client_id: this.config.appId,
-            refresh_token: refreshToken,
-            organization_id: organizationId,
-            scope: scopes?.join(' '),
-          }),
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+          body: new URLSearchParams(
+            removeUndefinedKeys({
+              grant_type: GrantType.RefreshToken,
+              client_id: this.config.appId,
+              refresh_token: refreshToken ?? undefined,
+              organization_id: organizationId,
+              scope: scopes?.join(' '),
+            })
+          ),
         })
         .json();
       if (isKeyInObject(json, 'refresh_token')) {
@@ -66,7 +71,9 @@ class MockOrganizationClient extends MockClient {
       return json;
     } catch (error) {
       if (error instanceof HTTPError) {
-        throw new GrantError(error.response.statusCode, JSON.parse(String(error.response.body)));
+        const json: unknown = JSON.parse(await error.response.text());
+        console.error('HTTPError:', error.response.status, JSON.stringify(json, undefined, 2));
+        throw new GrantError(error.response.status, json);
       }
       throw error;
     }
diff --git a/packages/integration-tests/src/tests/api/organization/organization-invitation.creation.test.ts b/packages/integration-tests/src/tests/api/organization/organization-invitation.creation.test.ts
index a1489abd800..fee13d6ef1f 100644
--- a/packages/integration-tests/src/tests/api/organization/organization-invitation.creation.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization-invitation.creation.test.ts
@@ -2,20 +2,19 @@ import assert from 'node:assert';
 
 import { ConnectorType } from '@logto/connector-kit';
 import { generateStandardId } from '@logto/shared';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
+import { createUser } from '#src/api/admin-user.js';
 import { clearConnectorsByTypes, setEmailConnector } from '#src/helpers/connector.js';
 import { readConnectorMessage } from '#src/helpers/index.js';
 import { OrganizationApiTest, OrganizationInvitationApiTest } from '#src/helpers/organization.js';
 
 const randomId = () => generateStandardId(4);
 
-const expectErrorResponse = (error: unknown, status: number, code: string) => {
+const expectErrorResponse = async (error: unknown, statusCode: number, code: string) => {
   assert(error instanceof HTTPError);
-  const { statusCode, body: raw } = error.response;
-  const body: unknown = JSON.parse(String(raw));
-  expect(statusCode).toBe(status);
-  expect(body).toMatchObject({ code });
+  expect(error.response.status).toBe(statusCode);
+  expect(await error.response.json()).toMatchObject({ code });
 };
 
 describe('organization invitation creation', () => {
@@ -59,6 +58,37 @@ describe('organization invitation creation', () => {
     });
   });
 
+  it('should be able to resend an email after creating an invitation', async () => {
+    await setEmailConnector();
+
+    const organization = await organizationApi.create({ name: 'test' });
+    const email = `${randomId()}@example.com`;
+    const invitation = await invitationApi.create({
+      organizationId: organization.id,
+      invitee: email,
+      expiresAt: Date.now() + 1_000_000,
+      messagePayload: {
+        link: 'https://example.com',
+      },
+    });
+    expect(await readConnectorMessage('Email')).toMatchObject({
+      type: 'OrganizationInvitation',
+      payload: {
+        link: 'https://example.com',
+      },
+    });
+
+    await invitationApi.resendMessage(invitation.id, {
+      link: 'https://example1.com',
+    });
+    expect(await readConnectorMessage('Email')).toMatchObject({
+      type: 'OrganizationInvitation',
+      payload: {
+        link: 'https://example1.com',
+      },
+    });
+  });
+
   it('should throw error if email connector is not set', async () => {
     await clearConnectorsByTypes([ConnectorType.Email]);
     const organization = await organizationApi.create({ name: 'test' });
@@ -73,7 +103,7 @@ describe('organization invitation creation', () => {
       })
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 501, 'connector.not_found');
+    await expectErrorResponse(error, 501, 'connector.not_found');
   });
 
   it('should not be able to create invitations with the same email', async () => {
@@ -92,7 +122,7 @@ describe('organization invitation creation', () => {
       })
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 422, 'entity.unique_integrity_violation');
+    await expectErrorResponse(error, 422, 'entity.unique_integrity_violation');
   });
 
   it('should be able to create invitations with the same email for different organizations', async () => {
@@ -125,7 +155,24 @@ describe('organization invitation creation', () => {
       })
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 400, 'request.invalid_input');
+    await expectErrorResponse(error, 400, 'request.invalid_input');
+  });
+
+  it('should not be able to create invitations if the invitee is already a member of the organization', async () => {
+    const organization = await organizationApi.create({ name: 'test' });
+    const email = `${randomId()}@example.com`;
+    const user = await createUser({ primaryEmail: email });
+    await organizationApi.addUsers(organization.id, [user.id]);
+
+    const error = await invitationApi
+      .create({
+        organizationId: organization.id,
+        invitee: email,
+        expiresAt: Date.now() + 1_000_000,
+      })
+      .catch((error: unknown) => error);
+
+    await expectErrorResponse(error, 422, 'request.invalid_input');
   });
 
   it('should not be able to create invitations with an invalid email', async () => {
@@ -138,7 +185,7 @@ describe('organization invitation creation', () => {
       })
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 400, 'guard.invalid_input');
+    await expectErrorResponse(error, 400, 'guard.invalid_input');
   });
 
   it('should not be able to create invitations with an invalid organization id', async () => {
@@ -150,7 +197,7 @@ describe('organization invitation creation', () => {
       })
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 422, 'entity.relation_foreign_key_not_found');
+    await expectErrorResponse(error, 422, 'entity.relation_foreign_key_not_found');
   });
 
   it('should be able to create invitations with organization role ids', async () => {
diff --git a/packages/integration-tests/src/tests/api/organization/organization-invitation.get.test.ts b/packages/integration-tests/src/tests/api/organization/organization-invitation.get.test.ts
new file mode 100644
index 00000000000..e59e3c4c1a0
--- /dev/null
+++ b/packages/integration-tests/src/tests/api/organization/organization-invitation.get.test.ts
@@ -0,0 +1,95 @@
+import { generateStandardId } from '@logto/shared';
+
+import { createUser, deleteUser } from '#src/api/admin-user.js';
+import { OrganizationApiTest, OrganizationInvitationApiTest } from '#src/helpers/organization.js';
+
+const randomId = () => generateStandardId(4);
+
+describe('organization invitation creation', () => {
+  const invitationApi = new OrganizationInvitationApiTest();
+  const organizationApi = new OrganizationApiTest();
+
+  afterEach(async () => {
+    await Promise.all([
+      organizationApi.cleanUp(),
+      organizationApi.roleApi.cleanUp(),
+      invitationApi.cleanUp(),
+    ]);
+  });
+
+  it('should be able to get invitations by organization id and inviter id', async () => {
+    const organization1 = await organizationApi.create({ name: 'test' });
+    const organization2 = await organizationApi.create({ name: 'test' });
+    const inviter = await createUser({ primaryEmail: 'foo@bar.io' });
+    const inviter2 = await createUser({ primaryEmail: 'bar@baz.io' });
+
+    // eslint-disable-next-line unicorn/consistent-function-scoping
+    const buildPayload = (inviterId: string, organizationId: string) => ({
+      organizationId,
+      inviterId,
+      invitee: `${randomId()}@example.com`,
+      expiresAt: Date.now() + 1_000_000,
+    });
+
+    await Promise.all([
+      invitationApi.create(buildPayload(inviter.id, organization1.id)),
+      invitationApi.create(buildPayload(inviter.id, organization2.id)),
+      invitationApi.create(buildPayload(inviter2.id, organization1.id)),
+    ]);
+
+    const invitationsByOrganization1 = await invitationApi.getList(
+      new URLSearchParams({ organizationId: organization1.id })
+    );
+    expect(invitationsByOrganization1.length).toBe(2);
+    expect(
+      invitationsByOrganization1.every(
+        (invitation) => invitation.organizationId === organization1.id
+      )
+    ).toBe(true);
+
+    const invitationsByInviter = await invitationApi.getList(
+      new URLSearchParams({ inviterId: inviter.id })
+    );
+    expect(invitationsByInviter.length).toBe(2);
+    expect(invitationsByInviter.every((invitation) => invitation.inviterId === inviter.id)).toBe(
+      true
+    );
+
+    const allInvitations = await invitationApi.getList();
+    expect(allInvitations.length).toBe(3);
+
+    await Promise.all([deleteUser(inviter.id), deleteUser(inviter2.id)]);
+  });
+
+  it('should be able to get invitations by invitee', async () => {
+    const organization = await organizationApi.create({ name: 'test' });
+    const invitee = `${randomId()}@example.com`;
+    await invitationApi.create({
+      organizationId: organization.id,
+      invitee,
+      expiresAt: Date.now() + 1_000_000,
+    });
+
+    const invitations = await invitationApi.getList(new URLSearchParams({ invitee }));
+    expect(invitations.length).toBe(1);
+    expect(invitations[0]?.invitee).toBe(invitee);
+  });
+
+  it('should have no pagination', async () => {
+    const organization = await organizationApi.create({ name: 'test' });
+    await Promise.all(
+      Array.from({ length: 30 }, async () =>
+        invitationApi.create({
+          organizationId: organization.id,
+          invitee: `${randomId()}@example.com`,
+          expiresAt: Date.now() + 1_000_000,
+        })
+      )
+    );
+
+    const invitations = await invitationApi.getList(
+      new URLSearchParams({ organizationId: organization.id })
+    );
+    expect(invitations.length).toBe(30);
+  });
+});
diff --git a/packages/integration-tests/src/tests/api/organization/organization-invitation.status.test.ts b/packages/integration-tests/src/tests/api/organization/organization-invitation.status.test.ts
index d9082ee5fcc..9ce6b265886 100644
--- a/packages/integration-tests/src/tests/api/organization/organization-invitation.status.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization-invitation.status.test.ts
@@ -2,19 +2,17 @@ import assert from 'node:assert';
 
 import { OrganizationInvitationStatus } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { OrganizationApiTest, OrganizationInvitationApiTest } from '#src/helpers/organization.js';
 import { UserApiTest } from '#src/helpers/user.js';
 
 const randomId = () => generateStandardId(4);
 
-const expectErrorResponse = (error: unknown, status: number, code: string) => {
+const expectErrorResponse = async (error: unknown, statusCode: number, code: string) => {
   assert(error instanceof HTTPError);
-  const { statusCode, body: raw } = error.response;
-  const body: unknown = JSON.parse(String(raw));
-  expect(statusCode).toBe(status);
-  expect(body).toMatchObject({ code });
+  expect(error.response.status).toBe(statusCode);
+  expect(await error.response.json()).toMatchObject({ code });
 };
 
 describe('organization invitation status update', () => {
@@ -50,7 +48,7 @@ describe('organization invitation status update', () => {
     const error = await invitationApi
       .updateStatus(invitation.id, OrganizationInvitationStatus.Accepted)
       .catch((error: unknown) => error);
-    expectErrorResponse(error, 422, 'request.invalid_input');
+    await expectErrorResponse(error, 422, 'request.invalid_input');
   });
 
   it('should be able to accept an invitation', async () => {
@@ -130,7 +128,7 @@ describe('organization invitation status update', () => {
       .updateStatus(invitation.id, OrganizationInvitationStatus.Accepted, user.id)
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 422, 'request.invalid_input');
+    await expectErrorResponse(error, 422, 'request.invalid_input');
   });
 
   it('should not be able to accept an invitation with an invalid user id', async () => {
@@ -146,7 +144,7 @@ describe('organization invitation status update', () => {
       .updateStatus(invitation.id, OrganizationInvitationStatus.Accepted, 'invalid')
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 404, 'entity.not_found');
+    await expectErrorResponse(error, 404, 'entity.not_found');
   });
 
   it('should not be able to update the status of an ended invitation', async () => {
@@ -164,6 +162,6 @@ describe('organization invitation status update', () => {
       .updateStatus(invitation.id, OrganizationInvitationStatus.Accepted)
       .catch((error: unknown) => error);
 
-    expectErrorResponse(error, 422, 'request.invalid_input');
+    await expectErrorResponse(error, 422, 'request.invalid_input');
   });
 });
diff --git a/packages/integration-tests/src/tests/api/organization/organization-role.test.ts b/packages/integration-tests/src/tests/api/organization/organization-role.test.ts
index 328d473758b..2ff9abf5343 100644
--- a/packages/integration-tests/src/tests/api/organization/organization-role.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization-role.test.ts
@@ -2,9 +2,10 @@ import assert from 'node:assert';
 
 import { generateStandardId } from '@logto/shared';
 import { isKeyInObject, pick } from '@silverhand/essentials';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { OrganizationRoleApiTest, OrganizationScopeApiTest } from '#src/helpers/organization.js';
+import { ScopeApiTest } from '#src/helpers/resource.js';
 
 const randomId = () => generateStandardId(4);
 
@@ -13,6 +14,15 @@ describe('organization role APIs', () => {
   describe('organization roles', () => {
     const roleApi = new OrganizationRoleApiTest();
     const scopeApi = new OrganizationScopeApiTest();
+    const resourceScopeApi = new ScopeApiTest();
+
+    beforeAll(async () => {
+      await resourceScopeApi.initResource();
+    });
+
+    afterAll(async () => {
+      await resourceScopeApi.cleanUp();
+    });
 
     afterEach(async () => {
       await Promise.all([roleApi.cleanUp(), scopeApi.cleanUp()]);
@@ -25,9 +35,8 @@ describe('organization role APIs', () => {
 
       assert(response instanceof HTTPError);
 
-      const { statusCode, body: raw } = response.response;
-      const body: unknown = JSON.parse(String(raw));
-      expect(statusCode).toBe(422);
+      const body: unknown = await response.response.json();
+      expect(response.response.status).toBe(422);
       expect(isKeyInObject(body, 'code') && body.code).toBe('entity.unique_integrity_violation');
     });
 
@@ -65,6 +74,18 @@ describe('organization role APIs', () => {
       expect(roles2[0]?.id).toBe(roles[10]?.id);
     });
 
+    it('should be able to get organization roles with search keyword', async () => {
+      const [name1, name2] = ['test' + randomId(), 'test' + randomId()];
+      await Promise.all([
+        roleApi.create({ name: name1, description: 'A test organization role.' }),
+        roleApi.create({ name: name2 }),
+      ]);
+      const roles = await roleApi.getList(new URLSearchParams({ q: name1 }));
+
+      expect(roles).toHaveLength(1);
+      expect(roles[0]).toHaveProperty('name', name1);
+    });
+
     it('should be able to create and get organization roles by id', async () => {
       const createdRole = await roleApi.create({ name: 'test' + randomId() });
       const { scopes, ...role } = await roleApi.get(createdRole.id);
@@ -72,17 +93,23 @@ describe('organization role APIs', () => {
       expect(role).toStrictEqual(createdRole);
     });
 
-    it('should be able to create a new organization with initial scopes', async () => {
+    it('should be able to create a new organization with initial organization scopes and resource scopes', async () => {
       const [scope1, scope2] = await Promise.all([
         scopeApi.create({ name: 'test' + randomId() }),
         scopeApi.create({ name: 'test' + randomId() }),
       ]);
+      const [resourceScope1, resourceScope2] = await Promise.all([
+        resourceScopeApi.create({ name: 'test' + randomId() }),
+        resourceScopeApi.create({ name: 'test' + randomId() }),
+      ]);
       const createdRole = await roleApi.create({
         name: 'test' + randomId(),
         description: 'test description.',
         organizationScopeIds: [scope1.id, scope2.id],
+        resourceScopeIds: [resourceScope1.id, resourceScope2.id],
       });
       const scopes = await roleApi.getScopes(createdRole.id);
+      const resourceScopes = await roleApi.getResourceScopes(createdRole.id);
       const roles = await roleApi.getList();
       const roleWithScopes = roles.find((role) => role.id === createdRole.id);
 
@@ -92,12 +119,19 @@ describe('organization role APIs', () => {
         );
         expect(scopes).toContainEqual(expect.objectContaining(pick(scope, 'id', 'name')));
       }
+
+      for (const scope of [resourceScope1, resourceScope2]) {
+        expect(roleWithScopes?.resourceScopes).toContainEqual(
+          expect.objectContaining(pick(scope, 'id', 'name'))
+        );
+        expect(resourceScopes).toContainEqual(expect.objectContaining(pick(scope, 'id', 'name')));
+      }
     });
 
     it('should fail when try to get an organization role that does not exist', async () => {
       const response = await roleApi.get('0').catch((error: unknown) => error);
 
-      expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+      expect(response instanceof HTTPError && response.response.status).toBe(404);
     });
 
     it('should be able to update organization role', async () => {
@@ -126,8 +160,8 @@ describe('organization role APIs', () => {
         .catch((error: unknown) => error);
 
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(422);
-      expect(JSON.parse(String(response.response.body))).toMatchObject(
+      expect(response.response.status).toBe(422);
+      expect(await response.response.json()).toMatchObject(
         expect.objectContaining({
           code: 'entity.unique_integrity_violation',
         })
@@ -138,12 +172,12 @@ describe('organization role APIs', () => {
       const createdRole = await roleApi.create({ name: 'test' + randomId() });
       await roleApi.delete(createdRole.id);
       const response = await roleApi.get(createdRole.id).catch((error: unknown) => error);
-      expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+      expect(response instanceof HTTPError && response.response.status).toBe(404);
     });
 
     it('should fail when try to delete an organization role that does not exist', async () => {
       const response = await roleApi.delete('0').catch((error: unknown) => error);
-      expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+      expect(response instanceof HTTPError && response.response.status).toBe(404);
     });
   });
 
@@ -212,8 +246,8 @@ describe('organization role APIs', () => {
         .catch((error: unknown) => error);
 
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(422);
-      expect(JSON.parse(String(response.response.body))).toMatchObject(
+      expect(response.response.status).toBe(422);
+      expect(await response.response.json()).toMatchObject(
         expect.objectContaining({
           code: 'entity.relation_foreign_key_not_found',
         })
@@ -248,7 +282,118 @@ describe('organization role APIs', () => {
       const response = await roleApi.deleteScope(role.id, '0').catch((error: unknown) => error);
 
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(404);
+      expect(response.response.status).toBe(404);
+    });
+  });
+
+  describe('organization role - resource scope relations', () => {
+    const roleApi = new OrganizationRoleApiTest();
+    const scopeApi = new ScopeApiTest();
+
+    beforeEach(async () => {
+      await scopeApi.initResource();
+    });
+
+    afterEach(async () => {
+      await Promise.all([roleApi.cleanUp(), scopeApi.cleanUp()]);
+    });
+
+    it('should be able to add and get scopes of a role', async () => {
+      const [role, scope1, scope2] = await Promise.all([
+        roleApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+      ]);
+      await roleApi.addResourceScopes(role.id, [scope1.id, scope2.id]);
+      const scopes = await roleApi.getResourceScopes(role.id);
+
+      expect(scopes).toContainEqual(
+        expect.objectContaining({
+          name: scope1.name,
+        })
+      );
+      expect(scopes).toContainEqual(
+        expect.objectContaining({
+          name: scope2.name,
+        })
+      );
+    });
+
+    it('should safely add scopes to a role when some of them already exist', async () => {
+      const [role, scope1, scope2] = await Promise.all([
+        roleApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+      ]);
+
+      await roleApi.addResourceScopes(role.id, [scope1.id, scope2.id]);
+
+      await expect(roleApi.addResourceScopes(role.id, [scope2.id])).resolves.not.toThrow();
+
+      const scopes = await roleApi.getResourceScopes(role.id);
+
+      expect(scopes).toContainEqual(
+        expect.objectContaining({
+          name: scope1.name,
+        })
+      );
+      expect(scopes).toContainEqual(
+        expect.objectContaining({
+          name: scope2.name,
+        })
+      );
+    });
+
+    it('should fail when try to add non-existent scopes to a role', async () => {
+      const [role, scope1, scope2] = await Promise.all([
+        roleApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+      ]);
+      const response = await roleApi
+        .addResourceScopes(role.id, [scope1.id, scope2.id, '0'])
+        .catch((error: unknown) => error);
+
+      assert(response instanceof HTTPError);
+      expect(response.response.status).toBe(422);
+      expect(await response.response.json()).toMatchObject(
+        expect.objectContaining({
+          code: 'entity.relation_foreign_key_not_found',
+        })
+      );
+    });
+
+    it('should be able to remove scopes from a role', async () => {
+      const [role, scope1, scope2] = await Promise.all([
+        roleApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+        scopeApi.create({ name: 'test' + randomId() }),
+      ]);
+      await roleApi.addResourceScopes(role.id, [scope1.id, scope2.id]);
+      await roleApi.deleteResourceScope(role.id, scope1.id);
+      const scopes = await roleApi.getResourceScopes(role.id);
+
+      expect(scopes).not.toContainEqual(
+        expect.objectContaining({
+          name: scope1.name,
+        })
+      );
+      expect(scopes).toContainEqual(
+        expect.objectContaining({
+          name: scope2.name,
+        })
+      );
+    });
+
+    it('should fail when try to remove non-existent scopes from a role', async () => {
+      const [role] = await Promise.all([roleApi.create({ name: 'test' + randomId() })]);
+
+      const response = await roleApi
+        .deleteResourceScope(role.id, '0')
+        .catch((error: unknown) => error);
+
+      assert(response instanceof HTTPError);
+      expect(response.response.status).toBe(404);
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/organization/organization-scope.test.ts b/packages/integration-tests/src/tests/api/organization/organization-scope.test.ts
index 264683424ea..146f4997958 100644
--- a/packages/integration-tests/src/tests/api/organization/organization-scope.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization-scope.test.ts
@@ -2,7 +2,7 @@ import assert from 'node:assert';
 
 import { generateStandardId } from '@logto/shared';
 import { isKeyInObject } from '@silverhand/essentials';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { OrganizationScopeApiTest } from '#src/helpers/organization.js';
 
@@ -22,9 +22,8 @@ describe('organization scope APIs', () => {
 
     assert(response instanceof HTTPError);
 
-    const { statusCode, body: raw } = response.response;
-    const body: unknown = JSON.parse(String(raw));
-    expect(statusCode).toBe(422);
+    const body: unknown = await response.response.json();
+    expect(response.response.status).toBe(422);
     expect(isKeyInObject(body, 'code') && body.code).toBe('entity.unique_integrity_violation');
   });
 
@@ -70,7 +69,7 @@ describe('organization scope APIs', () => {
   it('should fail when try to get an organization scope that does not exist', async () => {
     const response = await scopeApi.get('0').catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should be able to update organization scope', async () => {
@@ -99,8 +98,8 @@ describe('organization scope APIs', () => {
       .catch((error: unknown) => error);
 
     assert(response instanceof HTTPError);
-    expect(response.response.statusCode).toBe(422);
-    expect(JSON.parse(String(response.response.body))).toMatchObject(
+    expect(response.response.status).toBe(422);
+    expect(await response.response.json()).toMatchObject(
       expect.objectContaining({
         code: 'entity.unique_integrity_violation',
       })
@@ -111,11 +110,11 @@ describe('organization scope APIs', () => {
     const createdScope = await scopeApi.create({ name: 'test' + randomId() });
     await scopeApi.delete(createdScope.id);
     const response = await scopeApi.get(createdScope.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail when try to delete an organization scope that does not exist', async () => {
     const response = await scopeApi.delete('0').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/organization/organization-user.test.ts b/packages/integration-tests/src/tests/api/organization/organization-user.test.ts
index 2c5d9866442..72292542f9b 100644
--- a/packages/integration-tests/src/tests/api/organization/organization-user.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization-user.test.ts
@@ -1,6 +1,6 @@
 import assert from 'node:assert';
 
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { OrganizationApiTest } from '#src/helpers/organization.js';
 import { UserApiTest } from '#src/helpers/user.js';
@@ -95,14 +95,14 @@ describe('organization user APIs', () => {
       const response = await organizationApi
         .addUsers(organization.id, [])
         .catch((error: unknown) => error);
-      expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+      expect(response instanceof HTTPError && response.response.status).toBe(400);
     });
 
     it('should fail when try to add user to an organization that does not exist', async () => {
       const response = await organizationApi.addUsers('0', ['0']).catch((error: unknown) => error);
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(422);
-      expect(JSON.parse(String(response.response.body))).toMatchObject(
+      expect(response.response.status).toBe(422);
+      expect(await response.response.json()).toMatchObject(
         expect.objectContaining({ code: 'entity.relation_foreign_key_not_found' })
       );
     });
@@ -120,7 +120,7 @@ describe('organization user APIs', () => {
     it('should fail when try to delete user from an organization that does not exist', async () => {
       const response = await organizationApi.deleteUser('0', '0').catch((error: unknown) => error);
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(404);
+      expect(response.response.status).toBe(404);
     });
   });
 
@@ -146,8 +146,8 @@ describe('organization user APIs', () => {
         .catch((error: unknown) => error);
 
       assert(response instanceof HTTPError);
-      expect(response.response.statusCode).toBe(422);
-      expect(JSON.parse(String(response.response.body))).toMatchObject(
+      expect(response.response.status).toBe(422);
+      expect(await response.response.json()).toMatchObject(
         expect.objectContaining({ code: 'organization.require_membership' })
       );
 
@@ -244,7 +244,7 @@ describe('organization user APIs', () => {
       const response = await organizationApi
         .getUserRoles(organization.id, user.id)
         .catch((error: unknown) => error);
-      expect(response instanceof HTTPError && response.response.statusCode).toBe(422); // Require membership
+      expect(response instanceof HTTPError && response.response.status).toBe(422); // Require membership
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/organization/organization.test.ts b/packages/integration-tests/src/tests/api/organization/organization.test.ts
index 107b8c110b2..892a98ba57b 100644
--- a/packages/integration-tests/src/tests/api/organization/organization.test.ts
+++ b/packages/integration-tests/src/tests/api/organization/organization.test.ts
@@ -1,4 +1,4 @@
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { OrganizationApiTest } from '#src/helpers/organization.js';
 import { UserApiTest } from '#src/helpers/user.js';
@@ -95,7 +95,7 @@ describe('organization APIs', () => {
   it('should fail when try to get an organization that does not exist', async () => {
     const response = await organizationApi.get('0').catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should be able to update organization', async () => {
@@ -117,11 +117,11 @@ describe('organization APIs', () => {
     const response = await organizationApi
       .get(createdOrganization.id)
       .catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail when try to delete an organization that does not exist', async () => {
     const response = await organizationApi.delete('0').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/resource.scope.test.ts b/packages/integration-tests/src/tests/api/resource.scope.test.ts
index 2e65ddbdf39..96eaeb747d2 100644
--- a/packages/integration-tests/src/tests/api/resource.scope.test.ts
+++ b/packages/integration-tests/src/tests/api/resource.scope.test.ts
@@ -1,11 +1,11 @@
 import assert from 'node:assert';
 
 import { defaultManagementApi } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { createResource } from '#src/api/index.js';
 import { createScope, deleteScope, getScopes, updateScope } from '#src/api/scope.js';
-import { generateScopeName } from '#src/utils.js';
+import { generateName, generateScopeName } from '#src/utils.js';
 
 describe('scopes', () => {
   it('should get management api resource scopes successfully', async () => {
@@ -32,28 +32,28 @@ describe('scopes', () => {
     const response = await createScope(resource.id, createdScope.name).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode === 422).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 422).toBe(true);
   });
 
   it('should return 404 when create scope with invalid resource id', async () => {
     const response = await createScope('invalid_resource_id', 'invalid_scope_name').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should return 400 if scope name is empty', async () => {
     const resource = await createResource();
 
     const response = await createScope(resource.id, '').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 400).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 400).toBe(true);
   });
 
   it('should return 400 if scope name has empty space', async () => {
     const resource = await createResource();
 
     const response = await createScope(resource.id, 'scope id').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 400).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 400).toBe(true);
   });
 
   it('should update scope successfully', async () => {
@@ -63,7 +63,7 @@ describe('scopes', () => {
     expect(scope).toBeTruthy();
 
     const newScopeName = `new_${scope.name}`;
-    const newScopeDescription = `new_${scope.description}`;
+    const newScopeDescription = scope.description ? `new_${scope.description}` : generateName();
 
     const updatesScope = await updateScope(resource.id, scope.id, {
       name: newScopeName,
@@ -82,7 +82,7 @@ describe('scopes', () => {
     const response = await updateScope(resource.id, createdScope2.id, {
       name: createdScope.name,
     }).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 422).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 422).toBe(true);
   });
 
   it('should return 400 if update scope name that has empty space', async () => {
@@ -93,7 +93,7 @@ describe('scopes', () => {
     }).catch((error: unknown) => error);
 
     assert(response instanceof HTTPError);
-    expect(response.response.statusCode).toBe(400);
+    expect(response.response.status).toBe(400);
   });
 
   it('should return 404 when update scope with invalid resource id', async () => {
@@ -101,7 +101,7 @@ describe('scopes', () => {
       name: 'scope',
     }).catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should return 404 when update scope with invalid scope id', async () => {
@@ -111,7 +111,7 @@ describe('scopes', () => {
       name: 'scope',
     }).catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should delete scope successfully', async () => {
diff --git a/packages/integration-tests/src/tests/api/resource.test.ts b/packages/integration-tests/src/tests/api/resource.test.ts
index b83469a07db..f4f1219655e 100644
--- a/packages/integration-tests/src/tests/api/resource.test.ts
+++ b/packages/integration-tests/src/tests/api/resource.test.ts
@@ -1,5 +1,5 @@
 import { defaultManagementApi } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   createResource,
@@ -21,7 +21,7 @@ describe('admin console api resources', () => {
 
   it('should return 404 if resource not found', async () => {
     const response = await getResource('not_found').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should create api resource successfully', async () => {
@@ -49,7 +49,7 @@ describe('admin console api resources', () => {
     const resourceName2 = generateResourceName();
     await expectRejects(createResource(resourceName2, resourceIndicator), {
       code: 'resource.resource_identifier_in_use',
-      statusCode: 422,
+      status: 422,
     });
   });
 
@@ -93,7 +93,7 @@ describe('admin console api resources', () => {
       name: 123,
     }).catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode === 400).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 400).toBe(true);
   });
 
   it('should not update api resource indicator', async () => {
@@ -119,19 +119,19 @@ describe('admin console api resources', () => {
     await deleteResource(createdResource.id);
 
     const response = await getResource(createdResource.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('should throw when deleting management api resource', async () => {
     const response = await deleteResource(defaultManagementApi.resource.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode === 400).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 400).toBe(true);
   });
 
   it('should throw 404 when delete api resource not found', async () => {
     const response = await deleteResource('dummy_id').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('be able to set only one default api resource', async () => {
diff --git a/packages/integration-tests/src/tests/api/role.application.test.ts b/packages/integration-tests/src/tests/api/role.application.test.ts
index 4939ae1e154..c53fb6df616 100644
--- a/packages/integration-tests/src/tests/api/role.application.test.ts
+++ b/packages/integration-tests/src/tests/api/role.application.test.ts
@@ -1,6 +1,6 @@
 import { ApplicationType, RoleType } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { assignRolesToApplication, createApplication } from '#src/api/index.js';
 import {
@@ -27,7 +27,7 @@ describe('roles applications', () => {
 
   it('should return 404 if role not found', async () => {
     const response = await getRoleApplications('not-found').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should assign applications to role successfully', async () => {
@@ -52,13 +52,13 @@ describe('roles applications', () => {
   it('should fail when try to assign empty applications', async () => {
     const role = await createRole({ type: RoleType.MachineToMachine });
     const response = await assignApplicationsToRole([], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail with invalid application input', async () => {
     const role = await createRole({ type: RoleType.MachineToMachine });
     const response = await assignApplicationsToRole([''], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail if role not found', async () => {
@@ -66,7 +66,7 @@ describe('roles applications', () => {
     const response = await assignApplicationsToRole([m2mApp.id], 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if application not found', async () => {
@@ -74,7 +74,7 @@ describe('roles applications', () => {
     const response = await assignApplicationsToRole(['not-found'], role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should remove application from role successfully', async () => {
@@ -95,7 +95,7 @@ describe('roles applications', () => {
     const response = await deleteApplicationFromRole(m2mApp.id, 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if application not found when trying to remove application from role', async () => {
@@ -103,7 +103,7 @@ describe('roles applications', () => {
     const response = await deleteApplicationFromRole('not-found', role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   // This case tests GET operation on roles and filter by `type` parameter and `search` parameter.
diff --git a/packages/integration-tests/src/tests/api/role.scope.test.ts b/packages/integration-tests/src/tests/api/role.scope.test.ts
index c154ff17b54..1b4f6a4ef59 100644
--- a/packages/integration-tests/src/tests/api/role.scope.test.ts
+++ b/packages/integration-tests/src/tests/api/role.scope.test.ts
@@ -1,5 +1,5 @@
 import { defaultManagementApi } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { createResource } from '#src/api/index.js';
 import {
@@ -24,7 +24,7 @@ describe('roles scopes', () => {
 
   it('should return 404 if role not found', async () => {
     const response = await getRoleScopes('not-found').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should return empty if role has no scopes', async () => {
@@ -46,13 +46,13 @@ describe('roles scopes', () => {
   it('should fail when try to assign empty scopes', async () => {
     const role = await createRole({});
     const response = await assignScopesToRole([], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail with invalid scope input', async () => {
     const role = await createRole({});
     const response = await assignScopesToRole([''], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail if role not found', async () => {
@@ -61,7 +61,7 @@ describe('roles scopes', () => {
     const response = await assignScopesToRole([scope.id], 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if scope not found', async () => {
@@ -69,7 +69,7 @@ describe('roles scopes', () => {
     const response = await assignScopesToRole(['not-found'], role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if scope already assigned to role', async () => {
@@ -81,7 +81,7 @@ describe('roles scopes', () => {
     const response = await assignScopesToRole([scope1.id, scope2.id], role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(422);
+    expect(response instanceof HTTPError && response.response.status).toBe(422);
   });
 
   it('should fail if try to assign management API scope(s) to user role', async () => {
@@ -91,7 +91,7 @@ describe('roles scopes', () => {
       [defaultManagementApi.scopes[0]!.id],
       userRole.id
     ).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should remove scope from role successfully', async () => {
@@ -113,7 +113,7 @@ describe('roles scopes', () => {
     const resource = await createResource();
     const scope = await createScope(resource.id);
     const response = await deleteScopeFromRole(scope.id, role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail when try to remove scope from role that is not found', async () => {
@@ -122,7 +122,7 @@ describe('roles scopes', () => {
     const response = await deleteScopeFromRole(scope.id, 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail when try to assign a scope to an internal role', async () => {
@@ -132,6 +132,6 @@ describe('roles scopes', () => {
       (error: unknown) => error
     );
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(403);
+    expect(response instanceof HTTPError && response.response.status).toBe(403);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/role.test.ts b/packages/integration-tests/src/tests/api/role.test.ts
index 0526866e698..7cc163ddc1e 100644
--- a/packages/integration-tests/src/tests/api/role.test.ts
+++ b/packages/integration-tests/src/tests/api/role.test.ts
@@ -1,5 +1,5 @@
 import { defaultManagementApi } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { createResource } from '#src/api/resource.js';
 import {
@@ -49,13 +49,13 @@ describe('roles', () => {
     const { name } = await createRole({});
 
     const response = await createRole({ name }).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(422);
+    expect(response instanceof HTTPError && response.response.status).toBe(422);
   });
 
   it('should fail when try to create an internal role', async () => {
     const response = await createRole({ name: '#internal:foo' }).catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(403);
+    expect(response instanceof HTTPError && response.response.status).toBe(403);
   });
 
   it('should fail when try to create role with management API scope(s)', async () => {
@@ -63,7 +63,7 @@ describe('roles', () => {
       (error: unknown) => error
     );
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should get role detail successfully', async () => {
@@ -77,7 +77,7 @@ describe('roles', () => {
   it('should return 404 if role does not exist', async () => {
     const response = await getRole('non_existent_role').catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should update role details successfully', async () => {
@@ -103,14 +103,14 @@ describe('roles', () => {
     const response = await updateRole(role2.id, {
       name: role1.name,
     }).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(422);
+    expect(response instanceof HTTPError && response.response.status).toBe(422);
   });
 
   it('should fail when update a non-existent role', async () => {
     const response = await updateRole('non_existent_role', {
       name: 'new_name',
     }).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail when try to update an internal role', async () => {
@@ -120,7 +120,7 @@ describe('roles', () => {
       name: '#internal:foo',
     }).catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(403);
+    expect(response instanceof HTTPError && response.response.status).toBe(403);
   });
 
   it('should delete role successfully', async () => {
@@ -129,12 +129,12 @@ describe('roles', () => {
     await deleteRole(role.id);
 
     const response = await getRole(role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should return 404 if role does not exist', async () => {
     const response = await deleteRole('non_existent_role').catch((error: unknown) => error);
 
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/role.user.test.ts b/packages/integration-tests/src/tests/api/role.user.test.ts
index dfa2f8cecf2..a046839d30c 100644
--- a/packages/integration-tests/src/tests/api/role.user.test.ts
+++ b/packages/integration-tests/src/tests/api/role.user.test.ts
@@ -1,5 +1,5 @@
 import { RoleType } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import { createUser } from '#src/api/index.js';
 import {
@@ -28,7 +28,7 @@ describe('roles users', () => {
 
   it('should return 404 if role not found', async () => {
     const response = await getRoleUsers('not-found').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should assign users to role successfully', async () => {
@@ -66,7 +66,7 @@ describe('roles users', () => {
     const user = await createUser(generateNewUserProfile({}));
     await expectRejects(assignUsersToRole([user.id], m2mRole.id), {
       code: 'entity.db_constraint_violated',
-      statusCode: 422,
+      status: 422,
     });
     const users = await getRoleUsers(m2mRole.id);
 
@@ -76,13 +76,13 @@ describe('roles users', () => {
   it('should fail when try to assign empty users', async () => {
     const role = await createRole({});
     const response = await assignUsersToRole([], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail with invalid user input', async () => {
     const role = await createRole({});
     const response = await assignUsersToRole([''], role.id).catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(400);
+    expect(response instanceof HTTPError && response.response.status).toBe(400);
   });
 
   it('should fail if role not found', async () => {
@@ -90,7 +90,7 @@ describe('roles users', () => {
     const response = await assignUsersToRole([user.id], 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if user not found', async () => {
@@ -98,7 +98,7 @@ describe('roles users', () => {
     const response = await assignUsersToRole(['not-found'], role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should remove user from role successfully', async () => {
@@ -119,7 +119,7 @@ describe('roles users', () => {
     const response = await deleteUserFromRole(user.id, 'not-found').catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 
   it('should fail if user not found when trying to remove user from role', async () => {
@@ -127,6 +127,6 @@ describe('roles users', () => {
     const response = await deleteUserFromRole('not-found', role.id).catch(
       (error: unknown) => error
     );
-    expect(response instanceof HTTPError && response.response.statusCode).toBe(404);
+    expect(response instanceof HTTPError && response.response.status).toBe(404);
   });
 });
diff --git a/packages/integration-tests/src/tests/api/sign-in-experience.test.ts b/packages/integration-tests/src/tests/api/sign-in-experience.test.ts
index d110a4701ea..ec369087ac2 100644
--- a/packages/integration-tests/src/tests/api/sign-in-experience.test.ts
+++ b/packages/integration-tests/src/tests/api/sign-in-experience.test.ts
@@ -45,7 +45,7 @@ describe('admin console sign-in experience', () => {
 
     await expectRejects(updateSignInExperience(newSignInExperience), {
       code: 'sign_in_experiences.username_requires_password',
-      statusCode: 400,
+      status: 400,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/sso-connectors.test.ts b/packages/integration-tests/src/tests/api/sso-connectors.test.ts
index edb368523b2..03315de7d43 100644
--- a/packages/integration-tests/src/tests/api/sso-connectors.test.ts
+++ b/packages/integration-tests/src/tests/api/sso-connectors.test.ts
@@ -1,5 +1,5 @@
 import { SsoProviderName } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import {
   providerNames,
@@ -64,7 +64,7 @@ describe('post sso-connectors', () => {
         providerName: 'OIDC',
         connectorName: 'test connector name',
       }),
-      { code: 'single_sign_on.duplicate_connector_name', statusCode: 409 }
+      { code: 'single_sign_on.duplicate_connector_name', status: 409 }
     );
 
     await deleteSsoConnectorById(id);
@@ -202,7 +202,7 @@ describe('patch sso-connector by id', () => {
       patchSsoConnectorById(id2, {
         connectorName: 'test connector name',
       }),
-      { code: 'single_sign_on.duplicate_connector_name', statusCode: 409 }
+      { code: 'single_sign_on.duplicate_connector_name', status: 409 }
     );
 
     await deleteSsoConnectorById(id);
diff --git a/packages/integration-tests/src/tests/api/swagger-check.test.ts b/packages/integration-tests/src/tests/api/swagger-check.test.ts
index fadd7a8ca04..22b17267889 100644
--- a/packages/integration-tests/src/tests/api/swagger-check.test.ts
+++ b/packages/integration-tests/src/tests/api/swagger-check.test.ts
@@ -9,11 +9,11 @@ const { default: OpenApiSchemaValidator } = Validator;
 describe('Swagger check', () => {
   it('should provide a valid swagger.json', async () => {
     const response = await api.get('swagger.json');
-    expect(response).toHaveProperty('statusCode', 200);
-    expect(response.headers['content-type']).toContain('application/json');
+    expect(response).toHaveProperty('status', 200);
+    expect(response.headers.get('content-type')).toContain('application/json');
 
     // Use multiple validators to be more confident
-    const object: unknown = JSON.parse(response.body);
+    const object: unknown = await response.json();
 
     const validator = new OpenApiSchemaValidator({ version: 3 });
     const result = validator.validate(object as OpenAPI.Document);
diff --git a/packages/integration-tests/src/tests/api/verification-code.test.ts b/packages/integration-tests/src/tests/api/verification-code.test.ts
index cd131d62000..95719459c22 100644
--- a/packages/integration-tests/src/tests/api/verification-code.test.ts
+++ b/packages/integration-tests/src/tests/api/verification-code.test.ts
@@ -32,7 +32,7 @@ describe('Generic verification code through management API', () => {
   it('should create an email verification code on server side', async () => {
     const payload: RequestVerificationCodePayload = { email: mockEmail };
     const response = await requestVerificationCode(payload);
-    expect(response.statusCode).toBe(204);
+    expect(response.status).toBe(204);
 
     const { code, type, address } = await readConnectorMessage('Email');
 
@@ -44,7 +44,7 @@ describe('Generic verification code through management API', () => {
   it('should create an SMS verification code on server side', async () => {
     const payload: RequestVerificationCodePayload = { phone: mockPhone };
     const response = await requestVerificationCode(payload);
-    expect(response.statusCode).toBe(204);
+    expect(response.status).toBe(204);
 
     const { code, type, phone } = await readConnectorMessage('Sms');
 
@@ -56,7 +56,7 @@ describe('Generic verification code through management API', () => {
   it('should fail to create a verification code on server side when the email and phone are not provided', async () => {
     await expectRejects(requestVerificationCode({ username: 'any_string' }), {
       code: 'guard.invalid_input',
-      statusCode: 400,
+      status: 400,
     });
 
     await expect(readConnectorMessage('Email')).rejects.toThrow();
@@ -68,20 +68,17 @@ describe('Generic verification code through management API', () => {
     await clearConnectorsByTypes([ConnectorType.Email]);
     await expectRejects(requestVerificationCode({ email: emailForTestSendCode }), {
       code: 'connector.not_found',
-      statusCode: 501,
+      status: 501,
     });
 
-    await expect(
-      verifyVerificationCode({ email: emailForTestSendCode, verificationCode: 'any_string' })
-    ).rejects.toMatchObject({
-      response: {
-        statusCode: 400,
-        body: JSON.stringify({
-          message: 'Invalid verification code.',
-          code: 'verification_code.code_mismatch',
-        }),
-      },
-    });
+    await expectRejects(
+      verifyVerificationCode({ email: emailForTestSendCode, verificationCode: 'any_string' }),
+      {
+        messageIncludes: 'Invalid verification code.',
+        code: 'verification_code.code_mismatch',
+        status: 400,
+      }
+    );
 
     // Restore the email connector
     await setEmailConnector();
@@ -92,20 +89,17 @@ describe('Generic verification code through management API', () => {
     await clearConnectorsByTypes([ConnectorType.Sms]);
     await expectRejects(requestVerificationCode({ phone: phoneForTestSendCode }), {
       code: 'connector.not_found',
-      statusCode: 501,
+      status: 501,
     });
 
-    await expect(
-      verifyVerificationCode({ phone: phoneForTestSendCode, verificationCode: 'any_string' })
-    ).rejects.toMatchObject({
-      response: {
-        statusCode: 400,
-        body: JSON.stringify({
-          message: 'Invalid verification code.',
-          code: 'verification_code.code_mismatch',
-        }),
-      },
-    });
+    await expectRejects(
+      verifyVerificationCode({ phone: phoneForTestSendCode, verificationCode: 'any_string' }),
+      {
+        messageIncludes: 'Invalid verification code.',
+        code: 'verification_code.code_mismatch',
+        status: 400,
+      }
+    );
 
     // Restore the SMS connector
     await setSmsConnector();
@@ -136,7 +130,7 @@ describe('Generic verification code through management API', () => {
     await readConnectorMessage('Sms');
     await expectRejects(verifyVerificationCode({ phone: mockPhone, verificationCode: '666' }), {
       code: 'verification_code.code_mismatch',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -148,7 +142,7 @@ describe('Generic verification code through management API', () => {
     expect(phoneToGetCode).toEqual(phone);
     await expectRejects(verifyVerificationCode({ phone: phoneToVerify, verificationCode: code }), {
       code: 'verification_code.not_found',
-      statusCode: 400,
+      status: 400,
     });
   });
 
@@ -160,7 +154,7 @@ describe('Generic verification code through management API', () => {
     expect(emailToGetCode).toEqual(address);
     await expectRejects(verifyVerificationCode({ email: emailToVerify, verificationCode: code }), {
       code: 'verification_code.not_found',
-      statusCode: 400,
+      status: 400,
     });
   });
 });
diff --git a/packages/integration-tests/src/tests/api/well-known.test.ts b/packages/integration-tests/src/tests/api/well-known.test.ts
index d2529a43699..4aaf7ce7589 100644
--- a/packages/integration-tests/src/tests/api/well-known.test.ts
+++ b/packages/integration-tests/src/tests/api/well-known.test.ts
@@ -1,5 +1,5 @@
 import { type SignInExperience, type Translation, type SsoConnectorMetadata } from '@logto/schemas';
-import { HTTPError } from 'got';
+import { HTTPError } from 'ky';
 
 import api, { adminTenantApi, authedAdminApi } from '#src/api/api.js';
 import { updateSignInExperience } from '#src/api/index.js';
@@ -15,7 +15,7 @@ describe('.well-known api', () => {
 
   it('should not found API route in non-admin tenant', async () => {
     const response = await api.get('.well-known/endpoints/123').catch((error: unknown) => error);
-    expect(response instanceof HTTPError && response.response.statusCode === 404).toBe(true);
+    expect(response instanceof HTTPError && response.response.status === 404).toBe(true);
   });
 
   it('get /.well-known/sign-in-exp for console', async () => {
diff --git a/packages/integration-tests/src/tests/console/applications/index.test.ts b/packages/integration-tests/src/tests/console/applications/index.test.ts
index b0a16189f6b..6855427e637 100644
--- a/packages/integration-tests/src/tests/console/applications/index.test.ts
+++ b/packages/integration-tests/src/tests/console/applications/index.test.ts
@@ -13,7 +13,7 @@ import {
   goToAdminConsole,
   waitForToast,
 } from '#src/ui-helpers/index.js';
-import { expectNavigation, appendPathname, dcls } from '#src/utils.js';
+import { expectNavigation, appendPathname, dcls, waitFor, cls } from '#src/utils.js';
 
 import {
   type ApplicationMetadata,
@@ -85,7 +85,7 @@ describe('applications', () => {
      */
     await page.reload();
 
-    await expect(page).toMatchElement('table div[class$=item] a[class$=title]', {
+    await expect(page).toMatchElement(`table div[class$=item] a${cls('title')}`, {
       text: initialApp.name,
     });
   });
@@ -145,7 +145,7 @@ describe('applications', () => {
     await expect(page).toClick('div[class$=header] button span', { text: 'Check guide' });
 
     // Wait for the guide drawer to be ready
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     // Close guide
     await expect(page).toClick(
@@ -201,7 +201,7 @@ describe('applications', () => {
     await waitForToast(page, { text: 'Saved' });
 
     // Wait for the redirect uri field to be updated
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     // Remove Redirect Uri
     await expect(page).toFill(`input[value="${testApp.redirectUri}"]`, '');
@@ -345,7 +345,7 @@ describe('applications', () => {
   });
 
   it('delete the initial application', async () => {
-    await expect(page).toClick('table tbody tr td div[class$=item] a[class$=title]', {
+    await expect(page).toClick(`table tbody tr td div[class$=item] a${cls('title')}`, {
       text: initialApp.name,
     });
 
diff --git a/packages/integration-tests/src/tests/console/bootstrap.test.ts b/packages/integration-tests/src/tests/console/bootstrap.test.ts
index 0af94ca6532..aafb737697a 100644
--- a/packages/integration-tests/src/tests/console/bootstrap.test.ts
+++ b/packages/integration-tests/src/tests/console/bootstrap.test.ts
@@ -7,7 +7,7 @@ import {
   consoleUsername,
   logtoConsoleUrl as logtoConsoleUrlString,
 } from '#src/constants.js';
-import { appendPathname, cls, dcls, expectNavigation } from '#src/utils.js';
+import { appendPathname, cls, dcls, expectNavigation, waitFor } from '#src/utils.js';
 
 /**
  * NOTE: This test suite assumes test cases will run sequentially (which is Jest default).
@@ -85,7 +85,7 @@ describe('smoke testing for console admin account creation and sign-in', () => {
     await expect(page).toClick('div[class$=topbar] > div[class$=container]');
 
     // Try awaiting for 500ms before clicking sign-out button
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     await expectNavigation(
       expect(page).toClick(
diff --git a/packages/integration-tests/src/tests/console/machine-to-machine-rbac/utils.ts b/packages/integration-tests/src/tests/console/rbac/helper.ts
similarity index 83%
rename from packages/integration-tests/src/tests/console/machine-to-machine-rbac/utils.ts
rename to packages/integration-tests/src/tests/console/rbac/helper.ts
index a79e3589360..30f22b69df6 100644
--- a/packages/integration-tests/src/tests/console/machine-to-machine-rbac/utils.ts
+++ b/packages/integration-tests/src/tests/console/rbac/helper.ts
@@ -6,8 +6,23 @@ import {
   expectToClickModalAction,
   waitForToast,
 } from '#src/ui-helpers/index.js';
+import { selectDropdownMenuItem } from '#src/ui-helpers/select-dropdown-menu-item.js';
 import { expectNavigation, appendPathname } from '#src/utils.js';
 
+export const expectToSelectPermissionAction = async (
+  page: Page,
+  { permissionName, action }: { permissionName: string; action: string }
+) => {
+  const permissionRow = await expect(page).toMatchElement('table tbody tr:has(td div)', {
+    text: permissionName,
+  });
+
+  // Click the action button from the permission row
+  await expect(permissionRow).toClick('td[class$=actionColumn] button');
+
+  await selectDropdownMenuItem(page, 'div[role=menuitem]', action);
+};
+
 /**
  * Create a machine-to-machine role and assign permissions to it by operating on the Web
  *
diff --git a/packages/integration-tests/src/tests/console/machine-to-machine-rbac/machime-to-machime-rbac.test.ts b/packages/integration-tests/src/tests/console/rbac/machime-to-machime-rbac.test.ts
similarity index 92%
rename from packages/integration-tests/src/tests/console/machine-to-machine-rbac/machime-to-machime-rbac.test.ts
rename to packages/integration-tests/src/tests/console/rbac/machime-to-machime-rbac.test.ts
index 33138402f53..f20b879dc13 100644
--- a/packages/integration-tests/src/tests/console/machine-to-machine-rbac/machime-to-machime-rbac.test.ts
+++ b/packages/integration-tests/src/tests/console/rbac/machime-to-machime-rbac.test.ts
@@ -3,6 +3,7 @@ import {
   expectConfirmModalAndAct,
   expectModalWithTitle,
   expectToClickModalAction,
+  expectToClickNavTab,
   goToAdminConsole,
   waitForToast,
 } from '#src/ui-helpers/index.js';
@@ -14,6 +15,7 @@ import {
   generateScopeName,
   generateRoleName,
   dcls,
+  cls,
 } from '#src/utils.js';
 
 import {
@@ -21,7 +23,7 @@ import {
   expectToProceedApplicationCreationFrom,
 } from '../applications/helpers.js';
 
-import { createM2mRoleAndAssignPermissions } from './utils.js';
+import { createM2mRoleAndAssignPermissions, expectToSelectPermissionAction } from './helper.js';
 
 await page.setViewport({ width: 1920, height: 1080 });
 
@@ -90,9 +92,7 @@ describe('M2M RBAC', () => {
     });
 
     it('create permission for api resource', async () => {
-      await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
-        text: 'Permissions',
-      });
+      await expectToClickNavTab(page, 'Permissions');
 
       await expect(page).toClick('div[class$=filter] button[class$=createButton] span', {
         text: 'Create permission',
@@ -183,20 +183,18 @@ describe('M2M RBAC', () => {
       await expect(page).toFill('div[class$=filter] input', roleName);
       await expect(page).toClick('button', { text: 'Search' });
 
-      await expect(page).toClick('table tbody tr td div[class$=meta]:has(a[class$=title])', {
+      await expect(page).toClick(`table tbody tr td div[class$=meta]:has(a${cls('title')})`, {
         text: roleName,
       });
     });
 
     it('delete a permission from a role on the role details page', async () => {
-      await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
-        text: 'Permissions',
-      });
+      await expectToClickNavTab(page, 'Permissions');
 
-      const permissionRow = await expect(page).toMatchElement('table tbody tr:has(td div)', {
-        text: permissionName,
+      await expectToSelectPermissionAction(page, {
+        permissionName,
+        action: 'Remove permission',
       });
-      await expect(permissionRow).toClick('td[class$=deleteColumn] button');
 
       await expectConfirmModalAndAct(page, {
         title: 'Reminder',
@@ -272,7 +270,7 @@ describe('M2M RBAC', () => {
       });
 
       await expect(page).toMatchElement(
-        'div[class$=applicationsTable] td div[class$=item] a[class$=title]',
+        [dcls('applicationsTable'), 'td', dcls('item'), `a${cls('title')}`].join(' '),
         {
           text: rbacTestAppname,
         }
@@ -302,7 +300,7 @@ describe('M2M RBAC', () => {
         page.goto(appendPathname('/console/applications', logtoConsoleUrl).href)
       );
 
-      await expect(page).toClick('table tbody tr td a[class$=title]', {
+      await expect(page).toClick(['table', 'tbody', 'tr', 'td', `a${cls('title')}`].join(' '), {
         text: rbacTestAppname,
       });
     });
@@ -341,7 +339,7 @@ describe('M2M RBAC', () => {
         }
       );
 
-      const roleRow = await expect(page).toMatchElement('table tbody tr:has(td a[class$=title])', {
+      const roleRow = await expect(page).toMatchElement(`table tbody tr:has(td a${cls('title')})`, {
         text: roleName,
       });
 
diff --git a/packages/integration-tests/src/tests/console/rbac.test.ts b/packages/integration-tests/src/tests/console/rbac/user-rbac.test.ts
similarity index 86%
rename from packages/integration-tests/src/tests/console/rbac.test.ts
rename to packages/integration-tests/src/tests/console/rbac/user-rbac.test.ts
index 9d8dc6a882d..fe13364a3c4 100644
--- a/packages/integration-tests/src/tests/console/rbac.test.ts
+++ b/packages/integration-tests/src/tests/console/rbac/user-rbac.test.ts
@@ -4,6 +4,7 @@ import {
   expectModalWithTitle,
   expectToClickDetailsPageOption,
   expectToClickModalAction,
+  expectToClickNavTab,
   goToAdminConsole,
   waitForToast,
 } from '#src/ui-helpers/index.js';
@@ -15,11 +16,14 @@ import {
   generateResourceIndicator,
   generateScopeName,
   generateRoleName,
+  cls,
 } from '#src/utils.js';
 
+import { expectToSelectPermissionAction } from './helper.js';
+
 await page.setViewport({ width: 1920, height: 1080 });
 
-describe('RBAC', () => {
+describe('User RBAC', () => {
   const logtoConsoleUrl = new URL(logtoConsoleUrlString);
   const apiResourceName = generateResourceName();
   const apiResourceIndicator = generateResourceIndicator();
@@ -77,7 +81,7 @@ describe('RBAC', () => {
   });
 
   it('create api permissions', async () => {
-    await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
+    await expect(page).toClick('nav div[class$=item] div[class*=link] a', {
       text: 'Permissions',
     });
 
@@ -103,6 +107,18 @@ describe('RBAC', () => {
     });
   });
 
+  it('be able to edit the permission description', async () => {
+    await expectToSelectPermissionAction(page, { permissionName, action: 'Edit permission' });
+    await expectModalWithTitle(page, 'Edit API permission');
+    const newDescription = `New: ${permissionDescription}`;
+    await expect(page).toFillForm('.ReactModalPortal form', { description: newDescription });
+    await expect(page).toClick('.ReactModalPortal button[type=submit]');
+    await waitForToast(page, { text: 'Permission updated.', type: 'success' });
+    await expect(page).toMatchElement('table tbody tr td div', {
+      text: newDescription,
+    });
+  });
+
   it('navigate to user management page', async () => {
     await expectNavigation(page.goto(appendPathname('/console/users', logtoConsoleUrl).href));
     await expect(page).toMatchElement(
@@ -179,14 +195,12 @@ describe('RBAC', () => {
   });
 
   it('delete a permission from a role on the role details page', async () => {
-    await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
-      text: 'Permissions',
-    });
+    await expectToClickNavTab(page, 'Permissions');
 
-    const permissionRow = await expect(page).toMatchElement('table tbody tr:has(td div)', {
-      text: permissionName,
+    await expectToSelectPermissionAction(page, {
+      permissionName,
+      action: 'Remove permission',
     });
-    await expect(permissionRow).toClick('td[class$=deleteColumn] button');
 
     await expectConfirmModalAndAct(page, {
       title: 'Reminder',
@@ -251,7 +265,7 @@ describe('RBAC', () => {
     });
 
     await expect(page).toMatchElement(
-      'div[class$=usersTable] td div[class$=item] a[class$=title]',
+      `div[class$=usersTable] td div[class$=item] a${cls('title')}`,
       {
         text: rbacTestUsername,
       }
@@ -260,7 +274,7 @@ describe('RBAC', () => {
 
   it('remove a role form a user on the user details page', async () => {
     // Navigate to user details page
-    await expect(page).toClick('table tbody tr td a[class$=title]', {
+    await expect(page).toClick(`table tbody tr td a${cls('title')}`, {
       text: rbacTestUsername,
     });
 
@@ -273,7 +287,7 @@ describe('RBAC', () => {
       text: 'Roles',
     });
 
-    const roleRow = await expect(page).toMatchElement('table tbody tr:has(td a[class$=title])', {
+    const roleRow = await expect(page).toMatchElement(`table tbody tr:has(td a${cls('title')})`, {
       text: roleName,
     });
 
@@ -333,7 +347,7 @@ describe('RBAC', () => {
       }
     );
 
-    await expect(page).toClick('table tbody tr td a[class$=title]', {
+    await expect(page).toClick(['table', 'tbody', 'tr', 'td', `a${cls('title')}`].join(' '), {
       text: roleName,
     });
 
@@ -366,7 +380,7 @@ describe('RBAC', () => {
       }
     );
 
-    await expect(page).toClick('table tbody tr td a[class$=title]', {
+    await expect(page).toClick(['table', 'tbody', 'tr', 'td', `a${cls('title')}`].join(' '), {
       text: apiResourceName,
     });
 
@@ -375,15 +389,17 @@ describe('RBAC', () => {
     });
 
     // Navigate to permissions tab
-    await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
-      text: 'Permissions',
-    });
-    const permissionRow = await expect(page).toMatchElement('table tbody tr:has(td div)', {
-      text: permissionName,
+    await expectToClickNavTab(page, 'Permissions');
+
+    await expectToSelectPermissionAction(page, {
+      permissionName,
+      action: 'Delete permission',
     });
-    await expect(permissionRow).toClick('td[class$=deleteColumn] button');
 
-    await expectConfirmModalAndAct(page, { title: 'Reminder', actionText: 'Delete' });
+    await expectConfirmModalAndAct(page, {
+      title: 'Reminder',
+      actionText: 'Delete',
+    });
 
     await waitForToast(page, {
       text: `The permission "${permissionName}" was successfully deleted.`,
diff --git a/packages/integration-tests/src/tests/console/sign-in-experience/branding.test.ts b/packages/integration-tests/src/tests/console/sign-in-experience/branding.test.ts
index 2b24f5b293e..821ef6765e7 100644
--- a/packages/integration-tests/src/tests/console/sign-in-experience/branding.test.ts
+++ b/packages/integration-tests/src/tests/console/sign-in-experience/branding.test.ts
@@ -1,6 +1,6 @@
 import { logtoConsoleUrl as logtoConsoleUrlString } from '#src/constants.js';
 import { goToAdminConsole } from '#src/ui-helpers/index.js';
-import { expectNavigation, appendPathname } from '#src/utils.js';
+import { expectNavigation, appendPathname, waitFor } from '#src/utils.js';
 
 import { waitForFormCard, expectToSelectColor, expectToSaveSignInExperience } from './helpers.js';
 
@@ -64,7 +64,7 @@ describe('sign-in experience: branding', () => {
     await expect(page).toClick('div[class$=darkModeTip] button span', { text: 'Recalculate' });
 
     // Wait for the recalculate to finish
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     // Fill in the custom CSS
     await expect(page).toFill('div[class$=editor] textarea', 'body { background-color: #5B4D8E; }');
@@ -83,7 +83,7 @@ describe('sign-in experience: branding', () => {
     await expect(page).toClick('div[class$=darkModeTip] button span', { text: 'Recalculate' });
 
     // Wait for the recalculate to finish
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     // Fill in the custom CSS
     await expect(page).toFill('div[class$=editor] textarea', '');
diff --git a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/connector-setup-helpers.ts b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/connector-setup-helpers.ts
index 26be6960768..dc68ccfded3 100644
--- a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/connector-setup-helpers.ts
+++ b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/connector-setup-helpers.ts
@@ -3,7 +3,7 @@ import { type Page } from 'puppeteer';
 
 import { logtoConsoleUrl as logtoConsoleUrlString } from '#src/constants.js';
 import { expectToClickDetailsPageOption, waitForToast } from '#src/ui-helpers/index.js';
-import { expectNavigation, appendPathname } from '#src/utils.js';
+import { expectNavigation, appendPathname, cls } from '#src/utils.js';
 
 import {
   expectToConfirmConnectorDeletion,
@@ -129,7 +129,7 @@ export const expectToDeletePasswordlessConnector = async (page: Page, { name }:
     page.goto(appendPathname('/console/connectors/passwordless', logtoConsoleUrl).href)
   );
 
-  await expect(page).toClick('table tbody tr td div[class$=item] a[class$=title] span', {
+  await expect(page).toClick(`table tbody tr td div[class$=item] a${cls('title')} span`, {
     text: name,
   });
 
@@ -150,7 +150,7 @@ export const expectToDeleteSocialConnector = async (page: Page, { name }: TestCo
     page.goto(appendPathname('/console/connectors/social', logtoConsoleUrl).href)
   );
 
-  await expect(page).toClick('table tbody tr td div[class$=item] a[class$=title] span', {
+  await expect(page).toClick(`table tbody tr td div[class$=item] a${cls('title')} span`, {
     text: name,
   });
 
diff --git a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/happy-path.test.ts b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/happy-path.test.ts
index 5013e0adf25..1633fee8f89 100644
--- a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/happy-path.test.ts
+++ b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/happy-path.test.ts
@@ -560,16 +560,18 @@ describe('sign-in experience(happy path): sign-up and sign-in', () => {
       // Should have diffs about social sign-in connector
       await expectToSaveChanges(page);
       await expectModalWithTitle(page, 'Reminder');
-      // No social content in the before section
+
       const beforeSection = await expect(page).toMatchElement(
         'div[class$=section]:has(div[class$=title])',
         { text: 'Before' }
       );
-      await expect(
-        expect(beforeSection).toMatchElement('div[class$=title]', {
-          text: 'Social',
-        })
-      ).rejects.toThrow();
+
+      // Ensure no social-related content in the "Before" section. The modal is already visible, so
+      // the timeout can be short.
+      await expect(beforeSection).not.toMatchElement('div[class$=title]', {
+        text: 'Social',
+        timeout: 50,
+      });
 
       // Have social content in the after section
       const afterSection = await expect(page).toMatchElement(
diff --git a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/helpers.ts b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/helpers.ts
index 1e77fe9fe75..b18de8c067c 100644
--- a/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/helpers.ts
+++ b/packages/integration-tests/src/tests/console/sign-in-experience/sign-up-and-sign-in/helpers.ts
@@ -1,6 +1,7 @@
 import { type Page } from 'puppeteer';
 
 import { selectDropdownMenuItem } from '#src/ui-helpers/select-dropdown-menu-item.js';
+import { waitFor } from '#src/utils.js';
 
 import { expectToSaveSignInExperience } from '../helpers.js';
 
@@ -26,7 +27,7 @@ export const expectToSelectSignUpIdentifier = async (page: Page, identifier: str
   });
 
   // Wait for the config to update
-  await page.waitForTimeout(500);
+  await waitFor(100);
 };
 
 export const expectToClickSignUpAuthnOption = async (page: Page, option: string) => {
@@ -56,7 +57,7 @@ export const expectToAddSignInMethod = async (page: Page, method: string, isAddA
   });
 
   // Wait for the dropdown to be rendered in the correct position
-  await page.waitForTimeout(500);
+  await waitFor(100);
 
   await expect(page).toClick('.ReactModalPortal div[class$=dropdownContainer] div[role=menuitem]', {
     text: method,
@@ -88,7 +89,7 @@ export const expectToClickSignInMethodAuthnOption = async (
   });
 
   // Wait for the config to update
-  await page.waitForTimeout(500);
+  await waitFor(100);
 };
 
 export const expectToSwapSignInMethodAuthnOption = async (page: Page, method: string) => {
@@ -113,7 +114,7 @@ export const expectToRemoveSignInMethod = async (page: Page, method: string) =>
   await expect(methodItem).toClick('div[class$=anchor] button:last-of-type');
 
   // Wait for the config to update
-  await page.waitForTimeout(500);
+  await waitFor(100);
 };
 
 export const expectSignInMethodError = async (page: Page, method: string) => {
diff --git a/packages/integration-tests/src/tests/console/user-management.test.ts b/packages/integration-tests/src/tests/console/user-management.test.ts
index 6ed12e07c9b..43a7645142e 100644
--- a/packages/integration-tests/src/tests/console/user-management.test.ts
+++ b/packages/integration-tests/src/tests/console/user-management.test.ts
@@ -15,6 +15,7 @@ import {
   generateName,
   generatePhone,
   generateUsername,
+  waitFor,
 } from '#src/utils.js';
 
 await page.setViewport({ width: 1280, height: 720 });
@@ -158,14 +159,14 @@ describe('user management', () => {
       text: newEmail,
     });
 
-    await page.waitForTimeout(500);
+    await waitFor(500);
     await expect(page).toFillForm('form', { primaryEmail: '' });
     await expectToSaveChanges(page);
     // After removing email, top userinfo card shows the phone number as the title
     await expect(page).toMatchElement('div[class$=main] div[class$=metadata] div[class$=name]', {
       text: formatPhoneNumberToInternational(newPhone),
     });
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     await expect(page).toFillForm('form', { primaryPhone: '' });
     await expectToSaveChanges(page);
@@ -173,7 +174,7 @@ describe('user management', () => {
     await expect(page).toMatchElement('div[class$=main] div[class$=metadata] div[class$=name]', {
       text: newUsername,
     });
-    await page.waitForTimeout(500);
+    await waitFor(500);
 
     await expect(page).toFillForm('form', { username: '' });
     await expectToSaveChanges(page);
diff --git a/packages/integration-tests/src/tests/experience/direct-sign-in.test.ts b/packages/integration-tests/src/tests/experience/direct-sign-in.test.ts
new file mode 100644
index 00000000000..4bd3633c208
--- /dev/null
+++ b/packages/integration-tests/src/tests/experience/direct-sign-in.test.ts
@@ -0,0 +1,132 @@
+import crypto from 'node:crypto';
+
+import { ConnectorType } from '@logto/connector-kit';
+import { SignInIdentifier, SsoProviderName } from '@logto/schemas';
+import { appendPath } from '@silverhand/essentials';
+
+import { mockSocialConnectorTarget } from '#src/__mocks__/connectors-mock.js';
+import { updateSignInExperience } from '#src/api/sign-in-experience.js';
+import { createSsoConnector } from '#src/api/sso-connector.js';
+import { demoAppUrl, logtoUrl } from '#src/constants.js';
+import { clearConnectorsByTypes, setSocialConnector } from '#src/helpers/connector.js';
+import ExpectExperience from '#src/ui-helpers/expect-experience.js';
+import { dcls, dmodal } from '#src/utils.js';
+
+const randomString = () => crypto.randomBytes(8).toString('hex');
+
+/**
+ * NOTE: This test suite assumes test cases will run sequentially (which is Jest default).
+ * Parallel execution will lead to errors.
+ */
+// Tip: See https://github.com/argos-ci/jest-puppeteer/blob/main/packages/expect-puppeteer/README.md
+// for convenient expect methods
+describe('direct sign-in', () => {
+  const context = new (class Context {
+    ssoConnectorId?: string;
+  })();
+  const ssoOidcIssuer = `${logtoUrl}/oidc`;
+
+  beforeAll(async () => {
+    await clearConnectorsByTypes([ConnectorType.Social, ConnectorType.Email, ConnectorType.Sms]);
+    await setSocialConnector();
+    const ssoConnector = await createSsoConnector({
+      providerName: SsoProviderName.OIDC,
+      connectorName: 'test-oidc-' + randomString(),
+      domains: [`foo${randomString()}.com`],
+      config: {
+        clientId: 'foo',
+        clientSecret: 'bar',
+        issuer: ssoOidcIssuer,
+      },
+    });
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    context.ssoConnectorId = ssoConnector.id;
+    await updateSignInExperience({
+      termsOfUseUrl: 'https://example.com/terms',
+      privacyPolicyUrl: 'https://example.com/privacy',
+      signUp: { identifiers: [], password: true, verify: false },
+      signIn: {
+        methods: [
+          {
+            identifier: SignInIdentifier.Username,
+            password: true,
+            verificationCode: false,
+            isPasswordPrimary: true,
+          },
+        ],
+      },
+      singleSignOnEnabled: true,
+      socialSignInConnectorTargets: ['mock-social'],
+    });
+  });
+
+  it('should be landed to the social identity provider directly', async () => {
+    const socialUserId = 'foo_' + randomString();
+    const experience = new ExpectExperience(await browser.newPage());
+    const url = new URL(demoAppUrl);
+
+    url.searchParams.set('direct_sign_in', `social:${mockSocialConnectorTarget}`);
+    await experience.page.goto(url.href);
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+      clickButton: false,
+    });
+
+    // Redirected back to the social callback page
+    experience.toMatchUrl(new RegExp(appendPath(new URL(logtoUrl), 'callback/social/.*').href));
+
+    // Should have popped up the terms of use and privacy policy dialog
+    await experience.toMatchElement([dmodal(), dcls('content')].join(' '), {
+      text: /terms of use/i,
+    });
+    await experience.toClickButton(/agree/i);
+
+    experience.toMatchUrl(demoAppUrl);
+    await experience.toClick('div[role=button]', /sign out/i);
+    await experience.page.close();
+  });
+
+  it('should be landed to the sso identity provider directly', async () => {
+    const experience = new ExpectExperience(await browser.newPage());
+    const url = new URL(demoAppUrl);
+    const socialUserId = 'foo_' + randomString();
+
+    url.searchParams.set('direct_sign_in', `sso:${context.ssoConnectorId!}`);
+    await experience.page.goto(url.href);
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+      clickButton: false,
+      authUrl: ssoOidcIssuer + '/auth',
+    });
+
+    // The SSO sign-in flow won't succeed, but the user should be redirected back to the demo app
+    // with the code and user ID in the query string.
+    const callbackUrl = new URL(experience.page.url());
+    expect(callbackUrl.searchParams.get('code')).toBe('mock-code');
+    expect(callbackUrl.searchParams.get('userId')).toBe(socialUserId);
+    expect(new URL(callbackUrl.pathname, callbackUrl.origin).href).toBe(demoAppUrl.href);
+
+    await experience.page.close();
+  });
+
+  it('should fall back to the sign-in page if the direct sign-in target is invalid', async () => {
+    const experience = new ExpectExperience(await browser.newPage());
+    const url = new URL(demoAppUrl);
+
+    url.searchParams.set('direct_sign_in', 'social:invalid-target');
+    await experience.navigateTo(url.href);
+    experience.toBeAt('sign-in');
+    await experience.page.close();
+  });
+
+  it('should fall back to the register page if the direct sign-in target is invalid and `first_screen` is `register`', async () => {
+    const experience = new ExpectExperience(await browser.newPage());
+    const url = new URL(demoAppUrl);
+
+    url.searchParams.set('direct_sign_in', 'social:invalid-target');
+    url.searchParams.set('first_screen', 'register');
+    await experience.navigateTo(url.href);
+    experience.toBeAt('register');
+    await experience.page.close();
+  });
+});
diff --git a/packages/integration-tests/src/tests/experience/password-policy.test.ts b/packages/integration-tests/src/tests/experience/password-policy.test.ts
index 338b341c991..b2ea78e895f 100644
--- a/packages/integration-tests/src/tests/experience/password-policy.test.ts
+++ b/packages/integration-tests/src/tests/experience/password-policy.test.ts
@@ -7,11 +7,11 @@ import { demoAppUrl } from '#src/constants.js';
 import { clearConnectorsByTypes, setEmailConnector } from '#src/helpers/connector.js';
 import ExpectExperience from '#src/ui-helpers/expect-experience.js';
 import { setupUsernameAndEmailExperience } from '#src/ui-helpers/index.js';
-import { waitFor } from '#src/utils.js';
+import { randomString } from '#src/utils.js';
 
 describe('password policy', () => {
-  const username = 'test_pass_policy_30';
-  const emailName = 'a_good_foo_30';
+  const username = 'test_' + randomString();
+  const emailName = 'foo_' + randomString();
   const email = emailName + '@bar.com';
   const invalidPasswords: Array<[string, string | RegExp]> = [
     ['123', 'minimum length'],
@@ -44,7 +44,7 @@ describe('password policy', () => {
     await experience.toFillInput('id', username, { submit: true });
 
     // Password tests
-    experience.toBeAt('register/password');
+    await experience.waitForPathname('register/password');
     await experience.toFillNewPasswords(
       ...invalidPasswords,
       [username + 'A', /product context .* personal information/],
@@ -72,9 +72,7 @@ describe('password policy', () => {
     await experience.toFillInput('id', email, { submit: true });
     await experience.toCompleteVerification('register', 'Email');
 
-    // Wait for the password page to load
-    await waitFor(100);
-    experience.toBeAt('continue/password');
+    await experience.waitForPathname('continue/password');
     await experience.toFillNewPasswords(
       ...invalidPasswords,
       [emailName, 'personal information'],
@@ -101,8 +99,7 @@ describe('password policy', () => {
     await experience.toCompleteVerification('forgot-password', 'Email');
 
     // Wait for the password page to load
-    await waitFor(100);
-    experience.toBeAt('forgot-password/reset');
+    await experience.waitForPathname('forgot-password/reset');
     await experience.toFillNewPasswords(
       ...invalidPasswords,
       [emailName, 'personal information'],
@@ -110,7 +107,8 @@ describe('password policy', () => {
       emailName + 'ABCD135'
     );
 
-    experience.toBeAt('sign-in');
+    await experience.waitForPathname('sign-in');
+    await experience.waitForToast(/password changed/i);
     await experience.toFillInput('identifier', email, { submit: true });
     await experience.toFillInput('password', emailName + 'ABCD135', { submit: true });
     await experience.verifyThenEnd();
diff --git a/packages/integration-tests/src/tests/experience/social-sign-in.test.ts b/packages/integration-tests/src/tests/experience/social-sign-in.test.ts
new file mode 100644
index 00000000000..9f89563b2db
--- /dev/null
+++ b/packages/integration-tests/src/tests/experience/social-sign-in.test.ts
@@ -0,0 +1,163 @@
+import crypto from 'node:crypto';
+
+import { ConnectorType } from '@logto/connector-kit';
+import { SignInIdentifier, SignInMode, SsoProviderName } from '@logto/schemas';
+import { appendPath } from '@silverhand/essentials';
+
+import { updateSignInExperience } from '#src/api/sign-in-experience.js';
+import { createSsoConnector } from '#src/api/sso-connector.js';
+import { demoAppUrl, logtoUrl } from '#src/constants.js';
+import {
+  clearConnectorsByTypes,
+  setEmailConnector,
+  setSocialConnector,
+} from '#src/helpers/connector.js';
+import ExpectExperience from '#src/ui-helpers/expect-experience.js';
+import { dcls, dmodal, generateEmail } from '#src/utils.js';
+
+const randomString = () => crypto.randomBytes(8).toString('hex');
+
+/**
+ * NOTE: This test suite assumes test cases will run sequentially (which is Jest default).
+ * Parallel execution will lead to errors.
+ */
+// Tip: See https://github.com/argos-ci/jest-puppeteer/blob/main/packages/expect-puppeteer/README.md
+// for convenient expect methods
+describe('social sign-in (with email identifier)', () => {
+  const context = new (class Context {
+    ssoConnectorId?: string;
+  })();
+  const ssoOidcIssuer = `${logtoUrl}/oidc`;
+  // eslint-disable-next-line @silverhand/fp/no-let
+  let experience: ExpectExperience;
+  const socialUserId = 'foo_' + randomString();
+
+  beforeAll(async () => {
+    await clearConnectorsByTypes([ConnectorType.Social, ConnectorType.Email, ConnectorType.Sms]);
+    await setEmailConnector();
+    await setSocialConnector();
+    const ssoConnector = await createSsoConnector({
+      providerName: SsoProviderName.OIDC,
+      connectorName: 'test-oidc-' + randomString(),
+      domains: [`foo${randomString()}.com`],
+      config: {
+        clientId: 'foo',
+        clientSecret: 'bar',
+        issuer: ssoOidcIssuer,
+      },
+    });
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    context.ssoConnectorId = ssoConnector.id;
+    await updateSignInExperience({
+      termsOfUseUrl: 'https://example.com/terms',
+      privacyPolicyUrl: 'https://example.com/privacy',
+      signUp: { identifiers: [SignInIdentifier.Email], password: true, verify: true },
+      signIn: {
+        methods: [
+          {
+            identifier: SignInIdentifier.Username,
+            password: true,
+            verificationCode: false,
+            isPasswordPrimary: true,
+          },
+          {
+            identifier: SignInIdentifier.Email,
+            password: true,
+            verificationCode: false,
+            isPasswordPrimary: true,
+          },
+        ],
+      },
+      signInMode: SignInMode.SignIn,
+      singleSignOnEnabled: true,
+      socialSignInConnectorTargets: ['mock-social'],
+    });
+  });
+
+  it('should be able to start the social sign-in flow', async () => {
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    experience = new ExpectExperience(await browser.newPage());
+    await experience.startWith(demoAppUrl, 'sign-in');
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+    });
+
+    // Registration disabled, should be redirected back to the sign-in page
+    await experience.waitForToast('not been registered yet');
+    experience.toBeAt('sign-in');
+  });
+
+  it('should be able to cancel (disagree) the terms of use', async () => {
+    await updateSignInExperience({ signInMode: SignInMode.SignInAndRegister });
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+    });
+    // Redirected back to the social callback page
+    experience.toMatchUrl(new RegExp(appendPath(new URL(logtoUrl), 'callback/social/.*').href));
+
+    // Should have popped up the terms of use and privacy policy dialog
+    await experience.toMatchElement([dmodal(), dcls('content')].join(' '), {
+      text: /terms of use/i,
+    });
+    await experience.toClickButton(/cancel/i);
+    experience.toBeAt('sign-in');
+  });
+
+  it('should be able to start the social sign-in flow again if state mismatch', async () => {
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+      state: '', // Overriding the state to cause a mismatch
+    });
+    await experience.waitForToast(/invalid/);
+    experience.toBeAt('sign-in');
+  });
+
+  it('should be able to start the social sign-in flow again', async () => {
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+    });
+
+    // Redirected back to the social callback page
+    experience.toMatchUrl(new RegExp(appendPath(new URL(logtoUrl), 'callback/social/.*').href));
+
+    // Should have popped up the terms of use and privacy policy dialog
+    await experience.toMatchElement([dmodal(), dcls('content')].join(' '), {
+      text: /terms of use/i,
+    });
+    await experience.toClickButton(/agree/i);
+  });
+
+  it('should be able to verify the required email address', async () => {
+    await experience.toFillInput('identifier', generateEmail(), { submit: true });
+    await experience.toCompleteVerification('continue', 'Email');
+
+    await experience.verifyThenEnd();
+  });
+
+  it('should directly sign in for existing users without pop-up terms of use', async () => {
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    experience = new ExpectExperience(await browser.newPage());
+    await experience.startWith(demoAppUrl, 'sign-in');
+    await experience.toProcessSocialSignIn({
+      socialUserId,
+    });
+    await experience.verifyThenEnd();
+  });
+
+  it('should directly sign in for new users when terms of use has not been set', async () => {
+    await updateSignInExperience({
+      termsOfUseUrl: '',
+      privacyPolicyUrl: '',
+    });
+
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    experience = new ExpectExperience(await browser.newPage());
+    await experience.startWith(demoAppUrl, 'sign-in');
+    await experience.toProcessSocialSignIn({
+      socialUserId: 'bar_' + randomString(),
+    });
+    await experience.toFillInput('identifier', generateEmail(), { submit: true });
+    await experience.toCompleteVerification('continue', 'Email');
+    await experience.verifyThenEnd();
+  });
+});
diff --git a/packages/integration-tests/src/ui-helpers/expect-experience.ts b/packages/integration-tests/src/ui-helpers/expect-experience.ts
index 9a936807b14..c6588b4bda8 100644
--- a/packages/integration-tests/src/ui-helpers/expect-experience.ts
+++ b/packages/integration-tests/src/ui-helpers/expect-experience.ts
@@ -90,6 +90,24 @@ export default class ExpectExperience extends ExpectPage {
     this.#ongoing = { type, initialUrl };
   }
 
+  async waitForUrl(url: URL, retry = 3) {
+    // eslint-disable-next-line @silverhand/fp/no-let
+    let retries = retry;
+
+    do {
+      if (this.page.url() === url.href) {
+        return;
+      }
+
+      // eslint-disable-next-line no-await-in-loop
+      await this.page.waitForNavigation({ waitUntil: 'networkidle0' });
+    } while (retries--); // eslint-disable-line @silverhand/fp/no-mutation
+  }
+
+  async waitForPathname(pathname: string, retry = 3) {
+    return this.waitForUrl(this.buildExperienceUrl(pathname), retry);
+  }
+
   /**
    * Ensure the experience is ongoing and the page is at the initial URL; then try to click the "sign out"
    * button (case-insensitive) and close the page.
@@ -97,16 +115,11 @@ export default class ExpectExperience extends ExpectPage {
    * It will clear the ongoing experience if the experience is ended successfully.
    */
   async verifyThenEnd(closePage = true) {
-    /**
-     * Wait for the network to be idle since we need to process the sign-in consent
-     * and handle sign-in success callback, this may take a long time.
-     */
-    await this.page.waitForNetworkIdle();
     if (this.#ongoing === undefined) {
       return this.throwNoOngoingExperienceError();
     }
 
-    this.toMatchUrl(this.#ongoing.initialUrl);
+    await this.waitForUrl(this.#ongoing.initialUrl);
     await this.toClick('div[role=button]', /sign out/i);
 
     this.#ongoing = undefined;
@@ -227,32 +240,40 @@ export default class ExpectExperience extends ExpectPage {
   }
 
   /**
-   * Assert the page is at the sign-in page with the mock social sign-in method.
-   * Click the 'Mock Social' sign in method and visit the mocked 3rd-party social sign-in page and redirect
-   * back with the given user social data.
-   *
-   * @param socialUserData The given user social data.
+   * Optionally click the "Continue with [social name]" button on the page, then process the social
+   * sign-in flow with the given user social data.
    */
   async toProcessSocialSignIn({
     socialUserId,
     socialEmail,
     socialPhone,
+    clickButton = true,
+    authUrl = mockSocialAuthPageUrl,
+    state: stateOverride,
   }: {
     socialUserId: string;
     socialEmail?: string;
     socialPhone?: string;
+    /** Whether to click the "Continue with [social name]" button on the page. */
+    clickButton?: boolean;
+    /** The URL to wait for the social auth page. */
+    authUrl?: string;
+    /** The state parameter to override. */
+    state?: string;
   }) {
     const authPageRequestListener = this.page.waitForRequest((request) =>
-      request.url().startsWith(mockSocialAuthPageUrl)
+      request.url().startsWith(authUrl)
     );
 
-    await this.toClick('button', 'Continue with Mock Social');
+    if (clickButton) {
+      await this.toClick('button', 'Continue with Mock Social');
+    }
 
     const result = await authPageRequestListener;
 
     const { searchParams: authSearchParams } = new URL(result.url());
     const redirectUri = authSearchParams.get('redirect_uri') ?? '';
-    const state = authSearchParams.get('state') ?? '';
+    const state = stateOverride ?? authSearchParams.get('state') ?? '';
 
     // Mock social redirects
     const callbackUrl = new URL(redirectUri);
diff --git a/packages/integration-tests/src/ui-helpers/expect-page.ts b/packages/integration-tests/src/ui-helpers/expect-page.ts
index 2460f871327..94f82794c31 100644
--- a/packages/integration-tests/src/ui-helpers/expect-page.ts
+++ b/packages/integration-tests/src/ui-helpers/expect-page.ts
@@ -53,7 +53,7 @@ export default class ExpectPage {
    * @param shouldNavigate Whether the click should trigger a navigation. Defaults to `true`.
    * @see {@link ExpectPage.toClick}
    */
-  async toClickButton(text: string, shouldNavigate = true) {
+  async toClickButton(text: string | RegExp, shouldNavigate = true) {
     return this.toClick('button', text, shouldNavigate);
   }
 
@@ -136,6 +136,16 @@ export default class ExpectPage {
     return expect(this.page).toMatchElement('*[role=alert]', { text });
   }
 
+  /**
+   * Expect the page to match an element with the given selector and text.
+   *
+   * @alias `expect(this.page).toMatchElement()`
+   * @see {@link jest.Matchers.toMatchElement}
+   */
+  async toMatchElement(...args: Parameters<jest.Matchers<unknown>['toMatchElement']>) {
+    return expect(this.page).toMatchElement(...args);
+  }
+
   /**
    * Expect the page's URL to match the given URL.
    *
diff --git a/packages/integration-tests/src/ui-helpers/index.ts b/packages/integration-tests/src/ui-helpers/index.ts
index d9ee20dc327..e2337658ddd 100644
--- a/packages/integration-tests/src/ui-helpers/index.ts
+++ b/packages/integration-tests/src/ui-helpers/index.ts
@@ -115,7 +115,7 @@ export const expectConfirmModalAndAct = async (
 };
 
 export const expectToClickNavTab = async (page: Page, tab: string) => {
-  await expect(page).toClick('nav div[class$=item] div[class$=link] a', {
+  await expect(page).toClick('nav div[class$=item] div[class*=link] a', {
     text: tab,
   });
 };
@@ -160,6 +160,8 @@ export const setupUsernameAndEmailExperience = async (passwordPolicy?: PartialPa
   await clearConnectorsByTypes([ConnectorType.Email, ConnectorType.Sms]);
   await setEmailConnector();
   await updateSignInExperience({
+    termsOfUseUrl: '',
+    privacyPolicyUrl: '',
     signInMode: SignInMode.SignInAndRegister,
     signUp: {
       identifiers: [SignInIdentifier.Username],
diff --git a/packages/integration-tests/src/utils.ts b/packages/integration-tests/src/utils.ts
index 31c6b884126..d1e3e000158 100644
--- a/packages/integration-tests/src/utils.ts
+++ b/packages/integration-tests/src/utils.ts
@@ -113,6 +113,9 @@ export const cls = <C extends string>(className: C) => `[class*=_${className}]`
  */
 export const dcls = <C extends string>(className: C) => `div${cls(className)}` as const;
 
+/** Build the string for a CSS selector that matches a `<div>` element with `aria-modal=true`. */
+export const dmodal = () => `div[aria-modal=true]` as const;
+
 /**
  * Generate a random test name that starts with `test_` and followed by 4 random characters.
  *
@@ -122,3 +125,5 @@ export const dcls = <C extends string>(className: C) => `div${cls(className)}` a
  * ```
  */
 export const generateTestName = () => `test_${generateStandardId(4)}`;
+
+export const randomString = () => crypto.randomBytes(8).toString('hex');
diff --git a/packages/phrases-experience/CHANGELOG.md b/packages/phrases-experience/CHANGELOG.md
index f069eb30239..c02b6b8b3db 100644
--- a/packages/phrases-experience/CHANGELOG.md
+++ b/packages/phrases-experience/CHANGELOG.md
@@ -1,5 +1,23 @@
 # Change Log
 
+## 1.6.1
+
+### Patch Changes
+
+- abffb9f95: full oidc standard claims support
+
+  We have added support for the remaining [OpenID Connect standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
+
+  Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
+
+  For all newly introduced claims, we store them in the `user.profile` field.
+
+  > ![Note]
+  > Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
+
+- Updated dependencies [abffb9f95]
+  - @logto/core-kit@2.4.0
+
 ## 1.6.0
 
 ### Minor Changes
diff --git a/packages/phrases-experience/package.json b/packages/phrases-experience/package.json
index 8b7e8ddca05..c2b123615e7 100644
--- a/packages/phrases-experience/package.json
+++ b/packages/phrases-experience/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/phrases-experience",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "Logto shared phrases (i18n) for experience.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
@@ -33,7 +33,7 @@
     "url": "https://github.com/logto-io/logto/issues"
   },
   "dependencies": {
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
     "@silverhand/essentials": "^2.9.0"
   },
diff --git a/packages/phrases-experience/src/locales/de/user-scopes.ts b/packages/phrases-experience/src/locales/de/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/de/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/de/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/en/user-scopes.ts b/packages/phrases-experience/src/locales/en/user-scopes.ts
index 6cccc23ef71..4d2483eb4b3 100644
--- a/packages/phrases-experience/src/locales/en/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/en/user-scopes.ts
@@ -1,15 +1,14 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
-    [UserScope.CustomData]: 'Your custom data',
-    [UserScope.Email]: 'Your email address',
-    [UserScope.Phone]: 'Your phone number',
-    [UserScope.Profile]: 'Your name, username and avatar',
-    [UserScope.Roles]: 'Your roles',
-    [UserScope.Identities]: 'Your linked social identities',
-    [UserScope.Organizations]: 'Your organizations info',
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    custom_data: 'Your custom data',
+    email: 'Your email address',
+    phone: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
+    roles: 'Your roles',
+    identities: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/es/user-scopes.ts b/packages/phrases-experience/src/locales/es/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/es/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/es/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/fr/user-scopes.ts b/packages/phrases-experience/src/locales/fr/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/fr/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/fr/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/it/user-scopes.ts b/packages/phrases-experience/src/locales/it/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/it/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/it/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/ja/user-scopes.ts b/packages/phrases-experience/src/locales/ja/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/ja/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/ja/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/ko/user-scopes.ts b/packages/phrases-experience/src/locales/ko/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/ko/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/ko/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/pl-pl/user-scopes.ts b/packages/phrases-experience/src/locales/pl-pl/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/pl-pl/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/pl-pl/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/pt-br/user-scopes.ts b/packages/phrases-experience/src/locales/pt-br/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/pt-br/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/pt-br/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/pt-pt/user-scopes.ts b/packages/phrases-experience/src/locales/pt-pt/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/pt-pt/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/pt-pt/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/ru/user-scopes.ts b/packages/phrases-experience/src/locales/ru/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/ru/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/ru/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/tr-tr/user-scopes.ts b/packages/phrases-experience/src/locales/tr-tr/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/tr-tr/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/tr-tr/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/zh-cn/description.ts b/packages/phrases-experience/src/locales/zh-cn/description.ts
index 16aa4dcf5fa..ba207ad56bb 100644
--- a/packages/phrases-experience/src/locales/zh-cn/description.ts
+++ b/packages/phrases-experience/src/locales/zh-cn/description.ts
@@ -61,26 +61,17 @@ const description = {
   use: '使用',
   single_sign_on_email_form: '输入你的企业电子邮件地址',
   single_sign_on_connectors_list:
-    '你的企业已为电子邮件账户{{email}}启用了单点登录。你可以继续使用以下SSO提供商进行登录。',
+    '你的企业已为电子邮件账户 {{email}} 启用了单点登录。你可以继续使用以下SSO提供商进行登录。',
   single_sign_on_enabled: '该帐户已启用单点登录',
-  /** UNTRANSLATED */
-  authorize_title: 'Authorize {{name}}',
-  /** UNTRANSLATED */
-  request_permission: '{{name}} is requesting access to:',
-  /** UNTRANSLATED */
-  grant_organization_access: 'Grant the organization access:',
-  /** UNTRANSLATED */
-  user_scopes: 'Personal user data',
-  /** UNTRANSLATED */
-  organization_scopes: 'Organization access',
-  /** UNTRANSLATED */
-  authorize_agreement: `By authorize the access, you agree to the {{name}}'s <link></link>.`,
-  /** UNTRANSLATED */
-  not_you: 'Not you?',
-  /** UNTRANSLATED */
-  user_id: 'User ID: {{id}}',
-  /** UNTRANSLATED */
-  redirect_to: 'You will be redirected to {{name}}.',
+  authorize_title: '授权给 {{name}}',
+  request_permission: '{{name}} 需要权限：',
+  grant_organization_access: '授予组织访问权限：',
+  user_scopes: '用户个人信息',
+  organization_scopes: '组织权限',
+  authorize_agreement: `你将同意授权给 {{name}} <link></link>.`,
+  not_you: '不是你本人吗？',
+  user_id: '用户 ID: {{id}}',
+  redirect_to: '你将被重定向到 {{name}}。',
 };
 
 export default Object.freeze(description);
diff --git a/packages/phrases-experience/src/locales/zh-cn/user-scopes.ts b/packages/phrases-experience/src/locales/zh-cn/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/zh-cn/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/zh-cn/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/zh-hk/user-scopes.ts b/packages/phrases-experience/src/locales/zh-hk/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/zh-hk/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/zh-hk/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases-experience/src/locales/zh-tw/user-scopes.ts b/packages/phrases-experience/src/locales/zh-tw/user-scopes.ts
index 3aa9e3a2efa..fb9a014a6e3 100644
--- a/packages/phrases-experience/src/locales/zh-tw/user-scopes.ts
+++ b/packages/phrases-experience/src/locales/zh-tw/user-scopes.ts
@@ -1,23 +1,23 @@
-import { UserScope } from '@logto/core-kit';
-
 const user_scopes = {
   descriptions: {
     /** UNTRANSLATED */
-    [UserScope.CustomData]: 'Your custom data',
+    custom_data: 'Your custom data',
+    /** UNTRANSLATED */
+    email: 'Your email address',
     /** UNTRANSLATED */
-    [UserScope.Email]: 'Your email address',
+    phone: 'Your phone number',
     /** UNTRANSLATED */
-    [UserScope.Phone]: 'Your phone number',
+    profile: 'Your name, username, avatar, and other profile info',
     /** UNTRANSLATED */
-    [UserScope.Profile]: 'Your name, username and avatar',
+    roles: 'Your roles',
     /** UNTRANSLATED */
-    [UserScope.Roles]: 'Your roles',
+    identities: 'Your linked social identities',
     /** UNTRANSLATED */
-    [UserScope.Identities]: 'Your linked social identities',
+    'urn:logto:scope:organizations': 'Your organizations info',
     /** UNTRANSLATED */
-    [UserScope.Organizations]: 'Your organizations info',
+    'urn:logto:scope:organization_roles': 'Your organization roles',
     /** UNTRANSLATED */
-    [UserScope.OrganizationRoles]: 'Your organization roles',
+    address: 'Your address',
   },
 };
 
diff --git a/packages/phrases/CHANGELOG.md b/packages/phrases/CHANGELOG.md
index 65c27ebfa30..3c45d4b5d28 100644
--- a/packages/phrases/CHANGELOG.md
+++ b/packages/phrases/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Change Log
 
+## 1.10.0
+
+### Minor Changes
+
+- 5758f84f5: feat(console): support signing-key rotation
+- cc01acbd0: Create a new user through API with password digest and corresponding algorithm
+
+### Patch Changes
+
+- 746483c49: api resource indicator must be a valid absolute uri
+
+  An invalid indicator will make Console crash without this check.
+
+  Note: We don't mark it as a breaking change as the api behavior has not changed, only adding the check on Console.
+
 ## 1.9.0
 
 ### Minor Changes
diff --git a/packages/phrases/package.json b/packages/phrases/package.json
index 5535ec6bd52..e91e8debcb7 100644
--- a/packages/phrases/package.json
+++ b/packages/phrases/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/phrases",
-  "version": "1.9.0",
+  "version": "1.10.0",
   "description": "Logto shared phrases (i18n).",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/phrases/src/locales/de/errors/index.ts b/packages/phrases/src/locales/de/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/de/errors/index.ts
+++ b/packages/phrases/src/locales/de/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/de/errors/jwt-customizer.ts b/packages/phrases/src/locales/de/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/de/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/de/errors/user.ts b/packages/phrases/src/locales/de/errors/user.ts
index 34f4b6dface..e43dd16ca02 100644
--- a/packages/phrases/src/locales/de/errors/user.ts
+++ b/packages/phrases/src/locales/de/errors/user.ts
@@ -37,6 +37,10 @@ const user = {
   missing_mfa: 'Sie müssen zusätzliches MFA verbinden, bevor Sie sich anmelden können.',
   totp_already_in_use: 'TOTP wird bereits verwendet.',
   backup_code_already_in_use: 'Backup-Code wird bereits verwendet.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/de/translation/admin-console/api-resource-details.ts
index be4c9171835..e9eaab59cb6 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API Ressourcendetails',
   back_to_api_resources: 'Zurück zu API Ressourcen',
-  settings_tab: 'Einstellungen',
+  general_tab: 'Allgemein',
   permissions_tab: 'Berechtigungen',
   settings: 'Einstellungen',
   settings_description:
diff --git a/packages/phrases/src/locales/de/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/de/translation/admin-console/api-resources.ts
index b7f20a5f140..7999e5ced9f 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Pro Mandant kann nur eine Standard-API festgelegt werden. Wenn eine Standard-API festgelegt ist, kann der Ressourcenparameter in der Authentifizierungsanfrage weggelassen werden. Folgende Token-Austauschvorgänge verwenden standardmäßig die API als Publikum, was zur Ausgabe von JWTs führt. <a>Erfahren Sie mehr</a>',
   api_resource_created: 'Die API-Ressource {{name}} wurde erfolgreich erstellt',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/general.ts b/packages/phrases/src/locales/de/translation/admin-console/general.ts
index cc01814ed42..6a3e528dcb1 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Anpassen',
   enable: 'Aktivieren',
   reminder: 'Erinnerung',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Löschen',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: 'Bearbeite {{field}}',
   delete_field: 'Lösche {{field}}',
   coming_soon: 'Demnächst verfügbar',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/index.ts b/packages/phrases/src/locales/de/translation/admin-console/index.ts
index 7966b16f424..89eb78963d5 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/invitation.ts b/packages/phrases/src/locales/de/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/de/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/de/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..9b3efadeb65
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Organisationsrollendetails',
+  back_to_org_roles: 'Zurück zu den Org-Rollen',
+  org_role: 'Org-Rolle',
+  delete_confirm:
+    'Dadurch werden die mit dieser Rolle verbundenen Berechtigungen von den betroffenen Benutzern entfernt und die Beziehungen zwischen Organisationsrollen, Mitgliedern in der Organisation und Organisationsberechtigungen gelöscht.',
+  deleted: 'Organisationsrolle {{name}} wurde erfolgreich gelöscht.',
+  permissions: {
+    tab: 'Berechtigungen',
+    name_column: 'Berechtigung',
+    description_column: 'Beschreibung',
+    type_column: 'Berechtigungstyp',
+    type: {
+      api: 'API-Berechtigung',
+      org: 'Org-Berechtigung',
+    },
+    assign_permissions: 'Berechtigungen zuweisen',
+    remove_permission: 'Berechtigung entfernen',
+    remove_confirmation:
+      'Wenn diese Berechtigung entfernt wird, verliert der Benutzer mit dieser Organisationsrolle den Zugriff, der durch diese Berechtigung gewährt wurde.',
+    removed: 'Die Berechtigung {{name}} wurde erfolgreich aus dieser Organisationsrolle entfernt',
+  },
+  general: {
+    tab: 'Allgemein',
+    settings: 'Einstellungen',
+    description:
+      'Die Organisationsrolle ist eine Gruppierung von Berechtigungen, die Benutzern zugewiesen werden können. Die Berechtigungen müssen aus den vordefinierten Organisationsberechtigungen stammen.',
+    name_field: 'Name',
+    description_field: 'Beschreibung',
+    description_field_placeholder: 'Benutzer mit nur Leseberechtigungen',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/de/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..86151003bda
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Organisationsvorlage',
+  subtitle:
+    'In Multi-Tenant-SaaS-Anwendungen ist es üblich, dass mehrere Organisationen identische Zugriffskontrollrichtlinien teilen, einschließlich Berechtigungen und Rollen. In Logto wird dieses Konzept als "Organisationsvorlage" bezeichnet. Ihre Verwendung vereinfacht den Prozess des Aufbaus und Entwurfs Ihres Autorisierungsmodells.',
+  roles: {
+    tab_name: 'Org Rollen',
+    search_placeholder: 'Nach Rollennamen suchen',
+    create_title: 'Org Rolle erstellen',
+    role_column: 'Org Rolle',
+    permissions_column: 'Berechtigungen',
+    placeholder_title: 'Organisationsrolle',
+    placeholder_description:
+      'Eine Organisationsrolle ist eine Gruppierung von Berechtigungen, die Benutzern zugewiesen werden können. Die Berechtigungen müssen aus den vordefinierten Organisationsberechtigungen stammen.',
+    create_modal: {
+      title: 'Rolle der Organisation erstellen',
+      create: 'Rolle erstellen',
+      name_field: 'Rollenname',
+      description_field: 'Beschreibung',
+      created: 'Die Organisationsrolle {{name}} wurde erfolgreich erstellt.',
+    },
+  },
+  permissions: {
+    tab_name: 'Org Berechtigungen',
+    search_placeholder: 'Nach Berechtigungsnamen suchen',
+    create_org_permission: 'Org Berechtigung erstellen',
+    permission_column: 'Berechtigung',
+    description_column: 'Beschreibung',
+    placeholder_title: 'Organisationsberechtigung',
+    placeholder_description:
+      'Organisationsberechtigung bezieht sich auf die Autorisierung, auf eine Ressource im Kontext der Organisation zuzugreifen.',
+    delete_confirm:
+      'Wenn diese Berechtigung gelöscht wird, verlieren alle Organisationsrollen, die diese Berechtigung beinhalten, diese Berechtigung und Benutzer, die diese Berechtigung hatten, verlieren den Zugang, der durch sie gewährt wurde.',
+    create_title: 'Erstellen von Organisationsberechtigungen',
+    edit_title: 'Bearbeiten von Organisationsberechtigungen',
+    permission_field_name: 'Berechtigungsname',
+    description_field_name: 'Beschreibung',
+    description_field_placeholder: 'Terminhistorie lesen',
+    create_permission: 'Berechtigung erstellen',
+    created: 'Die Organisationsberechtigung {{name}} wurde erfolgreich erstellt.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/permissions.ts b/packages/phrases/src/locales/de/translation/admin-console/permissions.ts
index 0c29a7bdbd0..255205e258a 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Berechtigung',
   placeholder_description:
     'Berechtigung bezieht sich auf die Autorisierung zum Zugriff auf eine Ressource (wir nennen sie API-Ressource).',
+  edit: 'Bearbeitungsberechtigung',
+  delete: 'Löschberechtigung',
+  remove: 'Entfernungsberechtigung',
+  updated: 'Berechtigung aktualisiert.',
+  edit_title: 'API-Berechtigung bearbeiten',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/de/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..b1e6a3306a0
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/signing-keys.ts
@@ -0,0 +1,44 @@
+const signing_keys = {
+  title: 'Signierschlüssel',
+  description:
+    'Verwalten Sie sicher die Signierschlüssel, die von Ihren Anwendungen verwendet werden.',
+  private_key: 'OIDC-Privatschlüssel',
+  private_keys_description: 'OIDC-Privatschlüssel werden zum Signieren von JWT-Token verwendet.',
+  cookie_key: 'OIDC-Cookieschlüssel',
+  cookie_keys_description: 'OIDC-Cookieschlüssel werden zum Signieren von Cookies verwendet.',
+  private_keys_in_use: 'Verwendete private Schlüssel',
+  cookie_keys_in_use: 'Verwendete Cookie-Schlüssel',
+  rotate_private_keys: 'Private Schlüssel rotieren',
+  rotate_cookie_keys: 'Cookie-Schlüssel rotieren',
+  rotate_private_keys_description:
+    'Diese Aktion erstellt einen neuen privaten Signierungsschlüssel, rotiert den aktuellen Schlüssel und entfernt Ihren vorherigen Schlüssel. Ihre JWT-Token, die mit dem aktuellen Schlüssel signiert sind, bleiben gültig, bis sie gelöscht oder erneut rotiert werden.',
+  rotate_cookie_keys_description:
+    'Diese Aktion erstellt einen neuen Cookie-Schlüssel, rotiert den aktuellen Schlüssel und entfernt Ihren vorherigen Schlüssel. Ihre Cookies mit dem aktuellen Schlüssel bleiben gültig, bis sie gelöscht oder erneut rotiert werden.',
+  select_private_key_algorithm: 'Signierungsalgorithmus für den neuen privaten Schlüssel auswählen',
+  rotate_button: 'Rotieren',
+  table_column: {
+    id: 'ID',
+    status: 'Status',
+    algorithm: 'Signierungsschlüssel Algorithmus',
+  },
+  status: {
+    current: 'Aktuell',
+    previous: 'Vorherige',
+  },
+  reminder: {
+    rotate_private_key:
+      'Sind Sie sicher, dass Sie die <strong>OIDC-Private Keys</strong> rotieren möchten? Neue ausgestellte JWT-Token werden vom neuen Schlüssel signiert. Bestehende JWT-Token bleiben gültig, bis Sie sie erneut rotieren.',
+    rotate_cookie_key:
+      'Sind Sie sicher, dass Sie die <strong>OIDC-Cookie-Keys</strong> rotieren möchten? Neue Cookies, die in Anmelde-Sitzungen generiert werden, werden mit dem neuen Cookie-Schlüssel signiert. Bestehende Cookies bleiben gültig, bis Sie sie erneut rotieren.',
+    delete_private_key:
+      'Sind Sie sicher, dass Sie den <strong>OIDC-Privaten Schlüssel</strong> löschen möchten? Bestehende JWT-Token, die mit diesem privaten Signierungsschlüssel signiert wurden, sind nicht mehr gültig.',
+    delete_cookie_key:
+      'Sind Sie sicher, dass Sie den <strong>OIDC-Cookie-Schlüssel</strong> löschen möchten? Ältere Anmelde-Sitzungen mit Cookies, die mit diesem Cookie-Schlüssel signiert wurden, sind nicht mehr gültig. Eine erneute Authentifizierung ist für diese Benutzer erforderlich.',
+  },
+  messages: {
+    rotate_key_success: 'Signierungsschlüssel erfolgreich rotieren.',
+    delete_key_success: 'Schlüssel erfolgreich gelöscht.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-item.ts
index ebd9f56a379..833515876f5 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'Enterprise SSO',
     not_eligible: 'Entferne dein Enterprise SSO',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-table.ts
index 214e01568d8..867357a6b11 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Maschine-zu-Maschine Rollen',
     scopes_per_role: 'Berechtigungen pro Rolle',
   },
-  audit_logs: {
-    title: 'Prüfprotokolle',
-    retention: 'Aufbewahrungsdauer',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organisation',
     organizations: 'Organisationen',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2-Bericht',
     hipaa_or_baa_report: 'HIPAA/BAA-Bericht',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Unbegrenzt',
   contact: 'Kontakt',
   monthly_price: '${{value, number}}/Monat',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} pro Monat / je',
   extra_mao_price: 'Dann ${{value, number}} pro MAO',
   per_month: '${{value, number}} pro Monat',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/de/translation/admin-console/tab-sections.ts
index f44a176b464..7128e970b25 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Übersicht',
-  resources: 'Ressourcen',
+  authentication: 'Authentifizierung',
+  authorization: 'Autorisierung',
   users: 'Benutzer',
-  access_control: 'Zugriffskontrolle',
-  help_and_support: 'Hilfe und Support',
+  developer: 'Entwickler',
   tenant: 'Mieter',
-  automation: 'Automatisierung',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/tabs.ts b/packages/phrases/src/locales/de/translation/admin-console/tabs.ts
index d350a5fcaaf..6924fbc0dbd 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Dokumentation',
   tenant_settings: 'Einstellungen',
   mfa: 'Multi-Faktor-Authentifizierung',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Signierschlüssel',
+  organization_template: 'Organisationstemplate',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/de/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/de/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/tenants.ts b/packages/phrases/src/locales/de/translation/admin-console/tenants.ts
index 3a190e53fde..5c2da909749 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Effizientes Verwalten von Mandanteneinstellungen und Anpassen Ihrer Domain.',
   tabs: {
     settings: 'Einstellungen',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domänen',
     subscription: 'Plan und Abrechnung',
     billing_history: 'Abrechnungshistorie',
@@ -36,6 +38,17 @@ const tenants = {
       'Das Löschen des Mandanten führt zur dauerhaften Entfernung aller zugehörigen Benutzerdaten und Konfigurationen. Bitte gehen Sie vorsichtig vor.',
     tenant_deletion_button: 'Mieter löschen',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Mieter erstellen',
     subtitle:
@@ -75,6 +88,12 @@ const tenants = {
     cannot_delete_description:
       'Entschuldigung, Sie können diesen Mandanten momentan nicht löschen. Stellen Sie sicher, dass Sie sich im kostenlosen Tarif befinden und alle ausstehenden Rechnungen bezahlt haben.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Du hast noch keinen Mandanten erstellt',
     description:
@@ -93,48 +112,6 @@ const tenants = {
     description_2:
       'Wenn Sie weitere Informationen wünschen, Bedenken haben oder die volle Funktionalität wiederherstellen und Ihre Mieter entsperren möchten, zögern Sie nicht, uns umgehend zu kontaktieren.',
   },
-  signing_keys: {
-    title: 'SIGNIERUNGSSCHLÜSSEL',
-    description: 'Sicherer Umgang mit Signierungsschlüsseln in Ihrem Mandanten.',
-    type: {
-      private_key: 'OIDC-Private Keys',
-      cookie_key: 'OIDC-Cookie-Keys',
-    },
-    private_keys_in_use: 'Verwendete private Schlüssel',
-    cookie_keys_in_use: 'Verwendete Cookie-Schlüssel',
-    rotate_private_keys: 'Private Schlüssel rotieren',
-    rotate_cookie_keys: 'Cookie-Schlüssel rotieren',
-    rotate_private_keys_description:
-      'Diese Aktion erstellt einen neuen privaten Signierungsschlüssel, rotiert den aktuellen Schlüssel und entfernt Ihren vorherigen Schlüssel. Ihre JWT-Token, die mit dem aktuellen Schlüssel signiert sind, bleiben gültig, bis sie gelöscht oder erneut rotiert werden.',
-    rotate_cookie_keys_description:
-      'Diese Aktion erstellt einen neuen Cookie-Schlüssel, rotiert den aktuellen Schlüssel und entfernt Ihren vorherigen Schlüssel. Ihre Cookies mit dem aktuellen Schlüssel bleiben gültig, bis sie gelöscht oder erneut rotiert werden.',
-    select_private_key_algorithm:
-      'Signierungsalgorithmus für den neuen privaten Schlüssel auswählen',
-    rotate_button: 'Rotieren',
-    table_column: {
-      id: 'ID',
-      status: 'Status',
-      algorithm: 'Signierungsschlüssel Algorithmus',
-    },
-    status: {
-      current: 'Aktuell',
-      previous: 'Vorherige',
-    },
-    reminder: {
-      rotate_private_key:
-        'Sind Sie sicher, dass Sie die <strong>OIDC-Private Keys</strong> rotieren möchten? Neue ausgestellte JWT-Token werden vom neuen Schlüssel signiert. Bestehende JWT-Token bleiben gültig, bis Sie sie erneut rotieren.',
-      rotate_cookie_key:
-        'Sind Sie sicher, dass Sie die <strong>OIDC-Cookie-Keys</strong> rotieren möchten? Neue Cookies, die in Anmelde-Sitzungen generiert werden, werden mit dem neuen Cookie-Schlüssel signiert. Bestehende Cookies bleiben gültig, bis Sie sie erneut rotieren.',
-      delete_private_key:
-        'Sind Sie sicher, dass Sie den <strong>OIDC-Privaten Schlüssel</strong> löschen möchten? Bestehende JWT-Token, die mit diesem privaten Signierungsschlüssel signiert wurden, sind nicht mehr gültig.',
-      delete_cookie_key:
-        'Sind Sie sicher, dass Sie den <strong>OIDC-Cookie-Schlüssel</strong> löschen möchten? Ältere Anmelde-Sitzungen mit Cookies, die mit diesem Cookie-Schlüssel signiert wurden, sind nicht mehr gültig. Eine erneute Authentifizierung ist für diese Benutzer erforderlich.',
-    },
-    messages: {
-      rotate_key_success: 'Signierungsschlüssel erfolgreich rotieren.',
-      delete_key_success: 'Schlüssel erfolgreich gelöscht.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/de/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/de/translation/admin-console/upsell/index.ts
index 18e4a2970cc..ecc7f650b48 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API-Ressource',
     machine_to_machine: 'Machine-to-Machine-Anwendung',
     tokens: '{{limit}}M Tokens',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Sie haben Ihr {{item}}-Quotenlimit überschritten. Logto wird Gebühren für die Nutzung über Ihr Quotenlimit hinaus hinzufügen. Die Abrechnung beginnt am Tag der Veröffentlichung des neuen Add-On-Preisdesigns. <a>Mehr erfahren</a>',
diff --git a/packages/phrases/src/locales/de/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/de/translation/admin-console/upsell/paywall.ts
index b07b093563b..6f863de2643 100644
--- a/packages/phrases/src/locales/de/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/de/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/en/errors/index.ts b/packages/phrases/src/locales/en/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/en/errors/index.ts
+++ b/packages/phrases/src/locales/en/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/en/errors/jwt-customizer.ts b/packages/phrases/src/locales/en/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..7f6421a63a9
--- /dev/null
+++ b/packages/phrases/src/locales/en/errors/jwt-customizer.ts
@@ -0,0 +1,6 @@
+const jwt_customizer = {
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/en/errors/user.ts b/packages/phrases/src/locales/en/errors/user.ts
index b935bd592a1..cff11815bdc 100644
--- a/packages/phrases/src/locales/en/errors/user.ts
+++ b/packages/phrases/src/locales/en/errors/user.ts
@@ -32,6 +32,8 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  password_algorithm_required: 'Password algorithm is required.',
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/en/translation/admin-console/api-resource-details.ts
index 6073e8b11f2..294d19d3982 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API resource details',
   back_to_api_resources: 'Back to API resources',
-  settings_tab: 'Settings',
+  general_tab: 'General',
   permissions_tab: 'Permissions',
   settings: 'Settings',
   settings_description:
diff --git a/packages/phrases/src/locales/en/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/en/translation/admin-console/api-resources.ts
index 301b7bd9f43..7a3388a31d7 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/api-resources.ts
@@ -13,6 +13,7 @@ const api_resources = {
   default_api_label:
     'Only zero or one default API can be set per tenant.\nWhen a default API is designated, the resource parameter can be omitted in the auth request. Subsequent token exchanges will use that API as the audience by default, resulting in the issuance of JWTs. <a>Learn more</a>',
   api_resource_created: 'The API resource {{name}} has been successfully created',
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/general.ts b/packages/phrases/src/locales/en/translation/admin-console/general.ts
index 4acd5335406..1b5cc476588 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/general.ts
@@ -25,6 +25,7 @@ const general = {
   customize: 'Customize',
   enable: 'Enable',
   reminder: 'Reminder',
+  edit: 'Edit',
   delete: 'Delete',
   deleted: 'Deleted',
   more_options: 'MORE OPTIONS',
@@ -67,6 +68,7 @@ const general = {
   edit_field: 'Edit {{field}}',
   delete_field: 'Delete {{field}}',
   coming_soon: 'Coming soon',
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/index.ts b/packages/phrases/src/locales/en/translation/admin-console/index.ts
index f2b18bef7ea..d85910d398e 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/invitation.ts b/packages/phrases/src/locales/en/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..91eaa2d6e19
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/invitation.ts
@@ -0,0 +1,14 @@
+const invitation = {
+  find_your_tenants: 'Find your tenants',
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  create_new_tenant: 'Create a new tenant',
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  switch_account: 'Sign in to another account',
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/en/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..645c4c14eb1
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,61 @@
+const jwt_claims = {
+  title: 'Custom JWT',
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    card_title: 'For user',
+    card_field: 'User access token',
+    card_description: 'Add user-specific data during access token issuance.',
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    card_title: 'For M2M',
+    card_field: 'Machine-to-machine token',
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    for: 'for M2M',
+  },
+  code_editor_title: 'Customize the {{token}} claims',
+  custom_jwt_create_button: 'Add custom claims',
+  custom_jwt_item: 'Custom claims {{for}}',
+  delete_modal_title: 'Delete custom claims',
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  clear: 'Clear',
+  cleared: 'Cleared',
+  restore: 'Restore defaults',
+  restored: 'Restored',
+  data_source_tab: 'Data source',
+  test_tab: 'Test context',
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    title: 'User data',
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    title: 'Token data',
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    title: 'Fetch external data',
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    title: 'Set environment variables',
+    subtitle: 'Use environment variables to store sensitive information.',
+    input_field_title: 'Add environment variables',
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    subtitle: 'Adjust mock token and user data for testing.',
+    run_button: 'Run test',
+    result_title: 'Test result',
+  },
+  form_error: {
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/en/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..ce8357bf648
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Organization role details',
+  back_to_org_roles: 'Back to org roles',
+  org_role: 'Organization role',
+  delete_confirm:
+    'Doing so will remove the permissions associated with this role from the affected users and delete the relations among organization roles, members in the organization, and organization permissions.',
+  deleted: 'Org role {{name}} was successfully deleted.',
+  permissions: {
+    tab: 'Permissions',
+    name_column: 'Permission',
+    description_column: 'Description',
+    type_column: 'Permission type',
+    type: {
+      api: 'API permission',
+      org: 'Org permission',
+    },
+    assign_permissions: 'Assign permissions',
+    remove_permission: 'Remove permission',
+    remove_confirmation:
+      'If this permission is removed, the user with this organization role will lose the access granted by this permission.',
+    removed: 'The permission {{name}} was successfully removed from this organization role',
+  },
+  general: {
+    tab: 'General',
+    settings: 'Settings',
+    description:
+      'Organization role is a grouping of permissions that can be assigned to users. The permissions must come from the predefined organization permissions.',
+    name_field: 'Name',
+    description_field: 'Description',
+    description_field_placeholder: 'Users with view-only permissions',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/en/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..28ebf7667d5
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Organization template',
+  subtitle:
+    'In multi-tenant SaaS applications, it\'s common for multiple organizations to share identical access control policies, including permissions and roles. In Logto, this concept is termed "organization template." Using it streamlines the process of constructing and designing your authorization model.',
+  roles: {
+    tab_name: 'Organization roles',
+    search_placeholder: 'Search by role name',
+    create_title: 'Create organization role',
+    role_column: 'Organization role',
+    permissions_column: 'Permissions',
+    placeholder_title: 'Organization role',
+    placeholder_description:
+      'Organization role is a grouping of permissions that can be assigned to users. The permissions must come from the predefined organization permissions.',
+    create_modal: {
+      title: 'Create organization role',
+      create: 'Create role',
+      name_field: 'Role name',
+      description_field: 'Description',
+      created: 'Organization role {{name}} has been successfully created.',
+    },
+  },
+  permissions: {
+    tab_name: 'Organization permissions',
+    search_placeholder: 'Search by permission name',
+    create_org_permission: 'Create organization permission',
+    permission_column: 'Permission',
+    description_column: 'Description',
+    placeholder_title: 'Organization permission',
+    placeholder_description:
+      'Organization permission refers to the authorization to access a resource in the context of organization.',
+    delete_confirm:
+      'If this permission is deleted, all organization roles including this permission will lose this permission, and users who had this permission will lose the access granted by it.',
+    create_title: 'Create organization permission',
+    edit_title: 'Edit organization permission',
+    permission_field_name: 'Permission name',
+    description_field_name: 'Description',
+    description_field_placeholder: 'Read appointment history',
+    create_permission: 'Create permission',
+    created: 'The organization permission {{name}} has been successfully created.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/permissions.ts b/packages/phrases/src/locales/en/translation/admin-console/permissions.ts
index 6b83434be8e..0345c1ef529 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permission',
   placeholder_description:
     'Permission refers to the authorization to access a resource (we call it API resource).',
+  edit: 'Edit permission',
+  delete: 'Delete permission',
+  remove: 'Remove permission',
+  updated: 'Permission updated.',
+  edit_title: 'Edit API permission',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/en/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..8c4c0e7755d
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Signing keys',
+  description: 'Securely manage signing keys used by your applications.',
+  private_key: 'OIDC private keys',
+  private_keys_description: 'OIDC private keys are used for signing JWT tokens.',
+  cookie_key: 'OIDC cookie keys',
+  cookie_keys_description: 'OIDC cookie keys are used for signing cookies.',
+  private_keys_in_use: 'Private keys in use',
+  cookie_keys_in_use: 'Cookie keys in use',
+  rotate_private_keys: 'Rotate private keys',
+  rotate_cookie_keys: 'Rotate cookie keys',
+  rotate_private_keys_description:
+    'This action will create a new private signing key, rotate the current key, and remove your previous key. Your JWT tokens signed with the current key will remain valid until deletion or another round of rotation.',
+  rotate_cookie_keys_description:
+    'This action will create a new cookie key, rotate the current key, and remove your previous key. Your cookies with the current key will remain valid until deletion or another round of rotation.',
+  select_private_key_algorithm: 'Select signing key algorithm for the new private key',
+  rotate_button: 'Rotate',
+  table_column: {
+    id: 'ID',
+    status: 'Status',
+    algorithm: 'Signing key algorithm',
+  },
+  status: {
+    current: 'Current',
+    previous: 'Previous',
+  },
+  reminder: {
+    rotate_private_key:
+      'Are you sure you want to rotate the <strong>OIDC private keys</strong>? New issued JWT tokens will be signed by the new key. Existing JWT tokens stay valid until you rotate again.',
+    rotate_cookie_key:
+      'Are you sure you want to rotate the <strong>OIDC cookie keys</strong>? New cookies generated in sign-in sessions will be signed by the new cookie key. Existing cookies stay valid until you rotate again.',
+    delete_private_key:
+      'Are you sure you want to delete the <strong>OIDC private key</strong>? Existing JWT tokens signed with this private signing key will no longer be valid.',
+    delete_cookie_key:
+      'Are you sure you want to delete the <strong>OIDC cookie key</strong>? Older sign-in sessions with cookies signed with this cookie key will no longer be valid. A re-authentication is required for these users.',
+  },
+  messages: {
+    rotate_key_success: 'Signing keys rotated successfully.',
+    delete_key_success: 'Key deleted successfully.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-item.ts
index fdb8ec8f99b..2fd1f908d41 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-item.ts
@@ -146,6 +146,13 @@ const quota_item = {
     unlimited: 'Enterprise SSO',
     not_eligible: 'Remove your Enterprise SSO',
   },
+  tenant_members_limit: {
+    name: 'Tenant members',
+    limited: '{{count, number}} tenant member',
+    limited_other: '{{count, number}} tenant members',
+    unlimited: 'Unlimited tenant members',
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-table.ts
index afb3d61172e..b82cd4d05ac 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/subscription/quota-table.ts
@@ -45,14 +45,6 @@ const quota_table = {
     machine_to_machine_roles: 'Machine-to-machine roles',
     scopes_per_role: 'Permissions per role',
   },
-  audit_logs: {
-    title: 'Audit logs',
-    retention: 'Retention',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organizations',
     organizations: 'Organizations',
@@ -72,6 +64,13 @@ const quota_table = {
     soc2_report: 'SOC2 report',
     hipaa_or_baa_report: 'HIPAA/BAA report',
   },
+  developers_and_platform: {
+    title: 'Developers and platform',
+    hooks: 'Webhooks',
+    audit_logs_retention: 'Audit logs retention',
+    jwt_claims: 'JWT claims',
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Unlimited',
   contact: 'Contact',
   monthly_price: '${{value, number}}/mo',
@@ -100,6 +99,7 @@ const quota_table = {
   per_month_each: '${{value, number}} per mo / ea',
   extra_mao_price: 'Then ${{value, number}} per MAO',
   per_month: '${{value, number}} per mo',
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/en/translation/admin-console/tab-sections.ts
index f5363d76ba9..2c4017dcea7 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Overview',
-  resources: 'Resources',
+  authentication: 'Authentication',
+  authorization: 'Authorization',
   users: 'Users',
-  access_control: 'Access Control',
-  help_and_support: 'Help and Support',
+  developer: 'Developer',
   tenant: 'Tenant',
-  automation: 'Automation',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/tabs.ts b/packages/phrases/src/locales/en/translation/admin-console/tabs.ts
index 81806f70d45..0000f788c11 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/tabs.ts
@@ -14,6 +14,9 @@ const tabs = {
   docs: 'Docs',
   tenant_settings: 'Settings',
   mfa: 'Multi-factor auth',
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Signing keys',
+  organization_template: 'Organization template',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/en/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..b5c7137ade9
--- /dev/null
+++ b/packages/phrases/src/locales/en/translation/admin-console/tenant-members.ts
@@ -0,0 +1,62 @@
+const tenant_members = {
+  members: 'Members',
+  invitations: 'Invitations',
+  invite_members: 'Invite members',
+  user: 'User',
+  roles: 'Roles',
+  admin: 'Admin',
+  collaborator: 'Collaborator',
+  invitation_status: 'Invitation status',
+  inviter: 'Inviter',
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    title: 'Invite people to Silverhand',
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    to: 'To',
+    added_as: 'Added as roles',
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    pending: 'Pending',
+    accepted: 'Accepted',
+    expired: 'Expired',
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    title: 'Invite team members',
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    edit: 'Edit tenant role',
+    delete: 'Remove user from tenant',
+    resend_invite: 'Resend invitation',
+    revoke: 'Revoke invitation',
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    title: 'Change roles of {{name}}',
+  },
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    invitation_sent: 'Invitation sent.',
+    invitation_revoked: 'Invitation revoked.',
+    invitation_resend: 'Invitation resent.',
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    email_required: 'Invitee email is required.',
+    email_exists: 'Email address already exists.',
+    member_exists: 'This user is already a member of this organization.',
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/tenants.ts b/packages/phrases/src/locales/en/translation/admin-console/tenants.ts
index 5c94f503190..f7cddf0618c 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/tenants.ts
@@ -3,6 +3,7 @@ const tenants = {
   description: 'Efficiently manage tenant settings and customize your domain.',
   tabs: {
     settings: 'Settings',
+    members: 'Members',
     domains: 'Domains',
     subscription: 'Plan and billing',
     billing_history: 'Billing history',
@@ -34,6 +35,13 @@ const tenants = {
       'Deleting the tenant will result in the permanent removal of all associated user data and configuration. Please proceed with caution.',
     tenant_deletion_button: 'Delete tenant',
   },
+  leave_tenant_card: {
+    title: 'LEAVE',
+    leave_tenant: 'Leave tenant',
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Create tenant',
     subtitle:
@@ -70,6 +78,10 @@ const tenants = {
     cannot_delete_description:
       "Sorry, you can't delete this tenant right now. Please make sure you're on the Free Plan and have paid all outstanding billings.",
   },
+  leave_tenant_modal: {
+    description: 'Are you sure you want to leave this tenant?',
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: "You haven't created a tenant yet",
     description:
@@ -88,47 +100,6 @@ const tenants = {
     description_2:
       'If you require further clarification, have any concerns, or wish to restore full functionality and unblock your tenants, please do not hesitate to contact us immediately.',
   },
-  signing_keys: {
-    title: 'SIGNING KEYS',
-    description: 'Securely manage signing keys in your tenant.',
-    type: {
-      private_key: 'OIDC private keys',
-      cookie_key: 'OIDC cookie keys',
-    },
-    private_keys_in_use: 'Private keys in use',
-    cookie_keys_in_use: 'Cookie keys in use',
-    rotate_private_keys: 'Rotate private keys',
-    rotate_cookie_keys: 'Rotate cookie keys',
-    rotate_private_keys_description:
-      'This action will create a new private signing key, rotate the current key, and remove your previous key. Your JWT tokens signed with the current key will remain valid until deletion or another round of rotation.',
-    rotate_cookie_keys_description:
-      'This action will create a new cookie key, rotate the current key, and remove your previous key. Your cookies with the current key will remain valid until deletion or another round of rotation.',
-    select_private_key_algorithm: 'Select signing key algorithm for the new private key',
-    rotate_button: 'Rotate',
-    table_column: {
-      id: 'ID',
-      status: 'Status',
-      algorithm: 'Signing key algorithm',
-    },
-    status: {
-      current: 'Current',
-      previous: 'Previous',
-    },
-    reminder: {
-      rotate_private_key:
-        'Are you sure you want to rotate the <strong>OIDC private keys</strong>? New issued JWT tokens will be signed by the new key. Existing JWT tokens stay valid until you rotate again.',
-      rotate_cookie_key:
-        'Are you sure you want to rotate the <strong>OIDC cookie keys</strong>? New cookies generated in sign-in sessions will be signed by the new cookie key. Existing cookies stay valid until you rotate again.',
-      delete_private_key:
-        'Are you sure you want to delete the <strong>OIDC private key</strong>? Existing JWT tokens signed with this private signing key will no longer be valid.',
-      delete_cookie_key:
-        'Are you sure you want to delete the <strong>OIDC cookie key</strong>? Older sign-in sessions with cookies signed with this cookie key will no longer be valid. A re-authentication is required for these users.',
-    },
-    messages: {
-      rotate_key_success: 'Signing keys rotated successfully.',
-      delete_key_success: 'Key deleted successfully.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/en/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/en/translation/admin-console/upsell/index.ts
index b18a2528290..e6b7e63329c 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/upsell/index.ts
@@ -35,6 +35,7 @@ const upsell = {
     api_resource: 'API resource',
     machine_to_machine: 'machine-to-machine application',
     tokens: '{{limit}}M tokens',
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'You have surpassed your {{item}} quota limit. Logto will add charges for the usage beyond your quota limit. Charging will commence on the day the new add-on pricing design is released. <a>Learn more</a>',
diff --git a/packages/phrases/src/locales/en/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/en/translation/admin-console/upsell/paywall.ts
index a77d7afb68e..d476c2d5ccf 100644
--- a/packages/phrases/src/locales/en/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/en/translation/admin-console/upsell/paywall.ts
@@ -54,6 +54,12 @@ const paywall = {
     'Unlock organizations by upgrading to a paid plan. Don’t hesitate to <a>contact us</a> if you need any assistance.',
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/es/errors/index.ts b/packages/phrases/src/locales/es/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/es/errors/index.ts
+++ b/packages/phrases/src/locales/es/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/es/errors/jwt-customizer.ts b/packages/phrases/src/locales/es/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/es/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/es/errors/user.ts b/packages/phrases/src/locales/es/errors/user.ts
index 15a57779174..3bcb5b3af4b 100644
--- a/packages/phrases/src/locales/es/errors/user.ts
+++ b/packages/phrases/src/locales/es/errors/user.ts
@@ -34,6 +34,10 @@ const user = {
   missing_mfa: 'Debes vincular un MFA adicional antes de iniciar sesión.',
   totp_already_in_use: 'TOTP ya está en uso.',
   backup_code_already_in_use: 'El código de respaldo ya está en uso.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/es/translation/admin-console/api-resource-details.ts
index 359ae729fa1..468f7f072cc 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Detalles del recurso de la API',
   back_to_api_resources: 'Volver a los recursos de la API',
-  settings_tab: 'Configuración',
+  general_tab: 'General',
   permissions_tab: 'Permisos',
   settings: 'Configuración',
   settings_description:
diff --git a/packages/phrases/src/locales/es/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/es/translation/admin-console/api-resources.ts
index 08ed74828df..3aad961ac6d 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Sólo se puede establecer cero o una API por defecto por inquilino. Cuando se designa una API por defecto, el parámetro de recurso se puede omitir en la solicitud de autenticación. Las posteriores intercambios de tokens utilizarán esa API como audiencia por defecto, lo que dará lugar a la emisión de JWTs. <a>Obtener más información</a>',
   api_resource_created: 'El recurso de API {{name}} se ha creado correctamente',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/general.ts b/packages/phrases/src/locales/es/translation/admin-console/general.ts
index d419d76dc47..2632917a57d 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Personalizar',
   enable: 'Habilitar',
   reminder: 'Recordatorio',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Eliminar',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: 'Editar {{field}}',
   delete_field: 'Eliminar {{field}}',
   coming_soon: 'Próximamente',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/index.ts b/packages/phrases/src/locales/es/translation/admin-console/index.ts
index ad0720c38dc..872b251bf8f 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/invitation.ts b/packages/phrases/src/locales/es/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/es/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/es/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..7c247cc811f
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Detalles del rol de la organización',
+  back_to_org_roles: 'Volver a roles de la organización',
+  org_role: 'Rol de la organización',
+  delete_confirm:
+    'Al hacerlo, se eliminarán los permisos asociados con este rol de los usuarios afectados y se borrarán las relaciones entre roles de organización, miembros en la organización y permisos de organización.',
+  deleted: 'El rol de la organización {{name}} se eliminó correctamente.',
+  permissions: {
+    tab: 'Permisos',
+    name_column: 'Permiso',
+    description_column: 'Descripción',
+    type_column: 'Tipo de permiso',
+    type: {
+      api: 'Permiso de API',
+      org: 'Permiso de organización',
+    },
+    assign_permissions: 'Asignar permisos',
+    remove_permission: 'Eliminar permiso',
+    remove_confirmation:
+      'Si este permiso se elimina, el usuario con este rol de organización perderá el acceso otorgado por este permiso.',
+    removed: 'El permiso {{name}} se eliminó correctamente de este rol de organización',
+  },
+  general: {
+    tab: 'General',
+    settings: 'Configuración',
+    description:
+      'El rol de la organización es un grupo de permisos que se pueden asignar a los usuarios. Los permisos deben provenir de los permisos de organización predefinidos.',
+    name_field: 'Nombre',
+    description_field: 'Descripción',
+    description_field_placeholder: 'Usuarios con permisos de solo lectura',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/es/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..d9158d8b4e2
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Plantilla de organización',
+  subtitle:
+    'En aplicaciones SaaS multiinquilino, es común que múltiples organizaciones compartan políticas de control de acceso idénticas, incluyendo permisos y roles. En Logto, este concepto se denomina "plantilla de organización". Usarla simplifica el proceso de construir y diseñar tu modelo de autorización.',
+  roles: {
+    tab_name: 'Roles de org',
+    search_placeholder: 'Buscar por nombre de rol',
+    create_title: 'Crear rol de org',
+    role_column: 'Rol de org',
+    permissions_column: 'Permisos',
+    placeholder_title: 'Rol de organización',
+    placeholder_description:
+      'El rol de organización es un agrupamiento de permisos que se pueden asignar a los usuarios. Los permisos deben provenir de los permisos de organización predefinidos.',
+    create_modal: {
+      title: 'Crear rol de organización',
+      create: 'Crear rol',
+      name_field: 'Nombre del rol',
+      description_field: 'Descripción',
+      created: 'El rol de organización {{name}} se ha creado correctamente.',
+    },
+  },
+  permissions: {
+    tab_name: 'Permisos de org',
+    search_placeholder: 'Buscar por nombre de permiso',
+    create_org_permission: 'Crear permiso de org',
+    permission_column: 'Permiso',
+    description_column: 'Descripción',
+    placeholder_title: 'Permiso de organización',
+    placeholder_description:
+      'El permiso de organización se refiere a la autorización para acceder a un recurso en el contexto de la organización.',
+    delete_confirm:
+      'Si se elimina este permiso, todos los roles de organización que incluyan este permiso perderán dicho permiso, y los usuarios que tenían este permiso perderán el acceso concedido por él.',
+    create_title: 'Crear permiso de organización',
+    edit_title: 'Editar permiso de organización',
+    permission_field_name: 'Nombre del permiso',
+    description_field_name: 'Descripción',
+    description_field_placeholder: 'Leer historial de citas',
+    create_permission: 'Crear permiso',
+    created: 'Se ha creado correctamente el permiso de organización {{name}}.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/permissions.ts b/packages/phrases/src/locales/es/translation/admin-console/permissions.ts
index 39418939f6e..b5a34bf646c 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permiso',
   placeholder_description:
     'Permiso se refiere a la autorización para acceder a un recurso (lo llamamos recurso de API).',
+  edit: 'Permiso de edición',
+  delete: 'Permiso de eliminación',
+  remove: 'Permiso de remover',
+  updated: 'Permiso actualizado.',
+  edit_title: 'Editar permiso de API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/es/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..f9529a26e39
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Claves de firma',
+  description: 'Administre de forma segura las claves de firma utilizadas por sus aplicaciones.',
+  private_key: 'Claves privadas OIDC',
+  private_keys_description: 'Las claves privadas OIDC se utilizan para firmar tokens JWT.',
+  cookie_key: 'Claves de cookies OIDC',
+  cookie_keys_description: 'Las claves de cookies OIDC se utilizan para firmar cookies.',
+  private_keys_in_use: 'Claves privadas en uso',
+  cookie_keys_in_use: 'Claves de cookies en uso',
+  rotate_private_keys: 'Rotar claves privadas',
+  rotate_cookie_keys: 'Rotar claves de cookies',
+  rotate_private_keys_description:
+    'Esta acción creará una nueva clave de firma privada, rotará la clave actual y eliminará su clave anterior. Sus tokens JWT firmados con la clave actual seguirán siendo válidos hasta su eliminación o otra rotación.',
+  rotate_cookie_keys_description:
+    'Esta acción creará una nueva clave de cookie, rotará la clave actual y eliminará su clave anterior. Sus cookies con la clave actual seguirán siendo válidos hasta su eliminación o otra rotación.',
+  select_private_key_algorithm: 'Seleccione el algoritmo de firma de la nueva clave privada',
+  rotate_button: 'Rotar',
+  table_column: {
+    id: 'ID',
+    status: 'Estado',
+    algorithm: 'Algoritmo de clave de firma',
+  },
+  status: {
+    current: 'Actual',
+    previous: 'Anterior',
+  },
+  reminder: {
+    rotate_private_key:
+      '¿Estás seguro de que deseas rotar las <strong>claves privadas OIDC</strong>? Los nuevos tokens JWT emitidos serán firmados por la nueva clave. Los tokens JWT existentes seguirán siendo válidos hasta que los vuelvas a rotar.',
+    rotate_cookie_key:
+      '¿Estás seguro de que deseas rotar las <strong>claves de cookies OIDC</strong>? Las nuevas cookies generadas en sesiones de inicio de sesión serán firmadas por la nueva clave de cookie. Las cookies existentes seguirán siendo válidas hasta que las vuelvas a rotar.',
+    delete_private_key:
+      '¿Estás seguro de que deseas eliminar la <strong>clave privada OIDC</strong>? Los tokens JWT existentes firmados con esta clave de firma privada ya no serán válidos.',
+    delete_cookie_key:
+      '¿Estás seguro de que deseas eliminar la <strong>clave de cookies OIDC</strong>? Las sesiones de inicio de sesión antiguas con cookies firmadas con esta clave de cookie ya no serán válidas. Se requiere una reautenticación para estos usuarios.',
+  },
+  messages: {
+    rotate_key_success: 'Claves de firma rotadas con éxito.',
+    delete_key_success: 'Clave eliminada con éxito.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-item.ts
index cd042c6be77..8d34b45c50c 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO empresarial',
     not_eligible: 'Elimine su SSO empresarial',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-table.ts
index 118c08752be..c3210f48e54 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Roles de máquina a máquina',
     scopes_per_role: 'Permisos por rol',
   },
-  audit_logs: {
-    title: 'Registros de auditoría',
-    retention: 'Retención',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organización',
     organizations: 'Organizaciones',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Informe SOC2 (Próximamente)',
     hipaa_or_baa_report: 'Informe HIPAA/BAA (Próximamente)',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Ilimitado',
   contact: 'Contacto',
   monthly_price: '${{value, number}}/mes',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} por mes / cada uno',
   extra_mao_price: 'Luego ${{value, number}} por MAO',
   per_month: '${{value, number}} por mes',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/es/translation/admin-console/tab-sections.ts
index 283d4d3e975..e17740cf1f3 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Visión general',
-  resources: 'Recursos',
+  authentication: 'Autenticación',
+  authorization: 'Autorización',
   users: 'Usuarios',
-  access_control: 'Control de acceso',
-  help_and_support: 'Ayuda y soporte',
+  developer: 'Desarrollador',
   tenant: 'Inquilino',
-  automation: 'Automatización',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/tabs.ts b/packages/phrases/src/locales/es/translation/admin-console/tabs.ts
index f828d521739..cd4218156fa 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Documentos',
   tenant_settings: 'Configuraciones del inquilino',
   mfa: 'Autenticación multifactor',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Claves de firma',
+  organization_template: 'Plantilla de organización',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/es/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/es/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/tenants.ts b/packages/phrases/src/locales/es/translation/admin-console/tenants.ts
index 0393a533739..5216a9cdc0b 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Administre eficientemente la configuración del inquilino y personalice su dominio.',
   tabs: {
     settings: 'Configuraciones',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Dominios',
     subscription: 'Plan y facturación',
     billing_history: 'Historial de facturación',
@@ -36,6 +38,17 @@ const tenants = {
       'Eliminar el inquilino resultará en la eliminación permanente de todos los datos de usuario y configuraciones asociadas. Por favor, proceda con precaución.',
     tenant_deletion_button: 'Eliminar inquilino',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Crear inquilino',
     subtitle:
@@ -74,6 +87,12 @@ const tenants = {
     cannot_delete_description:
       'Lo siento, no puedes eliminar este inquilino en este momento. Asegúrate de estar en el Plan Gratuito y haber pagado todas las facturas pendientes.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Todavía no has creado un inquilino',
     description:
@@ -92,47 +111,6 @@ const tenants = {
     description_2:
       'Si necesita aclaraciones adicionales, tiene alguna inquietud o desea restaurar la funcionalidad completa y desbloquear sus inquilinos, no dude en contactarnos de inmediato.',
   },
-  signing_keys: {
-    title: 'CLAVES DE FIRMA',
-    description: 'Administre de forma segura las claves de firma en su inquilino.',
-    type: {
-      private_key: 'Claves privadas OIDC',
-      cookie_key: 'Claves de cookies OIDC',
-    },
-    private_keys_in_use: 'Claves privadas en uso',
-    cookie_keys_in_use: 'Claves de cookies en uso',
-    rotate_private_keys: 'Rotar claves privadas',
-    rotate_cookie_keys: 'Rotar claves de cookies',
-    rotate_private_keys_description:
-      'Esta acción creará una nueva clave de firma privada, rotará la clave actual y eliminará su clave anterior. Sus tokens JWT firmados con la clave actual seguirán siendo válidos hasta su eliminación o otra rotación.',
-    rotate_cookie_keys_description:
-      'Esta acción creará una nueva clave de cookie, rotará la clave actual y eliminará su clave anterior. Sus cookies con la clave actual seguirán siendo válidos hasta su eliminación o otra rotación.',
-    select_private_key_algorithm: 'Seleccione el algoritmo de firma de la nueva clave privada',
-    rotate_button: 'Rotar',
-    table_column: {
-      id: 'ID',
-      status: 'Estado',
-      algorithm: 'Algoritmo de clave de firma',
-    },
-    status: {
-      current: 'Actual',
-      previous: 'Anterior',
-    },
-    reminder: {
-      rotate_private_key:
-        '¿Estás seguro de que deseas rotar las <strong>claves privadas OIDC</strong>? Los nuevos tokens JWT emitidos serán firmados por la nueva clave. Los tokens JWT existentes seguirán siendo válidos hasta que los vuelvas a rotar.',
-      rotate_cookie_key:
-        '¿Estás seguro de que deseas rotar las <strong>claves de cookies OIDC</strong>? Las nuevas cookies generadas en sesiones de inicio de sesión serán firmadas por la nueva clave de cookie. Las cookies existentes seguirán siendo válidas hasta que las vuelvas a rotar.',
-      delete_private_key:
-        '¿Estás seguro de que deseas eliminar la <strong>clave privada OIDC</strong>? Los tokens JWT existentes firmados con esta clave de firma privada ya no serán válidos.',
-      delete_cookie_key:
-        '¿Estás seguro de que deseas eliminar la <strong>clave de cookies OIDC</strong>? Las sesiones de inicio de sesión antiguas con cookies firmadas con esta clave de cookie ya no serán válidas. Se requiere una reautenticación para estos usuarios.',
-    },
-    messages: {
-      rotate_key_success: 'Claves de firma rotadas con éxito.',
-      delete_key_success: 'Clave eliminada con éxito.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/es/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/es/translation/admin-console/upsell/index.ts
index 78c8c6a870e..aa23183184d 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Recurso de API',
     machine_to_machine: 'aplicación de máquina a máquina',
     tokens: '{{limit}}M tokens',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Has superado tu límite de cuota de {{item}}. Logto agregará cargos por el uso más allá de tu límite de cuota. La facturación comenzará el día en que se lance el nuevo diseño de precios del complemento. <a>Más información</a>',
diff --git a/packages/phrases/src/locales/es/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/es/translation/admin-console/upsell/paywall.ts
index c167df086b9..761d0ecf420 100644
--- a/packages/phrases/src/locales/es/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/es/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/fr/errors/index.ts b/packages/phrases/src/locales/fr/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/fr/errors/index.ts
+++ b/packages/phrases/src/locales/fr/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/fr/errors/jwt-customizer.ts b/packages/phrases/src/locales/fr/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/fr/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/fr/errors/user.ts b/packages/phrases/src/locales/fr/errors/user.ts
index 9959938e4e6..3737a685704 100644
--- a/packages/phrases/src/locales/fr/errors/user.ts
+++ b/packages/phrases/src/locales/fr/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'Vous devez lier un MFA supplémentaire avant de vous connecter.',
   totp_already_in_use: 'TOTP est déjà utilisé.',
   backup_code_already_in_use: 'Le code de sauvegarde est déjà utilisé.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/fr/translation/admin-console/api-resource-details.ts
index 410c17140dc..c433d629e97 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Détails de la ressource API',
   back_to_api_resources: 'Retour aux ressources API',
-  settings_tab: 'Paramètres',
+  general_tab: 'Général',
   permissions_tab: 'Autorisations',
   settings: 'Paramètres',
   settings_description:
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/fr/translation/admin-console/api-resources.ts
index 2574ba40254..cedaf8b9626 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Seulement zéro ou une API par défaut peut être définie par tenant. Lorsqu\'une API par défaut est désignée, le paramètre "resource" peut être omis dans la demande d\'authentification. Les échanges de jetons ultérieurs utiliseront cette API comme public cible par défaut, ce qui entraînera la délivrance de JWT. <a>En savoir plus</a>',
   api_resource_created: 'La ressource API {{name}} a été créée avec succès.',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/general.ts b/packages/phrases/src/locales/fr/translation/admin-console/general.ts
index 66d955cc70c..cdcd1c2cee7 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Personnaliser',
   enable: 'Activer',
   reminder: 'Rappel',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Supprimer',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: 'Modifier {{field}}',
   delete_field: 'Supprimer {{field}}',
   coming_soon: 'Bientôt disponible',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/index.ts b/packages/phrases/src/locales/fr/translation/admin-console/index.ts
index f2b18bef7ea..d85910d398e 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/invitation.ts b/packages/phrases/src/locales/fr/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/fr/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/fr/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..101286ac50f
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: "Détails du rôle de l'organisation",
+  back_to_org_roles: "Retour aux rôles de l'organisation",
+  org_role: "Rôle de l'organisation",
+  delete_confirm:
+    "Cela supprimera les autorisations associées à ce rôle des utilisateurs concernés et supprimera les relations entre les rôles de l'organisation, les membres de l'organisation et les autorisations de l'organisation.",
+  deleted: "Le rôle d'organisation {{name}} a été supprimé avec succès.",
+  permissions: {
+    tab: 'Autorisations',
+    name_column: 'Autorisation',
+    description_column: 'Description',
+    type_column: "Type d'autorisation",
+    type: {
+      api: 'Autorisation API',
+      org: "Autorisation d'organisation",
+    },
+    assign_permissions: 'Attribuer des autorisations',
+    remove_permission: 'Supprimer la permission',
+    remove_confirmation:
+      "Si cette permission est supprimée, l'utilisateur avec ce rôle d'organisation perdra l'accès accordé par cette permission.",
+    removed: "La permission {{name}} a été supprimée avec succès de ce rôle d'organisation",
+  },
+  general: {
+    tab: 'Général',
+    settings: 'Réglages',
+    description:
+      "Le rôle d'organisation est un regroupement de permissions qui peuvent être attribuées aux utilisateurs. Les permissions doivent provenir des permissions d'organisation prédéfinies.",
+    name_field: 'Nom',
+    description_field: 'Description',
+    description_field_placeholder: 'Utenti con permessi di sola visualizzazione',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/fr/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..e539ca194f2
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Modèle d’organisation',
+  subtitle:
+    'Dans les applications SaaS multi-locataires, il est courant que plusieurs organisations partagent des politiques de contrôle d’accès identiques, incluant les permissions et les rôles. Chez Logto, ce concept est désigné par "modèle d’organisation". Son utilisation simplifie le processus de construction et de conception de votre modèle d’autorisation.',
+  roles: {
+    tab_name: 'Rôles org',
+    search_placeholder: 'Rechercher par nom de rôle',
+    create_title: 'Créer un rôle org',
+    role_column: 'Rôle org',
+    permissions_column: 'Permissions',
+    placeholder_title: 'Rôle d’organisation',
+    placeholder_description:
+      'Un rôle d’organisation est un groupement de permissions qui peuvent être attribuées aux utilisateurs. Les permissions doivent provenir des permissions d’organisation prédéfinies.',
+    create_modal: {
+      title: "Créer un rôle d'organisation",
+      create: 'Créer un rôle',
+      name_field: 'Nom du rôle',
+      description_field: 'Description',
+      created: "Le rôle d'organisation {{name}} a été créé avec succès.",
+    },
+  },
+  permissions: {
+    tab_name: 'Permissions org',
+    search_placeholder: 'Rechercher par nom de permission',
+    create_org_permission: 'Créer une permission org',
+    permission_column: 'Permission',
+    description_column: 'Description',
+    placeholder_title: 'Permission d’organisation',
+    placeholder_description:
+      'La permission d’organisation se réfère à l’autorisation d’accéder à une ressource dans le contexte de l’organisation.',
+    delete_confirm:
+      'Si cette permission est supprimée, tous les rôles d’organisation incluant cette permission perdront cette permission, et les utilisateurs qui avaient cette permission perdront l’accès accordé par celle-ci.',
+    create_title: 'Créer une autorisation d’organisation',
+    edit_title: 'Modifier une autorisation d’organisation',
+    permission_field_name: 'Nom de la permission',
+    description_field_name: 'Description',
+    description_field_placeholder: "Lire l'historique des rendez-vous",
+    create_permission: 'Créer une permission',
+    created: "La permission d'organisation {{name}} a été créée avec succès.",
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/permissions.ts b/packages/phrases/src/locales/fr/translation/admin-console/permissions.ts
index 95e9deb703d..ac05b25339c 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permission',
   placeholder_description:
     "La permission fait référence à l'autorisation d'accéder à une ressource (nous l'appelons ressource d'API).",
+  edit: 'Permission de modifier',
+  delete: 'Permission de supprimer',
+  remove: 'Permission de retirer',
+  updated: 'Permission mise à jour.',
+  edit_title: 'Modifier l’autorisation de l’API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/fr/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..dc48b5cb2d3
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/signing-keys.ts
@@ -0,0 +1,44 @@
+const signing_keys = {
+  title: 'Clés de signature',
+  description: 'Gérez de manière sécurisée les clés de signature utilisées par vos applications.',
+  private_key: 'Clés privées OIDC',
+  private_keys_description: 'Les clés privées OIDC sont utilisées pour signer les jetons JWT.',
+  cookie_key: 'Clés de cookies OIDC',
+  cookie_keys_description: 'Les clés de cookies OIDC sont utilisées pour signer les cookies.',
+  private_keys_in_use: "Clés privées en cours d'utilisation",
+  cookie_keys_in_use: "Clés de cookies en cours d'utilisation",
+  rotate_private_keys: 'Faire tourner les clés privées',
+  rotate_cookie_keys: 'Faire tourner les clés de cookies',
+  rotate_private_keys_description:
+    "Cette action créera une nouvelle clé de signature privée, fera tourner la clé actuelle et supprimera votre clé précédente. Vos jetons JWT signés avec la clé actuelle resteront valides jusqu'à leur suppression ou une nouvelle rotation.",
+  rotate_cookie_keys_description:
+    "Cette action créera une nouvelle clé de cookie, fera tourner la clé actuelle et supprimera votre clé précédente. Vos cookies avec la clé actuelle resteront valides jusqu'à leur suppression ou une nouvelle rotation.",
+  select_private_key_algorithm:
+    "Sélectionnez l'algorithme de clé de signature pour la nouvelle clé privée",
+  rotate_button: 'Faire tourner',
+  table_column: {
+    id: 'ID',
+    status: 'Statut',
+    algorithm: 'Algorithme de clé de signature',
+  },
+  status: {
+    current: 'Actuel',
+    previous: 'Précédent',
+  },
+  reminder: {
+    rotate_private_key:
+      "Êtes-vous sûr de vouloir faire tourner les <strong>clés privées OIDC</strong>? Les nouveaux jetons JWT émis seront signés par la nouvelle clé. Les jetons JWT existants resteront valides jusqu'à votre prochaine rotation.",
+    rotate_cookie_key:
+      "Êtes-vous sûr de vouloir faire tourner les <strong>clés de cookies OIDC</strong>? Les nouveaux cookies générés dans les sessions de connexion seront signés par la nouvelle clé de cookie. Les cookies existants resteront valides jusqu'à votre prochaine rotation.",
+    delete_private_key:
+      'Êtes-vous sûr de vouloir supprimer la <strong>clé privée OIDC</strong>? Les jetons JWT existants signés avec cette clé de signature privée ne seront plus valides.',
+    delete_cookie_key:
+      'Êtes-vous sûr de vouloir supprimer la <strong>clé de cookie OIDC</strong>? Les anciennes sessions de connexion avec des cookies signés avec cette clé de cookie ne seront plus valides. Une ré-authentification est requise pour ces utilisateurs.',
+  },
+  messages: {
+    rotate_key_success: 'Rotation des clés de signature effectuée avec succès.',
+    delete_key_success: 'Clé supprimée avec succès.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-item.ts
index 4ad1a291e11..429d5c8e5be 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO Entreprise',
     not_eligible: 'Supprimez votre SSO Entreprise',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-table.ts
index 38631ac6142..954abbde7b5 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Rôles machine-à-machine',
     scopes_per_role: 'Autorisations par rôle',
   },
-  audit_logs: {
-    title: "Journaux d'audit",
-    retention: 'Conservation',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organisation',
     organizations: 'Organisations',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Rapport SOC2',
     hipaa_or_baa_report: 'Rapport HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Illimité',
   contact: 'Contact',
   monthly_price: '${{value, number}}/mois',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} par mois / chacun',
   extra_mao_price: 'Ensuite ${{value, number}} par MAO',
   per_month: '${{value, number}} par mois',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/fr/translation/admin-console/tab-sections.ts
index 7f9b19a1e20..7c425e9566d 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: "Vue d'ensemble",
-  resources: 'Ressources',
+  authentication: 'Authentification',
+  authorization: 'Autorisation',
   users: 'Utilisateurs',
-  access_control: "Contrôle d'accès",
-  help_and_support: 'Aide et support',
+  developer: 'Développeur',
   tenant: 'Locataire',
-  automation: 'Automatisation',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/tabs.ts b/packages/phrases/src/locales/fr/translation/admin-console/tabs.ts
index 03aece5767a..f5934376da4 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Documentation',
   tenant_settings: 'Paramètres du locataire',
   mfa: 'Authentification multi-facteur',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Clés de signature',
+  organization_template: "Modèle d'organisation",
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/fr/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/fr/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/tenants.ts b/packages/phrases/src/locales/fr/translation/admin-console/tenants.ts
index aee9bb80dca..fc87635b858 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Gérez efficacement les paramètres du locataire et personnalisez votre domaine.',
   tabs: {
     settings: 'Paramètres',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domaines',
     subscription: 'Plan et facturation',
     billing_history: 'Historique de facturation',
@@ -36,6 +38,17 @@ const tenants = {
       'La suppression du locataire entraînera la suppression permanente de toutes les données utilisateur et configurations associées. Veuillez procéder avec prudence.',
     tenant_deletion_button: 'Supprimer le locataire',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Créer un locataire',
     subtitle:
@@ -75,6 +88,12 @@ const tenants = {
     cannot_delete_description:
       "Désolé, vous ne pouvez pas supprimer ce locataire pour le moment. Assurez-vous d'être sur le Plan Gratuit et d'avoir payé toutes les factures en cours.",
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: "Vous n'avez pas encore créé de locataire",
     description:
@@ -93,48 +112,6 @@ const tenants = {
     description_2:
       "Si vous avez besoin de clarifications supplémentaires, si vous avez des préoccupations ou si vous souhaitez restaurer la fonctionnalité complète et débloquer vos locataires, n'hésitez pas à nous contacter immédiatement.",
   },
-  signing_keys: {
-    title: 'CLÉS DE SIGNATURE',
-    description: 'Gérez en toute sécurité les clés de signature dans votre locataire.',
-    type: {
-      private_key: 'Clés privées OIDC',
-      cookie_key: 'Clés de cookies OIDC',
-    },
-    private_keys_in_use: "Clés privées en cours d'utilisation",
-    cookie_keys_in_use: "Clés de cookies en cours d'utilisation",
-    rotate_private_keys: 'Faire tourner les clés privées',
-    rotate_cookie_keys: 'Faire tourner les clés de cookies',
-    rotate_private_keys_description:
-      "Cette action créera une nouvelle clé de signature privée, fera tourner la clé actuelle et supprimera votre clé précédente. Vos jetons JWT signés avec la clé actuelle resteront valides jusqu'à leur suppression ou une nouvelle rotation.",
-    rotate_cookie_keys_description:
-      "Cette action créera une nouvelle clé de cookie, fera tourner la clé actuelle et supprimera votre clé précédente. Vos cookies avec la clé actuelle resteront valides jusqu'à leur suppression ou une nouvelle rotation.",
-    select_private_key_algorithm:
-      "Sélectionnez l'algorithme de clé de signature pour la nouvelle clé privée",
-    rotate_button: 'Faire tourner',
-    table_column: {
-      id: 'ID',
-      status: 'Statut',
-      algorithm: 'Algorithme de clé de signature',
-    },
-    status: {
-      current: 'Actuel',
-      previous: 'Précédent',
-    },
-    reminder: {
-      rotate_private_key:
-        "Êtes-vous sûr de vouloir faire tourner les <strong>clés privées OIDC</strong>? Les nouveaux jetons JWT émis seront signés par la nouvelle clé. Les jetons JWT existants resteront valides jusqu'à votre prochaine rotation.",
-      rotate_cookie_key:
-        "Êtes-vous sûr de vouloir faire tourner les <strong>clés de cookies OIDC</strong>? Les nouveaux cookies générés dans les sessions de connexion seront signés par la nouvelle clé de cookie. Les cookies existants resteront valides jusqu'à votre prochaine rotation.",
-      delete_private_key:
-        'Êtes-vous sûr de vouloir supprimer la <strong>clé privée OIDC</strong>? Les jetons JWT existants signés avec cette clé de signature privée ne seront plus valides.',
-      delete_cookie_key:
-        'Êtes-vous sûr de vouloir supprimer la <strong>clé de cookie OIDC</strong>? Les anciennes sessions de connexion avec des cookies signés avec cette clé de cookie ne seront plus valides. Une ré-authentification est requise pour ces utilisateurs.',
-    },
-    messages: {
-      rotate_key_success: 'Rotation des clés de signature effectuée avec succès.',
-      delete_key_success: 'Clé supprimée avec succès.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/fr/translation/admin-console/upsell/index.ts
index 46baa2f1c6b..765cea9c377 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Ressource API',
     machine_to_machine: 'application machine à machine',
     tokens: '{{limit}}M jetons',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     "Vous avez dépassé votre limite de quota {{item}}. Logto ajoutera des frais pour l'utilisation au-delà de votre limite de quota. La facturation commencera le jour de la publication du nouveau design tarifaire de l'extension. <a>En savoir plus</a>",
diff --git a/packages/phrases/src/locales/fr/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/fr/translation/admin-console/upsell/paywall.ts
index 17dcfcf76ec..b3e5e8be4f7 100644
--- a/packages/phrases/src/locales/fr/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/fr/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/it/errors/index.ts b/packages/phrases/src/locales/it/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/it/errors/index.ts
+++ b/packages/phrases/src/locales/it/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/it/errors/jwt-customizer.ts b/packages/phrases/src/locales/it/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/it/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/it/errors/user.ts b/packages/phrases/src/locales/it/errors/user.ts
index 5f5b0f4903b..2184b289e91 100644
--- a/packages/phrases/src/locales/it/errors/user.ts
+++ b/packages/phrases/src/locales/it/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: "Devi legare un'ulteriore MFA prima di accedere.",
   totp_already_in_use: 'TOTP è già in uso.',
   backup_code_already_in_use: 'Il codice di backup è già in uso.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/it/translation/admin-console/api-resource-details.ts
index 29aff823dfb..b8d30ccf480 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Dettagli delle risorse API',
   back_to_api_resources: 'Torna alle risorse API',
-  settings_tab: 'Impostazioni',
+  general_tab: 'Generale',
   permissions_tab: 'Autorizzazioni',
   settings: 'Impostazioni',
   settings_description:
diff --git a/packages/phrases/src/locales/it/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/it/translation/admin-console/api-resources.ts
index 8d29d4c52d7..011dc77344f 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Solo zero o una API predefinita possono essere impostate per tenant. Quando viene designata una API predefinita, il parametro di risorsa può essere omesso nella richiesta di autorizzazione. Gli scambi di token successivi utilizzeranno quell API come destinatario per impostazione predefinita, con conseguente rilascio di JWT. <a>Scopri di più</a>',
   api_resource_created: 'La risorsa API {{name}} è stata creata con successo',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/general.ts b/packages/phrases/src/locales/it/translation/admin-console/general.ts
index a0c7af24fc2..b4715e915b9 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Personalizza',
   enable: 'Abilita',
   reminder: 'Promemoria',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Elimina',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: 'Modifica {{field}}',
   delete_field: 'Elimina {{field}}',
   coming_soon: 'Prossimamente',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/index.ts b/packages/phrases/src/locales/it/translation/admin-console/index.ts
index f2b18bef7ea..d85910d398e 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/invitation.ts b/packages/phrases/src/locales/it/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/it/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/it/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..071914d0845
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: "Dettagli del ruolo dell'organizzazione",
+  back_to_org_roles: "Torna ai ruoli dell'organizzazione",
+  org_role: "Ruolo dell'organizzazione",
+  delete_confirm:
+    "Facendo ciò, verranno rimossi i permessi associati a questo ruolo dagli utenti interessati e verranno eliminati i rapporti tra ruoli organizzativi, membri nell'organizzazione e permessi dell'organizzazione.",
+  deleted: "Il ruolo dell'organizzazione {{name}} è stato eliminato con successo.",
+  permissions: {
+    tab: 'Autorizzazioni',
+    name_column: 'Autorizzazione',
+    description_column: 'Descrizione',
+    type_column: 'Tipo di autorizzazione',
+    type: {
+      api: 'Autorizzazione API',
+      org: 'Autorizzazione organizzazione',
+    },
+    assign_permissions: 'Assegna autorizzazioni',
+    remove_permission: 'Rimuovi permesso',
+    remove_confirmation:
+      "Se questo permesso viene rimosso, l'utente con questo ruolo organizzativo perderà l'accesso concessogli da questo permesso.",
+    removed: 'Il permesso {{name}} è stato rimosso con successo da questo ruolo organizzativo',
+  },
+  general: {
+    tab: 'Generale',
+    settings: 'Impostazioni',
+    description:
+      "Il ruolo dell'organizzazione è un raggruppamento di autorizzazioni che possono essere assegnate agli utenti. Le autorizzazioni devono provenire dalle autorizzazioni predefinite dell'organizzazione.",
+    name_field: 'Nome',
+    description_field: 'Descrizione',
+    description_field_placeholder: 'Utenti con permessi di sola visualizzazione',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/it/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..b1ca9706021
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Modello di organizzazione',
+  subtitle:
+    'Nelle applicazioni SaaS multi-tenant, è comune che più organizzazioni condividano politiche di controllo dell’accesso identiche, incluse autorizzazioni e ruoli. In Logto, questo concetto è denominato "modello di organizzazione". Utilizzarlo semplifica il processo di costruzione e progettazione del tuo modello di autorizzazione.',
+  roles: {
+    tab_name: 'Ruoli org',
+    search_placeholder: 'Cerca per nome del ruolo',
+    create_title: 'Crea ruolo org',
+    role_column: 'Ruolo org',
+    permissions_column: 'Permessi',
+    placeholder_title: 'Ruolo di organizzazione',
+    placeholder_description:
+      'Il ruolo di organizzazione è un raggruppamento di permessi che possono essere assegnati agli utenti. I permessi devono provenire dai permessi di organizzazione predefiniti.',
+    create_modal: {
+      title: "Crea ruolo dell'organizzazione",
+      create: 'Crea ruolo',
+      name_field: 'Nome del ruolo',
+      description_field: 'Descrizione',
+      created: "Il ruolo dell'organizzazione {{name}} è stato creato con successo.",
+    },
+  },
+  permissions: {
+    tab_name: 'Permessi org',
+    search_placeholder: 'Cerca per nome del permesso',
+    create_org_permission: 'Crea permesso org',
+    permission_column: 'Permesso',
+    description_column: 'Descrizione',
+    placeholder_title: 'Permesso di organizzazione',
+    placeholder_description:
+      'Il permesso di organizzazione si riferisce all’autorizzazione ad accedere a una risorsa nel contesto dell’organizzazione.',
+    delete_confirm:
+      'Se questo permesso viene eliminato, tutti i ruoli di organizzazione che includono questo permesso perderanno tale permesso, e gli utenti che avevano questo permesso perderanno l’accesso concesso da esso.',
+    create_title: 'Crea permesso di organizzazione',
+    edit_title: 'Modifica permesso di organizzazione',
+    permission_field_name: 'Nome del permesso',
+    description_field_name: 'Descrizione',
+    description_field_placeholder: 'Leggi la cronologia degli appuntamenti',
+    create_permission: 'Crea permesso',
+    created: 'Permesso creato con successo',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/permissions.ts b/packages/phrases/src/locales/it/translation/admin-console/permissions.ts
index faa8b6f54f3..aa969d3a8f8 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permesso',
   placeholder_description:
     "Il permesso si riferisce all'autorizzazione per accedere ad una risorsa (la chiamiamo risorsa API).",
+  edit: 'Permesso di modifica',
+  delete: 'Permesso di cancellazione',
+  remove: 'Permesso di rimozione',
+  updated: 'Permesso aggiornato.',
+  edit_title: 'Modifica permesso API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/it/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..5883cad10b2
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Chiavi di firma',
+  description: 'Gestisci in modo sicuro le chiavi di firma utilizzate dalle tue applicazioni.',
+  private_key: 'Chiavi private OIDC',
+  private_keys_description: 'Le chiavi private OIDC vengono utilizzate per firmare i token JWT.',
+  cookie_key: 'Chiavi dei cookie OIDC',
+  cookie_keys_description: 'Le chiavi dei cookie OIDC vengono utilizzate per firmare i cookie.',
+  private_keys_in_use: 'Chiavi private in uso',
+  cookie_keys_in_use: 'Chiavi dei cookie in uso',
+  rotate_private_keys: 'Ruota le chiavi private',
+  rotate_cookie_keys: 'Ruota le chiavi dei cookie',
+  rotate_private_keys_description:
+    'Questa azione creerà una nuova chiave di firma privata, ruoterà la chiave attuale e rimuoverà la chiave precedente. I tuoi token JWT firmati con la chiave attuale rimarranno validi fino alla cancellazione o a un altro ciclo di rotazione.',
+  rotate_cookie_keys_description:
+    'Questa azione creerà una nuova chiave dei cookie, ruoterà la chiave attuale e rimuoverà la chiave precedente. I tuoi cookie con la chiave attuale rimarranno validi fino alla cancellazione o a un altro ciclo di rotazione.',
+  select_private_key_algorithm: "Seleziona l'algoritmo di firma per la nuova chiave privata",
+  rotate_button: 'Ruota',
+  table_column: {
+    id: 'ID',
+    status: 'Stato',
+    algorithm: 'Algoritmo di firma della chiave',
+  },
+  status: {
+    current: 'Attuale',
+    previous: 'Precedente',
+  },
+  reminder: {
+    rotate_private_key:
+      'Sei sicuro di voler ruotare le <strong>chiavi private OIDC</strong>? I nuovi token JWT emessi saranno firmati dalla nuova chiave. I token JWT esistenti rimarranno validi finché non ruoti nuovamente.',
+    rotate_cookie_key:
+      'Sei sicuro di voler ruotare le <strong>chiavi dei cookie OIDC</strong>? I nuovi cookie generati nelle sessioni di accesso saranno firmati dalla nuova chiave dei cookie. I cookie esistenti rimarranno validi finché non ruoti nuovamente.',
+    delete_private_key:
+      'Sei sicuro di voler eliminare la <strong>chiave privata OIDC</strong>? I token JWT esistenti firmati con questa chiave privata non saranno più validi.',
+    delete_cookie_key:
+      'Sei sicuro di voler eliminare la <strong>chiave dei cookie OIDC</strong>? Le sessioni di accesso precedenti con i cookie firmati con questa chiave dei cookie non saranno più valide. È richiesta una nuova autenticazione per questi utenti.',
+  },
+  messages: {
+    rotate_key_success: 'Chiavi di firma ruotate con successo.',
+    delete_key_success: 'Chiave eliminata con successo.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-item.ts
index 876cc000451..47769ea3639 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO aziendale',
     not_eligible: 'Rimuovi il tuo SSO aziendale',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-table.ts
index e9bb8f66a15..de2ed791124 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Ruoli machine-to-machine',
     scopes_per_role: 'Permessi per ruolo',
   },
-  audit_logs: {
-    title: 'Log di audit',
-    retention: 'Conservazione',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organizzazione',
     organizations: 'Organizzazioni',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Rapporto SOC2',
     hipaa_or_baa_report: 'Rapporto HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Illimitato',
   contact: 'Contatta',
   monthly_price: '${{value, number}}/mese',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} al mese / ognuno',
   extra_mao_price: 'Quindi ${{value, number}} per MAO',
   per_month: '${{value, number}} al mese',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/it/translation/admin-console/tab-sections.ts
index ecad0af52dd..6c00e84589f 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Panoramica',
-  resources: 'Risorse',
+  authentication: 'Autenticazione',
+  authorization: 'Autorizzazione',
   users: 'Utenti',
-  access_control: 'Controllo Accessi',
-  help_and_support: 'Aiuto e Supporto',
-  tenant: 'Locatario',
-  automation: 'Automazione',
+  developer: 'Sviluppatore',
+  tenant: 'Inquilino',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/tabs.ts b/packages/phrases/src/locales/it/translation/admin-console/tabs.ts
index dbbbcdae870..7bfabb42d3b 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Documenti',
   tenant_settings: 'Impostazioni',
   mfa: 'Autenticazione multi-fattore',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Chiavi di firma',
+  organization_template: 'Modello di organizzazione',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/it/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/it/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/tenants.ts b/packages/phrases/src/locales/it/translation/admin-console/tenants.ts
index 47aef5a3239..c6f2d7433ab 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/tenants.ts
@@ -4,6 +4,8 @@ const tenants = {
     "Gestisci efficacemente le impostazioni dell'inquilino e personalizza il tuo dominio.",
   tabs: {
     settings: 'Impostazioni',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domini',
     subscription: 'Piano e fatturazione',
     billing_history: 'Storico fatturazione',
@@ -37,6 +39,17 @@ const tenants = {
       "L'eliminazione dell'inquilino comporterà la rimozione permanente di tutti i dati utente e le configurazioni associate. Procedere con cautela.",
     tenant_deletion_button: 'Elimina inquilino',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Crea nuovo inquilino',
     subtitle:
@@ -76,6 +89,12 @@ const tenants = {
     cannot_delete_description:
       'Spiacente, al momento non è possibile eliminare questo inquilino. Verifica di essere nel Piano Gratuito e di aver saldato tutte le fatture pendenti.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Non hai ancora creato un inquilino',
     description:
@@ -94,47 +113,6 @@ const tenants = {
     description_2:
       'Se necessiti ulteriori chiarimenti, hai qualche preoccupazione o desideri ripristinare la funzionalità completa e sbloccare i tuoi inquilini, ti preghiamo di contattarci immediatamente.',
   },
-  signing_keys: {
-    title: 'CHIAVI DI FIRMA',
-    description: 'Gestisci in modo sicuro le chiavi di firma nel tuo inquilino.',
-    type: {
-      private_key: 'Chiavi private OIDC',
-      cookie_key: 'Chiavi dei cookie OIDC',
-    },
-    private_keys_in_use: 'Chiavi private in uso',
-    cookie_keys_in_use: 'Chiavi dei cookie in uso',
-    rotate_private_keys: 'Ruota le chiavi private',
-    rotate_cookie_keys: 'Ruota le chiavi dei cookie',
-    rotate_private_keys_description:
-      'Questa azione creerà una nuova chiave di firma privata, ruoterà la chiave attuale e rimuoverà la chiave precedente. I tuoi token JWT firmati con la chiave attuale rimarranno validi fino alla cancellazione o a un altro ciclo di rotazione.',
-    rotate_cookie_keys_description:
-      'Questa azione creerà una nuova chiave dei cookie, ruoterà la chiave attuale e rimuoverà la chiave precedente. I tuoi cookie con la chiave attuale rimarranno validi fino alla cancellazione o a un altro ciclo di rotazione.',
-    select_private_key_algorithm: "Seleziona l'algoritmo di firma per la nuova chiave privata",
-    rotate_button: 'Ruota',
-    table_column: {
-      id: 'ID',
-      status: 'Stato',
-      algorithm: 'Algoritmo di firma della chiave',
-    },
-    status: {
-      current: 'Attuale',
-      previous: 'Precedente',
-    },
-    reminder: {
-      rotate_private_key:
-        'Sei sicuro di voler ruotare le <strong>chiavi private OIDC</strong>? I nuovi token JWT emessi saranno firmati dalla nuova chiave. I token JWT esistenti rimarranno validi finché non ruoti nuovamente.',
-      rotate_cookie_key:
-        'Sei sicuro di voler ruotare le <strong>chiavi dei cookie OIDC</strong>? I nuovi cookie generati nelle sessioni di accesso saranno firmati dalla nuova chiave dei cookie. I cookie esistenti rimarranno validi finché non ruoti nuovamente.',
-      delete_private_key:
-        'Sei sicuro di voler eliminare la <strong>chiave privata OIDC</strong>? I token JWT esistenti firmati con questa chiave privata non saranno più validi.',
-      delete_cookie_key:
-        'Sei sicuro di voler eliminare la <strong>chiave dei cookie OIDC</strong>? Le sessioni di accesso precedenti con i cookie firmati con questa chiave dei cookie non saranno più valide. È richiesta una nuova autenticazione per questi utenti.',
-    },
-    messages: {
-      rotate_key_success: 'Chiavi di firma ruotate con successo.',
-      delete_key_success: 'Chiave eliminata con successo.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/it/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/it/translation/admin-console/upsell/index.ts
index fa340f28b7b..6644d8a6c88 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Risorsa API',
     machine_to_machine: 'applicazione macchina-macchina',
     tokens: '{{limit}}M token',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     "Hai superato il limite di quota {{item}}. Logto aggiungerà addebiti per l'uso oltre il limite di quota. La fatturazione inizierà il giorno in cui verrà rilasciato il nuovo design dei prezzi dell'addon. <a>Ulteriori informazioni</a>",
diff --git a/packages/phrases/src/locales/it/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/it/translation/admin-console/upsell/paywall.ts
index f4c3dee7746..1dec1dca5c7 100644
--- a/packages/phrases/src/locales/it/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/it/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/ja/errors/index.ts b/packages/phrases/src/locales/ja/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/ja/errors/index.ts
+++ b/packages/phrases/src/locales/ja/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/ja/errors/jwt-customizer.ts b/packages/phrases/src/locales/ja/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/ja/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/ja/errors/user.ts b/packages/phrases/src/locales/ja/errors/user.ts
index 370ebfd30fa..78abaa94f30 100644
--- a/packages/phrases/src/locales/ja/errors/user.ts
+++ b/packages/phrases/src/locales/ja/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'MFAを追加してからサインインしてください。',
   totp_already_in_use: 'TOTPはすでに使用されています。',
   backup_code_already_in_use: 'バックアップコードはすでに使用されています。',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/ja/translation/admin-console/api-resource-details.ts
index 4b683109f28..e71f5b9f005 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'APIリソースの詳細 ',
   back_to_api_resources: 'APIリソースに戻る',
-  settings_tab: '設定',
+  general_tab: '一般',
   permissions_tab: '権限',
   settings: '設定',
   settings_description:
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/ja/translation/admin-console/api-resources.ts
index 6f7e8cad732..44115567273 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'テナントごとにデフォルトのAPIを0または1つだけ設定できます。デフォルトのAPIが指定されている場合、認証リクエストでリソースパラメータを省略できます。その後のトークン交換は、デフォルトのAPIを対象として行われます。それにより、JWTが発行されます。<a>詳細を見る</a>',
   api_resource_created: 'APIリソース{{name}}が正常に作成されました',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/general.ts b/packages/phrases/src/locales/ja/translation/admin-console/general.ts
index f5ec492b117..e86c03d46d0 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'カスタマイズする',
   enable: '有効にする',
   reminder: 'リマインダー',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: '削除',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: '{{field}}を編集',
   delete_field: '{{field}}を削除',
   coming_soon: '近日公開予定',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/index.ts b/packages/phrases/src/locales/ja/translation/admin-console/index.ts
index f2b18bef7ea..d85910d398e 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/invitation.ts b/packages/phrases/src/locales/ja/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/ja/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/ja/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..8d30264fd2d
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: '組織の役割の詳細',
+  back_to_org_roles: '組織の役割に戻る',
+  org_role: '組織の役割',
+  delete_confirm:
+    'これにより、関連するユーザーからこのロールに関連付けられた権限が削除され、組織の役割、組織のメンバー、および組織の権限間の関係が削除されます。',
+  deleted: '組織の役割 {{name}} は正常に削除されました。',
+  permissions: {
+    tab: '許可',
+    name_column: '許可',
+    description_column: '説明',
+    type_column: '許可の種類',
+    type: {
+      api: 'API許可',
+      org: '組織許可',
+    },
+    assign_permissions: '許可を割り当てる',
+    remove_permission: '権限を削除',
+    remove_confirmation:
+      'この権限を削除すると、この組織の役割を持つユーザーはこの権限によって付与されたアクセスを失います。',
+    removed: 'この組織の役割から権限 {{name}} が正常に削除されました',
+  },
+  general: {
+    tab: '一般',
+    settings: '設定',
+    description:
+      '組織の役割は、ユーザーに割り当てることができる許可のグループです。 許可は、事前定義された組織の許可から取得する必要があります。',
+    name_field: '名前',
+    description_field: '説明',
+    description_field_placeholder: '閲覧専用権限を持つユーザー',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/ja/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..e413daa4042
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: '組織テンプレート',
+  subtitle:
+    'マルチテナントSaaSアプリケーションでは、複数の組織が同一のアクセス制御ポリシーを共有することが一般的です。これには、権限と役割が含まれます。Logtoでは、この概念を「組織テンプレート」と呼びます。これを使用することで、認証モデルの構築と設計のプロセスが簡素化されます。',
+  roles: {
+    tab_name: '組織の役割',
+    search_placeholder: '役割名で検索',
+    create_title: '組織の役割を作成',
+    role_column: '組織の役割',
+    permissions_column: '権限',
+    placeholder_title: '組織の役割',
+    placeholder_description:
+      '組織の役割は、ユーザーに割り当てることができる権限のグループです。権限は、事前に定義された組織の権限から来なければなりません。',
+    create_modal: {
+      title: '組織の役割を作成する',
+      create: '役割を作成する',
+      name_field: '役割名',
+      description_field: '説明',
+      created: '組織の役割{{name}}が正常に作成されました。',
+    },
+  },
+  permissions: {
+    tab_name: '組織の権限',
+    search_placeholder: '権限名で検索',
+    create_org_permission: '組織の権限を作成',
+    permission_column: '権限',
+    description_column: '説明',
+    placeholder_title: '組織の権限',
+    placeholder_description:
+      '組織の権限は、組織の文脈でリソースにアクセスするための認可を指します。',
+    delete_confirm:
+      'この権限が削除されると、この権限を含むすべての組織の役割がこの権限を失い、この権限を持っていたユーザーはそれによって与えられたアクセスを失います。',
+    create_title: '組織の権限を作成',
+    edit_title: '組織の権限を編集',
+    permission_field_name: '権限名',
+    description_field_name: '説明',
+    description_field_placeholder: '予約履歴を読む',
+    create_permission: '権限を作成',
+    created: '組織権限 {{name}} が正常に作成されました。',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/permissions.ts b/packages/phrases/src/locales/ja/translation/admin-console/permissions.ts
index 6329132ad87..80887267196 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: '権限',
   placeholder_description:
     '権限はリソース（APIリソースと呼んでいます）にアクセスするための承認を指します。',
+  edit: '編集権限',
+  delete: '削除権限',
+  remove: '除去権限',
+  updated: '許可が更新されました。',
+  edit_title: 'APIの権限を編集',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/ja/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..bf7f189d568
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: '署名キー',
+  description: 'アプリケーションで使用される署名キーを安全に管理します。',
+  private_key: 'OIDCプライベートキー',
+  private_keys_description: 'OIDCプライベートキーはJWTトークンの署名に使用されます。',
+  cookie_key: 'OIDCクッキーキー',
+  cookie_keys_description: 'OIDCクッキーキーはクッキーの署名に使用されます。',
+  private_keys_in_use: '使用中のプライベートキー',
+  cookie_keys_in_use: '使用中のCookieキー',
+  rotate_private_keys: 'プライベートキーを回転させる',
+  rotate_cookie_keys: 'Cookieキーを回転させる',
+  rotate_private_keys_description:
+    'このアクションは新しいプライベート署名キーを作成し、現在のキーを回転させ、前のキーを削除します。現在のキーで署名されたJWTトークンは、削除または別の回転まで有効です。',
+  rotate_cookie_keys_description:
+    'このアクションは新しいCookieキーを作成し、現在のキーを回転させ、前のキーを削除します。現在のキーで生成されたCookieは、削除または別の回転まで有効です。',
+  select_private_key_algorithm: '新しいプライベートキーの署名キーアルゴリズムを選択',
+  rotate_button: '回転',
+  table_column: {
+    id: 'ID',
+    status: 'ステータス',
+    algorithm: '署名キーアルゴリズム',
+  },
+  status: {
+    current: '現在の',
+    previous: '以前の',
+  },
+  reminder: {
+    rotate_private_key:
+      'OIDCプライベートキー</strong>を回転させますか？新しい発行されたJWTトークンは新しいキーで署名されます。既存のJWTトークンは、再度回転するまで有効です。',
+    rotate_cookie_key:
+      'OIDC Cookieキー</strong>を回転させますか？新しいCookieで署名されたサインインセッションのCookieが新しいCookieキーで生成されます。既存のCookieは、再度回転するまで有効です。',
+    delete_private_key:
+      'OIDCプライベートキー</strong>を削除しますか？このプライベート署名キーで署名された既存のJWTトークンはもはや有効ではありません。',
+    delete_cookie_key:
+      'OIDC Cookieキー</strong>を削除しますか？このCookieキーで署名された古いサインインセッションのCookieはもはや有効ではありません。これらのユーザーには再認証が必要です。',
+  },
+  messages: {
+    rotate_key_success: '署名キーが正常に回転されました。',
+    delete_key_success: 'キーが正常に削除されました。',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-item.ts
index a96ce465911..e72d9025fd4 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'エンタープライズSSO',
     not_eligible: 'エンタープライズSSOを削除してください',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-table.ts
index b3e1ac9a70b..db48ae0e151 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'マシン対マシンロール',
     scopes_per_role: 'ロールごとの権限',
   },
-  audit_logs: {
-    title: '監査ログ',
-    retention: '保持期間',
-  },
-  hooks: {
-    title: 'ウェブフック',
-    hooks: 'ウェブフック',
-  },
   organizations: {
     title: '組織',
     organizations: '組織',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2レポート',
     hipaa_or_baa_report: 'HIPAA/BAAレポート',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: '無制限',
   contact: 'お問い合わせ',
   monthly_price: '${{value, number}}/mo',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '各${{value, number}} / 月ごと',
   extra_mao_price: 'その後、MAOごとに${{value, number}}',
   per_month: '${{value, number}} / 月ごと',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/ja/translation/admin-console/tab-sections.ts
index c80132c6b2c..403a094fa56 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: '概要',
-  resources: 'リソース',
+  authentication: '認証',
+  authorization: '認可',
   users: 'ユーザー',
-  access_control: 'アクセス制御',
-  help_and_support: 'ヘルプとサポート',
+  developer: '開発者',
   tenant: 'テナント',
-  automation: 'オートメーション',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/tabs.ts b/packages/phrases/src/locales/ja/translation/admin-console/tabs.ts
index 65e74b7e822..bcc8f098f17 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'ドキュメント',
   tenant_settings: '設定',
   mfa: 'Multi-factor auth',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: '署名キー',
+  organization_template: '組織テンプレート',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/ja/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/ja/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/tenants.ts b/packages/phrases/src/locales/ja/translation/admin-console/tenants.ts
index e12bae2fa47..ddb51155f0d 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'テナントの設定を効率的に管理し、ドメインをカスタマイズします。',
   tabs: {
     settings: '設定',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'ドメイン',
     subscription: 'プランと請求',
     billing_history: '請求履歴',
@@ -34,6 +36,17 @@ const tenants = {
       'テナントの削除は、関連するすべてのユーザーデータと設定の永久的な削除につながります。十分に注意して操作してください。',
     tenant_deletion_button: 'テナントを削除する',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'テナントを作成する',
     subtitle:
@@ -71,6 +84,12 @@ const tenants = {
     cannot_delete_description:
       '申し訳ありませんが、現時点ではこのテナントを削除できません。無料プランに登録しており、未払いの請求がないことを確認してください。',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'まだテナントを作成していません',
     description:
@@ -89,47 +108,6 @@ const tenants = {
     description_2:
       '詳細な説明や懸念事項がある場合、または機能を完全に復元しテナントをアンブロックする場合は、直ちにお問い合わせください。',
   },
-  signing_keys: {
-    title: 'SIGNING KEYS',
-    description: 'テナント内で署名キーを安全に管理します。',
-    type: {
-      private_key: 'OIDCプライベートキー',
-      cookie_key: 'OIDC Cookieキー',
-    },
-    private_keys_in_use: '使用中のプライベートキー',
-    cookie_keys_in_use: '使用中のCookieキー',
-    rotate_private_keys: 'プライベートキーを回転させる',
-    rotate_cookie_keys: 'Cookieキーを回転させる',
-    rotate_private_keys_description:
-      'このアクションは新しいプライベート署名キーを作成し、現在のキーを回転させ、前のキーを削除します。現在のキーで署名されたJWTトークンは、削除または別の回転まで有効です。',
-    rotate_cookie_keys_description:
-      'このアクションは新しいCookieキーを作成し、現在のキーを回転させ、前のキーを削除します。現在のキーで生成されたCookieは、削除または別の回転まで有効です。',
-    select_private_key_algorithm: '新しいプライベートキーの署名キーアルゴリズムを選択',
-    rotate_button: '回転',
-    table_column: {
-      id: 'ID',
-      status: 'ステータス',
-      algorithm: '署名キーアルゴリズム',
-    },
-    status: {
-      current: '現在の',
-      previous: '以前の',
-    },
-    reminder: {
-      rotate_private_key:
-        'OIDCプライベートキー</strong>を回転させますか？新しい発行されたJWTトークンは新しいキーで署名されます。既存のJWTトークンは、再度回転するまで有効です。',
-      rotate_cookie_key:
-        'OIDC Cookieキー</strong>を回転させますか？新しいCookieで署名されたサインインセッションのCookieが新しいCookieキーで生成されます。既存のCookieは、再度回転するまで有効です。',
-      delete_private_key:
-        'OIDCプライベートキー</strong>を削除しますか？このプライベート署名キーで署名された既存のJWTトークンはもはや有効ではありません。',
-      delete_cookie_key:
-        'OIDC Cookieキー</strong>を削除しますか？このCookieキーで署名された古いサインインセッションのCookieはもはや有効ではありません。これらのユーザーには再認証が必要です。',
-    },
-    messages: {
-      rotate_key_success: '署名キーが正常に回転されました。',
-      delete_key_success: 'キーが正常に削除されました。',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/ja/translation/admin-console/upsell/index.ts
index fd7b425be19..4f863f9b668 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API リソース',
     machine_to_machine: 'マシン対マシンアプリケーション',
     tokens: '{{limit}}M トークン',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '{{item}} のクォータ制限を超えています。Logto はクォータ制限を超える利用に対して料金を追加します。新しいアドオン価格設計がリリースされる日から請求が開始されます。 <a>詳細</a>',
diff --git a/packages/phrases/src/locales/ja/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/ja/translation/admin-console/upsell/paywall.ts
index b00d144f375..95e5f714227 100644
--- a/packages/phrases/src/locales/ja/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/ja/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/ko/errors/index.ts b/packages/phrases/src/locales/ko/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/ko/errors/index.ts
+++ b/packages/phrases/src/locales/ko/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/ko/errors/jwt-customizer.ts b/packages/phrases/src/locales/ko/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/ko/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/ko/errors/user.ts b/packages/phrases/src/locales/ko/errors/user.ts
index 738affbe3bf..07415262af5 100644
--- a/packages/phrases/src/locales/ko/errors/user.ts
+++ b/packages/phrases/src/locales/ko/errors/user.ts
@@ -32,6 +32,10 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/ko/translation/admin-console/api-resource-details.ts
index eecf097c624..5657ade1b74 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API 리소스 세부 정보',
   back_to_api_resources: 'API 리소스로 돌아가기',
-  settings_tab: '설정',
+  general_tab: '일반',
   permissions_tab: '권한',
   settings: '설정',
   settings_description:
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/ko/translation/admin-console/api-resources.ts
index 7771ca9194e..ee79d3d428d 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     '테넌트 당 기본 API는 0개 또는 1개만 지정 할 수 있어요. 기본 API가 지정되면 인증 요청에서 리소스 매개 변수를 생략할 수 있어요. 이후 토큰 교환이 기본적으로 대상에 해당하는 API를 사용하여 수행되어 JWT가 발급되어요. <a>자세히 알아보기</a>',
   api_resource_created: '{{name}} API 리소스가 성공적으로 생성되었어요.',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/general.ts b/packages/phrases/src/locales/ko/translation/admin-console/general.ts
index 1c1977a9f9d..9437a9f51a5 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: '사용자화',
   enable: '활성화',
   reminder: '리마인더',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: '삭제',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: '{{field}} 편집',
   delete_field: '{{field}} 삭제',
   coming_soon: '곧 출시 예정',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/index.ts b/packages/phrases/src/locales/ko/translation/admin-console/index.ts
index 775b3e31107..8796cd52515 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/invitation.ts b/packages/phrases/src/locales/ko/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/ko/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/ko/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..52b4af000c1
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: '조직 역할 세부 정보',
+  back_to_org_roles: '조직 역할로 돌아가기',
+  org_role: '조직 역할',
+  delete_confirm:
+    '이렇게 하면 해당 역할과 관련된 사용자의 권한이 제거되고 조직 역할, 조직 구성원 및 조직 권한 간의 관계가 삭제됩니다.',
+  deleted: '조직 역할 {{name}} 이(가) 성공적으로 삭제되었습니다.',
+  permissions: {
+    tab: '권한',
+    name_column: '권한',
+    description_column: '설명',
+    type_column: '권한 유형',
+    type: {
+      api: 'API 권한',
+      org: '조직 권한',
+    },
+    assign_permissions: '권한 할당',
+    remove_permission: '권한 삭제',
+    remove_confirmation:
+      '이 권한을 제거하면이 조직 역할을하는 사용자는이 권한으로 부여된 액세스를 잃게됩니다.',
+    removed: '권한 {{name}}이(가)이 조직 역할에서 성공적으로 제거되었습니다',
+  },
+  general: {
+    tab: '일반',
+    settings: '설정',
+    description:
+      '조직 역할은 사용자에게 할당할 수있는 권한의 그룹입니다. 권한은 사전 정의 된 조직 권한에서 가져와야합니다.',
+    name_field: '이름',
+    description_field: '설명',
+    description_field_placeholder: '읽기 전용 권한을 가진 사용자',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/ko/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..b3a5a3696af
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/organization-template.ts
@@ -0,0 +1,42 @@
+const organization_template = {
+  title: '조직 템플릿',
+  subtitle:
+    '멀티-테넌트 SaaS 애플리케이션에서는 여러 조직이 동일한 접근 제어 정책을 공유하는 것이 일반적입니다. 이에는 권한과 역할이 포함됩니다. Logto에서는 이 개념을 "조직 템플릿"이라고 합니다. 이를 사용하면 권한 모델을 구축하고 설계하는 과정이 간소화됩니다.',
+  roles: {
+    tab_name: '조직 역할',
+    search_placeholder: '역할 이름으로 검색',
+    create_title: '조직 역할 생성',
+    role_column: '조직 역할',
+    permissions_column: '권한',
+    placeholder_title: '조직 역할',
+    placeholder_description:
+      '조직 역할은 사용자에게 할당될 수 있는 권한의 그룹입니다. 권한은 미리 정의된 조직 권한에서 와야 합니다.',
+    create_modal: {
+      title: '조직 역할 만들기',
+      create: '역할 만들기',
+      name_field: '역할 이름',
+      description_field: '설명',
+      created: '조직 역할 {{name}}이(가) 성공적으로 만들어졌습니다.',
+    },
+  },
+  permissions: {
+    tab_name: '조직 권한',
+    search_placeholder: '권한 이름으로 검색',
+    create_org_permission: '조직 권한 생성',
+    permission_column: '권한',
+    description_column: '설명',
+    placeholder_title: '조직 권한',
+    placeholder_description: '조직 권한은 조직의 맥락에서 자원에 접근할 수 있는 권한을 의미합니다.',
+    delete_confirm:
+      '이 권한이 삭제되면, 이 권한을 포함하는 모든 조직 역할이 이 권한을 잃게 되며, 이 권한을 가진 사용자는 그것에 의해 부여된 접근을 잃게 됩니다.',
+    create_title: '조직 권한 생성',
+    edit_title: '조직 권한 편집',
+    permission_field_name: '권한 이름',
+    description_field_name: '설명',
+    description_field_placeholder: '약속 기록 읽기',
+    create_permission: '권한 생성',
+    created: '조직 권한 {{name}}이(가) 성공적으로 생성되었습니다.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/permissions.ts b/packages/phrases/src/locales/ko/translation/admin-console/permissions.ts
index 2b8d3f72770..2c5be98c610 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/permissions.ts
@@ -6,6 +6,11 @@ const permissions = {
   api_column: 'API',
   placeholder_title: '권한',
   placeholder_description: '권한은 리소스(API 리소스라고 함)에 액세스할 수 있는 권한을 의미해요.',
+  edit: '편집 권한',
+  delete: '삭제 권한',
+  remove: '제거 권한',
+  updated: '권한이 업데이트되었습니다.',
+  edit_title: 'API 권한 편집',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/ko/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..3b32d1e4b5e
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: '서명 키',
+  description: '애플리케이션에서 사용되는 서명 키를 안전하게 관리합니다.',
+  private_key: 'OIDC 개인 키',
+  private_keys_description: 'OIDC 개인 키는 JWT 토큰을 서명하는 데 사용됩니다.',
+  cookie_key: 'OIDC 쿠키 키',
+  cookie_keys_description: 'OIDC 쿠키 키는 쿠키를 서명하는 데 사용됩니다.',
+  private_keys_in_use: '사용 중인 개인 키',
+  cookie_keys_in_use: '사용 중인 쿠키 키',
+  rotate_private_keys: '개인 키 회전',
+  rotate_cookie_keys: '쿠키 키 회전',
+  rotate_private_keys_description:
+    '이 작업은 새로운 개인 서명 키를 생성하고 현재 키를 회전시키고 이전 키를 삭제합니다. 현재 키로 서명 된 JWT 토큰은 삭제하거나 다른 회전할 때까지 유효합니다.',
+  rotate_cookie_keys_description:
+    '이 작업은 새 쿠키 키를 생성하고 현재 키를 회전하며 이전 키를 삭제합니다. 현재 키로 서명 된 쿠키는 삭제하거나 다른 회전할 때까지 유효합니다.',
+  select_private_key_algorithm: '새 개인 키의 서명 키 알고리즘 선택',
+  rotate_button: '회전',
+  table_column: {
+    id: 'ID',
+    status: '상태',
+    algorithm: '서명 키 알고리즘',
+  },
+  status: {
+    current: '현재',
+    previous: '이전',
+  },
+  reminder: {
+    rotate_private_key:
+      '정말 <strong>OIDC 개인 키</strong>를 회전하시겠습니까? 새로 발급 된 JWT 토큰은 새 키로 서명됩니다. 기존 JWT 토큰은 회전할 때까지 유효합니다.',
+    rotate_cookie_key:
+      '정말 <strong>OIDC 쿠키 키</strong>를 회전하시겠습니까? 로그인 세션에서 생성 된 새로운 쿠키는 새 쿠키 키로 서명됩니다. 기존 쿠키는 회전할 때까지 유효합니다.',
+    delete_private_key:
+      '정말 <strong>OIDC 개인 키</strong>를 삭제하시겠습니까? 이전에 개인 서명 키로 서명 된 기존 JWT 토큰은 더 이상 유효하지 않게 됩니다.',
+    delete_cookie_key:
+      '정말 <strong>OIDC 쿠키 키</strong>를 삭제하시겠습니까? 이전에 이 쿠키 키로 서명 된 로그인 세션은 더 이상 유효하지 않게 될 것입니다. 이 사용자들에게는 다시 인증이 필요합니다.',
+  },
+  messages: {
+    rotate_key_success: '서명 키가 성공적으로 회전되었습니다.',
+    delete_key_success: '키가 성공적으로 삭제되었습니다.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-item.ts
index b6dbd231669..0cd79ce8c49 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: '기업 SSO',
     not_eligible: '기업 SSO를 제거하십시오',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-table.ts
index 46367d987cb..58dac7287cc 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: '머신 투 머신 역할',
     scopes_per_role: '역할 당 권한',
   },
-  audit_logs: {
-    title: '감사 로그',
-    retention: '보존 기간',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: '조직',
     organizations: '조직',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2 보고서',
     hipaa_or_baa_report: 'HIPAA/BAA 보고서',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: '무제한',
   contact: '문의',
   monthly_price: '${{value, number}}/월',
@@ -101,6 +105,8 @@ const quota_table = {
   per_month_each: '월당 ${{value, number}} / 각각',
   extra_mao_price: '이후 MAO당 ${{value, number}}',
   per_month: '월당 ${{value, number}}',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/ko/translation/admin-console/tab-sections.ts
index f555225b103..d5078193ccf 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
-  overview: '살펴보기',
-  resources: '자원',
+  overview: '개요',
+  authentication: '인증',
+  authorization: '인가',
   users: '사용자',
-  access_control: '접근 제어',
-  help_and_support: '고객센터',
-  tenant: '세입자',
-  automation: '자동화',
+  developer: '개발자',
+  tenant: '임차인',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/tabs.ts b/packages/phrases/src/locales/ko/translation/admin-console/tabs.ts
index ca8779aa7f5..1733123165a 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: '문서',
   tenant_settings: '테넌트 설정',
   mfa: '다중 요소 인증',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: '서명 키',
+  organization_template: '조직 템플릿',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/ko/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/ko/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/tenants.ts b/packages/phrases/src/locales/ko/translation/admin-console/tenants.ts
index aef25247d9c..5299bf80b16 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: '테넌트 설정을 효율적으로 관리하고 도메인을 사용자 정의합니다.',
   tabs: {
     settings: '설정',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: '도메인',
     subscription: '구독 및 청구',
     billing_history: '청구 내역',
@@ -34,6 +36,17 @@ const tenants = {
       '테넌트를 삭제하면 관련된 모든 사용자 데이터와 설정이 영구적으로 삭제됩니다. 신중하게 진행해주십시오.',
     tenant_deletion_button: '테넌트 삭제',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: '테넌트 만들기',
     subtitle:
@@ -70,6 +83,12 @@ const tenants = {
     cannot_delete_description:
       '죄송합니다. 현재이 테넌트를 삭제할 수 없습니다. 무료 플랜에 있고 미결제 청구서가 없는지 확인하십시오.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: '아직 테넌트를 만들지 않았습니다.',
     description:
@@ -88,47 +107,6 @@ const tenants = {
     description_2:
       '자세한 설명이 필요한 경우, 우려 사항이 있거나 기능을 완전히 복원하고 테넌트를 차단 해제하려면 바로 연락 주시기 바랍니다.',
   },
-  signing_keys: {
-    title: '서명 키',
-    description: '테넌트 내의 서명 키를 안전하게 관리합니다.',
-    type: {
-      private_key: 'OIDC 개인 키',
-      cookie_key: 'OIDC 쿠키 키',
-    },
-    private_keys_in_use: '사용 중인 개인 키',
-    cookie_keys_in_use: '사용 중인 쿠키 키',
-    rotate_private_keys: '개인 키 회전',
-    rotate_cookie_keys: '쿠키 키 회전',
-    rotate_private_keys_description:
-      '이 작업은 새로운 개인 서명 키를 생성하고 현재 키를 회전시키고 이전 키를 삭제합니다. 현재 키로 서명 된 JWT 토큰은 삭제하거나 다른 회전할 때까지 유효합니다.',
-    rotate_cookie_keys_description:
-      '이 작업은 새 쿠키 키를 생성하고 현재 키를 회전하며 이전 키를 삭제합니다. 현재 키로 서명 된 쿠키는 삭제하거나 다른 회전할 때까지 유효합니다.',
-    select_private_key_algorithm: '새 개인 키의 서명 키 알고리즘 선택',
-    rotate_button: '회전',
-    table_column: {
-      id: 'ID',
-      status: '상태',
-      algorithm: '서명 키 알고리즘',
-    },
-    status: {
-      current: '현재',
-      previous: '이전',
-    },
-    reminder: {
-      rotate_private_key:
-        '정말 <strong>OIDC 개인 키</strong>를 회전하시겠습니까? 새로 발급 된 JWT 토큰은 새 키로 서명됩니다. 기존 JWT 토큰은 회전할 때까지 유효합니다.',
-      rotate_cookie_key:
-        '정말 <strong>OIDC 쿠키 키</strong>를 회전하시겠습니까? 로그인 세션에서 생성 된 새로운 쿠키는 새 쿠키 키로 서명됩니다. 기존 쿠키는 회전할 때까지 유효합니다.',
-      delete_private_key:
-        '정말 <strong>OIDC 개인 키</strong>를 삭제하시겠습니까? 이전에 개인 서명 키로 서명 된 기존 JWT 토큰은 더 이상 유효하지 않게 됩니다.',
-      delete_cookie_key:
-        '정말 <strong>OIDC 쿠키 키</strong>를 삭제하시겠습니까? 이전에 이 쿠키 키로 서명 된 로그인 세션은 더 이상 유효하지 않게 될 것입니다. 이 사용자들에게는 다시 인증이 필요합니다.',
-    },
-    messages: {
-      rotate_key_success: '서명 키가 성공적으로 회전되었습니다.',
-      delete_key_success: '키가 성공적으로 삭제되었습니다.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/ko/translation/admin-console/upsell/index.ts
index 75e12d8e8d9..b19df9c36de 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API 리소스',
     machine_to_machine: '머신 투 머신 애플리케이션',
     tokens: '{{limit}}M 토큰',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '{{item}} 할당량 한도를 초과했습니다. Logto는 할당량을 초과하는 사용에 대한 요금을 추가합니다. 새로운 애드온 가격 디자인이 출시된 날부터 청구가 시작됩니다. <a>더 알아보기</a>',
diff --git a/packages/phrases/src/locales/ko/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/ko/translation/admin-console/upsell/paywall.ts
index f53601e7a1f..3e6d0a20944 100644
--- a/packages/phrases/src/locales/ko/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/ko/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/pl-pl/errors/index.ts b/packages/phrases/src/locales/pl-pl/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/pl-pl/errors/index.ts
+++ b/packages/phrases/src/locales/pl-pl/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/pl-pl/errors/jwt-customizer.ts b/packages/phrases/src/locales/pl-pl/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/pl-pl/errors/user.ts b/packages/phrases/src/locales/pl-pl/errors/user.ts
index 524cb2a3579..516707d4b48 100644
--- a/packages/phrases/src/locales/pl-pl/errors/user.ts
+++ b/packages/phrases/src/locales/pl-pl/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resource-details.ts
index e24936fe4f9..327fd6d493e 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Szczegóły zasobów API',
   back_to_api_resources: 'Powróć do zasobów API',
-  settings_tab: 'Ustawienia',
+  general_tab: 'Ogólne',
   permissions_tab: 'Uprawnienia',
   settings: 'Ustawienia',
   settings_description:
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resources.ts
index 630aaecb5d4..a46740f88c6 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Tylko jedno API domyślne może być ustawione na jeden najem. Kiedy określone zostanie API domyślne, parametr zasobu może zostać pominięty w żądaniu autoryzacji. Następujące procesy wymiany tokenu będą domyślnie korzystać z tego API, co umożliwi wydanie JWT. <a>Dowiedz się więcej</a>',
   api_resource_created: 'Zasób API {{name}} został pomyślnie utworzony',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/general.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/general.ts
index 339e6c599ee..14cf496642d 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Dostosuj',
   enable: 'Włącz',
   reminder: 'Przypomnienie',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Usuń',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: 'Edytuj {{field}}',
   delete_field: 'Usuń {{field}}',
   coming_soon: 'Wkrótce dostępne',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/index.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/index.ts
index 775b3e31107..8796cd52515 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/invitation.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..8c73fdbb5a4
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Szczegóły roli organizacji',
+  back_to_org_roles: 'Powrót do ról organizacji',
+  org_role: 'Rola organizacji',
+  delete_confirm:
+    'W wyniku tego zostaną usunięte uprawnienia związane z tą rolą od dotkniętych użytkowników i zostaną usunięte związki między rolami organizacyjnymi, członkami organizacji a uprawnieniami organizacji.',
+  deleted: 'Rola organizacji {{name}} została pomyślnie usunięta.',
+  permissions: {
+    tab: 'Uprawnienia',
+    name_column: 'Uprawnienie',
+    description_column: 'Opis',
+    type_column: 'Typ uprawnienia',
+    type: {
+      api: 'Uprawnienie API',
+      org: 'Uprawnienie organizacji',
+    },
+    assign_permissions: 'Przypisz uprawnienia',
+    remove_permission: 'Usuń uprawnienie',
+    remove_confirmation:
+      'Jeśli to uprawnienie zostanie usunięte, użytkownik z tą rolą organizacyjną utraci dostęp udzielony przez to uprawnienie.',
+    removed: 'Uprawnienie {{name}} zostało pomyślnie usunięte z tej roli organizacyjnej',
+  },
+  general: {
+    tab: 'Ogólne',
+    settings: 'Ustawienia',
+    description:
+      'Rola organizacji to grupowanie uprawnień, które można przypisać użytkownikom. Uprawnienia muszą pochodzić z predefiniowanych uprawnień organizacji.',
+    name_field: 'Nazwa',
+    description_field: 'Opis',
+    description_field_placeholder: 'Użytkownicy z uprawnieniami tylko do odczytu',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..705e50e3dc2
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Szablon organizacji',
+  subtitle:
+    'W aplikacjach SaaS wieloklienckich jest powszechne, że wiele organizacji dzieli identyczne polityki kontroli dostępu, w tym uprawnienia i role. W Logto, ten koncept jest określany jako "szablon organizacji". Jego użycie usprawnia proces budowania i projektowania modelu autoryzacji.',
+  roles: {
+    tab_name: 'Role org',
+    search_placeholder: 'Szukaj po nazwie roli',
+    create_title: 'Utwórz rolę org',
+    role_column: 'Rola org',
+    permissions_column: 'Uprawnienia',
+    placeholder_title: 'Rola organizacyjna',
+    placeholder_description:
+      'Rola organizacyjna to grupowanie uprawnień, które można przypisać użytkownikom. Uprawnienia muszą pochodzić z wcześniej zdefiniowanych uprawnień organizacyjnych.',
+    create_modal: {
+      title: 'Utwórz rolę organizacji',
+      create: 'Utwórz rolę',
+      name_field: 'Nazwa roli',
+      description_field: 'Opis',
+      created: 'Rola organizacji {{name}} została pomyślnie utworzona.',
+    },
+  },
+  permissions: {
+    tab_name: 'Uprawnienia org',
+    search_placeholder: 'Szukaj po nazwie uprawnienia',
+    create_org_permission: 'Utwórz uprawnienie org',
+    permission_column: 'Uprawnienie',
+    description_column: 'Opis',
+    placeholder_title: 'Uprawnienie organizacyjne',
+    placeholder_description:
+      'Uprawnienie organizacyjne odnosi się do autoryzacji dostępu do zasobu w kontekście organizacji.',
+    delete_confirm:
+      'Jeśli to uprawnienie zostanie usunięte, wszystkie role organizacyjne zawierające to uprawnienie stracą je, a użytkownicy, którzy mieli to uprawnienie, stracą dostęp przyznany przez nie.',
+    create_title: 'Utwórz uprawnienie organizacji',
+    edit_title: 'Edytuj uprawnienie organizacji',
+    permission_field_name: 'Nazwa uprawnienia',
+    description_field_name: 'Opis',
+    description_field_placeholder: 'Przeczytaj historię spotkań',
+    create_permission: 'Utwórz uprawnienie',
+    created: 'Uprawnienie organizacji {{name}} zostało pomyślnie utworzone.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/permissions.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/permissions.ts
index 607587970f0..8f168197b6a 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Uprawnienie',
   placeholder_description:
     'Uprawnienie odnosi się do autoryzacji dostępu do zasobu (nazywamy go zasobem API).',
+  edit: 'Uprawnienia do edycji',
+  delete: 'Uprawnienia do usunięcia',
+  remove: 'Uprawnienia do usunięcia',
+  updated: 'Uprawnienia zaktualizowane.',
+  edit_title: 'Edytuj uprawnienia API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..901ff5ab862
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Klucze podpisu',
+  description: 'Bezpiecznie zarządzaj kluczami podpisów używanymi przez twoje aplikacje.',
+  private_key: 'Prywatne klucze OIDC',
+  private_keys_description: 'Prywatne klucze OIDC są używane do podpisywania tokenów JWT.',
+  cookie_key: 'Klucze cookie OIDC',
+  cookie_keys_description: 'Klucze cookie OIDC są używane do podpisywania plików cookie.',
+  private_keys_in_use: 'Używane klucze prywatne',
+  cookie_keys_in_use: 'Używane klucze ciasteczek',
+  rotate_private_keys: 'Obróć klucze prywatne',
+  rotate_cookie_keys: 'Obróć klucze ciasteczek',
+  rotate_private_keys_description:
+    'Ta akcja spowoduje utworzenie nowego klucza prywatnego do podpisywania, obrócenie bieżącego klucza i usunięcie poprzedniego klucza. Twoje tokeny JWT podpisane aktualnym kluczem pozostaną ważne do czasu usunięcia lub kolejnego obrotu.',
+  rotate_cookie_keys_description:
+    'Ta akcja spowoduje utworzenie nowego klucza ciasteczka, obrócenie bieżącego klucza i usunięcie poprzedniego klucza. Twoje ciasteczka z aktualnym kluczem pozostaną ważne do czasu usunięcia lub kolejnego obrotu.',
+  select_private_key_algorithm: 'Wybierz algorytm podpisywania klucza dla nowego klucza prywatnego',
+  rotate_button: 'Obróć',
+  table_column: {
+    id: 'ID',
+    status: 'Status',
+    algorithm: 'Algorytm podpisywania klucza',
+  },
+  status: {
+    current: 'Bieżący',
+    previous: 'Poprzedni',
+  },
+  reminder: {
+    rotate_private_key:
+      'Czy na pewno chcesz obrócić <strong>Klucze prywatne OIDC</strong>? Nowo wydane tokeny JWT będą podpisywane nowym kluczem. Istniejące tokeny JWT pozostają ważne do czasu ponownego obrotu.',
+    rotate_cookie_key:
+      'Czy na pewno chcesz obrócić <strong>Klucze ciasteczek OIDC</strong>? Nowo generowane ciasteczka w sesjach logowania będą podpisywane nowym kluczem ciasteczka. Istniejące ciasteczka pozostają ważne do czasu ponownego obrotu.',
+    delete_private_key:
+      'Czy na pewno chcesz usunąć <strong>Klucz prywatny OIDC</strong>? Istniejące tokeny JWT podpisane tym kluczem prywatnym przestaną być ważne.',
+    delete_cookie_key:
+      'Czy na pewno chcesz usunąć <strong>Klucz ciasteczka OIDC</strong>? Starsze sesje logowania z ciasteczkami podpisanymi tym kluczem ciasteczka przestaną być ważne. Wymagane będzie ponowne uwierzytelnienie tych użytkowników.',
+  },
+  messages: {
+    rotate_key_success: 'Klucze podpisu obrócone pomyślnie.',
+    delete_key_success: 'Klucz usunięty pomyślnie.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-item.ts
index ea626d3125c..1755c88d379 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO przedsiębiorstwa',
     not_eligible: 'Usuń swoje SSO przedsiębiorstwa',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-table.ts
index e181fa8b9f2..3be1dd3e325 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Role maszyna-maszyna',
     scopes_per_role: 'Uprawnienia na rolę',
   },
-  audit_logs: {
-    title: 'Logi audytu',
-    retention: 'Okres przechowywania',
-  },
-  hooks: {
-    title: 'Webhooki',
-    hooks: 'Webhooki',
-  },
   organizations: {
     title: 'Organizacja',
     organizations: 'Organizacje',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Raport SOC2',
     hipaa_or_baa_report: 'Raport HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Nieograniczone',
   contact: 'Kontakt',
   monthly_price: '${{value, number}}/mies.',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} za miesiąc / każdy',
   extra_mao_price: 'Następnie ${{value, number}} za MAO',
   per_month: '${{value, number}} za miesiąc',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/tab-sections.ts
index cccb9d9e86a..095c0426ecb 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Przegląd',
-  resources: 'Zasoby',
+  authentication: 'Uwierzytelnianie',
+  authorization: 'Autoryzacja',
   users: 'Użytkownicy',
-  access_control: 'Kontrola dostępu',
-  help_and_support: 'Pomoc i wsparcie',
+  developer: 'Deweloper',
   tenant: 'Najemca',
-  automation: 'Automatyzacja',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/tabs.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/tabs.ts
index 8aecaac7652..1ecbd96c65d 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Dokumentacja',
   tenant_settings: 'Ustawienia',
   mfa: 'Multi-factor auth',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Klucze do podpisu',
+  organization_template: 'Szablon organizacji',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/tenants.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/tenants.ts
index e400ffa7265..87e39c66946 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Skuteczne zarządzanie ustawieniami najemcy i dostosowywanie domeny.',
   tabs: {
     settings: 'Ustawienia',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domeny',
     subscription: 'Plan i rozliczenia',
     billing_history: 'Historia rozliczeń',
@@ -36,6 +38,17 @@ const tenants = {
       'Usunięcie najemcy spowoduje trwałe usunięcie wszystkich powiązanych danych użytkowników i konfiguracji. Proszę postępować ostrożnie.',
     tenant_deletion_button: 'Usuń najemcę',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Utwórz nowego najemcę',
     subtitle:
@@ -75,6 +88,12 @@ const tenants = {
     cannot_delete_description:
       'Przepraszam, nie możesz teraz usunąć tego najemcy. Upewnij się, że korzystasz z planu darmowego i uregulowałeś wszystkie zaległe płatności.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Nie utworzyłeś jeszcze najemcy',
     description:
@@ -93,48 +112,6 @@ const tenants = {
     description_2:
       'Jeśli potrzebujesz dalszych wyjaśnień, masz jakiekolwiek obawy lub chcesz przywrócić pełną funkcjonalność i odblokować swoje najemce, nie wahaj się skontaktować z nami natychmiast.',
   },
-  signing_keys: {
-    title: 'ZARZĄDZANIE KLUCZAMI PODPISUJĄCYMI',
-    description: 'Bezpieczne zarządzanie kluczami podpisującymi w Twoim najemcy.',
-    type: {
-      private_key: 'Klucze prywatne OIDC',
-      cookie_key: 'Klucze ciasteczek OIDC',
-    },
-    private_keys_in_use: 'Używane klucze prywatne',
-    cookie_keys_in_use: 'Używane klucze ciasteczek',
-    rotate_private_keys: 'Obróć klucze prywatne',
-    rotate_cookie_keys: 'Obróć klucze ciasteczek',
-    rotate_private_keys_description:
-      'Ta akcja spowoduje utworzenie nowego klucza prywatnego do podpisywania, obrócenie bieżącego klucza i usunięcie poprzedniego klucza. Twoje tokeny JWT podpisane aktualnym kluczem pozostaną ważne do czasu usunięcia lub kolejnego obrotu.',
-    rotate_cookie_keys_description:
-      'Ta akcja spowoduje utworzenie nowego klucza ciasteczka, obrócenie bieżącego klucza i usunięcie poprzedniego klucza. Twoje ciasteczka z aktualnym kluczem pozostaną ważne do czasu usunięcia lub kolejnego obrotu.',
-    select_private_key_algorithm:
-      'Wybierz algorytm podpisywania klucza dla nowego klucza prywatnego',
-    rotate_button: 'Obróć',
-    table_column: {
-      id: 'ID',
-      status: 'Status',
-      algorithm: 'Algorytm podpisywania klucza',
-    },
-    status: {
-      current: 'Bieżący',
-      previous: 'Poprzedni',
-    },
-    reminder: {
-      rotate_private_key:
-        'Czy na pewno chcesz obrócić <strong>Klucze prywatne OIDC</strong>? Nowo wydane tokeny JWT będą podpisywane nowym kluczem. Istniejące tokeny JWT pozostają ważne do czasu ponownego obrotu.',
-      rotate_cookie_key:
-        'Czy na pewno chcesz obrócić <strong>Klucze ciasteczek OIDC</strong>? Nowo generowane ciasteczka w sesjach logowania będą podpisywane nowym kluczem ciasteczka. Istniejące ciasteczka pozostają ważne do czasu ponownego obrotu.',
-      delete_private_key:
-        'Czy na pewno chcesz usunąć <strong>Klucz prywatny OIDC</strong>? Istniejące tokeny JWT podpisane tym kluczem prywatnym przestaną być ważne.',
-      delete_cookie_key:
-        'Czy na pewno chcesz usunąć <strong>Klucz ciasteczka OIDC</strong>? Starsze sesje logowania z ciasteczkami podpisanymi tym kluczem ciasteczka przestaną być ważne. Wymagane będzie ponowne uwierzytelnienie tych użytkowników.',
-    },
-    messages: {
-      rotate_key_success: 'Klucze podpisu obrócone pomyślnie.',
-      delete_key_success: 'Klucz usunięty pomyślnie.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/index.ts
index 278368c8be6..8a714035ae5 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Zasób API',
     machine_to_machine: 'aplikacja od maszyny do maszyny',
     tokens: '{{limit}}M tokenów',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Przekroczyłeś limit kwoty {{item}}. Logto doliczy opłaty za korzystanie poza limitem kwoty. Fakturowanie rozpocznie się w dniu wprowadzenia nowego projektu cenowego dodatku. <a>Dowiedz się więcej</a>',
diff --git a/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/paywall.ts
index 97ffd8e938e..c4c7a0b5126 100644
--- a/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/pl-pl/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/pt-br/errors/index.ts b/packages/phrases/src/locales/pt-br/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/pt-br/errors/index.ts
+++ b/packages/phrases/src/locales/pt-br/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/pt-br/errors/jwt-customizer.ts b/packages/phrases/src/locales/pt-br/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/pt-br/errors/user.ts b/packages/phrases/src/locales/pt-br/errors/user.ts
index e5b078952ce..fd8f21da0b5 100644
--- a/packages/phrases/src/locales/pt-br/errors/user.ts
+++ b/packages/phrases/src/locales/pt-br/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'Você precisa vincular MFA adicional antes de fazer login.',
   totp_already_in_use: 'TOTP já está em uso.',
   backup_code_already_in_use: 'O código de backup já está em uso.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/api-resource-details.ts
index 53162a0f9d4..97c5a0588e3 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Detalhes do Recurso da API',
   back_to_api_resources: 'Voltar para os recursos da API',
-  settings_tab: 'Configurações',
+  general_tab: 'Geral',
   permissions_tab: 'Permissões',
   settings: 'Configurações',
   settings_description:
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/api-resources.ts
index 7b16238e9eb..6b27574f48f 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Apenas uma API padrão pode ser definida por locatário. Quando uma API padrão é definida, o parâmetro de recurso pode ser omitido na solicitação de autenticação. As trocas de token subsequentes usarão essa API como audiência por padrão, resultando na emissão de JWTs. <a>Saiba mais</a>',
   api_resource_created: 'O recurso API {{name}} foi criado com sucesso',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/general.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/general.ts
index 6eb673644e4..a52e4b2d770 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Personalizar',
   enable: 'Habilitar',
   reminder: 'Lembrete',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Excluir',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: 'Editar {{field}}',
   delete_field: 'Excluir {{field}}',
   coming_soon: 'Em breve',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/index.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/index.ts
index 095fa2a77d7..0d6394d1407 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/invitation.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..c07dabea9fe
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Detalhes da função da organização',
+  back_to_org_roles: 'Voltar para funções da org',
+  org_role: 'Função da organização',
+  delete_confirm:
+    'Ao fazer isso, os privilégios associados a esta função serão removidos dos usuários afetados e as relações entre funções da organização, membros na organização e permissões da organização serão excluídas.',
+  deleted: 'O papel da organização {{name}} foi excluído com sucesso.',
+  permissions: {
+    tab: 'Permissões',
+    name_column: 'Permissão',
+    description_column: 'Descrição',
+    type_column: 'Tipo de permissão',
+    type: {
+      api: 'Permissão da API',
+      org: 'Permissão da org',
+    },
+    assign_permissions: 'Atribuir permissões',
+    remove_permission: 'Remover permissão',
+    remove_confirmation:
+      'Se esta permissão for removida, o usuário com essa função organizacional perderá o acesso concedido por esta permissão.',
+    removed: 'A permissão {{name}} foi removida com sucesso desta função organizacional',
+  },
+  general: {
+    tab: 'Geral',
+    settings: 'Configurações',
+    description:
+      'A função da organização é um agrupamento de permissões que podem ser atribuídas aos usuários. As permissões devem vir das permissões predefinidas da organização.',
+    name_field: 'Nome',
+    description_field: 'Descrição',
+    description_field_placeholder: 'Usuários com permissões somente de visualização',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..3bc2b07ba6d
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Template de organização',
+  subtitle:
+    'Em aplicações SaaS multi-tenant, é comum que várias organizações compartilhem políticas de controle de acesso idênticas, incluindo permissões e papéis. No Logto, este conceito é chamado de "template de organização". Usá-lo simplifica o processo de construção e design do seu modelo de autorização.',
+  roles: {
+    tab_name: 'Papéis da org',
+    search_placeholder: 'Buscar por nome do papel',
+    create_title: 'Criar papel da org',
+    role_column: 'Papel da org',
+    permissions_column: 'Permissões',
+    placeholder_title: 'Papel da organização',
+    placeholder_description:
+      'Papel da organização é um agrupamento de permissões que podem ser atribuídas aos usuários. As permissões devem vir das permissões organizacionais predefinidas.',
+    create_modal: {
+      title: 'Criar função da organização',
+      create: 'Criar função',
+      name_field: 'Nome da função',
+      description_field: 'Descrição',
+      created: 'A função da organização {{name}} foi criada com sucesso.',
+    },
+  },
+  permissions: {
+    tab_name: 'Permissões da org',
+    search_placeholder: 'Buscar por nome da permissão',
+    create_org_permission: 'Criar permissão da org',
+    permission_column: 'Permissão',
+    description_column: 'Descrição',
+    placeholder_title: 'Permissão da organização',
+    placeholder_description:
+      'Permissão da organização refere-se à autorização para acessar um recurso no contexto da organização.',
+    delete_confirm:
+      'Se esta permissão for deletada, todos os papéis da organização que incluírem esta permissão perderão a mesma, e usuários que tinham esta permissão perderão o acesso concedido por ela.',
+    create_title: 'Criar permissão de organização',
+    edit_title: 'Editar permissão de organização',
+    permission_field_name: 'Nome da permissão',
+    description_field_name: 'Descrição',
+    description_field_placeholder: 'Ler histórico de compromissos',
+    create_permission: 'Criar permissão',
+    created: 'A permissão de organização {{name}} foi criada com sucesso.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/permissions.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/permissions.ts
index 07b4ba82ea5..68c646d49bd 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permissão',
   placeholder_description:
     'Permissão refere-se à autorização para acessar um recurso (chamamos de recurso de API).',
+  edit: 'Permissão de edição',
+  delete: 'Permissão de exclusão',
+  remove: 'Permissão de remoção',
+  updated: 'Permissão atualizada.',
+  edit_title: 'Editar permissão de API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..668c215bbce
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Chaves de assinatura',
+  description: 'Gerencie com segurança as chaves de assinatura usadas por suas aplicações.',
+  private_key: 'Chaves privadas OIDC',
+  private_keys_description: 'As chaves privadas OIDC são usadas para assinar tokens JWT.',
+  cookie_key: 'Chaves de cookie OIDC',
+  cookie_keys_description: 'As chaves de cookie OIDC são usadas para assinar cookies.',
+  private_keys_in_use: 'Chaves privadas em uso',
+  cookie_keys_in_use: 'Chaves de cookie em uso',
+  rotate_private_keys: 'Girar chaves privadas',
+  rotate_cookie_keys: 'Girar chaves de cookie',
+  rotate_private_keys_description:
+    'Esta ação criará uma nova chave privada de assinatura, girará a chave atual e removerá sua chave anterior. Seus tokens JWT assinados com a chave atual permanecerão válidos até a exclusão ou outra rodada de rotação.',
+  rotate_cookie_keys_description:
+    'Esta ação criará uma nova chave de cookie, girará a chave atual e removerá sua chave anterior. Seus cookies com a chave atual permanecerão válidos até a exclusão ou outra rodada de rotação.',
+  select_private_key_algorithm: 'Selecione o algoritmo de assinatura para a nova chave privada',
+  rotate_button: 'Girar',
+  table_column: {
+    id: 'ID',
+    status: 'Status',
+    algorithm: 'Algoritmo de assinatura',
+  },
+  status: {
+    current: 'Atual',
+    previous: 'Anterior',
+  },
+  reminder: {
+    rotate_private_key:
+      'Tem certeza de que deseja girar as <strong>chaves privadas do OIDC</strong>? Os novos tokens JWT emitidos serão assinados pela nova chave. Os tokens JWT existentes permanecem válidos até você girar novamente.',
+    rotate_cookie_key:
+      'Tem certeza de que deseja girar as <strong>chaves de cookie do OIDC</strong>? Novos cookies gerados em sessões de login serão assinados pela nova chave de cookie. Os cookies existentes permanecem válidos até você girar novamente.',
+    delete_private_key:
+      'Tem certeza de que deseja excluir a <strong>chave privada do OIDC</strong>? Tokens JWT existentes assinados com esta chave privada de assinatura não serão mais válidos.',
+    delete_cookie_key:
+      'Tem certeza de que deseja excluir a <strong>chave de cookie do OIDC</strong>? As sessões de login mais antigas com cookies assinados com esta chave de cookie não serão mais válidas. Será necessária uma nova autenticação para esses usuários.',
+  },
+  messages: {
+    rotate_key_success: 'Chaves de assinatura giradas com sucesso.',
+    delete_key_success: 'Chave excluída com sucesso.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-item.ts
index 7a52b4cbf65..0957749a4ad 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO Empresarial',
     not_eligible: 'Remova seu Enterprise SSO',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-table.ts
index c9e5c9bccfa..daed49af69f 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Funções de máquina-a-máquina',
     scopes_per_role: 'Permissões por função',
   },
-  audit_logs: {
-    title: 'Registros de auditoria',
-    retention: 'Retenção',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: 'Organização',
     organizations: 'Organizações',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Relatório SOC2',
     hipaa_or_baa_report: 'Relatório HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Ilimitado',
   contact: 'Contato',
   monthly_price: '${ { value, number } }/mês',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} por mês / cada',
   extra_mao_price: 'Então ${{value, number}} por MAO',
   per_month: '${{value, number}} por mês',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/tab-sections.ts
index a709d287e30..496f78405e6 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Visão geral',
-  resources: 'Recursos',
+  authentication: 'Autenticação',
+  authorization: 'Autorização',
   users: 'Usuários',
-  access_control: 'Controle de acesso',
-  help_and_support: 'Ajuda e suporte',
-  tenant: 'Locatário',
-  automation: 'Automação',
+  developer: 'Desenvolvedor',
+  tenant: 'Inquilino',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/tabs.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/tabs.ts
index ecc4893ea9f..04319680159 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Documentação',
   tenant_settings: 'Configurações',
   mfa: 'Autenticação de multi-fator',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Chaves de assinatura',
+  organization_template: 'Modelo de organização',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/tenants.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/tenants.ts
index 2f7674cd091..520b9c94932 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Gerencie eficientemente as configurações do locatário e personalize seu domínio.',
   tabs: {
     settings: 'Configurações',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domínios',
     subscription: 'Plano e faturamento',
     billing_history: 'Histórico de faturamento',
@@ -36,6 +38,17 @@ const tenants = {
       'A exclusão do locatário resultará na remoção permanente de todos os dados de usuário e configuração associados. Por favor, prossiga com cuidado.',
     tenant_deletion_button: 'Excluir locatário',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Criar inquilino',
     subtitle:
@@ -74,6 +87,12 @@ const tenants = {
     cannot_delete_description:
       'Desculpe, você não pode excluir este locatário no momento. Certifique-se de estar no Plano Gratuito e ter pago todas as faturas pendentes.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Você ainda não criou um inquilino',
     description:
@@ -92,47 +111,6 @@ const tenants = {
     description_2:
       'Se você precisa de mais esclarecimentos, tem alguma preocupação ou deseja restaurar a funcionalidade total e desbloquear seus locatários, não hesite em entrar em contato conosco imediatamente.',
   },
-  signing_keys: {
-    title: 'CHAVES DE ASSINATURA',
-    description: 'Gerencie de forma segura as chaves de assinatura em seu locatário.',
-    type: {
-      private_key: 'Chaves privadas do OIDC',
-      cookie_key: 'Chaves de cookie do OIDC',
-    },
-    private_keys_in_use: 'Chaves privadas em uso',
-    cookie_keys_in_use: 'Chaves de cookie em uso',
-    rotate_private_keys: 'Girar chaves privadas',
-    rotate_cookie_keys: 'Girar chaves de cookie',
-    rotate_private_keys_description:
-      'Esta ação criará uma nova chave privada de assinatura, girará a chave atual e removerá sua chave anterior. Seus tokens JWT assinados com a chave atual permanecerão válidos até a exclusão ou outra rodada de rotação.',
-    rotate_cookie_keys_description:
-      'Esta ação criará uma nova chave de cookie, girará a chave atual e removerá sua chave anterior. Seus cookies com a chave atual permanecerão válidos até a exclusão ou outra rodada de rotação.',
-    select_private_key_algorithm: 'Selecione o algoritmo de assinatura para a nova chave privada',
-    rotate_button: 'Girar',
-    table_column: {
-      id: 'ID',
-      status: 'Status',
-      algorithm: 'Algoritmo de assinatura',
-    },
-    status: {
-      current: 'Atual',
-      previous: 'Anterior',
-    },
-    reminder: {
-      rotate_private_key:
-        'Tem certeza de que deseja girar as <strong>chaves privadas do OIDC</strong>? Os novos tokens JWT emitidos serão assinados pela nova chave. Os tokens JWT existentes permanecem válidos até você girar novamente.',
-      rotate_cookie_key:
-        'Tem certeza de que deseja girar as <strong>chaves de cookie do OIDC</strong>? Novos cookies gerados em sessões de login serão assinados pela nova chave de cookie. Os cookies existentes permanecem válidos até você girar novamente.',
-      delete_private_key:
-        'Tem certeza de que deseja excluir a <strong>chave privada do OIDC</strong>? Tokens JWT existentes assinados com esta chave privada de assinatura não serão mais válidos.',
-      delete_cookie_key:
-        'Tem certeza de que deseja excluir a <strong>chave de cookie do OIDC</strong>? As sessões de login mais antigas com cookies assinados com esta chave de cookie não serão mais válidas. Será necessária uma nova autenticação para esses usuários.',
-    },
-    messages: {
-      rotate_key_success: 'Chaves de assinatura giradas com sucesso.',
-      delete_key_success: 'Chave excluída com sucesso.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/index.ts
index 22db3f9fd4c..0a456c196cc 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Recurso de API',
     machine_to_machine: 'aplicação máquina a máquina',
     tokens: '{{limit}}M tokens',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Você ultrapassou o limite de sua cota de {{item}}. O Logto adicionará cobranças pelo uso além do limite da cota. A cobrança começará no dia em que o novo design de preços do complemento for lançado. <a>Saiba mais</a>',
diff --git a/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/paywall.ts
index 4e525000ddf..2e63edfeacd 100644
--- a/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/pt-br/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/pt-pt/errors/index.ts b/packages/phrases/src/locales/pt-pt/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/pt-pt/errors/index.ts
+++ b/packages/phrases/src/locales/pt-pt/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/pt-pt/errors/jwt-customizer.ts b/packages/phrases/src/locales/pt-pt/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/pt-pt/errors/user.ts b/packages/phrases/src/locales/pt-pt/errors/user.ts
index 1fe77879727..602a8857aa3 100644
--- a/packages/phrases/src/locales/pt-pt/errors/user.ts
+++ b/packages/phrases/src/locales/pt-pt/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resource-details.ts
index 81c95099e14..6d8ecd8ce1b 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Detalhes do recurso da API',
   back_to_api_resources: 'Voltar aos recursos da API',
-  settings_tab: 'Configurações',
+  general_tab: 'Geral',
   permissions_tab: 'Permissões',
   settings: 'Configurações',
   settings_description:
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resources.ts
index 6cb4822bcf4..ebac242fb18 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Somente uma API padrão pode ser definida por inquilino. Quando uma API padrão é definida, o parâmetro de recurso pode ser omitido na solicitação de autorização. Subsequentes trocas de token usarão essa API como audiência por padrão, resultando na emissão de JWTs. <a>Saiba mais</a>',
   api_resource_created: 'O recurso de API {{name}} foi criado com sucesso',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/general.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/general.ts
index da2e3cf4b9e..d2ee6be285b 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Personalizar',
   enable: 'Ativar',
   reminder: 'Lembrete',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Eliminar',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: 'Editar {{field}}',
   delete_field: 'Eliminar {{field}}',
   coming_soon: 'Em breve',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/index.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/index.ts
index 774ab6c00bb..5accb22768d 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/invitation.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..fb73fb7228a
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Detalhes da função da organização',
+  back_to_org_roles: 'Voltar para funções da org',
+  org_role: 'Função da organização',
+  delete_confirm:
+    'Ao fazê-lo, serão removidas as permissões associadas a esta função dos utilizadores afetados e serão eliminadas as relações entre funções da organização, membros na organização e permissões da organização.',
+  deleted: 'O papel da organização {{name}} foi removido com sucesso.',
+  permissions: {
+    tab: 'Permissões',
+    name_column: 'Permissão',
+    description_column: 'Descrição',
+    type_column: 'Tipo de permissão',
+    type: {
+      api: 'Permissão da API',
+      org: 'Permissão da org',
+    },
+    assign_permissions: 'Atribuir permissões',
+    remove_permission: 'Remover permissão',
+    remove_confirmation:
+      'Se esta permissão for removida, o utilizador com esta função organizacional perderá o acesso concedido por esta permissão.',
+    removed: 'A permissão {{name}} foi removida com sucesso desta função organizacional',
+  },
+  general: {
+    tab: 'Geral',
+    settings: 'Configurações',
+    description:
+      'A função da organização é um agrupamento de permissões que podem ser atribuídas aos usuários. As permissões devem vir das permissões predefinidas da organização.',
+    name_field: 'Nome',
+    description_field: 'Descrição',
+    description_field_placeholder: 'Utilizadores com permissões apenas de visualização',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..d68676414b8
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Modelo de organização',
+  subtitle:
+    'Em aplicações SaaS multi-inquilino, é comum várias organizações partilharem políticas de controlo de acesso idênticas, incluindo permissões e papéis. No Logto, este conceito é denominado "modelo de organização". A sua utilização simplifica o processo de construção e desenho do seu modelo de autorização.',
+  roles: {
+    tab_name: 'Papéis da org',
+    search_placeholder: 'Procurar por nome do papel',
+    create_title: 'Criar papel da org',
+    role_column: 'Papel da org',
+    permissions_column: 'Permissões',
+    placeholder_title: 'Papel da organização',
+    placeholder_description:
+      'O papel da organização é um agrupamento de permissões que podem ser atribuídas a utilizadores. As permissões devem provir das permissões organizacionais predefinidas.',
+    create_modal: {
+      title: 'Criar função da organização',
+      create: 'Criar função',
+      name_field: 'Nome da função',
+      description_field: 'Descrição',
+      created: 'A função da organização {{name}} foi criada com sucesso.',
+    },
+  },
+  permissions: {
+    tab_name: 'Permissões da org',
+    search_placeholder: 'Procurar por nome da permissão',
+    create_org_permission: 'Criar permissão da org',
+    permission_column: 'Permissão',
+    description_column: 'Descrição',
+    placeholder_title: 'Permissão da organização',
+    placeholder_description:
+      'A permissão da organização refere-se à autorização para aceder a um recurso no contexto da organização.',
+    delete_confirm:
+      'Se esta permissão for apagada, todos os papéis da organização que incluam esta permissão perderão a mesma, e utilizadores que tinham esta permissão perderão o acesso concedido por ela.',
+    create_title: 'Criar permissão de organização',
+    edit_title: 'Editar permissão de organização',
+    permission_field_name: 'Nome da permissão',
+    description_field_name: 'Descrição',
+    description_field_placeholder: 'Ler histórico de compromissos',
+    create_permission: 'Criar permissão',
+    created: 'A permissão de organização {{name}} foi criada com sucesso.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/permissions.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/permissions.ts
index 33a3b7e7a08..fd41da9d23a 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Permissão',
   placeholder_description:
     'Permissão refere-se à autorização para acessar um recurso (que chamamos de recurso da API).',
+  edit: 'Permissão de edição',
+  delete: 'Permissão de eliminação',
+  remove: 'Permissão para remover',
+  updated: 'Permissão atualizada.',
+  edit_title: 'Editar permissão da API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..d0ff80d0627
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Chaves de assinatura',
+  description: 'Gerir de forma segura as chaves de assinatura utilizadas pelas suas aplicações.',
+  private_key: 'Chaves privadas OIDC',
+  private_keys_description: 'As chaves privadas OIDC são usadas para assinar tokens JWT.',
+  cookie_key: 'Chaves de cookie OIDC',
+  cookie_keys_description: 'As chaves de cookie OIDC são usadas para assinar cookies.',
+  private_keys_in_use: 'Chaves privadas em uso',
+  cookie_keys_in_use: 'Chaves de cookies em uso',
+  rotate_private_keys: 'Rodar chaves privadas',
+  rotate_cookie_keys: 'Rodar chaves de cookies',
+  rotate_private_keys_description:
+    'Esta ação criará uma nova chave privada de assinatura, rodará a chave atual e removerá a chave anterior. Os seus tokens JWT assinados com a chave atual permanecerão válidos até à eliminação ou outra rodada de rotação.',
+  rotate_cookie_keys_description:
+    'Esta ação criará uma nova chave de cookie, rodará a chave atual e removerá a chave anterior. Os seus cookies com a chave atual permanecerão válidos até à eliminação ou outra rodada de rotação.',
+  select_private_key_algorithm: 'Selecionar o algoritmo de assinatura para a nova chave privada',
+  rotate_button: 'Rodar',
+  table_column: {
+    id: 'ID',
+    status: 'Estado',
+    algorithm: 'Algoritmo de assinatura da chave',
+  },
+  status: {
+    current: 'Atual',
+    previous: 'Anterior',
+  },
+  reminder: {
+    rotate_private_key:
+      'Tem a certeza de que pretende rodar as <strong>chaves privadas OIDC</strong>? Os novos tokens JWT emitidos serão assinados pela nova chave. Os tokens JWT existentes permanecem válidos até rodar novamente.',
+    rotate_cookie_key:
+      'Tem a certeza de que pretende rodar as <strong>chaves de cookies OIDC</strong>? Os novos cookies gerados em sessões de login serão assinados pela nova chave de cookie. Os cookies existentes permanecem válidos até rodar novamente.',
+    delete_private_key:
+      'Tem a certeza de que pretende eliminar a <strong>chave privada OIDC</strong>? Os tokens JWT existentes assinados com esta chave de assinatura privada deixarão de ser válidos.',
+    delete_cookie_key:
+      'Tem a certeza de que pretende eliminar a <strong>chave de cookie OIDC</strong>? As sessões de login antigas com cookies assinados com esta chave de cookie deixarão de ser válidas. É necessária uma nova autenticação para estes utilizadores.',
+  },
+  messages: {
+    rotate_key_success: 'Chaves de assinatura rodadas com sucesso.',
+    delete_key_success: 'Chave eliminada com sucesso.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-item.ts
index b28ca64706c..fe265a50c76 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'SSO Empresarial',
     not_eligible: 'Remover o teu SSO Empresarial',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-table.ts
index 465c1741034..b5baaeb2395 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Funções de máquina para máquina',
     scopes_per_role: 'Permissões por função',
   },
-  audit_logs: {
-    title: 'Registos de auditoria',
-    retention: 'Retenção',
-  },
-  hooks: {
-    title: 'Hooks',
-    hooks: 'Hooks',
-  },
   organizations: {
     title: 'Organização',
     organizations: 'Organizações',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Relatório SOC2',
     hipaa_or_baa_report: 'Relatório HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Ilimitado',
   contact: 'Contactar',
   monthly_price: '${{value, number}}/mês',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} por mês / cada um',
   extra_mao_price: 'Depois ${{value, number}} por MAO',
   per_month: '${{value, number}} por mês',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/tab-sections.ts
index ad61c661f7a..228d4bf825d 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
-  overview: 'Vista geral',
-  resources: 'Recursos',
+  overview: 'Visão geral',
+  authentication: 'Autenticação',
+  authorization: 'Autorização',
   users: 'Utilizadores',
-  access_control: 'Controlo de acesso',
-  help_and_support: 'Ajuda e suporte',
-  tenant: 'Arrendatário',
-  automation: 'Automação',
+  developer: 'Desenvolvedor',
+  tenant: 'Inquilino',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/tabs.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/tabs.ts
index 5a2ca047fc4..6b5cebe4e83 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Documentação',
   tenant_settings: 'Definições do inquilino',
   mfa: 'Autenticação multi-fator',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Chaves de assinatura',
+  organization_template: 'Modelo de organização',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/tenants.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/tenants.ts
index 9c6ca182847..42610c5082e 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Gerir eficientemente as configurações do inquilino e personalizar o seu domínio.',
   tabs: {
     settings: 'Definições',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Domínios',
     subscription: 'Plano e faturação',
     billing_history: 'Histórico de faturação',
@@ -36,6 +38,17 @@ const tenants = {
       'A eliminação do inquilino resultará na remoção permanente de todos os dados de utilizador e configuração associados. Por favor, proceda com cuidado.',
     tenant_deletion_button: 'Eliminar inquilino',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Criar inquilino',
     subtitle:
@@ -74,6 +87,12 @@ const tenants = {
     cannot_delete_description:
       'Desculpe, não é possível apagar este inquilino neste momento. Certifique-se de estar no Plano Gratuito e de ter pago todas as faturas em atraso.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Ainda não criou um inquilino',
     description:
@@ -92,47 +111,6 @@ const tenants = {
     description_2:
       'Se precisar de mais esclarecimentos, tiver alguma preocupação ou desejar restaurar a funcionalidade completa e desbloquear os seus inquilinos, não hesite em contactar-nos imediatamente.',
   },
-  signing_keys: {
-    title: 'CHAVES DE ASSINATURA',
-    description: 'Gerir de forma segura as chaves de assinatura no seu inquilino.',
-    type: {
-      private_key: 'Chaves privadas OIDC',
-      cookie_key: 'Chaves de cookies OIDC',
-    },
-    private_keys_in_use: 'Chaves privadas em uso',
-    cookie_keys_in_use: 'Chaves de cookies em uso',
-    rotate_private_keys: 'Rodar chaves privadas',
-    rotate_cookie_keys: 'Rodar chaves de cookies',
-    rotate_private_keys_description:
-      'Esta ação criará uma nova chave privada de assinatura, rodará a chave atual e removerá a chave anterior. Os seus tokens JWT assinados com a chave atual permanecerão válidos até à eliminação ou outra rodada de rotação.',
-    rotate_cookie_keys_description:
-      'Esta ação criará uma nova chave de cookie, rodará a chave atual e removerá a chave anterior. Os seus cookies com a chave atual permanecerão válidos até à eliminação ou outra rodada de rotação.',
-    select_private_key_algorithm: 'Selecionar o algoritmo de assinatura para a nova chave privada',
-    rotate_button: 'Rodar',
-    table_column: {
-      id: 'ID',
-      status: 'Estado',
-      algorithm: 'Algoritmo de assinatura da chave',
-    },
-    status: {
-      current: 'Atual',
-      previous: 'Anterior',
-    },
-    reminder: {
-      rotate_private_key:
-        'Tem a certeza de que pretende rodar as <strong>chaves privadas OIDC</strong>? Os novos tokens JWT emitidos serão assinados pela nova chave. Os tokens JWT existentes permanecem válidos até rodar novamente.',
-      rotate_cookie_key:
-        'Tem a certeza de que pretende rodar as <strong>chaves de cookies OIDC</strong>? Os novos cookies gerados em sessões de login serão assinados pela nova chave de cookie. Os cookies existentes permanecem válidos até rodar novamente.',
-      delete_private_key:
-        'Tem a certeza de que pretende eliminar a <strong>chave privada OIDC</strong>? Os tokens JWT existentes assinados com esta chave de assinatura privada deixarão de ser válidos.',
-      delete_cookie_key:
-        'Tem a certeza de que pretende eliminar a <strong>chave de cookie OIDC</strong>? As sessões de login antigas com cookies assinados com esta chave de cookie deixarão de ser válidas. É necessária uma nova autenticação para estes utilizadores.',
-    },
-    messages: {
-      rotate_key_success: 'Chaves de assinatura rodadas com sucesso.',
-      delete_key_success: 'Chave eliminada com sucesso.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/index.ts
index 22db3f9fd4c..0a456c196cc 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'Recurso de API',
     machine_to_machine: 'aplicação máquina a máquina',
     tokens: '{{limit}}M tokens',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Você ultrapassou o limite de sua cota de {{item}}. O Logto adicionará cobranças pelo uso além do limite da cota. A cobrança começará no dia em que o novo design de preços do complemento for lançado. <a>Saiba mais</a>',
diff --git a/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/paywall.ts
index 66e36fe7da9..0b5f7d1ec34 100644
--- a/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/pt-pt/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/ru/errors/index.ts b/packages/phrases/src/locales/ru/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/ru/errors/index.ts
+++ b/packages/phrases/src/locales/ru/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/ru/errors/jwt-customizer.ts b/packages/phrases/src/locales/ru/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/ru/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/ru/errors/user.ts b/packages/phrases/src/locales/ru/errors/user.ts
index 672c3a1c053..6ca739d0054 100644
--- a/packages/phrases/src/locales/ru/errors/user.ts
+++ b/packages/phrases/src/locales/ru/errors/user.ts
@@ -33,6 +33,10 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/ru/translation/admin-console/api-resource-details.ts
index 38787360480..0c2496da8e0 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'Детали ресурса API',
   back_to_api_resources: 'Вернуться к Ресурсам API',
-  settings_tab: 'Настройки',
+  general_tab: 'Общее',
   permissions_tab: 'Разрешения',
   settings: 'Настройки',
   settings_description:
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/ru/translation/admin-console/api-resources.ts
index 5478b03b1d6..d7f356b557f 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'В каждом арендаторе может быть только один API по умолчанию. Когда устанавливается API по умолчанию, можно опустить параметр <a>resource</a> в запросе на аутентификацию. Последующие запросы на обмен токенами будут использовать указанное API в качестве аудитории по умолчанию, что приведет к выдаче JWT. <a>Узнать больше</a>',
   api_resource_created: 'Ресурс API {{name}} был успешно создан',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/general.ts b/packages/phrases/src/locales/ru/translation/admin-console/general.ts
index 77164065f9c..00b62d2d9d3 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Настроить',
   enable: 'Включить',
   reminder: 'Напоминание',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Удалить',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: 'Изменить {{field}}',
   delete_field: 'Удалить {{field}}',
   coming_soon: 'Скоро',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/index.ts b/packages/phrases/src/locales/ru/translation/admin-console/index.ts
index 2e290287bc5..0ce13f2512d 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/invitation.ts b/packages/phrases/src/locales/ru/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/ru/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/ru/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..e209d125778
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Детали роли организации',
+  back_to_org_roles: 'Вернуться к ролям организации',
+  org_role: 'Роль организации',
+  delete_confirm:
+    'При этом будут удалены разрешения, связанные с этой ролью, у затронутых пользователей, и будут удалены связи между ролями организации, членами организации и правами организации.',
+  deleted: 'Роль организации {{name}} успешно удалена.',
+  permissions: {
+    tab: 'Разрешения',
+    name_column: 'Разрешение',
+    description_column: 'Описание',
+    type_column: 'Тип разрешения',
+    type: {
+      api: 'Разрешение API',
+      org: 'Разрешение организации',
+    },
+    assign_permissions: 'Назначить разрешения',
+    remove_permission: 'Удалить разрешение',
+    remove_confirmation:
+      'Если это разрешение будет удалено, пользователь с этой организационной ролью потеряет доступ, предоставленный этим разрешением.',
+    removed: 'Разрешение {{name}} успешно удалено из этой организационной роли',
+  },
+  general: {
+    tab: 'Общее',
+    settings: 'Настройки',
+    description:
+      'Роль организации - это группировка разрешений, которые можно назначить пользователям. Разрешения должны быть взяты из предопределенных разрешений организации.',
+    name_field: 'Имя',
+    description_field: 'Описание',
+    description_field_placeholder: 'Пользователи с правами только на просмотр',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/ru/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..9b9504ca317
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Шаблон организации',
+  subtitle:
+    'В многоарендных SaaS-приложениях обычно несколько организаций делят идентичные политики контроля доступа, включая разрешения и роли. В Logto этот концепт называется "шаблон организации". Его использование упрощает процесс построения и проектирования вашей модели авторизации.',
+  roles: {
+    tab_name: 'Роли орг',
+    search_placeholder: 'Поиск по названию роли',
+    create_title: 'Создать роль орг',
+    role_column: 'Роль орг',
+    permissions_column: 'Разрешения',
+    placeholder_title: 'Роль организации',
+    placeholder_description:
+      'Роль организации - это группировка разрешений, которые могут быть назначены пользователям. Разрешения должны происходить из предопределенных разрешений организации.',
+    create_modal: {
+      title: 'Создать роль организации',
+      create: 'Создать роль',
+      name_field: 'Название роли',
+      description_field: 'Описание',
+      created: 'Роль организации {{name}} успешно создана.',
+    },
+  },
+  permissions: {
+    tab_name: 'Разрешения орг',
+    search_placeholder: 'Поиск по названию разрешения',
+    create_org_permission: 'Создать разрешение орг',
+    permission_column: 'Разрешение',
+    description_column: 'Описание',
+    placeholder_title: 'Разрешение организации',
+    placeholder_description:
+      'Разрешение организации относится к авторизации на доступ к ресурсу в контексте организации.',
+    delete_confirm:
+      'Если это разрешение будет удалено, все роли организации, включающие это разрешение, потеряют его, и пользователи, имевшие это разрешение, потеряют доступ, предоставленный им.',
+    create_title: 'Создание разрешения организации',
+    edit_title: 'Редактирование разрешения организации',
+    permission_field_name: 'Название разрешения',
+    description_field_name: 'Описание',
+    description_field_placeholder: 'Читать историю назначений',
+    create_permission: 'Создать разрешение',
+    created: 'Разрешение для организации {{name}} успешно создано.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/permissions.ts b/packages/phrases/src/locales/ru/translation/admin-console/permissions.ts
index fdc737f32e6..a25457a053d 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'Разрешение',
   placeholder_description:
     'Разрешение относится к авторизации доступа к ресурсу (мы называем это ресурсом API).',
+  edit: 'Разрешение на редактирование',
+  delete: 'Разрешение на удаление',
+  remove: 'Разрешение на удаление',
+  updated: 'Разрешение обновлено.',
+  edit_title: 'Редактировать разрешение API',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/ru/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..beb260f5171
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: 'Ключи подписи',
+  description: 'Безопасное управление ключами подписи, используемыми вашими приложениями.',
+  private_key: 'Приватные ключи OIDC',
+  private_keys_description: 'Приватные ключи OIDC используются для подписи токенов JWT.',
+  cookie_key: 'Ключи куки OIDC',
+  cookie_keys_description: 'Ключи куки OIDC используются для подписи куки.',
+  private_keys_in_use: 'Используемые закрытые ключи',
+  cookie_keys_in_use: 'Используемые ключи cookie',
+  rotate_private_keys: 'Повернуть закрытые ключи',
+  rotate_cookie_keys: 'Повернуть ключи cookie',
+  rotate_private_keys_description:
+    'Это действие создаст новый закрытый ключ подписи, повернет текущий ключ и удалит предыдущий. Ваши JWT-токены, подписанные текущим ключом, останутся действительными до удаления или следующего раунда поворота.',
+  rotate_cookie_keys_description:
+    'Это действие создаст новый ключ cookie, повернет текущий ключ и удалит предыдущий. Ваши файлы cookie с текущим ключом останутся действительными до удаления или следующего раунда поворота.',
+  select_private_key_algorithm: 'Выберите алгоритм подписи ключа для нового закрытого ключа',
+  rotate_button: 'Повернуть',
+  table_column: {
+    id: 'ID',
+    status: 'Статус',
+    algorithm: 'Алгоритм подписи ключа',
+  },
+  status: {
+    current: 'Текущий',
+    previous: 'Предыдущий',
+  },
+  reminder: {
+    rotate_private_key:
+      'Вы уверены, что хотите повернуть <strong>OIDC закрытые ключи</strong>? Новые выданные JWT-токены будут подписаны новым ключом. Существующие JWT-токены останутся действительными до следующего поворота.',
+    rotate_cookie_key:
+      'Вы уверены, что хотите повернуть <strong>Ключи cookie OIDC</strong>? Новые файлы cookie, созданные в сеансах входа в систему, будут подписаны новым ключом cookie. Существующие файлы cookie останутся действительными до следующего поворота.',
+    delete_private_key:
+      'Вы уверены, что хотите удалить <strong>OIDC закрытый ключ</strong>? Существующие JWT-токены, подписанные этим закрытым ключом, больше не будут действительными.',
+    delete_cookie_key:
+      'Вы уверены, что хотите удалить <strong>Ключ cookie OIDC</strong>? Более старые сеансы входа в систему с файлами cookie, подписанными этим ключом cookie, больше не будут действительными. Для этих пользователей требуется повторная авторизация.',
+  },
+  messages: {
+    rotate_key_success: 'Ключи подписи успешно повернуты.',
+    delete_key_success: 'Ключ успешно удален.',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-item.ts
index 615cfcb7978..437453cadce 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'Единый вход для предприятий',
     not_eligible: 'Удалите свой Единый вход для предприятий',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-table.ts
index 16988a1a468..9310d0f284a 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Роли машины-машины',
     scopes_per_role: 'Разрешения на роль',
   },
-  audit_logs: {
-    title: 'Аудит журналов',
-    retention: 'Сохранение',
-  },
-  hooks: {
-    title: 'Вебхуки',
-    hooks: 'Вебхуки',
-  },
   organizations: {
     title: 'Организация',
     organizations: 'Организации',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'Отчет SOC2',
     hipaa_or_baa_report: 'Отчет HIPAA/BAA',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Неограниченно',
   contact: 'Связаться',
   monthly_price: '${{value, number}}/мес.',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: '${{value, number}} в месяц / за каждый',
   extra_mao_price: 'Затем ${{value, number}} за MAO',
   per_month: '${{value, number}} в месяц',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/ru/translation/admin-console/tab-sections.ts
index 00cd715b0d8..4af34b42704 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Обзор',
-  resources: 'Ресурсы',
+  authentication: 'Аутентификация',
+  authorization: 'Авторизация',
   users: 'Пользователи',
-  access_control: 'Управление доступом',
-  help_and_support: 'Помощь и поддержка',
+  developer: 'Разработчик',
   tenant: 'Арендатор',
-  automation: 'Автоматизация',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/tabs.ts b/packages/phrases/src/locales/ru/translation/admin-console/tabs.ts
index 28b15b2d842..61c881c5a91 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Документация',
   tenant_settings: 'Настройки',
   mfa: 'Multi-factor auth',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'Ключи подписи',
+  organization_template: 'Шаблон организации',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/ru/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/ru/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/tenants.ts b/packages/phrases/src/locales/ru/translation/admin-console/tenants.ts
index 0ac4104b24f..bc89bc0c02b 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Эффективное управление настройками арендатора и настройка вашего домена.',
   tabs: {
     settings: 'Настройки',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Домены',
     subscription: 'План и выставление счетов',
     billing_history: 'История выставления счетов',
@@ -35,6 +37,17 @@ const tenants = {
       'Удаление арендатора приведет к окончательному удалению всех связанных пользовательских данных и настроек. Пожалуйста, действуйте осторожно.',
     tenant_deletion_button: 'Удалить арендатора',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Создать арендатора',
     subtitle:
@@ -74,6 +87,12 @@ const tenants = {
     cannot_delete_description:
       'Извините, вы не можете удалить этого арендатора прямо сейчас. Пожалуйста, убедитесь, что вы используете бесплатный план и оплатили все невыполненные счета.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Вы еще не создали арендатора',
     description:
@@ -92,47 +111,6 @@ const tenants = {
     description_2:
       'Если вам нужна дополнительная информация или у вас возникли какие-либо вопросы или вы хотите восстановить полную функциональность и разблокировать своих арендаторов, не стесняйтесь немедленно связаться с нами.',
   },
-  signing_keys: {
-    title: 'УПРАВЛЕНИЕ КЛЮЧАМИ ПОДПИСИ',
-    description: 'Безопасное управление ключами подписи в вашем арендаторе.',
-    type: {
-      private_key: 'OIDC закрытые ключи',
-      cookie_key: 'Ключи cookie OIDC',
-    },
-    private_keys_in_use: 'Используемые закрытые ключи',
-    cookie_keys_in_use: 'Используемые ключи cookie',
-    rotate_private_keys: 'Повернуть закрытые ключи',
-    rotate_cookie_keys: 'Повернуть ключи cookie',
-    rotate_private_keys_description:
-      'Это действие создаст новый закрытый ключ подписи, повернет текущий ключ и удалит предыдущий. Ваши JWT-токены, подписанные текущим ключом, останутся действительными до удаления или следующего раунда поворота.',
-    rotate_cookie_keys_description:
-      'Это действие создаст новый ключ cookie, повернет текущий ключ и удалит предыдущий. Ваши файлы cookie с текущим ключом останутся действительными до удаления или следующего раунда поворота.',
-    select_private_key_algorithm: 'Выберите алгоритм подписи ключа для нового закрытого ключа',
-    rotate_button: 'Повернуть',
-    table_column: {
-      id: 'ID',
-      status: 'Статус',
-      algorithm: 'Алгоритм подписи ключа',
-    },
-    status: {
-      current: 'Текущий',
-      previous: 'Предыдущий',
-    },
-    reminder: {
-      rotate_private_key:
-        'Вы уверены, что хотите повернуть <strong>OIDC закрытые ключи</strong>? Новые выданные JWT-токены будут подписаны новым ключом. Существующие JWT-токены останутся действительными до следующего поворота.',
-      rotate_cookie_key:
-        'Вы уверены, что хотите повернуть <strong>Ключи cookie OIDC</strong>? Новые файлы cookie, созданные в сеансах входа в систему, будут подписаны новым ключом cookie. Существующие файлы cookie останутся действительными до следующего поворота.',
-      delete_private_key:
-        'Вы уверены, что хотите удалить <strong>OIDC закрытый ключ</strong>? Существующие JWT-токены, подписанные этим закрытым ключом, больше не будут действительными.',
-      delete_cookie_key:
-        'Вы уверены, что хотите удалить <strong>Ключ cookie OIDC</strong>? Более старые сеансы входа в систему с файлами cookie, подписанными этим ключом cookie, больше не будут действительными. Для этих пользователей требуется повторная авторизация.',
-    },
-    messages: {
-      rotate_key_success: 'Ключи подписи успешно повернуты.',
-      delete_key_success: 'Ключ успешно удален.',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/ru/translation/admin-console/upsell/index.ts
index 52ce82e1dc0..629fa809ebe 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API-ресурс',
     machine_to_machine: 'приложение "машина-машина"',
     tokens: '{{limit}}M токенов',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     'Вы превысили лимит вашей квоты по {{item}}. Logto начнет взимать плату за использование сверх вашей квоты. Начисление начнется в день выпуска нового дизайна цен на дополнение. <a>Узнать больше</a>',
diff --git a/packages/phrases/src/locales/ru/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/ru/translation/admin-console/upsell/paywall.ts
index 6763cdc3eb9..6601a707456 100644
--- a/packages/phrases/src/locales/ru/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/ru/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/tr-tr/errors/index.ts b/packages/phrases/src/locales/tr-tr/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/tr-tr/errors/index.ts
+++ b/packages/phrases/src/locales/tr-tr/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/tr-tr/errors/jwt-customizer.ts b/packages/phrases/src/locales/tr-tr/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/tr-tr/errors/user.ts b/packages/phrases/src/locales/tr-tr/errors/user.ts
index 3c50b6cc106..11ba8ded99d 100644
--- a/packages/phrases/src/locales/tr-tr/errors/user.ts
+++ b/packages/phrases/src/locales/tr-tr/errors/user.ts
@@ -32,6 +32,10 @@ const user = {
   missing_mfa: 'You need to bind additional MFA before signing-in.',
   totp_already_in_use: 'TOTP is already in use.',
   backup_code_already_in_use: 'Backup code is already in use.',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resource-details.ts
index e15d0d97cfe..698bd479b54 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API Kaynak detayları',
   back_to_api_resources: 'API Kaynaklarına geri dön',
-  settings_tab: 'Ayarlar',
+  general_tab: 'Genel',
   permissions_tab: 'İzinler',
   settings: 'Ayarlar',
   settings_description:
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resources.ts
index 10b0221889d..241dd02bc41 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     'Mandant başına sadece sıfır veya bir varsayılan API ayarlanabilir. Varsayılan bir API belirlendiğinde, auth isteğindeki kaynak parametresi çıkarılabilir. Sonraki token değişimlerinde varsayılan olarak bu API hedef alınarak JWTler oluşturulur. <a>Daha fazla bilgi edinin</a>',
   api_resource_created: '{{name}} API kaynağı başarıyla oluşturuldu',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/general.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/general.ts
index 0a6d83cd984..f1bb0d53db0 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: 'Özelleştir',
   enable: 'Etkinleştir',
   reminder: 'Hatırlatıcı',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: 'Sil',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -70,6 +72,8 @@ const general = {
   edit_field: '{{field}} Düzenle',
   delete_field: '{{field}} Sil',
   coming_soon: 'Yakında',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/index.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/index.ts
index b1aabc9ebbc..2fc5cb339de 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/invitation.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..ad4c9626aa2
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,34 @@
+const organization_role_details = {
+  page_title: 'Kuruluş rolü ayrıntıları',
+  back_to_org_roles: 'Kuruluş rollerine geri dön',
+  org_role: 'Kuruluş rolü',
+  delete_confirm:
+    'Bunu yapmak, etkilenen kullanıcılardan bu role ilişkilendirilen izinleri kaldıracak ve organizasyon rolleri, organizasyon üyeleri ve organizasyon izinleri arasındaki ilişkileri silecektir.',
+  deleted: 'Kuruluş rolü {{name}} başarıyla silindi.',
+  permissions: {
+    tab: 'İzinler',
+    name_column: 'İzin',
+    description_column: 'Açıklama',
+    type_column: 'İzin türü',
+    type: {
+      api: 'API izni',
+      org: 'Kuruluş izni',
+    },
+    assign_permissions: 'İzinleri atama',
+    remove_permission: 'İzni kaldır',
+    remove_confirmation:
+      'Bu izin kaldırılırsa, bu organizasyon rolüne sahip kullanıcı bu izin tarafından verilen erişimi kaybeder.',
+    removed: '{{name}} izni bu organizasyon rolünden başarıyla kaldırıldı',
+  },
+  general: {
+    tab: 'Genel',
+    settings: 'Ayarlar',
+    description:
+      'Kuruluş rolü, kullanıcılara atanabilecek izinlerin bir gruplamasıdır. İzinler, önceden tanımlanmış kuruluş izinlerinden gelmelidir.',
+    name_field: 'Adı',
+    description_field: 'Açıklama',
+    description_field_placeholder: 'Yalnızca görüntüleme izinlerine sahip kullanıcılar',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..17f29c4e705
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/organization-template.ts
@@ -0,0 +1,43 @@
+const organization_template = {
+  title: 'Organizasyon şablonu',
+  subtitle:
+    'Çok kiracılı SaaS uygulamalarında, birden fazla organizasyonun aynı erişim kontrol politikalarını, izinleri ve rolleri dahil olmak üzere paylaşması yaygındır. Logto\'da bu kavram "organizasyon şablonu" olarak adlandırılır. Bunu kullanmak, yetkilendirme modelinizi oluşturma ve tasarlama sürecini basitleştirir.',
+  roles: {
+    tab_name: 'Org rolleri',
+    search_placeholder: 'Role adı ile ara',
+    create_title: 'Org rolü oluştur',
+    role_column: 'Org rolü',
+    permissions_column: 'İzinler',
+    placeholder_title: 'Organizasyon rolü',
+    placeholder_description:
+      'Organizasyon rolü, kullanıcılara atanabilecek izinlerin bir gruplamasıdır. İzinler, önceden belirlenmiş organizasyon izinlerinden gelmelidir.',
+    create_modal: {
+      title: 'Kuruluş rolü oluştur',
+      create: 'Rol oluştur',
+      name_field: 'Rol adı',
+      description_field: 'Açıklama',
+      created: 'Kuruluş rolü {{name}} başarıyla oluşturuldu.',
+    },
+  },
+  permissions: {
+    tab_name: 'Org izinleri',
+    search_placeholder: 'İzin adı ile ara',
+    create_org_permission: 'Org izni oluştur',
+    permission_column: 'İzin',
+    description_column: 'Açıklama',
+    placeholder_title: 'Organizasyon izni',
+    placeholder_description:
+      'Organizasyon izni, organizasyon bağlamında bir kaynağa erişim yetkisi anlamına gelir.',
+    delete_confirm:
+      'Bu izin silinirse, bu izni içeren tüm organizasyon rolleri bu izni kaybeder ve bu izne sahip kullanıcılar, bu izin tarafından verilen erişimi kaybeder.',
+    create_title: 'Organizasyon izni oluştur',
+    edit_title: 'Organizasyon iznini düzenle',
+    permission_field_name: 'İzin adı',
+    description_field_name: 'Açıklama',
+    description_field_placeholder: 'Randevu geçmişini oku',
+    create_permission: 'İzin oluştur',
+    created: 'Kuruluş izni {{name}} başarıyla oluşturuldu.',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/permissions.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/permissions.ts
index 5b5acdad698..94b6bf98ce6 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/permissions.ts
@@ -7,6 +7,11 @@ const permissions = {
   placeholder_title: 'İzin',
   placeholder_description:
     'İzin, bir kaynağa erişmek için yetki verme durumunu ifade eder (biz buna API kaynağı diyoruz).',
+  edit: 'Düzenleme izni',
+  delete: 'Silme izni',
+  remove: 'Kaldırma izni',
+  updated: 'İzin güncellendi.',
+  edit_title: 'API iznini düzenle',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..fe3eb9bf94c
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/signing-keys.ts
@@ -0,0 +1,44 @@
+const signing_keys = {
+  title: 'İmza Anahtarları',
+  description:
+    'Uygulamalarınız tarafından kullanılan imza anahtarlarını güvenli bir şekilde yönetin.',
+  private_key: 'OIDC özel anahtarları',
+  private_keys_description: 'OIDC özel anahtarları JWT belgelerini imzalamak için kullanılır.',
+  cookie_key: 'OIDC çerez anahtarları',
+  cookie_keys_description: 'OIDC çerez anahtarları çerezleri imzalamak için kullanılır.',
+  private_keys_in_use: 'Kullanılan özel anahtarlar',
+  cookie_keys_in_use: 'Kullanılan çerez anahtarları',
+  rotate_private_keys: 'Özel anahtarları döndür',
+  rotate_cookie_keys: 'Çerez anahtarlarını döndür',
+  rotate_private_keys_description:
+    'Bu işlem yeni bir özel imzalama anahtarı oluşturacak, mevcut anahtarı döndürecek ve önceki anahtarınızı kaldıracak. Güncel anahtar ile imzalanmış JWT jetonlarınız silinene veya başka bir döndürme turuna kadar geçerli kalacaktır.',
+  rotate_cookie_keys_description:
+    'Bu işlem yeni bir çerez anahtarı oluşturacak, mevcut anahtarı döndürecek ve önceki anahtarınızı kaldıracak. Güncel anahtar ile imzalanmış çerezleriniz silinene veya başka bir döndürme turuna kadar geçerli kalacaktır.',
+  select_private_key_algorithm: 'Yeni özel anahtar için imzalama anahtar algoritmasını seçin',
+  rotate_button: 'Döndür',
+  table_column: {
+    id: 'Kimlik',
+    status: 'Durum',
+    algorithm: 'İmzalama anahtar algoritması',
+  },
+  status: {
+    current: 'Geçerli',
+    previous: 'Önceki',
+  },
+  reminder: {
+    rotate_private_key:
+      '<strong>OIDC özel anahtarlarını</strong> döndürmek istediğinizden emin misiniz? Yeni verilen JWT jetonları yeni anahtarla imzalanacaktır. Var olan JWT jetonları, tekrar döndürünceye kadar geçerli kalacaktır.',
+    rotate_cookie_key:
+      '<strong>OIDC çerez anahtarlarını</strong> döndürmek istediğinizden emin misiniz? Oturum açma oturumlarında yeni oluşturulan çerezler yeni çerez anahtarıyla imzalanacaktır. Var olan çerezler, tekrar döndürünceye kadar geçerli kalacaktır.',
+    delete_private_key:
+      '<strong>OIDC özel anahtarını</strong> silmek istediğinizden emin misiniz? Bu özel imzalama anahtarı ile imzalanan mevcut JWT jetonları artık geçerli olmayacaktır.',
+    delete_cookie_key:
+      '<strong>OIDC çerez anahtarını</strong> silmek istediğinizden emin misiniz? Bu çerez anahtarı ile imzalanan eski oturum açma oturumları artık geçerli olmayacaktır. Bu kullanıcılar için yeniden kimlik doğrulaması gereklidir.',
+  },
+  messages: {
+    rotate_key_success: 'İmzalama anahtarları başarıyla döndü',
+    delete_key_success: 'Anahtar başarıyla silindi',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-item.ts
index b15bad26250..c103a4eab42 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: 'Kurumsal SSO',
     not_eligible: "Kurumsal SSO'nuzu kaldırın",
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-table.ts
index afcb982fd4a..432a4696fa7 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: 'Makine-makine rolleri',
     scopes_per_role: 'Rol başına izinler',
   },
-  audit_logs: {
-    title: 'Denetim Günlükleri',
-    retention: 'Saklama',
-  },
-  hooks: {
-    title: 'Web Kancaları',
-    hooks: 'Web Kancaları',
-  },
   organizations: {
     title: 'Organizasyon',
     organizations: 'Organizasyonlar',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2 raporu',
     hipaa_or_baa_report: 'HIPAA/BAA raporu',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: 'Sınırsız',
   contact: 'İletişim',
   monthly_price: '${{value, number}}/ay',
@@ -102,6 +106,8 @@ const quota_table = {
   per_month_each: 'Aylık ${{value, number}} / her biri',
   extra_mao_price: 'Sonra MAO başına ${{value, number}}',
   per_month: 'Aylık ${{value, number}}',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/tab-sections.ts
index e3110308331..f9457f5f558 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: 'Genel Bakış',
-  resources: 'Kaynaklar',
+  authentication: 'Kimlik doğrulama',
+  authorization: 'Yetkilendirme',
   users: 'Kullanıcılar',
-  access_control: 'Erişim Kontrolü',
-  help_and_support: 'Yardım ve Destek',
+  developer: 'Geliştirici',
   tenant: 'Kiracı',
-  automation: 'Otomasyon',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/tabs.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/tabs.ts
index e85cc228114..767355695fd 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: 'Dökümanlar',
   tenant_settings: 'Ayarlar',
   mfa: 'Çoklu faktörlü kimlik doğrulama',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: 'İmza anahtarları',
+  organization_template: 'Kuruluş şablonu',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/tenants.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/tenants.ts
index 17a6be3b224..2971b7add89 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: 'Kiracı ayarlarını verimli bir şekilde yönetin ve alan adınızı özelleştirin.',
   tabs: {
     settings: 'Ayarlar',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: 'Alan adları',
     subscription: 'Plan ve faturalandırma',
     billing_history: 'Fatura geçmişi',
@@ -35,6 +37,17 @@ const tenants = {
       'Kiracının silinmesi, tüm ilişkili kullanıcı verilerinin ve yapılandırmalarının kalıcı olarak silinmesine neden olur. Lütfen dikkatli bir şekilde devam edin.',
     tenant_deletion_button: 'Kiracıyı Sil',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: 'Kiracı Oluştur',
     subtitle:
@@ -73,6 +86,12 @@ const tenants = {
     cannot_delete_description:
       'Üzgünüm, bu kiracıyı şu anda silemezsiniz. Ücretsiz Plan üzerinde olduğunuzdan ve tüm ödenmemiş faturaları ödediğinizden emin olun.',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: 'Henüz bir kiracı oluşturmadınız',
     description:
@@ -91,47 +110,6 @@ const tenants = {
     description_2:
       'Daha fazla açıklama, endişeleriniz veya işlevselliği tamamen geri yüklemek ve kiracılarınızı engellemek isterseniz, lütfen derhal bizimle iletişime geçmekten çekinmeyin.',
   },
-  signing_keys: {
-    title: 'İMZALAMA ANAHTARLARI',
-    description: 'Kiracınızda imzalama anahtarlarını güvenli bir şekilde yönetin.',
-    type: {
-      private_key: 'OIDC özel anahtarları',
-      cookie_key: 'OIDC çerez anahtarları',
-    },
-    private_keys_in_use: 'Kullanılan özel anahtarlar',
-    cookie_keys_in_use: 'Kullanılan çerez anahtarları',
-    rotate_private_keys: 'Özel anahtarları döndür',
-    rotate_cookie_keys: 'Çerez anahtarlarını döndür',
-    rotate_private_keys_description:
-      'Bu işlem yeni bir özel imzalama anahtarı oluşturacak, mevcut anahtarı döndürecek ve önceki anahtarınızı kaldıracak. Güncel anahtar ile imzalanmış JWT jetonlarınız silinene veya başka bir döndürme turuna kadar geçerli kalacaktır.',
-    rotate_cookie_keys_description:
-      'Bu işlem yeni bir çerez anahtarı oluşturacak, mevcut anahtarı döndürecek ve önceki anahtarınızı kaldıracak. Güncel anahtar ile imzalanmış çerezleriniz silinene veya başka bir döndürme turuna kadar geçerli kalacaktır.',
-    select_private_key_algorithm: 'Yeni özel anahtar için imzalama anahtar algoritmasını seçin',
-    rotate_button: 'Döndür',
-    table_column: {
-      id: 'Kimlik',
-      status: 'Durum',
-      algorithm: 'İmzalama anahtar algoritması',
-    },
-    status: {
-      current: 'Geçerli',
-      previous: 'Önceki',
-    },
-    reminder: {
-      rotate_private_key:
-        '<strong>OIDC özel anahtarlarını</strong> döndürmek istediğinizden emin misiniz? Yeni verilen JWT jetonları yeni anahtarla imzalanacaktır. Var olan JWT jetonları, tekrar döndürünceye kadar geçerli kalacaktır.',
-      rotate_cookie_key:
-        '<strong>OIDC çerez anahtarlarını</strong> döndürmek istediğinizden emin misiniz? Oturum açma oturumlarında yeni oluşturulan çerezler yeni çerez anahtarıyla imzalanacaktır. Var olan çerezler, tekrar döndürünceye kadar geçerli kalacaktır.',
-      delete_private_key:
-        '<strong>OIDC özel anahtarını</strong> silmek istediğinizden emin misiniz? Bu özel imzalama anahtarı ile imzalanan mevcut JWT jetonları artık geçerli olmayacaktır.',
-      delete_cookie_key:
-        '<strong>OIDC çerez anahtarını</strong> silmek istediğinizden emin misiniz? Bu çerez anahtarı ile imzalanan eski oturum açma oturumları artık geçerli olmayacaktır. Bu kullanıcılar için yeniden kimlik doğrulaması gereklidir.',
-    },
-    messages: {
-      rotate_key_success: 'İmzalama anahtarları başarıyla döndü',
-      delete_key_success: 'Anahtar başarıyla silindi',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/index.ts
index 5f40db8568a..df747747fc2 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API kaynağı',
     machine_to_machine: 'makine-makine uygulaması',
     tokens: '{{limit}}M jeton',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '{{item}} kota sınırını aştınız. Logto, kota sınırınızın ötesindeki kullanım için ücret ekleyecektir. Yeni ek paket fiyatlandırma tasarımı gününüzde başlayacaktır. <a>Daha fazla bilgi</a>',
diff --git a/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/paywall.ts
index 4d320c96a98..cff1584abcd 100644
--- a/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/tr-tr/translation/admin-console/upsell/paywall.ts
@@ -55,6 +55,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/zh-cn/errors/index.ts b/packages/phrases/src/locales/zh-cn/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/zh-cn/errors/index.ts
+++ b/packages/phrases/src/locales/zh-cn/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/zh-cn/errors/jwt-customizer.ts b/packages/phrases/src/locales/zh-cn/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/zh-cn/errors/user.ts b/packages/phrases/src/locales/zh-cn/errors/user.ts
index 899dcade239..8fdbf7dd6d8 100644
--- a/packages/phrases/src/locales/zh-cn/errors/user.ts
+++ b/packages/phrases/src/locales/zh-cn/errors/user.ts
@@ -31,6 +31,10 @@ const user = {
   missing_mfa: '你需要在登录之前绑定额外的MFA。',
   totp_already_in_use: 'TOTP已在使用中。',
   backup_code_already_in_use: '备用代码已在使用中。',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resource-details.ts
index 4909a177235..d3e0ee8452c 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API 资源详情',
   back_to_api_resources: '返回 API 资源',
-  settings_tab: '设置',
+  general_tab: '常规',
   permissions_tab: '权限',
   settings: '设置',
   settings_description:
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resources.ts
index 3a7a22747cd..0fe1b9b5cff 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     '每个租户只能设置零个或一个默认 API。当指定默认 API 时，可以在认证请求中省略资源参数。后续令牌交换将默认使用该 API 作为 Audience，从而签发 JWT。<a>了解更多</a>',
   api_resource_created: ' API 资源 {{name}} 已成功创建。',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/general.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/general.ts
index 27218c51215..f4e5787a1d8 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: '自定义',
   enable: '启用',
   reminder: '提示',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: '删除',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: '编辑{{field}}',
   delete_field: '删除{{field}}',
   coming_soon: '即将上线',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/index.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/index.ts
index dad97ee4370..21dd05c3c01 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/invitation.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..8e39fd588bd
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,32 @@
+const organization_role_details = {
+  page_title: '组织角色详情',
+  back_to_org_roles: '返回组织角色',
+  org_role: '组织角色',
+  delete_confirm:
+    '这样做将从受影响的用户中删除与此角色关联的权限，并删除组织角色、组织成员和组织权限之间的关系。',
+  deleted: '组织角色 {{name}} 已成功删除。',
+  permissions: {
+    tab: '权限',
+    name_column: '权限',
+    description_column: '描述',
+    type_column: '权限类型',
+    type: {
+      api: 'API 权限',
+      org: '组织权限',
+    },
+    assign_permissions: '分配权限',
+    remove_permission: '移除权限',
+    remove_confirmation: '如果移除此权限，拥有此组织角色的用户将失去此权限授予的访问权限。',
+    removed: '权限 {{name}} 已成功从此组织角色中移除',
+  },
+  general: {
+    tab: '常规',
+    settings: '设置',
+    description: '组织角色是可以分配给用户的权限组。这些权限必须来自预定义的组织权限。',
+    name_field: '名称',
+    description_field: '描述',
+    description_field_placeholder: '仅具有查看权限的用户',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..5eb4bafa186
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/organization-template.ts
@@ -0,0 +1,41 @@
+const organization_template = {
+  title: '组织模板',
+  subtitle:
+    '在多租户SaaS应用中，多个组织共享相同的访问控制政策，包括权限和角色，是很常见的。在Logto中，这一概念被称为“组织模板”。使用它可以简化构建和设计授权模型的过程。',
+  roles: {
+    tab_name: '组织角色',
+    search_placeholder: '按角色名称搜索',
+    create_title: '创建组织角色',
+    role_column: '组织角色',
+    permissions_column: '权限',
+    placeholder_title: '组织角色',
+    placeholder_description: '组织角色是一组可以分配给用户的权限。权限必须来自预定义的组织权限。',
+    create_modal: {
+      title: '创建组织角色',
+      create: '创建角色',
+      name_field: '角色名称',
+      description_field: '描述',
+      created: '成功创建组织角色 {{name}}。',
+    },
+  },
+  permissions: {
+    tab_name: '组织权限',
+    search_placeholder: '按权限名称搜索',
+    create_org_permission: '创建组织权限',
+    permission_column: '权限',
+    description_column: '描述',
+    placeholder_title: '组织权限',
+    placeholder_description: '组织权限指的是在组织上下文中访问资源的授权。',
+    delete_confirm:
+      '如果删除此权限，包括此权限的所有组织角色都将失去此权限，拥有此权限的用户将失去由此权限授予的访问权限。',
+    create_title: '创建组织权限',
+    edit_title: '编辑组织权限',
+    permission_field_name: '权限名称',
+    description_field_name: '描述',
+    description_field_placeholder: '阅读预约历史',
+    create_permission: '创建权限',
+    created: '组织权限 {{name}} 已成功创建。',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/permissions.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/permissions.ts
index b9744e46f3f..33e885bb5b2 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/permissions.ts
@@ -6,6 +6,11 @@ const permissions = {
   api_column: 'API',
   placeholder_title: '权限',
   placeholder_description: '权限是指访问资源的授权（我们称其为 API 资源）。',
+  edit: '编辑权限',
+  delete: '删除权限',
+  remove: '移除权限',
+  updated: '权限已更新。',
+  edit_title: '编辑 API 权限',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..bd5371360ef
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: '签名密钥',
+  description: '安全管理应用程序使用的签名密钥。',
+  private_key: 'OIDC 私钥',
+  private_keys_description: 'OIDC 私钥用于签署 JWT 令牌。',
+  cookie_key: 'OIDC Cookie 密钥',
+  cookie_keys_description: 'OIDC Cookie 密钥用于签署 Cookie。',
+  private_keys_in_use: '正在使用的私钥',
+  cookie_keys_in_use: '正在使用的 Cookie 密钥',
+  rotate_private_keys: '旋转私钥',
+  rotate_cookie_keys: '旋转 Cookie 密钥',
+  rotate_private_keys_description:
+    '此操作将创建一个新的私钥，旋转当前密钥，并删除之前的密钥。使用当前密钥签名的JWT令牌将在删除或另一轮旋转之前保持有效。',
+  rotate_cookie_keys_description:
+    '此操作将创建一个新的Cookie密钥，旋转当前密钥，并删除之前的密钥。使用当前密钥签名的Cookie将在删除或另一轮旋转之前保持有效。',
+  select_private_key_algorithm: '为新的私钥选择签名密钥算法',
+  rotate_button: '旋转',
+  table_column: {
+    id: 'ID',
+    status: '状态',
+    algorithm: '签名密钥算法',
+  },
+  status: {
+    current: '当前',
+    previous: '之前',
+  },
+  reminder: {
+    rotate_private_key:
+      '您确定要旋转<strong>OIDC私钥</strong>吗？新发布的JWT令牌将由新密钥签名。使用当前密钥签名的现有JWT令牌将在您再次旋转之前保持有效。',
+    rotate_cookie_key:
+      '您确定要旋转<strong>OIDC Cookie密钥</strong>吗？登录会话生成的新Cookie将由新Cookie密钥签名。使用当前密钥签名的现有Cookie将在您再次旋转之前保持有效。',
+    delete_private_key:
+      '您确定要删除<strong>OIDC私钥</strong>吗？使用此私有签名密钥签名的现有JWT令牌将不再有效。',
+    delete_cookie_key:
+      '您确定要删除<strong>OIDC Cookie密钥</strong>吗？用此Cookie密钥签名的旧登录会话将不再有效。这些用户需要重新验证。',
+  },
+  messages: {
+    rotate_key_success: '签名密钥旋转成功。',
+    delete_key_success: '密钥已成功删除。',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-item.ts
index 17e34b74f24..a452fef8f6b 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: '企业SSO',
     not_eligible: '移除你的 企业SSO',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-table.ts
index 3cc11da0c66..dce9ea073ac 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: '机器对机器角色',
     scopes_per_role: '每角色权限',
   },
-  audit_logs: {
-    title: '审计日志',
-    retention: '保留期限',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: '组织',
     organizations: '组织',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2报告',
     hipaa_or_baa_report: 'HIPAA/BAA报告',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: '无限制',
   contact: '联系',
   monthly_price: '${{value, number}} / 月',
@@ -99,6 +103,8 @@ const quota_table = {
   per_month_each: '每月 ${{value, number}} / 每个',
   extra_mao_price: '然后每 MAO ${{value, number}}',
   per_month: '每月 ${{value, number}}',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/tab-sections.ts
index c51bc4af614..1b694647efc 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: '概览',
-  resources: '资源',
+  authentication: '身份验证',
+  authorization: '授权',
   users: '用户',
-  access_control: '访问控制',
-  help_and_support: '帮助与支持',
+  developer: '开发者',
   tenant: '租户',
-  automation: '自动化',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/tabs.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/tabs.ts
index 888a61046d7..0cab45285aa 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: '文档',
   tenant_settings: '租户设置',
   mfa: '多因素认证',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: '签名密钥',
+  organization_template: '组织模板',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/tenants.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/tenants.ts
index 2a2303c3c5e..8bfc7c87849 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: '高效管理租户设置并自定义您的域名。',
   tabs: {
     settings: '设置',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: '域名管理',
     subscription: '套餐与计费',
     billing_history: '历史账单',
@@ -32,6 +34,17 @@ const tenants = {
     tenant_deletion_description: '删除租户将导致永久删除所有相关的用户数据和配置。请谨慎操作。',
     tenant_deletion_button: '删除租户',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: '创建租户',
     subtitle: '创建一个具有隔离资源和用户的新租户。数据托管的区域和租户类型在创建后无法修改。',
@@ -65,6 +78,12 @@ const tenants = {
     cannot_delete_description:
       '抱歉，您现在无法删除此租户。请确保您处于免费计划并已支付所有未结账单。',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: '您还没有创建租户',
     description:
@@ -83,47 +102,6 @@ const tenants = {
     description_2:
       '如果您需要进一步澄清、有任何疑虑或希望恢复全部功能并解锁您的租户，请立即联系我们。',
   },
-  signing_keys: {
-    title: '签名密钥',
-    description: '在您的租户中安全管理签名密钥。',
-    type: {
-      private_key: 'OIDC私钥',
-      cookie_key: 'OIDC Cookie密钥',
-    },
-    private_keys_in_use: '正在使用的私钥',
-    cookie_keys_in_use: '正在使用的 Cookie 密钥',
-    rotate_private_keys: '旋转私钥',
-    rotate_cookie_keys: '旋转 Cookie 密钥',
-    rotate_private_keys_description:
-      '此操作将创建一个新的私钥，旋转当前密钥，并删除之前的密钥。使用当前密钥签名的JWT令牌将在删除或另一轮旋转之前保持有效。',
-    rotate_cookie_keys_description:
-      '此操作将创建一个新的Cookie密钥，旋转当前密钥，并删除之前的密钥。使用当前密钥签名的Cookie将在删除或另一轮旋转之前保持有效。',
-    select_private_key_algorithm: '为新的私钥选择签名密钥算法',
-    rotate_button: '旋转',
-    table_column: {
-      id: 'ID',
-      status: '状态',
-      algorithm: '签名密钥算法',
-    },
-    status: {
-      current: '当前',
-      previous: '之前',
-    },
-    reminder: {
-      rotate_private_key:
-        '您确定要旋转<strong>OIDC私钥</strong>吗？新发布的JWT令牌将由新密钥签名。使用当前密钥签名的现有JWT令牌将在您再次旋转之前保持有效。',
-      rotate_cookie_key:
-        '您确定要旋转<strong>OIDC Cookie密钥</strong>吗？登录会话生成的新Cookie将由新Cookie密钥签名。使用当前密钥签名的现有Cookie将在您再次旋转之前保持有效。',
-      delete_private_key:
-        '您确定要删除<strong>OIDC私钥</strong>吗？使用此私有签名密钥签名的现有JWT令牌将不再有效。',
-      delete_cookie_key:
-        '您确定要删除<strong>OIDC Cookie密钥</strong>吗？用此Cookie密钥签名的旧登录会话将不再有效。这些用户需要重新验证。',
-    },
-    messages: {
-      rotate_key_success: '签名密钥旋转成功。',
-      delete_key_success: '密钥已成功删除。',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/index.ts
index fe87ac9d460..6a02d5a1397 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API 资源',
     machine_to_machine: '机器对机器应用',
     tokens: '{{limit}}M 令牌',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '您已超过{{item}}配额限制。Logto将为超出配额限制的使用添加费用。计费将从新的附加定价设计发布当天开始。 <a>了解更多</a>',
diff --git a/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/paywall.ts
index 50a9095c70d..7891e8da286 100644
--- a/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/zh-cn/translation/admin-console/upsell/paywall.ts
@@ -54,6 +54,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/zh-hk/errors/index.ts b/packages/phrases/src/locales/zh-hk/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/zh-hk/errors/index.ts
+++ b/packages/phrases/src/locales/zh-hk/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/zh-hk/errors/jwt-customizer.ts b/packages/phrases/src/locales/zh-hk/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/zh-hk/errors/user.ts b/packages/phrases/src/locales/zh-hk/errors/user.ts
index 81fe7efb15d..98b7938e4da 100644
--- a/packages/phrases/src/locales/zh-hk/errors/user.ts
+++ b/packages/phrases/src/locales/zh-hk/errors/user.ts
@@ -31,6 +31,10 @@ const user = {
   missing_mfa: '你需要在登錄前綁定額外的 MFA。',
   totp_already_in_use: 'TOTP 已經在使用中。',
   backup_code_already_in_use: '備份代碼已經在使用中。',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resource-details.ts
index 4e48a87bef7..34667981382 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API 資源詳情',
   back_to_api_resources: '返回 API 資源',
-  settings_tab: '設置',
+  general_tab: '常規',
   permissions_tab: '權限',
   settings: '設置',
   settings_description:
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resources.ts
index 2ece458d856..8d5c757edca 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     '一个租户只能设置零或一个默认 API。当指定默认 API 时，可以在身份验证请求中省略资源参数，还可以使用该 API 作为默认受众方进行令牌交换，从而发放 JWT。<a>了解更多</a>',
   api_resource_created: ' API 資源 {{name}} 已成功創建。',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/general.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/general.ts
index 4edf09f6975..4fc26c9d013 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: '自定義',
   enable: '啟用',
   reminder: '提示',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: '刪除',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: '編輯{{field}}',
   delete_field: '刪除{{field}}',
   coming_soon: '即將推出',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/index.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/index.ts
index b742a19f96f..0fb3d93411c 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/invitation.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..01610c0b00a
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,32 @@
+const organization_role_details = {
+  page_title: '組織角色詳情',
+  back_to_org_roles: '返回組織角色',
+  org_role: '組織角色',
+  delete_confirm:
+    '這樣做將會從受影響的使用者中移除與此角色相關聯的權限，並刪除組織角色、組織成員和組織權限之間的關係。',
+  deleted: '組織角色 {{name}} 已成功刪除。',
+  permissions: {
+    tab: '權限',
+    name_column: '權限',
+    description_column: '描述',
+    type_column: '權限類型',
+    type: {
+      api: 'API 權限',
+      org: '組織權限',
+    },
+    assign_permissions: '分配權限',
+    remove_permission: '移除權限',
+    remove_confirmation: '如果移除此權限，擁有此組織角色的使用者將失去此權限所授予的存取權。',
+    removed: '權限 {{name}} 已成功從此組織角色中移除',
+  },
+  general: {
+    tab: '一般',
+    settings: '設置',
+    description: '組織角色是可以分配給用戶的權限組。這些權限必須來自預定義的組織權限。',
+    name_field: '名稱',
+    description_field: '描述',
+    description_field_placeholder: '僅擁有檢視權限的使用者',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..958a07c1f4a
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/organization-template.ts
@@ -0,0 +1,41 @@
+const organization_template = {
+  title: '組織模板',
+  subtitle:
+    '在多租戶SaaS應用中，多個組織共享相同的訪問控制政策，包括權限和角色，是很常見的。在Logto中，這一概念被稱為“組織模板”。使用它可以簡化構建和設計授權模型的過程。',
+  roles: {
+    tab_name: '組織角色',
+    search_placeholder: '按角色名稱搜索',
+    create_title: '創建組織角色',
+    role_column: '組織角色',
+    permissions_column: '權限',
+    placeholder_title: '組織角色',
+    placeholder_description: '組織角色是一組可以分配給用戶的權限。權限必須來自預定義的組織權限。',
+    create_modal: {
+      title: '建立組織角色',
+      create: '建立角色',
+      name_field: '角色名稱',
+      description_field: '描述',
+      created: '成功建立組織角色 {{name}}。',
+    },
+  },
+  permissions: {
+    tab_name: '組織權限',
+    search_placeholder: '按權限名稱搜索',
+    create_org_permission: '創建組織權限',
+    permission_column: '權限',
+    description_column: '描述',
+    placeholder_title: '組織權限',
+    placeholder_description: '組織權限指的是在組織上下文中訪問資源的授權。',
+    delete_confirm:
+      '如果刪除此權限，包括此權限的所有組織角色都將失去此權限，擁有此權限的用戶將失去由此權限授予的訪問權限。',
+    create_title: '創建組織權限',
+    edit_title: '編輯組織權限',
+    permission_field_name: '權限名稱',
+    description_field_name: '描述',
+    description_field_placeholder: '閱讀約會歷史',
+    create_permission: '創建權限',
+    created: '組織權限 {{name}} 已成功建立。',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/permissions.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/permissions.ts
index c903fa12e25..ffaa4c7be97 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/permissions.ts
@@ -6,6 +6,11 @@ const permissions = {
   api_column: 'API',
   placeholder_title: '權限',
   placeholder_description: '權限是指訪問資源的授權（我們稱其為 API 資源）。',
+  edit: '編輯權限',
+  delete: '刪除權限',
+  remove: '移除權限',
+  updated: '權限已更新。',
+  edit_title: '編輯 API 權限',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..2f7f84396bb
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: '簽名密鑰',
+  description: '安全管理應用程式使用的簽名密鑰。',
+  private_key: 'OIDC 私鑰',
+  private_keys_description: 'OIDC 私鑰用於簽署 JWT 令牌。',
+  cookie_key: 'OIDC cookie 密鑰',
+  cookie_keys_description: 'OIDC cookie 密鑰用於簽署 cookie。',
+  private_keys_in_use: '正在使用的私密金鑰',
+  cookie_keys_in_use: '正在使用的 Cookie 金鑰',
+  rotate_private_keys: '旋轉私密金鑰',
+  rotate_cookie_keys: '旋轉 Cookie 金鑰',
+  rotate_private_keys_description:
+    '此操作將創建一個新的私密簽署金鑰，旋轉當前金鑰並刪除以前的金鑰。您的使用當前金鑰簽署的 JWT 標記將保持有效，直到刪除或再次旋轉。',
+  rotate_cookie_keys_description:
+    '此操作將創建一個新的 cookie 金鑰，旋轉當前金鑰並刪除以前的金鑰。使用當前金鑰簽署的 cookie 將保持有效，直到刪除或再次旋轉。',
+  select_private_key_algorithm: '選擇新私密金鑰的簽署算法',
+  rotate_button: '旋轉',
+  table_column: {
+    id: 'ID',
+    status: '狀態',
+    algorithm: '簽署金鑰算法',
+  },
+  status: {
+    current: '當前',
+    previous: '之前',
+  },
+  reminder: {
+    rotate_private_key:
+      '您確定要旋轉<strong>OIDC私密金鑰</strong>嗎？使用新金鑰發放的 JWT 標記將由新金鑰簽署。使用當前金鑰簽署的 JWT 標記將保持有效，直到您再次旋轉。',
+    rotate_cookie_key:
+      '您確定要旋轉<strong>OIDC Cookie金鑰</strong>嗎？在登錄會話中生成的新 cookie 將由新cookie金鑰簽署。使用當前金鑰簽署的cookie將保持有效，直到您再次旋轉。',
+    delete_private_key:
+      '您確定要刪除<strong>OIDC私密金鑰</strong>嗎？使用此私密簽署金鑰簽署的現有 JWT 標記將不再有效。',
+    delete_cookie_key:
+      '您確定要刪除<strong>OIDC Cookie金鑰</strong>嗎？使用此cookie金鑰簽署的較舊的登錄會話中的cookie不再有效，這些用戶需要重新驗證。',
+  },
+  messages: {
+    rotate_key_success: '簽署金鑰成功旋轉。',
+    delete_key_success: '金鑰成功刪除。',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-item.ts
index cdd6e43cadf..f3609e3c40e 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: '企業SSO',
     not_eligible: '移除您的企業單一登入',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-table.ts
index 565c963cd3e..33cfa75f20e 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: '機器對機器角色',
     scopes_per_role: '每角色權限',
   },
-  audit_logs: {
-    title: '審核日誌',
-    retention: '保留期限',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: '組織',
     organizations: '組織',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2報告',
     hipaa_or_baa_report: 'HIPAA/BAA報告',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: '無限制',
   contact: '聯絡',
   monthly_price: '${{value, number}}/月',
@@ -99,6 +103,8 @@ const quota_table = {
   per_month_each: '每月 ${{value, number}} / 每個',
   extra_mao_price: '然後每 MAO ${{value, number}}',
   per_month: '每月 ${{value, number}}',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/tab-sections.ts
index cc8255c9f53..df26a92656a 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
-  overview: '概觀',
-  resources: '資源',
-  users: '使用者',
-  access_control: '訪問控制',
-  help_and_support: '幫助與支援',
+  overview: '概覽',
+  authentication: '身份驗證',
+  authorization: '授權',
+  users: '用戶',
+  developer: '開發者',
   tenant: '租戶',
-  automation: '自動化',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/tabs.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/tabs.ts
index 714a75bf66e..d79ad4d8dd7 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: '文檔',
   tenant_settings: '租戶設置',
   mfa: '多重認證',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: '簽署密鑰',
+  organization_template: '組織模板',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/tenants.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/tenants.ts
index d1876271f2c..4d9bd6a790a 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: '高效管理租戶設置並自訂您的域名。',
   tabs: {
     settings: '設定',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: '網域',
     subscription: '方案與計費',
     billing_history: '帳單記錄',
@@ -32,6 +34,17 @@ const tenants = {
     tenant_deletion_description: '刪除租戶將導致永久刪除所有相關的用戶數據和配置。請謹慎操作。',
     tenant_deletion_button: '刪除租戶',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: '創建租戶',
     subtitle: '創建一個具有隔離資源和用戶的新租戶。數據托管的區域和租戶類型在創建後無法修改。',
@@ -65,6 +78,12 @@ const tenants = {
     cannot_delete_description:
       '抱歉，您現在無法刪除此租戶。請確保您處於免費計劃並已支付所有未結賬單。',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: '您尚未建立租戶',
     description:
@@ -83,47 +102,6 @@ const tenants = {
     description_2:
       '如果您需要進一步了解，有任何疑慮或希望恢復完整功能並解鎖您的租戶，請立即與我們聯繫。',
   },
-  signing_keys: {
-    title: '簽署金鑰',
-    description: '在您的租戶中安全地管理簽署金鑰。',
-    type: {
-      private_key: 'OIDC私密金鑰',
-      cookie_key: 'OIDC Cookie金鑰',
-    },
-    private_keys_in_use: '正在使用的私密金鑰',
-    cookie_keys_in_use: '正在使用的 Cookie 金鑰',
-    rotate_private_keys: '旋轉私密金鑰',
-    rotate_cookie_keys: '旋轉 Cookie 金鑰',
-    rotate_private_keys_description:
-      '此操作將創建一個新的私密簽署金鑰，旋轉當前金鑰並刪除以前的金鑰。您的使用當前金鑰簽署的 JWT 標記將保持有效，直到刪除或再次旋轉。',
-    rotate_cookie_keys_description:
-      '此操作將創建一個新的 cookie 金鑰，旋轉當前金鑰並刪除以前的金鑰。使用當前金鑰簽署的 cookie 將保持有效，直到刪除或再次旋轉。',
-    select_private_key_algorithm: '選擇新私密金鑰的簽署算法',
-    rotate_button: '旋轉',
-    table_column: {
-      id: 'ID',
-      status: '狀態',
-      algorithm: '簽署金鑰算法',
-    },
-    status: {
-      current: '當前',
-      previous: '之前',
-    },
-    reminder: {
-      rotate_private_key:
-        '您確定要旋轉<strong>OIDC私密金鑰</strong>嗎？使用新金鑰發放的 JWT 標記將由新金鑰簽署。使用當前金鑰簽署的 JWT 標記將保持有效，直到您再次旋轉。',
-      rotate_cookie_key:
-        '您確定要旋轉<strong>OIDC Cookie金鑰</strong>嗎？在登錄會話中生成的新 cookie 將由新cookie金鑰簽署。使用當前金鑰簽署的cookie將保持有效，直到您再次旋轉。',
-      delete_private_key:
-        '您確定要刪除<strong>OIDC私密金鑰</strong>嗎？使用此私密簽署金鑰簽署的現有 JWT 標記將不再有效。',
-      delete_cookie_key:
-        '您確定要刪除<strong>OIDC Cookie金鑰</strong>嗎？使用此cookie金鑰簽署的較舊的登錄會話中的cookie不再有效，這些用戶需要重新驗證。',
-    },
-    messages: {
-      rotate_key_success: '簽署金鑰成功旋轉。',
-      delete_key_success: '金鑰成功刪除。',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/index.ts
index e7f7113414b..5120cc4db1f 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API 資源',
     machine_to_machine: '機器對機器應用',
     tokens: '{{limit}}M 令牌',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '您已超出{{item}}配額限制。Logto將為超出配額限制的使用添加費用。計費將從新的附加定價設計發布當天開始。 <a>了解更多</a>',
diff --git a/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/paywall.ts
index 0d565bf63bc..b2f7939d952 100644
--- a/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/zh-hk/translation/admin-console/upsell/paywall.ts
@@ -54,6 +54,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/phrases/src/locales/zh-tw/errors/index.ts b/packages/phrases/src/locales/zh-tw/errors/index.ts
index 74995792d5c..40df6998e9e 100644
--- a/packages/phrases/src/locales/zh-tw/errors/index.ts
+++ b/packages/phrases/src/locales/zh-tw/errors/index.ts
@@ -5,6 +5,7 @@ import domain from './domain.js';
 import entity from './entity.js';
 import guard from './guard.js';
 import hook from './hook.js';
+import jwt_customizer from './jwt-customizer.js';
 import localization from './localization.js';
 import log from './log.js';
 import oidc from './oidc.js';
@@ -34,6 +35,7 @@ const errors = {
   connector,
   verification_code,
   sign_in_experiences,
+  jwt_customizer,
   localization,
   swagger,
   entity,
diff --git a/packages/phrases/src/locales/zh-tw/errors/jwt-customizer.ts b/packages/phrases/src/locales/zh-tw/errors/jwt-customizer.ts
new file mode 100644
index 00000000000..c7c5c1e2af9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/errors/jwt-customizer.ts
@@ -0,0 +1,8 @@
+const jwt_customizer = {
+  /** UNTRANSLATED */
+  general: 'An error occurred while customizing the JWT token. Please try again later.',
+  /** UNTRANSLATED */
+  can_not_create_for_admin_tenant: 'Cannot create a JWT token customizer for the admin tenant.',
+};
+
+export default Object.freeze(jwt_customizer);
diff --git a/packages/phrases/src/locales/zh-tw/errors/user.ts b/packages/phrases/src/locales/zh-tw/errors/user.ts
index ae767874e96..2ca2b159575 100644
--- a/packages/phrases/src/locales/zh-tw/errors/user.ts
+++ b/packages/phrases/src/locales/zh-tw/errors/user.ts
@@ -31,6 +31,10 @@ const user = {
   missing_mfa: '在登錄前需要綁定額外的多因素驗證。',
   totp_already_in_use: 'TOTP 已經在使用中。',
   backup_code_already_in_use: '備份代碼已經在使用中。',
+  /** UNTRANSLATED */
+  password_algorithm_required: 'Password algorithm is required.',
+  /** UNTRANSLATED */
+  password_and_digest: 'You cannot set both plain text password and password digest.',
 };
 
 export default Object.freeze(user);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resource-details.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resource-details.ts
index 99623a4e2fc..6e18a1f77be 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resource-details.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resource-details.ts
@@ -1,7 +1,7 @@
 const api_resource_details = {
   page_title: 'API 資源詳情',
   back_to_api_resources: '返回 API 資源',
-  settings_tab: '設定',
+  general_tab: '常規',
   permissions_tab: '權限',
   settings: '設定',
   settings_description:
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resources.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resources.ts
index e7321a68c86..3c3d730e6a7 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resources.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/api-resources.ts
@@ -13,6 +13,8 @@ const api_resources = {
   default_api_label:
     '一個租戶只能設定零個或一個預設 API。當指定了預設 API 後，可以在授權請求中省略 `resource` 參數。隨後的令牌交換將使用該 API 作為默認的 Audience，從而產生 JWT。<a>了解更多</a>',
   api_resource_created: ' API 資源 {{name}} 已成功創建。',
+  /** UNTRANSLATED */
+  invalid_resource_indicator_format: 'API indicator must be a valid absolute URI.',
 };
 
 export default Object.freeze(api_resources);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/general.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/general.ts
index 02efe7b495c..699d4832c5d 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/general.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/general.ts
@@ -25,6 +25,8 @@ const general = {
   customize: '自定義',
   enable: '啟用',
   reminder: '提示',
+  /** UNTRANSLATED */
+  edit: 'Edit',
   delete: '刪除',
   /** UNTRANSLATED */
   deleted: 'Deleted',
@@ -69,6 +71,8 @@ const general = {
   edit_field: '編輯{{field}}',
   delete_field: '刪除{{field}}',
   coming_soon: '即將上線',
+  /** UNTRANSLATED */
+  or: 'Or',
 };
 
 export default Object.freeze(general);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/index.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/index.ts
index b742a19f96f..0fb3d93411c 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/index.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/index.ts
@@ -15,11 +15,15 @@ import errors from './errors.js';
 import general from './general.js';
 import get_started from './get-started.js';
 import guide from './guide.js';
+import invitation from './invitation.js';
+import jwt_claims from './jwt-claims.js';
 import log_details from './log-details.js';
 import logs from './logs.js';
 import menu from './menu.js';
 import mfa from './mfa.js';
 import organization_details from './organization-details.js';
+import organization_role_details from './organization-role-details.js';
+import organization_template from './organization-template.js';
 import organizations from './organizations.js';
 import permissions from './permissions.js';
 import profile from './profile.js';
@@ -28,9 +32,11 @@ import role_details from './role-details.js';
 import roles from './roles.js';
 import session_expired from './session-expired.js';
 import sign_in_exp from './sign-in-exp/index.js';
+import signing_keys from './signing-keys.js';
 import subscription from './subscription/index.js';
 import tab_sections from './tab-sections.js';
 import tabs from './tabs.js';
+import tenant_members from './tenant-members.js';
 import tenants from './tenants.js';
 import topbar from './topbar.js';
 import upsell from './upsell/index.js';
@@ -77,6 +83,7 @@ const admin_console = {
   webhook_details,
   domain,
   tenants,
+  tenant_members,
   topbar,
   subscription,
   upsell,
@@ -85,6 +92,11 @@ const admin_console = {
   organizations,
   organization_details,
   protected_app,
+  jwt_claims,
+  invitation,
+  signing_keys,
+  organization_template,
+  organization_role_details,
 };
 
 export default Object.freeze(admin_console);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/invitation.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/invitation.ts
new file mode 100644
index 00000000000..c158350e390
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/invitation.ts
@@ -0,0 +1,22 @@
+const invitation = {
+  /** UNTRANSLATED */
+  find_your_tenants: 'Find your tenants',
+  /** UNTRANSLATED */
+  find_tenants_description:
+    'Your email address may already be registered with multiple tenants. You can choose to join the existing ones or continue create a new one.',
+  /** UNTRANSLATED */
+  create_new_tenant: 'Create a new tenant',
+  /** UNTRANSLATED */
+  email_not_match_title: 'You are currently signed in as\n{{email}}',
+  /** UNTRANSLATED */
+  email_not_match_description:
+    'You do not currently have access to this organization.\nPlease sign in with the correct account to accept the invitation and become a member of the organization.',
+  /** UNTRANSLATED */
+  switch_account: 'Sign in to another account',
+  /** UNTRANSLATED */
+  invalid_invitation_status: 'Invalid invitation. Please contact the administrator and try again.',
+  /** UNTRANSLATED */
+  invitation_not_found: 'Invitation not found. Please contact the administrator.',
+};
+
+export default Object.freeze(invitation);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/jwt-claims.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/jwt-claims.ts
new file mode 100644
index 00000000000..f0d189ab412
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/jwt-claims.ts
@@ -0,0 +1,99 @@
+const jwt_claims = {
+  /** UNTRANSLATED */
+  title: 'Custom JWT',
+  /** UNTRANSLATED */
+  description:
+    'Set up custom JWT claims to include in the access token. These claims can be used to pass additional information to your application.',
+  user_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For user',
+    /** UNTRANSLATED */
+    card_field: 'User access token',
+    /** UNTRANSLATED */
+    card_description: 'Add user-specific data during access token issuance.',
+    /** UNTRANSLATED */
+    for: 'for user',
+  },
+  machine_to_machine_jwt: {
+    /** UNTRANSLATED */
+    card_title: 'For M2M',
+    /** UNTRANSLATED */
+    card_field: 'Machine-to-machine token',
+    /** UNTRANSLATED */
+    card_description: 'Add extra data during machine-to-machine token issuance.',
+    /** UNTRANSLATED */
+    for: 'for M2M',
+  },
+  /** UNTRANSLATED */
+  code_editor_title: 'Customize the {{token}} claims',
+  /** UNTRANSLATED */
+  custom_jwt_create_button: 'Add custom claims',
+  /** UNTRANSLATED */
+  custom_jwt_item: 'Custom claims {{for}}',
+  /** UNTRANSLATED */
+  delete_modal_title: 'Delete custom claims',
+  /** UNTRANSLATED */
+  delete_modal_content: 'Are you sure you want to delete the custom claims?',
+  /** UNTRANSLATED */
+  clear: 'Clear',
+  /** UNTRANSLATED */
+  cleared: 'Cleared',
+  /** UNTRANSLATED */
+  restore: 'Restore defaults',
+  /** UNTRANSLATED */
+  restored: 'Restored',
+  /** UNTRANSLATED */
+  data_source_tab: 'Data source',
+  /** UNTRANSLATED */
+  test_tab: 'Test context',
+  /** UNTRANSLATED */
+  jwt_claims_description: 'Default claims are auto-included in the JWT and cannot be overridden.',
+  user_data: {
+    /** UNTRANSLATED */
+    title: 'User data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `data.user` input parameter to provide vital user info.',
+  },
+  token_data: {
+    /** UNTRANSLATED */
+    title: 'Token data',
+    /** UNTRANSLATED */
+    subtitle: 'Use `token` input parameter for current access token payload. ',
+  },
+  fetch_external_data: {
+    /** UNTRANSLATED */
+    title: 'Fetch external data',
+    /** UNTRANSLATED */
+    subtitle: 'Incorporate data from your external APIs directly into claims.',
+    /** UNTRANSLATED */
+    description:
+      'Use the `fetch` function to call your external APIs and include the data in your custom claims. Example: ',
+  },
+  environment_variables: {
+    /** UNTRANSLATED */
+    title: 'Set environment variables',
+    /** UNTRANSLATED */
+    subtitle: 'Use environment variables to store sensitive information.',
+    /** UNTRANSLATED */
+    input_field_title: 'Add environment variables',
+    /** UNTRANSLATED */
+    sample_code: 'Accessing environment variables in your custom JWT claims handler. Example: ',
+  },
+  /** UNTRANSLATED */
+  jwt_claims_hint:
+    'Limit custom claims to under 50KB. Default JWT claims are automatically included in the token and can not be overridden.',
+  tester: {
+    /** UNTRANSLATED */
+    subtitle: 'Adjust mock token and user data for testing.',
+    /** UNTRANSLATED */
+    run_button: 'Run test',
+    /** UNTRANSLATED */
+    result_title: 'Test result',
+  },
+  form_error: {
+    /** UNTRANSLATED */
+    invalid_json: 'Invalid JSON format',
+  },
+};
+
+export default Object.freeze(jwt_claims);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-role-details.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-role-details.ts
new file mode 100644
index 00000000000..5b84ca5fd68
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-role-details.ts
@@ -0,0 +1,32 @@
+const organization_role_details = {
+  page_title: '組織角色詳情',
+  back_to_org_roles: '返回組織角色',
+  org_role: '組織角色',
+  delete_confirm:
+    '這樣做將會從受影響的使用者中移除與此角色相關聯的權限，並刪除組織角色、組織成員和組織權限之間的關係。',
+  deleted: '組織角色 {{name}} 已成功刪除。',
+  permissions: {
+    tab: '權限',
+    name_column: '權限',
+    description_column: '描述',
+    type_column: '權限類型',
+    type: {
+      api: 'API 權限',
+      org: '組織權限',
+    },
+    assign_permissions: '分配權限',
+    remove_permission: '移除權限',
+    remove_confirmation: '如果移除此權限，擁有此組織角色的使用者將失去此權限所授予的存取權。',
+    removed: '權限 {{name}} 已成功從此組織角色中移除',
+  },
+  general: {
+    tab: '一般',
+    settings: '設置',
+    description: '組織角色是可以分配給用戶的權限組。這些權限必須來自預定義的組織權限。',
+    name_field: '名稱',
+    description_field: '描述',
+    description_field_placeholder: '僅具有查看權限的使用者',
+  },
+};
+
+export default Object.freeze(organization_role_details);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-template.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-template.ts
new file mode 100644
index 00000000000..15028e54e6b
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/organization-template.ts
@@ -0,0 +1,41 @@
+const organization_template = {
+  title: '組織模板',
+  subtitle:
+    '在多租戶SaaS應用中，多個組織共享相同的訪問控制政策，包括權限和角色，是很常見的。在Logto中，這一概念被稱為“組織模板”。使用它可以簡化建立和設計授權模型的過程。',
+  roles: {
+    tab_name: '組織角色',
+    search_placeholder: '按角色名稱搜尋',
+    create_title: '創建組織角色',
+    role_column: '組織角色',
+    permissions_column: '權限',
+    placeholder_title: '組織角色',
+    placeholder_description: '組織角色是一組可以分配給使用者的權限。權限必須來自預定義的組織權限。',
+    create_modal: {
+      title: '建立組織角色',
+      create: '建立角色',
+      name_field: '角色名稱',
+      description_field: '描述',
+      created: '成功建立組織角色 {{name}}。',
+    },
+  },
+  permissions: {
+    tab_name: '組織權限',
+    search_placeholder: '按權限名稱搜尋',
+    create_org_permission: '創建組織權限',
+    permission_column: '權限',
+    description_column: '描述',
+    placeholder_title: '組織權限',
+    placeholder_description: '組織權限指的是在組織上下文中訪問資源的授權。',
+    delete_confirm:
+      '如果刪除此權限，包括此權限的所有組織角色都將失去此權限，擁有此權限的使用者將失去由此權限授予的訪問權限。',
+    create_title: '創建組織權限',
+    edit_title: '編輯組織權限',
+    permission_field_name: '權限名稱',
+    description_field_name: '描述',
+    description_field_placeholder: '閱讀預約歷史',
+    create_permission: '創建權限',
+    created: '組織權限 {{name}} 已成功建立。',
+  },
+};
+
+export default Object.freeze(organization_template);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/permissions.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/permissions.ts
index c903fa12e25..ffaa4c7be97 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/permissions.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/permissions.ts
@@ -6,6 +6,11 @@ const permissions = {
   api_column: 'API',
   placeholder_title: '權限',
   placeholder_description: '權限是指訪問資源的授權（我們稱其為 API 資源）。',
+  edit: '編輯權限',
+  delete: '刪除權限',
+  remove: '移除權限',
+  updated: '權限已更新。',
+  edit_title: '編輯 API 權限',
 };
 
 export default Object.freeze(permissions);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/signing-keys.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/signing-keys.ts
new file mode 100644
index 00000000000..f665c9576e6
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/signing-keys.ts
@@ -0,0 +1,43 @@
+const signing_keys = {
+  title: '簽名密鑰',
+  description: '安全管理應用程式使用的簽名密鑰。',
+  private_key: 'OIDC 私鑰',
+  private_keys_description: 'OIDC 私鑰用於簽署 JWT 令牌。',
+  cookie_key: 'OIDC cookie 密鑰',
+  cookie_keys_description: 'OIDC cookie 密鑰用於簽署 cookie。',
+  private_keys_in_use: '正在使用的私鑰',
+  cookie_keys_in_use: '正在使用的 Cookie 密鑰',
+  rotate_private_keys: '輪換私鑰',
+  rotate_cookie_keys: '輪換 Cookie 密鑰',
+  rotate_private_keys_description:
+    '此操作將創建一個新的私密簽名密鑰，輪換當前密鑰並刪除之前的密鑰。您的使用當前密鑰簽署的 JWT 憑證在刪除或另一輪輪換之前仍然有效。',
+  rotate_cookie_keys_description:
+    '此操作將創建一個新的 Cookie 密鑰，輪換當前密鑰並刪除之前的密鑰。使用當前密鑰簽署的 Cookie 將在刪除或另一輪輪換之前仍然有效。',
+  select_private_key_algorithm: '選擇新私鑰的簽名演算法',
+  rotate_button: '輪換',
+  table_column: {
+    id: 'ID',
+    status: '狀態',
+    algorithm: '簽名演算法',
+  },
+  status: {
+    current: '當前的',
+    previous: '之前的',
+  },
+  reminder: {
+    rotate_private_key:
+      '您確定要輪換<strong>OIDC私鑰</strong>嗎？新發放的 JWT 憑證將由新的密鑰簽署。現有的 JWT 憑證仍然有效，直到下一輪輪換或刪除。',
+    rotate_cookie_key:
+      '您確定要輪換<strong>OIDC Cookie 密鑰</strong>嗎？在登入會話中生成的新 Cookie 將由新的 Cookie 密鑰簽署。現有 Cookie 在下一輪輪換或刪除之前仍然有效。',
+    delete_private_key:
+      '您確定要刪除<strong>OIDC私鑰</strong>嗎？使用此私密簽名密鑰簽署的現有 JWT 憑證將不再有效。',
+    delete_cookie_key:
+      '您確定要刪除<strong>OIDC Cookie 密鑰</strong>嗎？用此 Cookie 密鑰簽署的舊登入會話將不再有效。這些使用者需要重新驗證。',
+  },
+  messages: {
+    rotate_key_success: '密鑰輪換成功。',
+    delete_key_success: '密鑰刪除成功。',
+  },
+};
+
+export default Object.freeze(signing_keys);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-item.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-item.ts
index 481df26cac5..44a89c1378f 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-item.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-item.ts
@@ -151,6 +151,18 @@ const quota_item = {
     unlimited: '企業單一登錄',
     not_eligible: '移除你的 企業單一登錄',
   },
+  tenant_members_limit: {
+    /** UNTRANSLATED */
+    name: 'Tenant members',
+    /** UNTRANSLATED */
+    limited: '{{count, number}} tenant member',
+    /** UNTRANSLATED */
+    limited_other: '{{count, number}} tenant members',
+    /** UNTRANSLATED */
+    unlimited: 'Unlimited tenant members',
+    /** UNTRANSLATED */
+    not_eligible: 'Remove your tenant members',
+  },
 };
 
 export default Object.freeze(quota_item);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-table.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-table.ts
index 12102acd5b2..0a5b55b8ddd 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-table.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/subscription/quota-table.ts
@@ -46,14 +46,6 @@ const quota_table = {
     machine_to_machine_roles: '機器對機器角色',
     scopes_per_role: '每角色權限',
   },
-  audit_logs: {
-    title: '稽核日誌',
-    retention: '保留期限',
-  },
-  hooks: {
-    title: 'Webhooks',
-    hooks: 'Webhooks',
-  },
   organizations: {
     title: '組織',
     organizations: '組織',
@@ -73,6 +65,18 @@ const quota_table = {
     soc2_report: 'SOC2 報告',
     hipaa_or_baa_report: 'HIPAA/BAA 報告',
   },
+  developers_and_platform: {
+    /** UNTRANSLATED */
+    title: 'Developers and platform',
+    /** UNTRANSLATED */
+    hooks: 'Webhooks',
+    /** UNTRANSLATED */
+    audit_logs_retention: 'Audit logs retention',
+    /** UNTRANSLATED */
+    jwt_claims: 'JWT claims',
+    /** UNTRANSLATED */
+    tenant_members: 'Tenant members',
+  },
   unlimited: '無限制',
   contact: '聯絡',
   monthly_price: '${{value, number}}/月',
@@ -99,6 +103,8 @@ const quota_table = {
   per_month_each: '每月 ${{value, number}} / 每個',
   extra_mao_price: '然後每 MAO ${{value, number}}',
   per_month: '每月 ${{value, number}}',
+  /** UNTRANSLATED */
+  per_member: 'Then ${{value, number}} per member',
 };
 
 export default Object.freeze(quota_table);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/tab-sections.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/tab-sections.ts
index 87a0a8c8201..18d1425905e 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/tab-sections.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/tab-sections.ts
@@ -1,11 +1,10 @@
 const tab_sections = {
   overview: '概觀',
-  resources: '資源',
-  users: '使用者',
-  access_control: '訪問控制',
-  help_and_support: '幫助與支持',
+  authentication: '身份驗證',
+  authorization: '授權',
+  users: '用戶',
+  developer: '開發者',
   tenant: '租戶',
-  automation: '自動化',
 };
 
 export default Object.freeze(tab_sections);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/tabs.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/tabs.ts
index 0e8f730ab76..09100028303 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/tabs.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/tabs.ts
@@ -14,6 +14,10 @@ const tabs = {
   docs: '文件',
   tenant_settings: '租戶設定',
   mfa: '多重認證',
+  /** UNTRANSLATED */
+  customize_jwt: 'JWT Claims',
+  signing_keys: '簽署密鑰',
+  organization_template: '組織模板',
 };
 
 export default Object.freeze(tabs);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/tenant-members.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/tenant-members.ts
new file mode 100644
index 00000000000..c2947d0cef9
--- /dev/null
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/tenant-members.ts
@@ -0,0 +1,103 @@
+const tenant_members = {
+  /** UNTRANSLATED */
+  members: 'Members',
+  /** UNTRANSLATED */
+  invitations: 'Invitations',
+  /** UNTRANSLATED */
+  invite_members: 'Invite members',
+  /** UNTRANSLATED */
+  user: 'User',
+  /** UNTRANSLATED */
+  roles: 'Roles',
+  /** UNTRANSLATED */
+  admin: 'Admin',
+  /** UNTRANSLATED */
+  collaborator: 'Collaborator',
+  /** UNTRANSLATED */
+  invitation_status: 'Invitation status',
+  /** UNTRANSLATED */
+  inviter: 'Inviter',
+  /** UNTRANSLATED */
+  expiration_date: 'Expiration date',
+  invite_modal: {
+    /** UNTRANSLATED */
+    title: 'Invite people to Silverhand',
+    /** UNTRANSLATED */
+    subtitle: 'To invite members to an organization, they must accept the invitation.',
+    /** UNTRANSLATED */
+    to: 'To',
+    /** UNTRANSLATED */
+    added_as: 'Added as roles',
+    /** UNTRANSLATED */
+    email_input_placeholder: 'johndoe@example.com',
+  },
+  invitation_statuses: {
+    /** UNTRANSLATED */
+    pending: 'Pending',
+    /** UNTRANSLATED */
+    accepted: 'Accepted',
+    /** UNTRANSLATED */
+    expired: 'Expired',
+    /** UNTRANSLATED */
+    revoked: 'Revoked',
+  },
+  invitation_empty_placeholder: {
+    /** UNTRANSLATED */
+    title: 'Invite team members',
+    /** UNTRANSLATED */
+    description:
+      'Your tenant currently has no members invited.\nTo assist with your integration, consider adding more members or admins.',
+  },
+  menu_options: {
+    /** UNTRANSLATED */
+    edit: 'Edit tenant role',
+    /** UNTRANSLATED */
+    delete: 'Remove user from tenant',
+    /** UNTRANSLATED */
+    resend_invite: 'Resend invitation',
+    /** UNTRANSLATED */
+    revoke: 'Revoke invitation',
+    /** UNTRANSLATED */
+    delete_invitation_record: 'Delete this invitation record',
+  },
+  edit_modal: {
+    /** UNTRANSLATED */
+    title: 'Change roles of {{name}}',
+  },
+  /** UNTRANSLATED */
+  delete_user_confirm: 'Are you sure you want to remove this user from this tenant?',
+  /** UNTRANSLATED */
+  assign_admin_confirm:
+    'Are you sure you want to make the selected user(s) admin? Granting admin access will give the user(s) the following permissions.<ul><li>Change the tenant billing plan</li><li>Add or remove collaborators</li><li>Delete the tenant</li></ul>',
+  /** UNTRANSLATED */
+  revoke_invitation_confirm: 'Are you sure you want to revoke this invitation?',
+  /** UNTRANSLATED */
+  delete_invitation_confirm: 'Are you sure you want to delete this invitation record?',
+  messages: {
+    /** UNTRANSLATED */
+    invitation_sent: 'Invitation sent.',
+    /** UNTRANSLATED */
+    invitation_revoked: 'Invitation revoked.',
+    /** UNTRANSLATED */
+    invitation_resend: 'Invitation resent.',
+    /** UNTRANSLATED */
+    invitation_deleted: 'Invitation record deleted.',
+  },
+  errors: {
+    /** UNTRANSLATED */
+    email_required: 'Invitee email is required.',
+    /** UNTRANSLATED */
+    email_exists: 'Email address already exists.',
+    /** UNTRANSLATED */
+    member_exists: 'This user is already a member of this organization.',
+    /** UNTRANSLATED */
+    pending_invitation_exists:
+      'Pending invitation exists. Delete related email or revoke the invitation.',
+    /** UNTRANSLATED */
+    invalid_email: 'Email address is invalid. Please make sure it is in the right format.',
+    /** UNTRANSLATED */
+    max_member_limit: 'You have reached the maximum number of members ({{limit}}) for this tenant.',
+  },
+};
+
+export default Object.freeze(tenant_members);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/tenants.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/tenants.ts
index aef64ba8246..244df5cc0bd 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/tenants.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/tenants.ts
@@ -3,6 +3,8 @@ const tenants = {
   description: '高效管理租戶設定並自訂您的網域。',
   tabs: {
     settings: '設置',
+    /** UNTRANSLATED */
+    members: 'Members',
     domains: '網域',
     subscription: '方案與計費',
     billing_history: '帳單歷史記錄',
@@ -32,6 +34,17 @@ const tenants = {
     tenant_deletion_description: '刪除租戶將導致所有相關的使用者資料和設定永久移除。請謹慎進行。',
     tenant_deletion_button: '刪除租戶',
   },
+  leave_tenant_card: {
+    /** UNTRANSLATED */
+    title: 'LEAVE',
+    /** UNTRANSLATED */
+    leave_tenant: 'Leave tenant',
+    /** UNTRANSLATED */
+    leave_tenant_description:
+      'Any resources in the tenant will remain but you no longer have access to this tenant.',
+    /** UNTRANSLATED */
+    last_admin_note: 'To leave this tenant, ensure at least one more member has the Admin role.',
+  },
   create_modal: {
     title: '建立客戶',
     subtitle: '創建一個具有隔離資源和用戶的新租戶。數據托管的區域和租戶類型在創建後無法修改。',
@@ -65,6 +78,12 @@ const tenants = {
     cannot_delete_description:
       '抱歉，您現在無法刪除此租戶。請確保您處於免費方案並已支付所有未結賬單。',
   },
+  leave_tenant_modal: {
+    /** UNTRANSLATED */
+    description: 'Are you sure you want to leave this tenant?',
+    /** UNTRANSLATED */
+    leave_button: 'Leave',
+  },
   tenant_landing_page: {
     title: '您尚未建立租戶',
     description:
@@ -83,47 +102,6 @@ const tenants = {
     description_2:
       '如果您需要進一步的說明、有任何疑慮或希望恢復全部功能並解鎖您的租戶，請立即聯絡我們。',
   },
-  signing_keys: {
-    title: '簽名密鑰',
-    description: '在您的租戶中安全管理簽名密鑰。',
-    type: {
-      private_key: 'OIDC 私鑰',
-      cookie_key: 'OIDC Cookie 密鑰',
-    },
-    private_keys_in_use: '正在使用的私鑰',
-    cookie_keys_in_use: '正在使用的 Cookie 密鑰',
-    rotate_private_keys: '輪換私鑰',
-    rotate_cookie_keys: '輪換 Cookie 密鑰',
-    rotate_private_keys_description:
-      '此操作將創建一個新的私密簽名密鑰，輪換當前密鑰並刪除之前的密鑰。您的使用當前密鑰簽署的 JWT 憑證在刪除或另一輪輪換之前仍然有效。',
-    rotate_cookie_keys_description:
-      '此操作將創建一個新的 Cookie 密鑰，輪換當前密鑰並刪除之前的密鑰。使用當前密鑰簽署的 Cookie 將在刪除或另一輪輪換之前仍然有效。',
-    select_private_key_algorithm: '選擇新私鑰的簽名演算法',
-    rotate_button: '輪換',
-    table_column: {
-      id: 'ID',
-      status: '狀態',
-      algorithm: '簽名演算法',
-    },
-    status: {
-      current: '當前的',
-      previous: '之前的',
-    },
-    reminder: {
-      rotate_private_key:
-        '您確定要輪換<strong>OIDC私鑰</strong>嗎？新發放的 JWT 憑證將由新的密鑰簽署。現有的 JWT 憑證仍然有效，直到下一輪輪換或刪除。',
-      rotate_cookie_key:
-        '您確定要輪換<strong>OIDC Cookie 密鑰</strong>嗎？在登入會話中生成的新 Cookie 將由新的 Cookie 密鑰簽署。現有 Cookie 在下一輪輪換或刪除之前仍然有效。',
-      delete_private_key:
-        '您確定要刪除<strong>OIDC私鑰</strong>嗎？使用此私密簽名密鑰簽署的現有 JWT 憑證將不再有效。',
-      delete_cookie_key:
-        '您確定要刪除<strong>OIDC Cookie 密鑰</strong>嗎？用此 Cookie 密鑰簽署的舊登入會話將不再有效。這些使用者需要重新驗證。',
-    },
-    messages: {
-      rotate_key_success: '密鑰輪換成功。',
-      delete_key_success: '密鑰刪除成功。',
-    },
-  },
 };
 
 export default Object.freeze(tenants);
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/index.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/index.ts
index d5473f959ed..71a7b5fe07b 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/index.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/index.ts
@@ -35,6 +35,8 @@ const upsell = {
     api_resource: 'API 資源',
     machine_to_machine: '機器對機器應用',
     tokens: '{{limit}}M 令牌',
+    /** UNTRANSLATED */
+    tenant_member: 'tenant member',
   },
   charge_notification_for_quota_limit:
     '您已超出{{item}}額度限制。Logto將為超出額度限制的使用添加費用。計費將從新的附加價格設計發布當天開始。 <a>了解更多</a>',
diff --git a/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/paywall.ts b/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/paywall.ts
index a8316b11abd..66d4f2e282a 100644
--- a/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/paywall.ts
+++ b/packages/phrases/src/locales/zh-tw/translation/admin-console/upsell/paywall.ts
@@ -54,6 +54,15 @@ const paywall = {
   /** UNTRANSLATED */
   third_party_apps:
     'Unlock Logto as IdP for third-party apps by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  sso_connectors:
+    'Unlock enterprise sso by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members:
+    'Unlock collaboration feature by upgrading to a paid plan. For any assistance, feel free to <a>contact us</a>.',
+  /** UNTRANSLATED */
+  tenant_members_dev_plan:
+    "You've reached your {{limit}}-member limit. Release a member or revoke a pending invitation to add someone new. Need more seats? Feel free to contact us.",
 };
 
 export default Object.freeze(paywall);
diff --git a/packages/schemas/CHANGELOG.md b/packages/schemas/CHANGELOG.md
index 25b78a0ac9a..383fb91185a 100644
--- a/packages/schemas/CHANGELOG.md
+++ b/packages/schemas/CHANGELOG.md
@@ -1,5 +1,63 @@
 # Change Log
 
+## 1.15.0
+
+### Minor Changes
+
+- abffb9f95: full oidc standard claims support
+
+  We have added support for the remaining [OpenID Connect standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
+
+  Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
+
+  For all newly introduced claims, we store them in the `user.profile` field.
+
+  > ![Note]
+  > Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
+
+- 2cbc591ff: add oidc params variables and types
+
+  - Add `ExtraParamsKey` enum for all possible OIDC extra parameters that Logto supports.
+  - Add `FirstScreen` enum for the `first_screen` parameter.
+  - Add `extraParamsObjectGuard` guard and `ExtraParamsObject` type for shaping the extra parameters object in the OIDC authentication request.
+
+- cc01acbd0: Create a new user through API with password digest and corresponding algorithm
+
+### Patch Changes
+
+- 951865859: ## Resolve third-party app's /interaction/consent endpoint 500 error
+
+  ### Reproduction steps
+
+  - Create an organization scope with an empty description and assign this scope to a third-party application.
+  - Login to the third-party application and request the organization scope.
+  - Proceed through the interaction flow until reaching the consent page.
+  - An internal server error 500 is returned.
+
+  ### Root cause
+
+  For the `/interaction/consent` endpoint, the organization scope is returned alongside other resource scopes in the `missingResourceScopes` property.
+
+  In the `consentInfoResponseGuard`, we utilize the resource Scopes zod guard to validate the `missingResourceScopes` property. However, the description field in the resource scope is mandatory while organization scopes'description is optional. An organization scope with an empty description will not pass the validation.
+
+  ### Solution
+
+  Alter the resource scopes table to make the description field nullable. Related Scope zod guard and the consentInfoResponseGuard will be updated to reflect this change. Align the resource scopes table with the organization scopes table to ensure consistency.
+
+- Updated dependencies [5758f84f5]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [abffb9f95]
+- Updated dependencies [746483c49]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [cc01acbd0]
+- Updated dependencies [57d97a4df]
+- Updated dependencies [2c10c2423]
+  - @logto/phrases@1.10.0
+  - @logto/connector-kit@3.0.0
+  - @logto/core-kit@2.4.0
+  - @logto/phrases-experience@1.6.1
+  - @logto/shared@3.1.0
+
 ## 1.14.0
 
 ## 1.13.1
diff --git a/packages/schemas/alterations/1.0.0-1677208902-update-admin-console-config.ts b/packages/schemas/alterations/1.0.0-1677208902-update-admin-console-config.ts
index 453d88658a4..8a438ca2c65 100644
--- a/packages/schemas/alterations/1.0.0-1677208902-update-admin-console-config.ts
+++ b/packages/schemas/alterations/1.0.0-1677208902-update-admin-console-config.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1677765137-seed-for-admin-tenant.ts b/packages/schemas/alterations/1.0.0-1677765137-seed-for-admin-tenant.ts
index 11dcc3e8310..c2a26d5a172 100644
--- a/packages/schemas/alterations/1.0.0-1677765137-seed-for-admin-tenant.ts
+++ b/packages/schemas/alterations/1.0.0-1677765137-seed-for-admin-tenant.ts
@@ -1,6 +1,6 @@
 import { generateStandardId } from '@logto/shared/universal';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1677907982-allow-admin-create-multiple-tenants.ts b/packages/schemas/alterations/1.0.0-1677907982-allow-admin-create-multiple-tenants.ts
index ca7fa7f5467..633c1647177 100644
--- a/packages/schemas/alterations/1.0.0-1677907982-allow-admin-create-multiple-tenants.ts
+++ b/packages/schemas/alterations/1.0.0-1677907982-allow-admin-create-multiple-tenants.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678157950-privacy-policy-url.ts b/packages/schemas/alterations/1.0.0-1678157950-privacy-policy-url.ts
index cf6330b4b46..1689e7cc1f0 100644
--- a/packages/schemas/alterations/1.0.0-1678157950-privacy-policy-url.ts
+++ b/packages/schemas/alterations/1.0.0-1678157950-privacy-policy-url.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678199795-add-verification-status-table.ts b/packages/schemas/alterations/1.0.0-1678199795-add-verification-status-table.ts
index 38e4e0d9411..cca035cd00c 100644
--- a/packages/schemas/alterations/1.0.0-1678199795-add-verification-status-table.ts
+++ b/packages/schemas/alterations/1.0.0-1678199795-add-verification-status-table.ts
@@ -1,5 +1,5 @@
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678259693-remove-branding-style-config.ts b/packages/schemas/alterations/1.0.0-1678259693-remove-branding-style-config.ts
index c945f8e0b31..b973e1f5a6c 100644
--- a/packages/schemas/alterations/1.0.0-1678259693-remove-branding-style-config.ts
+++ b/packages/schemas/alterations/1.0.0-1678259693-remove-branding-style-config.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678269972-use-restrictive-policies.ts b/packages/schemas/alterations/1.0.0-1678269972-use-restrictive-policies.ts
index 9c9355ac3e1..788096ce7d1 100644
--- a/packages/schemas/alterations/1.0.0-1678269972-use-restrictive-policies.ts
+++ b/packages/schemas/alterations/1.0.0-1678269972-use-restrictive-policies.ts
@@ -1,5 +1,5 @@
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678284778-restrict-internal-roles.ts b/packages/schemas/alterations/1.0.0-1678284778-restrict-internal-roles.ts
index 5c78ea9e8b8..cab144754d5 100644
--- a/packages/schemas/alterations/1.0.0-1678284778-restrict-internal-roles.ts
+++ b/packages/schemas/alterations/1.0.0-1678284778-restrict-internal-roles.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678425761-m2m-app-for-tenants.ts b/packages/schemas/alterations/1.0.0-1678425761-m2m-app-for-tenants.ts
index 8ec500bfb3b..486098b65fc 100644
--- a/packages/schemas/alterations/1.0.0-1678425761-m2m-app-for-tenants.ts
+++ b/packages/schemas/alterations/1.0.0-1678425761-m2m-app-for-tenants.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678450233-support-custom-content.ts b/packages/schemas/alterations/1.0.0-1678450233-support-custom-content.ts
index a3333b1093e..5d11f9ad24f 100644
--- a/packages/schemas/alterations/1.0.0-1678450233-support-custom-content.ts
+++ b/packages/schemas/alterations/1.0.0-1678450233-support-custom-content.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678716747-service-logs.ts b/packages/schemas/alterations/1.0.0-1678716747-service-logs.ts
index 5b476badb98..4f952ef0314 100644
--- a/packages/schemas/alterations/1.0.0-1678716747-service-logs.ts
+++ b/packages/schemas/alterations/1.0.0-1678716747-service-logs.ts
@@ -1,5 +1,5 @@
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678928481-remove-deprecated-logto-config-item.ts b/packages/schemas/alterations/1.0.0-1678928481-remove-deprecated-logto-config-item.ts
index 82c08f877f6..713ded68a1a 100644
--- a/packages/schemas/alterations/1.0.0-1678928481-remove-deprecated-logto-config-item.ts
+++ b/packages/schemas/alterations/1.0.0-1678928481-remove-deprecated-logto-config-item.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1678953179-update-get-started-task-config.ts b/packages/schemas/alterations/1.0.0-1678953179-update-get-started-task-config.ts
index eebe53a76da..72f43fcf711 100644
--- a/packages/schemas/alterations/1.0.0-1678953179-update-get-started-task-config.ts
+++ b/packages/schemas/alterations/1.0.0-1678953179-update-get-started-task-config.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0-1679209413-drop-connector-database-storage.ts b/packages/schemas/alterations/1.0.0-1679209413-drop-connector-database-storage.ts
index 6b766549d54..0c97e248e1d 100644
--- a/packages/schemas/alterations/1.0.0-1679209413-drop-connector-database-storage.ts
+++ b/packages/schemas/alterations/1.0.0-1679209413-drop-connector-database-storage.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.10-1-logto-config.ts b/packages/schemas/alterations/1.0.0_beta.10-1-logto-config.ts
index 83d6e0068da..05b6e2d3508 100644
--- a/packages/schemas/alterations/1.0.0_beta.10-1-logto-config.ts
+++ b/packages/schemas/alterations/1.0.0_beta.10-1-logto-config.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.10-1663923211-machine-to-machine-app.ts b/packages/schemas/alterations/1.0.0_beta.10-1663923211-machine-to-machine-app.ts
index a8bb4d683b3..ce6403b407e 100644
--- a/packages/schemas/alterations/1.0.0_beta.10-1663923211-machine-to-machine-app.ts
+++ b/packages/schemas/alterations/1.0.0_beta.10-1663923211-machine-to-machine-app.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.10-1664265197-custom-phrases.ts b/packages/schemas/alterations/1.0.0_beta.10-1664265197-custom-phrases.ts
index 5f496d40186..92f800039ec 100644
--- a/packages/schemas/alterations/1.0.0_beta.10-1664265197-custom-phrases.ts
+++ b/packages/schemas/alterations/1.0.0_beta.10-1664265197-custom-phrases.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.11-1664347703-rename-language-key-to-tag.ts b/packages/schemas/alterations/1.0.0_beta.11-1664347703-rename-language-key-to-tag.ts
index b17b1567e7d..0909224cafc 100644
--- a/packages/schemas/alterations/1.0.0_beta.11-1664347703-rename-language-key-to-tag.ts
+++ b/packages/schemas/alterations/1.0.0_beta.11-1664347703-rename-language-key-to-tag.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.11-1664356000-add-created-at-column-to-users.ts b/packages/schemas/alterations/1.0.0_beta.11-1664356000-add-created-at-column-to-users.ts
index 1e708b9d6d2..32a6ff817aa 100644
--- a/packages/schemas/alterations/1.0.0_beta.11-1664356000-add-created-at-column-to-users.ts
+++ b/packages/schemas/alterations/1.0.0_beta.11-1664356000-add-created-at-column-to-users.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.11-1664462389-correct-user-created-at-column-by-user-logs.ts b/packages/schemas/alterations/1.0.0_beta.11-1664462389-correct-user-created-at-column-by-user-logs.ts
index 9669dd100ac..a74f742da22 100644
--- a/packages/schemas/alterations/1.0.0_beta.11-1664462389-correct-user-created-at-column-by-user-logs.ts
+++ b/packages/schemas/alterations/1.0.0_beta.11-1664462389-correct-user-created-at-column-by-user-logs.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.14-1665300135-sign-in-sign-up.ts b/packages/schemas/alterations/1.0.0_beta.14-1665300135-sign-in-sign-up.ts
index 08e172d8a17..04eb4204aa4 100644
--- a/packages/schemas/alterations/1.0.0_beta.14-1665300135-sign-in-sign-up.ts
+++ b/packages/schemas/alterations/1.0.0_beta.14-1665300135-sign-in-sign-up.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.14-1667283640-remove-forgot-password.ts b/packages/schemas/alterations/1.0.0_beta.14-1667283640-remove-forgot-password.ts
index cfb0534de43..a8b827a9a70 100644
--- a/packages/schemas/alterations/1.0.0_beta.14-1667283640-remove-forgot-password.ts
+++ b/packages/schemas/alterations/1.0.0_beta.14-1667283640-remove-forgot-password.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.14-1667292082-remove-sign-in-method.ts b/packages/schemas/alterations/1.0.0_beta.14-1667292082-remove-sign-in-method.ts
index 0cc0ffc57ab..965150b8d80 100644
--- a/packages/schemas/alterations/1.0.0_beta.14-1667292082-remove-sign-in-method.ts
+++ b/packages/schemas/alterations/1.0.0_beta.14-1667292082-remove-sign-in-method.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.14-1667374974-user-suspend.ts b/packages/schemas/alterations/1.0.0_beta.14-1667374974-user-suspend.ts
index d48f7f6cf55..03edab4463b 100644
--- a/packages/schemas/alterations/1.0.0_beta.14-1667374974-user-suspend.ts
+++ b/packages/schemas/alterations/1.0.0_beta.14-1667374974-user-suspend.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.14-1667900481-add-passcode-type-continue.ts b/packages/schemas/alterations/1.0.0_beta.14-1667900481-add-passcode-type-continue.ts
index c40fbfd3ece..47d2844d71a 100644
--- a/packages/schemas/alterations/1.0.0_beta.14-1667900481-add-passcode-type-continue.ts
+++ b/packages/schemas/alterations/1.0.0_beta.14-1667900481-add-passcode-type-continue.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1668666590-support-multiple-connector-instances.ts b/packages/schemas/alterations/1.0.0_beta.18-1668666590-support-multiple-connector-instances.ts
index b2d9af7d098..fde3a840d12 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1668666590-support-multiple-connector-instances.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1668666590-support-multiple-connector-instances.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1668666600-remove-connector-enabled.ts b/packages/schemas/alterations/1.0.0_beta.18-1668666600-remove-connector-enabled.ts
index aeceedcb0d2..ca10a7baf40 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1668666600-remove-connector-enabled.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1668666600-remove-connector-enabled.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1669091623-roles-and-scopes.ts b/packages/schemas/alterations/1.0.0_beta.18-1669091623-roles-and-scopes.ts
index 2eecaed34e0..466454eecaa 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1669091623-roles-and-scopes.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1669091623-roles-and-scopes.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1669702299-sign-up.ts b/packages/schemas/alterations/1.0.0_beta.18-1669702299-sign-up.ts
index c5c6b8f8021..b1bef3620ba 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1669702299-sign-up.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1669702299-sign-up.ts
@@ -1,6 +1,6 @@
 import { isSameArray } from '@silverhand/essentials';
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1671039448-add-user-name-index.ts b/packages/schemas/alterations/1.0.0_beta.18-1671039448-add-user-name-index.ts
index fb30bec7cc8..62fb6f68df6 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1671039448-add-user-name-index.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1671039448-add-user-name-index.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1671080370-terms-of-use.ts b/packages/schemas/alterations/1.0.0_beta.18-1671080370-terms-of-use.ts
index cd170c3a2c3..b35bff74562 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1671080370-terms-of-use.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1671080370-terms-of-use.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1671336831-refactor-log-types.ts b/packages/schemas/alterations/1.0.0_beta.18-1671336831-refactor-log-types.ts
index 7e689fb06e0..0574ac4bbf0 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1671336831-refactor-log-types.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1671336831-refactor-log-types.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1671509870-hooks.ts b/packages/schemas/alterations/1.0.0_beta.18-1671509870-hooks.ts
index 111188d0d93..a25ef1918da 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1671509870-hooks.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1671509870-hooks.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_beta.18-1672119200-align-passcode-type-with-message-type.ts b/packages/schemas/alterations/1.0.0_beta.18-1672119200-align-passcode-type-with-message-type.ts
index fb13927a86e..f79cdbf796b 100644
--- a/packages/schemas/alterations/1.0.0_beta.18-1672119200-align-passcode-type-with-message-type.ts
+++ b/packages/schemas/alterations/1.0.0_beta.18-1672119200-align-passcode-type-with-message-type.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1672815959-user-roles.ts b/packages/schemas/alterations/1.0.0_rc.0-1672815959-user-roles.ts
index 5cce8604a66..bbb5316c8f1 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1672815959-user-roles.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1672815959-user-roles.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1672820345-scope-resource-id.ts b/packages/schemas/alterations/1.0.0_rc.0-1672820345-scope-resource-id.ts
index 35a1af20f12..380f97aced0 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1672820345-scope-resource-id.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1672820345-scope-resource-id.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1672901841-roles-and-scopes-not-null.ts b/packages/schemas/alterations/1.0.0_rc.0-1672901841-roles-and-scopes-not-null.ts
index b56cc2275f3..847b998e23d 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1672901841-roles-and-scopes-not-null.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1672901841-roles-and-scopes-not-null.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673001922-support-generic-passcode.ts b/packages/schemas/alterations/1.0.0_rc.0-1673001922-support-generic-passcode.ts
index 8c6607b7ac9..74ad01c601e 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673001922-support-generic-passcode.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673001922-support-generic-passcode.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673165463-scope-name-index.ts b/packages/schemas/alterations/1.0.0_rc.0-1673165463-scope-name-index.ts
index f23bf0b8c74..9a266a41fb9 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673165463-scope-name-index.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673165463-scope-name-index.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673349501-sms-sign-in-identifier-to-phone.ts b/packages/schemas/alterations/1.0.0_rc.0-1673349501-sms-sign-in-identifier-to-phone.ts
index 375d070f996..645af884103 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673349501-sms-sign-in-identifier-to-phone.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673349501-sms-sign-in-identifier-to-phone.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673465463-ac-scope-name.ts b/packages/schemas/alterations/1.0.0_rc.0-1673465463-ac-scope-name.ts
index 49cbef45465..8501b814817 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673465463-ac-scope-name.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673465463-ac-scope-name.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673853579-ac-default-scope.ts b/packages/schemas/alterations/1.0.0_rc.0-1673853579-ac-default-scope.ts
index ba498fb1ed8..11ea3bf9d26 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673853579-ac-default-scope.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673853579-ac-default-scope.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673863835-ac-scope-role.ts b/packages/schemas/alterations/1.0.0_rc.0-1673863835-ac-scope-role.ts
index a94505a072d..85e2872e414 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673863835-ac-scope-role.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673863835-ac-scope-role.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673882867-fix-alteration-issues.ts b/packages/schemas/alterations/1.0.0_rc.0-1673882867-fix-alteration-issues.ts
index e8c9d05f305..a513f6616cc 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673882867-fix-alteration-issues.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673882867-fix-alteration-issues.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673940577-scope-description-not-null.ts b/packages/schemas/alterations/1.0.0_rc.0-1673940577-scope-description-not-null.ts
index 4d1490f2979..8dc0a1c9442 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673940577-scope-description-not-null.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673940577-scope-description-not-null.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1673941897-application-roles.ts b/packages/schemas/alterations/1.0.0_rc.0-1673941897-application-roles.ts
index da3f10f2937..8bc217f2589 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1673941897-application-roles.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1673941897-application-roles.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.1-dedup-resources-constraint.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.1-dedup-resources-constraint.ts
index 53083993f47..7098b6bfa11 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.1-dedup-resources-constraint.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.1-dedup-resources-constraint.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.2-oidc-model-pkey.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.2-oidc-model-pkey.ts
index 080881e19ac..153e4ac9640 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.2-oidc-model-pkey.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.2-oidc-model-pkey.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.3-tenant-table.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.3-tenant-table.ts
index 184afe09e3b..8fd9395ca1f 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.3-tenant-table.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.3-tenant-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.4-add-id-column.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.4-add-id-column.ts
index e5bfded998a..35f293c91e1 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.4-add-id-column.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.4-add-id-column.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.5-multi-tenancy.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.5-multi-tenancy.ts
index b993328da1a..2538f6ff4f4 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.5-multi-tenancy.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.5-multi-tenancy.ts
@@ -1,5 +1,4 @@
-import { sql } from 'slonik';
-import { raw } from 'slonik-sql-tag-raw';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
@@ -121,7 +120,7 @@ const alteration: AlterationScript = {
                   on ${getId(table)} (
                     ${tenantId},
                     ${sql.join(
-                      columns.map((column) => raw(column)),
+                      columns.map((column) => sql.raw(column)),
                       sql`, `
                     )}
                   );
@@ -147,7 +146,7 @@ const alteration: AlterationScript = {
             add constraint ${indexName} unique (
               ${tenantId},
               ${sql.join(
-                columns.map((column) => raw(column)),
+                columns.map((column) => sql.raw(column)),
                 sql`, `
               )}
             );
@@ -171,7 +170,7 @@ const alteration: AlterationScript = {
             create unique index ${indexName}
               on ${getId(table)} (
                 ${sql.join(
-                  columns.map((column) => raw(column)),
+                  columns.map((column) => sql.raw(column)),
                   sql`, `
                 )}
               )
@@ -180,7 +179,7 @@ const alteration: AlterationScript = {
             alter table ${getId(table)}
               add constraint ${indexName} unique (
                 ${sql.join(
-                  columns.map((column) => raw(column)),
+                  columns.map((column) => sql.raw(column)),
                   sql`, `
                 )}
               );
@@ -203,7 +202,7 @@ const alteration: AlterationScript = {
               create index ${indexName} 
                 on ${getId(table)} (
                   ${sql.join(
-                    columns.map((column) => raw(column)),
+                    columns.map((column) => sql.raw(column)),
                     sql`, `
                   )}
                 );
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674032095.6-add-tenant-id-trigger.ts b/packages/schemas/alterations/1.0.0_rc.0-1674032095.6-add-tenant-id-trigger.ts
index 9f40d0305cc..b92be7c282c 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674032095.6-add-tenant-id-trigger.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674032095.6-add-tenant-id-trigger.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1674987042-drop-settings-and-create-systems.ts b/packages/schemas/alterations/1.0.0_rc.0-1674987042-drop-settings-and-create-systems.ts
index 6fa64e66ed0..16850cd954a 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1674987042-drop-settings-and-create-systems.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1674987042-drop-settings-and-create-systems.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.0-1675316731-update-seed-data.ts b/packages/schemas/alterations/1.0.0_rc.0-1675316731-update-seed-data.ts
index 18f192e76e7..4db3f5b41d0 100644
--- a/packages/schemas/alterations/1.0.0_rc.0-1675316731-update-seed-data.ts
+++ b/packages/schemas/alterations/1.0.0_rc.0-1675316731-update-seed-data.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1675788753-multi-tenancy-rls.ts b/packages/schemas/alterations/1.0.0_rc.1-1675788753-multi-tenancy-rls.ts
index 53543b1412e..dc15876f21b 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1675788753-multi-tenancy-rls.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1675788753-multi-tenancy-rls.ts
@@ -1,7 +1,6 @@
 import { generateStandardId } from '@logto/shared/universal';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
-import { raw } from 'slonik-sql-tag-raw';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
@@ -123,7 +122,7 @@ const alteration: AlterationScript = {
     `);
     await pool.query(sql`
       create role ${sql.identifier([role])} with inherit login
-        password '${raw(password)}'
+        password '${sql.raw(password)}'
         in role ${sql.identifier([baseRole])};
     `);
   },
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676115897-add-admin-tenant.ts b/packages/schemas/alterations/1.0.0_rc.1-1676115897-add-admin-tenant.ts
index 422b33c73c1..f6767435b4f 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676115897-add-admin-tenant.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676115897-add-admin-tenant.ts
@@ -1,7 +1,6 @@
 import { generateStandardId } from '@logto/shared/universal';
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
-import { raw } from 'slonik-sql-tag-raw';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
@@ -154,7 +153,7 @@ const alteration: AlterationScript = {
     `);
     await pool.query(sql`
       create role ${getId(role)} with inherit login
-        password '${raw(password)}'
+        password '${sql.raw(password)}'
         in role ${getId(baseRole)};
     `);
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676185899-fix-logs-index.ts b/packages/schemas/alterations/1.0.0_rc.1-1676185899-fix-logs-index.ts
index 68bbf4c4e06..e6ef78945ab 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676185899-fix-logs-index.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676185899-fix-logs-index.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676190092-migrate-admin-data.ts b/packages/schemas/alterations/1.0.0_rc.1-1676190092-migrate-admin-data.ts
index cb2e49446cb..65434ddf0c1 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676190092-migrate-admin-data.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676190092-migrate-admin-data.ts
@@ -3,8 +3,8 @@ import { promisify } from 'node:util';
 
 import { generateStandardId } from '@logto/shared/universal';
 import inquirer from 'inquirer';
-import type { CommonQueryMethods, SerializableValue } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods, SerializableValue } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676823841-update-sie-primary-key.ts b/packages/schemas/alterations/1.0.0_rc.1-1676823841-update-sie-primary-key.ts
index ddca9f3a539..7ea41d1fc08 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676823841-update-sie-primary-key.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676823841-update-sie-primary-key.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676874936-support-custom-css.ts b/packages/schemas/alterations/1.0.0_rc.1-1676874936-support-custom-css.ts
index 6c25619a20d..9c9a08275f8 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676874936-support-custom-css.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676874936-support-custom-css.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676886855-connector-database-read-write.ts b/packages/schemas/alterations/1.0.0_rc.1-1676886855-connector-database-read-write.ts
index a5cb136e1b8..bcb425be844 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676886855-connector-database-read-write.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676886855-connector-database-read-write.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676906977-remove-demo-app.ts b/packages/schemas/alterations/1.0.0_rc.1-1676906977-remove-demo-app.ts
index 0e744b16c13..918a3006794 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676906977-remove-demo-app.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676906977-remove-demo-app.ts
@@ -1,7 +1,7 @@
 import { generateStandardId } from '@logto/shared/universal';
 import chalk from 'chalk';
 import inquirer from 'inquirer';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1676956206-move-console-sie-to-database.ts b/packages/schemas/alterations/1.0.0_rc.1-1676956206-move-console-sie-to-database.ts
index 38c4c930a13..9f899f2ef56 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1676956206-move-console-sie-to-database.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1676956206-move-console-sie-to-database.ts
@@ -1,5 +1,5 @@
 import { generateDarkColor } from '@logto/core-kit';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.0.0_rc.1-1677059985-move-console-application-to-database.ts b/packages/schemas/alterations/1.0.0_rc.1-1677059985-move-console-application-to-database.ts
index 4dc1de1444f..9848ba3e303 100644
--- a/packages/schemas/alterations/1.0.0_rc.1-1677059985-move-console-application-to-database.ts
+++ b/packages/schemas/alterations/1.0.0_rc.1-1677059985-move-console-application-to-database.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1695647183-update-private-key-type.ts b/packages/schemas/alterations/1.10.1-1695647183-update-private-key-type.ts
index 50aa053311d..1e9d6eef421 100644
--- a/packages/schemas/alterations/1.10.1-1695647183-update-private-key-type.ts
+++ b/packages/schemas/alterations/1.10.1-1695647183-update-private-key-type.ts
@@ -1,6 +1,6 @@
 import { generateStandardId } from '@logto/shared';
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1696657546-organization-tables.ts b/packages/schemas/alterations/1.10.1-1696657546-organization-tables.ts
index 06c1929286f..1f38e006e18 100644
--- a/packages/schemas/alterations/1.10.1-1696657546-organization-tables.ts
+++ b/packages/schemas/alterations/1.10.1-1696657546-organization-tables.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1697683802-add-sso-connectors-table.ts b/packages/schemas/alterations/1.10.1-1697683802-add-sso-connectors-table.ts
index 60c14ee3db6..2d941e5860d 100644
--- a/packages/schemas/alterations/1.10.1-1697683802-add-sso-connectors-table.ts
+++ b/packages/schemas/alterations/1.10.1-1697683802-add-sso-connectors-table.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1698646271-add-organization-created-flag.ts b/packages/schemas/alterations/1.10.1-1698646271-add-organization-created-flag.ts
index 80eb5538a6b..b20326ae777 100644
--- a/packages/schemas/alterations/1.10.1-1698646271-add-organization-created-flag.ts
+++ b/packages/schemas/alterations/1.10.1-1698646271-add-organization-created-flag.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1698820410-add-user-sso-identities-table.ts b/packages/schemas/alterations/1.10.1-1698820410-add-user-sso-identities-table.ts
index dde1ba464f3..dae2e816888 100644
--- a/packages/schemas/alterations/1.10.1-1698820410-add-user-sso-identities-table.ts
+++ b/packages/schemas/alterations/1.10.1-1698820410-add-user-sso-identities-table.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.10.1-1698910485-user-logto-data.ts b/packages/schemas/alterations/1.10.1-1698910485-user-logto-data.ts
index 29d5a98df82..b111b45e210 100644
--- a/packages/schemas/alterations/1.10.1-1698910485-user-logto-data.ts
+++ b/packages/schemas/alterations/1.10.1-1698910485-user-logto-data.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.11.0-1699422979-add-sso-connector-id-col-to-user-sso-identities-table.ts b/packages/schemas/alterations/1.11.0-1699422979-add-sso-connector-id-col-to-user-sso-identities-table.ts
index 23a4b80ba2a..94e973fd5da 100644
--- a/packages/schemas/alterations/1.11.0-1699422979-add-sso-connector-id-col-to-user-sso-identities-table.ts
+++ b/packages/schemas/alterations/1.11.0-1699422979-add-sso-connector-id-col-to-user-sso-identities-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.11.0-1699598903-remove-sso-only-column-in-sso-connectors-table.ts b/packages/schemas/alterations/1.11.0-1699598903-remove-sso-only-column-in-sso-connectors-table.ts
index 6f0378c18fc..c9115d930fd 100644
--- a/packages/schemas/alterations/1.11.0-1699598903-remove-sso-only-column-in-sso-connectors-table.ts
+++ b/packages/schemas/alterations/1.11.0-1699598903-remove-sso-only-column-in-sso-connectors-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts b/packages/schemas/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts
index 8dd5179513d..b9eb81c7464 100644
--- a/packages/schemas/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts
+++ b/packages/schemas/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts b/packages/schemas/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts
index 859b5166bdc..6a54a53f70b 100644
--- a/packages/schemas/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts
+++ b/packages/schemas/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts b/packages/schemas/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts
index 18267412d21..7d6c10503a3 100644
--- a/packages/schemas/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts
+++ b/packages/schemas/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702274830-add-new-third-party-column-to-applications-table.ts b/packages/schemas/alterations/1.13.0-1702274830-add-new-third-party-column-to-applications-table.ts
index 76ee320df7e..bbe52b484d9 100644
--- a/packages/schemas/alterations/1.13.0-1702274830-add-new-third-party-column-to-applications-table.ts
+++ b/packages/schemas/alterations/1.13.0-1702274830-add-new-third-party-column-to-applications-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702372401-add-application-permissions-tables.ts b/packages/schemas/alterations/1.13.0-1702372401-add-application-permissions-tables.ts
index d40baf18a96..78eb1c97a07 100644
--- a/packages/schemas/alterations/1.13.0-1702372401-add-application-permissions-tables.ts
+++ b/packages/schemas/alterations/1.13.0-1702372401-add-application-permissions-tables.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702544178-sync-tenant-orgs.ts b/packages/schemas/alterations/1.13.0-1702544178-sync-tenant-orgs.ts
index e0a8e083a0a..c72aba1fb1f 100644
--- a/packages/schemas/alterations/1.13.0-1702544178-sync-tenant-orgs.ts
+++ b/packages/schemas/alterations/1.13.0-1702544178-sync-tenant-orgs.ts
@@ -15,7 +15,7 @@
  */
 
 import { ConsoleLog, generateStandardId } from '@logto/shared';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import { type AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702871078-protected-application-type.ts b/packages/schemas/alterations/1.13.0-1702871078-protected-application-type.ts
index 5bb5e3a1073..5440eaae4c5 100644
--- a/packages/schemas/alterations/1.13.0-1702871078-protected-application-type.ts
+++ b/packages/schemas/alterations/1.13.0-1702871078-protected-application-type.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702877515-protected-app-configs.ts b/packages/schemas/alterations/1.13.0-1702877515-protected-app-configs.ts
index 72d817cabef..c5b58151230 100644
--- a/packages/schemas/alterations/1.13.0-1702877515-protected-app-configs.ts
+++ b/packages/schemas/alterations/1.13.0-1702877515-protected-app-configs.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1702978120-application-sign-in-experience-table.ts b/packages/schemas/alterations/1.13.0-1702978120-application-sign-in-experience-table.ts
index 3c68a2a7eb5..9f83ee0ff27 100644
--- a/packages/schemas/alterations/1.13.0-1702978120-application-sign-in-experience-table.ts
+++ b/packages/schemas/alterations/1.13.0-1702978120-application-sign-in-experience-table.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1703229996-daily-token-usage.ts b/packages/schemas/alterations/1.13.0-1703229996-daily-token-usage.ts
index 63a906ceae8..e5a97a3bef2 100644
--- a/packages/schemas/alterations/1.13.0-1703229996-daily-token-usage.ts
+++ b/packages/schemas/alterations/1.13.0-1703229996-daily-token-usage.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1703230000-update-tenant-roles.ts b/packages/schemas/alterations/1.13.0-1703230000-update-tenant-roles.ts
index 036765f477a..c5c6b38c850 100644
--- a/packages/schemas/alterations/1.13.0-1703230000-update-tenant-roles.ts
+++ b/packages/schemas/alterations/1.13.0-1703230000-update-tenant-roles.ts
@@ -1,5 +1,5 @@
 import { ConsoleLog } from '@logto/shared';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1704692973-remove-legacy-resources.ts b/packages/schemas/alterations/1.13.0-1704692973-remove-legacy-resources.ts
index 8972fa6a165..ce402cdca02 100644
--- a/packages/schemas/alterations/1.13.0-1704692973-remove-legacy-resources.ts
+++ b/packages/schemas/alterations/1.13.0-1704692973-remove-legacy-resources.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1704934999-add-magic-links-table.ts b/packages/schemas/alterations/1.13.0-1704934999-add-magic-links-table.ts
index 38c0298773d..d949bde0399 100644
--- a/packages/schemas/alterations/1.13.0-1704934999-add-magic-links-table.ts
+++ b/packages/schemas/alterations/1.13.0-1704934999-add-magic-links-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1704935001-add-organization-invitation-tables.ts b/packages/schemas/alterations/1.13.0-1704935001-add-organization-invitation-tables.ts
index 00cd5c7e06c..bbebf0f0c4e 100644
--- a/packages/schemas/alterations/1.13.0-1704935001-add-organization-invitation-tables.ts
+++ b/packages/schemas/alterations/1.13.0-1704935001-add-organization-invitation-tables.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1705288654-add-application-user-consent-organizations-table.ts b/packages/schemas/alterations/1.13.0-1705288654-add-application-user-consent-organizations-table.ts
index db85124ebf4..e4f429a49e7 100644
--- a/packages/schemas/alterations/1.13.0-1705288654-add-application-user-consent-organizations-table.ts
+++ b/packages/schemas/alterations/1.13.0-1705288654-add-application-user-consent-organizations-table.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1705991158-update-invitation-indices.ts b/packages/schemas/alterations/1.13.0-1705991158-update-invitation-indices.ts
index 9ec7e6eae1f..3f1eb2fb7de 100644
--- a/packages/schemas/alterations/1.13.0-1705991158-update-invitation-indices.ts
+++ b/packages/schemas/alterations/1.13.0-1705991158-update-invitation-indices.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1706449174-update-organization-invitation-column.ts b/packages/schemas/alterations/1.13.0-1706449174-update-organization-invitation-column.ts
index 8f01de4468c..490fd99ef96 100644
--- a/packages/schemas/alterations/1.13.0-1706449174-update-organization-invitation-column.ts
+++ b/packages/schemas/alterations/1.13.0-1706449174-update-organization-invitation-column.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1706510290-protected-app-host-index.ts b/packages/schemas/alterations/1.13.0-1706510290-protected-app-host-index.ts
index 97feae7d6ec..a3e4a808532 100644
--- a/packages/schemas/alterations/1.13.0-1706510290-protected-app-host-index.ts
+++ b/packages/schemas/alterations/1.13.0-1706510290-protected-app-host-index.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1706512952-restore-get-started-page.ts b/packages/schemas/alterations/1.13.0-1706512952-restore-get-started-page.ts
index 070578ca126..f234a0b3e45 100644
--- a/packages/schemas/alterations/1.13.0-1706512952-restore-get-started-page.ts
+++ b/packages/schemas/alterations/1.13.0-1706512952-restore-get-started-page.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1706528755-remove-magic-links.ts b/packages/schemas/alterations/1.13.0-1706528755-remove-magic-links.ts
index 27e9b75779f..b228d28b572 100644
--- a/packages/schemas/alterations/1.13.0-1706528755-remove-magic-links.ts
+++ b/packages/schemas/alterations/1.13.0-1706528755-remove-magic-links.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.0-1706585206-protected-app-custom-domain-unique.ts b/packages/schemas/alterations/1.13.0-1706585206-protected-app-custom-domain-unique.ts
index e9cda338574..455e98beb31 100644
--- a/packages/schemas/alterations/1.13.0-1706585206-protected-app-custom-domain-unique.ts
+++ b/packages/schemas/alterations/1.13.0-1706585206-protected-app-custom-domain-unique.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.13.1-1707360939-grant-is-suspended-read-permission.ts b/packages/schemas/alterations/1.13.1-1707360939-grant-is-suspended-read-permission.ts
index 8a3918fae2a..7f588cc5d39 100644
--- a/packages/schemas/alterations/1.13.1-1707360939-grant-is-suspended-read-permission.ts
+++ b/packages/schemas/alterations/1.13.1-1707360939-grant-is-suspended-read-permission.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts b/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts
index 2794a15b82a..92e07f7c83b 100644
--- a/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts
+++ b/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.14.0-1709190131-enhance-dau-data-accuracy.ts b/packages/schemas/alterations/1.14.0-1709190131-enhance-dau-data-accuracy.ts
index 8895f037d53..8c88d9d9db5 100644
--- a/packages/schemas/alterations/1.14.0-1709190131-enhance-dau-data-accuracy.ts
+++ b/packages/schemas/alterations/1.14.0-1709190131-enhance-dau-data-accuracy.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.15.0-1709521416-user-password-encrypt-method.ts b/packages/schemas/alterations/1.15.0-1709521416-user-password-encrypt-method.ts
new file mode 100644
index 00000000000..783e2338921
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1709521416-user-password-encrypt-method.ts
@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter type users_password_encryption_method add value 'SHA1';
+      alter type users_password_encryption_method add value 'SHA256';
+      alter type users_password_encryption_method add value 'MD5';
+      alter type users_password_encryption_method add value 'Bcrypt';
+    `);
+  },
+  down: async (pool) => {
+    const { rows } = await pool.query(sql`
+      select id from users
+      where password_encryption_method <> ${'Argon2i'}
+    `);
+    if (rows.length > 0) {
+      throw new Error('There are users with password encryption methods other than Argon2i.');
+    }
+
+    await pool.query(sql`
+      create type users_password_encryption_method_revised as enum ('Argon2i');
+
+      alter table users 
+      alter column password_encryption_method type users_password_encryption_method_revised 
+      using password_encryption_method::text::users_password_encryption_method_revised;
+
+      drop type users_password_encryption_method;
+      alter type users_password_encryption_method_revised rename to users_password_encryption_method;
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1709528944-regenerate-dau-data.ts b/packages/schemas/alterations/1.15.0-1709528944-regenerate-dau-data.ts
new file mode 100644
index 00000000000..c386b869830
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1709528944-regenerate-dau-data.ts
@@ -0,0 +1,49 @@
+import { generateStandardId } from '@logto/shared/universal';
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+type ActiveUserInteractionLog = {
+  tenantId: string;
+  userId: string;
+  createdAt: number;
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Delete all record from `daily_active_users` table
+    await pool.query(sql`delete from daily_active_users;`);
+
+    // Retrieve all active user logs from `logs` table
+    const { rows: interactionLogs } = await pool.query<ActiveUserInteractionLog>(sql`
+      select tenant_id, payload->>'userId' as user_id, created_at
+      from logs
+      where payload->>'userId' is not null and key like 'ExchangeTokenBy.%' and payload->>'result' = 'Success'
+    `);
+
+    if (interactionLogs.length === 0) {
+      console.log('No active user interaction logs found, skip alteration');
+      return;
+    }
+
+    // Generate DAU data from active user logs
+    for (const { tenantId, userId, createdAt } of interactionLogs) {
+      /**
+       * Note: we ignore the conflict here because conflict data may be inserted when staging.
+       */
+      // eslint-disable-next-line no-await-in-loop
+      await pool.query(sql`
+        insert into daily_active_users (id, tenant_id, user_id, date)
+        values (${generateStandardId()},${tenantId}, ${userId}, ${new Date(
+          createdAt
+        ).toISOString()})
+        on conflict do nothing;
+      `);
+    }
+  },
+  down: async (pool) => {
+    // Cannot be reverted
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1710223946-add-fetch-custom-jwt-cloud-scope.ts b/packages/schemas/alterations/1.15.0-1710223946-add-fetch-custom-jwt-cloud-scope.ts
new file mode 100644
index 00000000000..e619455bdba
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1710223946-add-fetch-custom-jwt-cloud-scope.ts
@@ -0,0 +1,92 @@
+import { generateStandardId } from '@logto/shared/universal';
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+type Resource = {
+  tenantId: string;
+  id: string;
+  name: string;
+  indicator: string;
+  isDefault: boolean;
+};
+
+type Scope = {
+  tenantId: string;
+  id: string;
+  resourceId: string;
+  name: string;
+  description: string;
+};
+
+type Role = {
+  tenantId: string;
+  id: string;
+  name: string;
+  description: string;
+};
+
+const cloudApiIndicator = 'https://cloud.logto.io/api';
+
+const cloudConnectionAppRoleName = 'tenantApplication';
+
+const adminTenantId = 'admin';
+
+const fetchCustomJwtCloudScopeName = 'fetch:custom:jwt';
+const fetchCustomJwtCloudScopeDescription =
+  'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.one<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    // Get cloud connection application role
+    const tenantApplicationRole = await pool.one<Role>(sql`
+      select * from roles
+      where tenant_id = ${adminTenantId}
+      and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
+    `);
+
+    // Create the `custom:jwt` scope
+    const customJwtCloudScope = await pool.one<Scope>(sql`
+      insert into scopes (id, tenant_id, resource_id, name, description)
+      values (${generateStandardId()}, ${adminTenantId}, ${
+        cloudApiResource.id
+      }, ${fetchCustomJwtCloudScopeName}, ${fetchCustomJwtCloudScopeDescription})
+      returning *;
+    `);
+
+    // Assign the `custom:jwt` scope to cloud connection application role
+    await pool.query(sql`
+      insert into roles_scopes (id, tenant_id, role_id, scope_id)
+      values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${
+        customJwtCloudScope.id
+      });
+    `);
+  },
+  down: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.one<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    // Remove the `custom:jwt` scope
+    await pool.query(sql`
+      delete from scopes
+      where
+        tenant_id = ${adminTenantId} and
+        name = ${fetchCustomJwtCloudScopeName} and
+        description = ${fetchCustomJwtCloudScopeDescription} and
+        resource_id = ${cloudApiResource.id}
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1710408335-make-resource-scopes-description-nullable.ts b/packages/schemas/alterations/1.15.0-1710408335-make-resource-scopes-description-nullable.ts
new file mode 100644
index 00000000000..23c93255690
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1710408335-make-resource-scopes-description-nullable.ts
@@ -0,0 +1,22 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Make the resource scopes description nullable
+    await pool.query(sql`
+      alter table scopes
+      alter column description drop not null;
+    `);
+  },
+  down: async (pool) => {
+    // Revert the resource scopes description nullable
+    await pool.query(sql`
+      alter table scopes
+      alter column description set not null;
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1710859622-add-oidc-standard-claim-properties.ts b/packages/schemas/alterations/1.15.0-1710859622-add-oidc-standard-claim-properties.ts
new file mode 100644
index 00000000000..1354c7c85c4
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1710859622-add-oidc-standard-claim-properties.ts
@@ -0,0 +1,38 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        add column profile jsonb not null default '{}'::jsonb,
+        add column updated_at timestamptz not null default (now());
+    `);
+    await pool.query(sql`
+      create function set_updated_at() returns trigger as
+      $$ begin
+        new.updated_at = now();
+        return new;
+      end; $$ language plpgsql;
+
+      create trigger set_updated_at
+        before update on users
+        for each row
+        execute procedure set_updated_at();
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        drop column profile,
+        drop column updated_at;
+    `);
+    await pool.query(sql`
+      drop trigger set_updated_at on users;
+      drop function set_updated_at();
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1711607772-remove-invite-member-scope-from-tenant-member-role.ts b/packages/schemas/alterations/1.15.0-1711607772-remove-invite-member-scope-from-tenant-member-role.ts
new file mode 100644
index 00000000000..cbb7bfa6493
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1711607772-remove-invite-member-scope-from-tenant-member-role.ts
@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      delete from organization_role_scope_relations
+        where tenant_id = 'admin' and organization_role_id = 'member' and organization_scope_id = 'invite-member';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      insert into organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
+        values ('admin', 'member', 'invite-member');
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1711624564-add-read-member-scope-to-tenant-roles.ts b/packages/schemas/alterations/1.15.0-1711624564-add-read-member-scope-to-tenant-roles.ts
new file mode 100644
index 00000000000..bd1c8f2f8ff
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1711624564-add-read-member-scope-to-tenant-roles.ts
@@ -0,0 +1,25 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      insert into organization_scopes (tenant_id, id, name, description)
+        values ('admin', 'read-member', 'read:member', 'Read members of the tenant.');
+      insert into organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
+        values ('admin', 'admin', 'read-member'),
+               ('admin', 'member', 'read-member');
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      delete from organization_role_scope_relations
+        where tenant_id = 'admin' and organization_scope_id = 'read-member';
+      delete from organization_scopes
+        where tenant_id = 'admin' and id = 'read-member';
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1711955211-organization-resource-scope.ts b/packages/schemas/alterations/1.15.0-1711955211-organization-resource-scope.ts
new file mode 100644
index 00000000000..c8caf0b09ad
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1711955211-organization-resource-scope.ts
@@ -0,0 +1,39 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table organization_role_resource_scope_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        scope_id varchar(21) not null
+          references scopes (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_role_id, scope_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_role_resource_scope_relations');
+  },
+  down: async (pool) => {
+    const result = await pool.maybeOne(sql`
+      select * from information_schema.tables 
+      where table_name = 'organization_role_resource_scope_relations'
+    `);
+
+    if (!result) {
+      return;
+    }
+
+    await dropTableRls(pool, 'organization_role_resource_scope_relations');
+    await pool.query(sql`
+      drop table organization_role_resource_scope_relations
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1712041436-rename-organization-member-role-to-collaborator.ts b/packages/schemas/alterations/1.15.0-1712041436-rename-organization-member-role-to-collaborator.ts
new file mode 100644
index 00000000000..524943cfa72
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1712041436-rename-organization-member-role-to-collaborator.ts
@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update organization_roles
+        set id = 'collaborator', name = 'collaborator', description = 'Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings.'
+        where tenant_id = 'admin' and id = 'member';
+      update organization_role_scope_relations
+        set organization_role_id = 'collaborator'
+        where tenant_id = 'admin' and organization_role_id = 'member';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update organization_roles
+        set id = 'member', name = 'member', description = 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.'
+        where tenant_id = 'admin' and id = 'collaborator';
+      update organization_role_scope_relations
+        set organization_role_id = 'member'
+        where tenant_id = 'admin' and organization_role_id = 'collaborator';
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1712545011-fix-organization-resource-scope.ts b/packages/schemas/alterations/1.15.0-1712545011-fix-organization-resource-scope.ts
new file mode 100644
index 00000000000..c074b013b8d
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1712545011-fix-organization-resource-scope.ts
@@ -0,0 +1,43 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls } from './utils/1704934999-tables.js';
+
+/**
+ * The script `next-1711955211-organization-resource-scope` was merged after `next-1712041436-rename-organization-member-role-to-collaborator`,
+ * so the table `organization_role_resource_scope_relations` may not be created in the database.
+ * This script is to fix the issue, try to create the table if it is not exists.
+ */
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const result = await pool.maybeOne(sql`
+      select * from information_schema.tables 
+      where table_name = 'organization_role_resource_scope_relations'
+    `);
+
+    if (result) {
+      // The table already exists, do nothing
+      return;
+    }
+
+    await pool.query(sql`
+      create table organization_role_resource_scope_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        scope_id varchar(21) not null
+          references scopes (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_role_id, scope_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_role_resource_scope_relations');
+  },
+  down: async () => {
+    // Do nothing
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.15.0-1712559358-fix-down-organization-resource-scope.ts b/packages/schemas/alterations/1.15.0-1712559358-fix-down-organization-resource-scope.ts
new file mode 100644
index 00000000000..ebaae94be69
--- /dev/null
+++ b/packages/schemas/alterations/1.15.0-1712559358-fix-down-organization-resource-scope.ts
@@ -0,0 +1,46 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+/**
+ * The script `next-1711955211-organization-resource-scope` was merged after `next-1712041436-rename-organization-member-role-to-collaborator`,
+ * so the table `organization_role_resource_scope_relations` may not be created in the database.
+ * This script is to fix the issue, try to create the table if it is not exists.
+ */
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const result = await pool.maybeOne(sql`
+      select * from information_schema.tables 
+      where table_name = 'organization_role_resource_scope_relations'
+    `);
+
+    if (result) {
+      // The table already exists, do nothing
+      return;
+    }
+
+    await pool.query(sql`
+      create table organization_role_resource_scope_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        scope_id varchar(21) not null
+          references scopes (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_role_id, scope_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_role_resource_scope_relations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_role_resource_scope_relations');
+    await pool.query(sql`
+      drop table organization_role_resource_scope_relations
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/alterations/1.2.0-1681267285-fix-get-started-passwordless-status.ts b/packages/schemas/alterations/1.2.0-1681267285-fix-get-started-passwordless-status.ts
index 4ee3556ef98..a51c91d4617 100644
--- a/packages/schemas/alterations/1.2.0-1681267285-fix-get-started-passwordless-status.ts
+++ b/packages/schemas/alterations/1.2.0-1681267285-fix-get-started-passwordless-status.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.3.0-1683292832-update-hooks.ts b/packages/schemas/alterations/1.3.0-1683292832-update-hooks.ts
index 62da0404f33..4051802e2fa 100644
--- a/packages/schemas/alterations/1.3.0-1683292832-update-hooks.ts
+++ b/packages/schemas/alterations/1.3.0-1683292832-update-hooks.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.5.0-1684382842-add-name-tag-created-at-for-tenants-table.ts b/packages/schemas/alterations/1.5.0-1684382842-add-name-tag-created-at-for-tenants-table.ts
index 96e4061253a..5991a7de1d9 100644
--- a/packages/schemas/alterations/1.5.0-1684382842-add-name-tag-created-at-for-tenants-table.ts
+++ b/packages/schemas/alterations/1.5.0-1684382842-add-name-tag-created-at-for-tenants-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.5.0-1684739802-create-hook-id-index-for-logs.ts b/packages/schemas/alterations/1.5.0-1684739802-create-hook-id-index-for-logs.ts
index ed2c9bde03b..3b54dbaefaa 100644
--- a/packages/schemas/alterations/1.5.0-1684739802-create-hook-id-index-for-logs.ts
+++ b/packages/schemas/alterations/1.5.0-1684739802-create-hook-id-index-for-logs.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.5.0-1684822341-init-domains.ts b/packages/schemas/alterations/1.5.0-1684822341-init-domains.ts
index 7b3a8354044..f5a46c1df5b 100644
--- a/packages/schemas/alterations/1.5.0-1684822341-init-domains.ts
+++ b/packages/schemas/alterations/1.5.0-1684822341-init-domains.ts
@@ -1,5 +1,5 @@
-import type { CommonQueryMethods } from 'slonik';
-import { sql } from 'slonik';
+import type { CommonQueryMethods } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.5.0-1684837981-add-manage-tenant-self-scope-to-user-role.ts b/packages/schemas/alterations/1.5.0-1684837981-add-manage-tenant-self-scope-to-user-role.ts
index 2969562dc8b..11b87dde0aa 100644
--- a/packages/schemas/alterations/1.5.0-1684837981-add-manage-tenant-self-scope-to-user-role.ts
+++ b/packages/schemas/alterations/1.5.0-1684837981-add-manage-tenant-self-scope-to-user-role.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.5.0-1685285719-support-default-resource.ts b/packages/schemas/alterations/1.5.0-1685285719-support-default-resource.ts
index 4df058bce54..0425333e3dd 100644
--- a/packages/schemas/alterations/1.5.0-1685285719-support-default-resource.ts
+++ b/packages/schemas/alterations/1.5.0-1685285719-support-default-resource.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.6.0-1685691718-domain-unique.ts b/packages/schemas/alterations/1.6.0-1685691718-domain-unique.ts
index 8e2042226ea..8ee2d008fda 100644
--- a/packages/schemas/alterations/1.6.0-1685691718-domain-unique.ts
+++ b/packages/schemas/alterations/1.6.0-1685691718-domain-unique.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.7.0-1688375200-sync-cloud-m2m-to-logto-config.ts b/packages/schemas/alterations/1.7.0-1688375200-sync-cloud-m2m-to-logto-config.ts
index c2855385cb3..e595ee18c62 100644
--- a/packages/schemas/alterations/1.7.0-1688375200-sync-cloud-m2m-to-logto-config.ts
+++ b/packages/schemas/alterations/1.7.0-1688375200-sync-cloud-m2m-to-logto-config.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.7.0-1688613459-remove-m2m-credentials-from-existing-logto-email-connector-config.ts b/packages/schemas/alterations/1.7.0-1688613459-remove-m2m-credentials-from-existing-logto-email-connector-config.ts
index b649ce99fb0..67b788fc760 100644
--- a/packages/schemas/alterations/1.7.0-1688613459-remove-m2m-credentials-from-existing-logto-email-connector-config.ts
+++ b/packages/schemas/alterations/1.7.0-1688613459-remove-m2m-credentials-from-existing-logto-email-connector-config.ts
@@ -1,6 +1,6 @@
 import { GlobalValues } from '@logto/shared';
 import { appendPath } from '@silverhand/essentials';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.7.0-1688627407-daily-active-users.ts b/packages/schemas/alterations/1.7.0-1688627407-daily-active-users.ts
index e171d5e69e5..a8cfcb7b53e 100644
--- a/packages/schemas/alterations/1.7.0-1688627407-daily-active-users.ts
+++ b/packages/schemas/alterations/1.7.0-1688627407-daily-active-users.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.8.0-1692088012-add-is-suspend-column-to-tenants-table.ts b/packages/schemas/alterations/1.8.0-1692088012-add-is-suspend-column-to-tenants-table.ts
index 00d70b39309..e0f807b1619 100644
--- a/packages/schemas/alterations/1.8.0-1692088012-add-is-suspend-column-to-tenants-table.ts
+++ b/packages/schemas/alterations/1.8.0-1692088012-add-is-suspend-column-to-tenants-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.8.0-1692194751-add-affiliate-scopes.ts b/packages/schemas/alterations/1.8.0-1692194751-add-affiliate-scopes.ts
index 9e7d7a80470..ef20cbdc288 100644
--- a/packages/schemas/alterations/1.8.0-1692194751-add-affiliate-scopes.ts
+++ b/packages/schemas/alterations/1.8.0-1692194751-add-affiliate-scopes.ts
@@ -1,5 +1,5 @@
 import { generateStandardId } from '@logto/shared/universal';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1693554904-add-possword-policy.ts b/packages/schemas/alterations/1.9.0-1693554904-add-possword-policy.ts
index f2a7a10d31d..3d5629a14a5 100644
--- a/packages/schemas/alterations/1.9.0-1693554904-add-possword-policy.ts
+++ b/packages/schemas/alterations/1.9.0-1693554904-add-possword-policy.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694399696-add-type-col-to-roles-table.ts b/packages/schemas/alterations/1.9.0-1694399696-add-type-col-to-roles-table.ts
index 5b222e4e1fc..9819dc0b071 100644
--- a/packages/schemas/alterations/1.9.0-1694399696-add-type-col-to-roles-table.ts
+++ b/packages/schemas/alterations/1.9.0-1694399696-add-type-col-to-roles-table.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.ts b/packages/schemas/alterations/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.ts
index aabf5c49744..3d66201c8d4 100644
--- a/packages/schemas/alterations/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.ts
+++ b/packages/schemas/alterations/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694484927-remove-deprecated-challenge-flag.ts b/packages/schemas/alterations/1.9.0-1694484927-remove-deprecated-challenge-flag.ts
index 180f8983990..81042bad93d 100644
--- a/packages/schemas/alterations/1.9.0-1694484927-remove-deprecated-challenge-flag.ts
+++ b/packages/schemas/alterations/1.9.0-1694484927-remove-deprecated-challenge-flag.ts
@@ -1,5 +1,5 @@
-import type { DatabaseTransactionConnection } from 'slonik';
-import { sql } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694487524-sie-mfa.ts b/packages/schemas/alterations/1.9.0-1694487524-sie-mfa.ts
index 50d101bb25a..8d77ec79ace 100644
--- a/packages/schemas/alterations/1.9.0-1694487524-sie-mfa.ts
+++ b/packages/schemas/alterations/1.9.0-1694487524-sie-mfa.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694509714-keep-existing-password-policy.ts b/packages/schemas/alterations/1.9.0-1694509714-keep-existing-password-policy.ts
index 480f9b79d81..3553f33d79f 100644
--- a/packages/schemas/alterations/1.9.0-1694509714-keep-existing-password-policy.ts
+++ b/packages/schemas/alterations/1.9.0-1694509714-keep-existing-password-policy.ts
@@ -1,5 +1,5 @@
 import { yes } from '@silverhand/essentials';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.0-1694746763-user-verifications.ts b/packages/schemas/alterations/1.9.0-1694746763-user-verifications.ts
index e0b8038b57c..f90a32d8eda 100644
--- a/packages/schemas/alterations/1.9.0-1694746763-user-verifications.ts
+++ b/packages/schemas/alterations/1.9.0-1694746763-user-verifications.ts
@@ -1,4 +1,4 @@
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.2-1694854226-init-sentinel.ts b/packages/schemas/alterations/1.9.2-1694854226-init-sentinel.ts
index 41a4a138d93..f66c27fbb77 100644
--- a/packages/schemas/alterations/1.9.2-1694854226-init-sentinel.ts
+++ b/packages/schemas/alterations/1.9.2-1694854226-init-sentinel.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/1.9.2-1695198741-remove-m2m-app-admin-access-switch.ts b/packages/schemas/alterations/1.9.2-1695198741-remove-m2m-app-admin-access-switch.ts
index 38980a56b03..03b5b573e50 100644
--- a/packages/schemas/alterations/1.9.2-1695198741-remove-m2m-app-admin-access-switch.ts
+++ b/packages/schemas/alterations/1.9.2-1695198741-remove-m2m-app-admin-access-switch.ts
@@ -1,6 +1,6 @@
 import { generateStandardId } from '@logto/shared/universal';
 import { deduplicate } from '@silverhand/essentials';
-import { sql } from 'slonik';
+import { sql } from '@silverhand/slonik';
 
 import type { AlterationScript } from '../lib/types/alteration.js';
 
diff --git a/packages/schemas/alterations/utils/1704934999-tables.ts b/packages/schemas/alterations/utils/1704934999-tables.ts
index df7c574debb..607a89fedf5 100644
--- a/packages/schemas/alterations/utils/1704934999-tables.ts
+++ b/packages/schemas/alterations/utils/1704934999-tables.ts
@@ -1,4 +1,4 @@
-import { type CommonQueryMethods, sql } from 'slonik';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
 
 const getId = (value: string) => sql.identifier([value]);
 
diff --git a/packages/schemas/jest.config.js b/packages/schemas/jest.config.js
deleted file mode 100644
index 5656d33479a..00000000000
--- a/packages/schemas/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/schemas/package.json b/packages/schemas/package.json
index 3e56663cebb..0d4a630552c 100644
--- a/packages/schemas/package.json
+++ b/packages/schemas/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -26,15 +26,14 @@
     "generate": "./generate.sh",
     "build:alterations": "rm -rf alterations-js && tsc -p tsconfig.build.alterations.json",
     "build": "pnpm generate && rm -rf lib/ && tsc -p tsconfig.build.json && pnpm build:alterations",
-    "build:test": "pnpm generate && rm -rf lib/ && tsc -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "prepublishOnly": "! ls alterations/next-*",
     "prepack": "pnpm build",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only"
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage"
   },
   "engines": {
     "node": "^20.9.0"
@@ -42,22 +41,21 @@
   "devDependencies": {
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/essentials": "^2.9.0",
+    "@silverhand/slonik": "31.0.0-beta.2",
     "@silverhand/ts-config": "5.0.0",
     "@types/inquirer": "^9.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
     "@types/pluralize": "^0.0.33",
+    "@vitest/coverage-v8": "^1.4.0",
     "camelcase": "^8.0.0",
     "chalk": "^5.0.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "pluralize": "^8.0.0",
     "prettier": "^3.0.0",
     "roarr": "^7.11.0",
-    "slonik": "^30.0.0",
-    "slonik-sql-tag-raw": "^1.1.4",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "eslintConfig": {
     "extends": "@silverhand",
@@ -80,13 +78,13 @@
   },
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
-    "@logto/core-kit": "workspace:^2.3.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
+    "@logto/core-kit": "workspace:^2.4.0",
     "@logto/language-kit": "workspace:^1.1.0",
-    "@logto/phrases": "workspace:^1.9.0",
-    "@logto/phrases-experience": "workspace:^1.6.0",
+    "@logto/phrases": "workspace:^1.10.0",
+    "@logto/phrases-experience": "workspace:^1.6.1",
     "@logto/shared": "workspace:^3.1.0",
-    "@withtyped/server": "^0.12.9"
+    "@withtyped/server": "^0.13.3"
   },
   "peerDependencies": {
     "zod": "^3.22.4"
diff --git a/packages/schemas/src/consts/experience.ts b/packages/schemas/src/consts/experience.ts
new file mode 100644
index 00000000000..bc84b6fa15e
--- /dev/null
+++ b/packages/schemas/src/consts/experience.ts
@@ -0,0 +1,10 @@
+const routes = Object.freeze({
+  signIn: 'sign-in',
+  register: 'register',
+  sso: 'single-sign-on',
+  consent: 'consent',
+});
+
+export const experience = Object.freeze({
+  routes,
+});
diff --git a/packages/schemas/src/consts/index.ts b/packages/schemas/src/consts/index.ts
index ac4995afbe3..e8edd442eb8 100644
--- a/packages/schemas/src/consts/index.ts
+++ b/packages/schemas/src/consts/index.ts
@@ -4,3 +4,4 @@ export * from './oidc.js';
 export * from './date.js';
 export * from './tenant.js';
 export * from './subscriptions.js';
+export * from './experience.js';
diff --git a/packages/schemas/src/consts/oidc.ts b/packages/schemas/src/consts/oidc.ts
index 74176639109..162280b5c84 100644
--- a/packages/schemas/src/consts/oidc.ts
+++ b/packages/schemas/src/consts/oidc.ts
@@ -1,3 +1,5 @@
+import { z } from 'zod';
+
 import { type CustomClientMetadata } from '../foundations/index.js';
 
 import { inSeconds } from './date.js';
@@ -9,3 +11,49 @@ export const customClientMetadataDefault = Object.freeze({
   refreshTokenTtlInDays: 14,
   rotateRefreshToken: true,
 } as const satisfies Partial<CustomClientMetadata>);
+
+export enum ExtraParamsKey {
+  /**
+   * @deprecated Use {@link FirstScreen} instead.
+   * @see {@link InteractionMode} for the available values.
+   */
+  InteractionMode = 'interaction_mode',
+  /**
+   * The first screen to show for the user.
+   *
+   * @see {@link FirstScreen} for the available values.
+   */
+  FirstScreen = 'first_screen',
+  /**
+   * Directly sign in via the specified method. Note that the method must be properly configured
+   * in Logto.
+   *
+   * @remark
+   * The format of the value for this key is one of the following:
+   *
+   * - `social:<target>` (Use a social connector with the specified target, e.g. `social:google`)
+   * - `sso:<connector-id>` (Use the specified SSO connector, e.g. `sso:123456`)
+   */
+  DirectSignIn = 'direct_sign_in',
+}
+
+/** @deprecated Use {@link FirstScreen} instead. */
+export enum InteractionMode {
+  SignIn = 'signIn',
+  SignUp = 'signUp',
+}
+
+export enum FirstScreen {
+  SignIn = 'signIn',
+  Register = 'register',
+}
+
+export const extraParamsObjectGuard = z
+  .object({
+    [ExtraParamsKey.InteractionMode]: z.nativeEnum(InteractionMode),
+    [ExtraParamsKey.FirstScreen]: z.nativeEnum(FirstScreen),
+    [ExtraParamsKey.DirectSignIn]: z.string(),
+  })
+  .partial();
+
+export type ExtraParamsObject = z.infer<typeof extraParamsObjectGuard>;
diff --git a/packages/schemas/src/consts/subscriptions.ts b/packages/schemas/src/consts/subscriptions.ts
index a75005b9638..1ce395e8d52 100644
--- a/packages/schemas/src/consts/subscriptions.ts
+++ b/packages/schemas/src/consts/subscriptions.ts
@@ -1,6 +1,29 @@
+/**
+ * Logto-provided predefined subscription plan IDs.
+ *
+ * In theory, the subscription plan ID will be a random string,
+ * but Logto provides some predefined subscription plans and their IDs are reserved plan IDs.
+ */
 export enum ReservedPlanId {
   Free = 'free',
+  /**
+   * @deprecated
+   * In recent refactoring, the `hobby` plan is now treated as the `pro` plan.
+   * Only use this plan ID to check if a plan is a `pro` plan or not.
+   * This plan ID will be renamed to `pro` after legacy Stripe data is migrated by @darcyYe
+   *
+   * Todo @darcyYe:
+   * - LOG-7846: Rename `hobby` to `pro` and `pro` to `legacy-pro`
+   * - LOG-8339: Migrate legacy Stripe data
+   */
   Hobby = 'hobby',
+  /**
+   * @deprecated
+   * Now this `pro` ID is not used anymore, we use `hobby` as the `pro` plan ID.
+   * Only use this `pro` value when displaying the plan ID to the user.
+   *
+   * Todo @darcyYe see `Hobby` todo
+   */
   Pro = 'pro',
   Development = 'dev',
 }
diff --git a/packages/schemas/src/foundations/jsonb-types/index.ts b/packages/schemas/src/foundations/jsonb-types/index.ts
index f7eda89666f..601855d1f37 100644
--- a/packages/schemas/src/foundations/jsonb-types/index.ts
+++ b/packages/schemas/src/foundations/jsonb-types/index.ts
@@ -1,6 +1,3 @@
-import type { Json } from '@withtyped/server';
-import { z } from 'zod';
-
 export * from './custom-domain.js';
 export * from './hooks.js';
 export * from './logs.js';
@@ -15,17 +12,8 @@ export * from './applications.js';
 export {
   configurableConnectorMetadataGuard,
   type ConfigurableConnectorMetadata,
+  jsonGuard,
+  jsonObjectGuard,
 } from '@logto/connector-kit';
 
 export type { Json, JsonObject } from '@withtyped/server';
-
-/* === Commonly Used === */
-
-// Copied from https://github.com/colinhacks/zod#json-type
-const literalSchema = z.union([z.string(), z.number(), z.boolean(), z.null()]);
-
-export const jsonGuard: z.ZodType<Json> = z.lazy(() =>
-  z.union([literalSchema, z.array(jsonGuard), z.record(jsonGuard)])
-);
-
-export const jsonObjectGuard = z.record(jsonGuard);
diff --git a/packages/schemas/src/foundations/jsonb-types/users.ts b/packages/schemas/src/foundations/jsonb-types/users.ts
index 9fdb2070f63..78c8065fa4b 100644
--- a/packages/schemas/src/foundations/jsonb-types/users.ts
+++ b/packages/schemas/src/foundations/jsonb-types/users.ts
@@ -1,12 +1,63 @@
+import { jsonObjectGuard } from '@logto/connector-kit';
 import { z } from 'zod';
 
 import { MfaFactor } from './sign-in-experience.js';
 
+export type UserProfile = Partial<{
+  familyName: string;
+  givenName: string;
+  middleName: string;
+  nickname: string;
+  preferredUsername: string;
+  profile: string;
+  website: string;
+  gender: string;
+  birthdate: string;
+  zoneinfo: string;
+  locale: string;
+  address: Partial<{
+    formatted: string;
+    streetAddress: string;
+    locality: string;
+    region: string;
+    postalCode: string;
+    country: string;
+  }>;
+}>;
+
+export const userProfileGuard = (
+  z.object({
+    familyName: z.string(),
+    givenName: z.string(),
+    middleName: z.string(),
+    nickname: z.string(),
+    preferredUsername: z.string(),
+    profile: z.string(),
+    website: z.string(),
+    gender: z.string(),
+    birthdate: z.string(),
+    zoneinfo: z.string(),
+    locale: z.string(),
+    address: z
+      .object({
+        formatted: z.string(),
+        streetAddress: z.string(),
+        locality: z.string(),
+        region: z.string(),
+        postalCode: z.string(),
+        country: z.string(),
+      })
+      .partial(),
+  }) satisfies z.ZodType<Required<UserProfile>>
+).partial();
+
+export const userProfileKeys = Object.freeze(userProfileGuard.keyof().options);
+
 export const roleNamesGuard = z.string().array();
 
 export const identityGuard = z.object({
   userId: z.string(),
-  details: z.record(z.unknown()).optional(), // Connector's userinfo details, schemaless
+  details: jsonObjectGuard.optional(), // Connector's userinfo details, schemaless
 });
 export const identitiesGuard = z.record(identityGuard);
 
diff --git a/packages/schemas/src/gen/utils.test.ts b/packages/schemas/src/gen/utils.test.ts
index 679dc630e39..fadf34d35ab 100644
--- a/packages/schemas/src/gen/utils.test.ts
+++ b/packages/schemas/src/gen/utils.test.ts
@@ -1,3 +1,5 @@
+import { describe, it, expect } from 'vitest';
+
 import { parseType, getType, splitTableFieldDefinitions } from './utils.js';
 
 describe('splitTableFieldDefinitions', () => {
diff --git a/packages/schemas/src/seeds/cloud-api.ts b/packages/schemas/src/seeds/cloud-api.ts
index 97dfc61478f..30782d56341 100644
--- a/packages/schemas/src/seeds/cloud-api.ts
+++ b/packages/schemas/src/seeds/cloud-api.ts
@@ -17,12 +17,15 @@ export enum CloudScope {
   ManageTenantSelf = 'manage:tenant:self',
   SendSms = 'send:sms',
   SendEmail = 'send:email',
+  /**
+   * The user can access external (independent from Logto instance) resource to run JWT payload customizer
+   * scripts and fetch the parsed token payload.
+   */
+  FetchCustomJwt = 'fetch:custom:jwt',
   /** The user can see and manage affiliates, including create, update, and delete. */
   ManageAffiliate = 'manage:affiliate',
   /** The user can create new affiliates and logs. */
   CreateAffiliate = 'create:affiliate',
-  /** The user can prune logs which are expired. */
-  PruneLogs = 'prune:logs',
 }
 
 export const createCloudApi = (): Readonly<[UpdateAdminData, ...CreateScope[]]> => {
@@ -63,6 +66,10 @@ export const createCloudApi = (): Readonly<[UpdateAdminData, ...CreateScope[]]>
       CloudScope.SendSms,
       'Allow sending SMS. This scope is only available to M2M application.'
     ),
+    buildScope(
+      CloudScope.FetchCustomJwt,
+      'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.'
+    ),
     buildScope(CloudScope.CreateAffiliate, 'Allow creating new affiliates and logs.'),
     buildScope(
       CloudScope.ManageAffiliate,
diff --git a/packages/schemas/src/types/alteration.ts b/packages/schemas/src/types/alteration.ts
index 7439b3edaa5..8ae97177770 100644
--- a/packages/schemas/src/types/alteration.ts
+++ b/packages/schemas/src/types/alteration.ts
@@ -1,4 +1,4 @@
-import type { DatabaseTransactionConnection } from 'slonik';
+import type { DatabaseTransactionConnection } from '@silverhand/slonik';
 
 export type AlterationScript = {
   up: (connection: DatabaseTransactionConnection) => Promise<void>;
diff --git a/packages/schemas/src/types/consent.ts b/packages/schemas/src/types/consent.ts
index a872fe5a3d2..d1e58468df9 100644
--- a/packages/schemas/src/types/consent.ts
+++ b/packages/schemas/src/types/consent.ts
@@ -44,6 +44,7 @@ export const publicOrganizationGuard = Organizations.guard.pick({
   id: true,
   name: true,
 });
+
 export const missingResourceScopesGuard = z.object({
   // The original resource id has a maximum length of 21 restriction. We need to make it compatible with the logto reserved organization name.
   // use string here, as we do not care about the resource id length here.
diff --git a/packages/schemas/src/types/index.ts b/packages/schemas/src/types/index.ts
index cd460391cb7..72c1058bf42 100644
--- a/packages/schemas/src/types/index.ts
+++ b/packages/schemas/src/types/index.ts
@@ -2,7 +2,7 @@ export * from './connector.js';
 export * from './log/index.js';
 export * from './oidc-config.js';
 export * from './user.js';
-export * from './logto-config.js';
+export * from './logto-config/index.js';
 export * from './interactions.js';
 export * from './search.js';
 export * from './resource.js';
@@ -26,3 +26,4 @@ export * from './tenant.js';
 export * from './tenant-organization.js';
 export * from './mapi-proxy.js';
 export * from './consent.js';
+export * from './onboarding.js';
diff --git a/packages/schemas/src/types/log/index.ts b/packages/schemas/src/types/log/index.ts
index 71b759b7ac2..02577ab6529 100644
--- a/packages/schemas/src/types/log/index.ts
+++ b/packages/schemas/src/types/log/index.ts
@@ -1,16 +1,19 @@
 import type * as hook from './hook.js';
 import type * as interaction from './interaction.js';
+import type * as jwtCustomizer from './jwt-customizer.js';
 import type * as token from './token.js';
 
 export * as interaction from './interaction.js';
 export * as token from './token.js';
 export * as hook from './hook.js';
+export * as jwtCustomizer from './jwt-customizer.js';
 
 /** Fallback for empty or unrecognized log keys. */
 export const LogKeyUnknown = 'Unknown';
 
 export type AuditLogKey = typeof LogKeyUnknown | interaction.LogKey | token.LogKey;
 export type WebhookLogKey = hook.LogKey;
+export type JwtCustomizerLogKey = jwtCustomizer.LogKey;
 
 /**
  * The union type of all available log keys.
@@ -19,4 +22,4 @@ export type WebhookLogKey = hook.LogKey;
  * @see {@link interaction.LogKey} for interaction log keys.
  * @see {@link token.LogKey} for token log keys.
  **/
-export type LogKey = AuditLogKey | WebhookLogKey;
+export type LogKey = AuditLogKey | WebhookLogKey | JwtCustomizerLogKey;
diff --git a/packages/schemas/src/types/log/jwt-customizer.ts b/packages/schemas/src/types/log/jwt-customizer.ts
new file mode 100644
index 00000000000..5524a0c5903
--- /dev/null
+++ b/packages/schemas/src/types/log/jwt-customizer.ts
@@ -0,0 +1,11 @@
+export type Prefix = 'JwtCustomizer';
+
+export const prefix: Prefix = 'JwtCustomizer';
+
+/** The type of a custom JWT scenario. */
+export enum Type {
+  AccessToken = 'AccessToken',
+  ClientCredentials = 'ClientCredentials',
+}
+
+export type LogKey = `${Prefix}.${Type.AccessToken | Type.ClientCredentials}`;
diff --git a/packages/schemas/src/types/logto-config.ts b/packages/schemas/src/types/logto-config/index.ts
similarity index 69%
rename from packages/schemas/src/types/logto-config.ts
rename to packages/schemas/src/types/logto-config/index.ts
index 08cc6fda5cc..aa92f0a01ae 100644
--- a/packages/schemas/src/types/logto-config.ts
+++ b/packages/schemas/src/types/logto-config/index.ts
@@ -1,6 +1,16 @@
 import type { ZodType } from 'zod';
 import { z } from 'zod';
 
+import {
+  type AccessTokenJwtCustomizer,
+  type ClientCredentialsJwtCustomizer,
+  accessTokenJwtCustomizerGuard,
+  clientCredentialsJwtCustomizerGuard,
+} from './jwt-customizer.js';
+
+export * from './oidc-provider.js';
+export * from './jwt-customizer.js';
+
 /**
  * Logto OIDC signing key types, used mainly in REST API routes.
  */
@@ -45,6 +55,36 @@ export const logtoOidcConfigGuard: Readonly<{
   [LogtoOidcConfigKey.CookieKeys]: oidcConfigKeyGuard.array(),
 });
 
+export enum LogtoJwtTokenKey {
+  AccessToken = 'jwt.accessToken',
+  ClientCredentials = 'jwt.clientCredentials',
+}
+
+export type JwtCustomizerType = {
+  [LogtoJwtTokenKey.AccessToken]: AccessTokenJwtCustomizer;
+  [LogtoJwtTokenKey.ClientCredentials]: ClientCredentialsJwtCustomizer;
+};
+
+export const jwtCustomizerConfigGuard: Readonly<{
+  [key in LogtoJwtTokenKey]: ZodType<JwtCustomizerType[key]>;
+}> = Object.freeze({
+  [LogtoJwtTokenKey.AccessToken]: accessTokenJwtCustomizerGuard,
+  [LogtoJwtTokenKey.ClientCredentials]: clientCredentialsJwtCustomizerGuard,
+});
+
+export const jwtCustomizerConfigsGuard = z.discriminatedUnion('key', [
+  z.object({
+    key: z.literal(LogtoJwtTokenKey.AccessToken),
+    value: accessTokenJwtCustomizerGuard,
+  }),
+  z.object({
+    key: z.literal(LogtoJwtTokenKey.ClientCredentials),
+    value: clientCredentialsJwtCustomizerGuard,
+  }),
+]);
+
+export type JwtCustomizerConfigs = z.infer<typeof jwtCustomizerConfigsGuard>;
+
 /* --- Logto tenant configs --- */
 export const adminConsoleDataGuard = z.object({
   signInExperienceCustomized: z.boolean(),
@@ -65,6 +105,7 @@ export const adminConsoleDataGuard = z.object({
       token: z.boolean().optional(),
       apiResource: z.boolean().optional(),
       machineToMachineApp: z.boolean().optional(),
+      tenantMember: z.boolean().optional(),
     })
     .optional(),
 });
@@ -101,17 +142,21 @@ export const logtoTenantConfigGuard: Readonly<{
 });
 
 /* --- Summary --- */
-export type LogtoConfigKey = LogtoOidcConfigKey | LogtoTenantConfigKey;
-export type LogtoConfigType = LogtoOidcConfigType | LogtoTenantConfigType;
-export type LogtoConfigGuard = typeof logtoOidcConfigGuard & typeof logtoTenantConfigGuard;
+export type LogtoConfigKey = LogtoOidcConfigKey | LogtoJwtTokenKey | LogtoTenantConfigKey;
+export type LogtoConfigType = LogtoOidcConfigType | JwtCustomizerType | LogtoTenantConfigType;
+export type LogtoConfigGuard = typeof logtoOidcConfigGuard &
+  typeof jwtCustomizerConfigGuard &
+  typeof logtoTenantConfigGuard;
 
 export const logtoConfigKeys: readonly LogtoConfigKey[] = Object.freeze([
   ...Object.values(LogtoOidcConfigKey),
+  ...Object.values(LogtoJwtTokenKey),
   ...Object.values(LogtoTenantConfigKey),
 ]);
 
 export const logtoConfigGuards: LogtoConfigGuard = Object.freeze({
   ...logtoOidcConfigGuard,
+  ...jwtCustomizerConfigGuard,
   ...logtoTenantConfigGuard,
 });
 
diff --git a/packages/schemas/src/types/logto-config/jwt-customizer.test.ts b/packages/schemas/src/types/logto-config/jwt-customizer.test.ts
new file mode 100644
index 00000000000..f8ab7046320
--- /dev/null
+++ b/packages/schemas/src/types/logto-config/jwt-customizer.test.ts
@@ -0,0 +1,100 @@
+import { pick } from '@silverhand/essentials';
+import { describe, it, expect } from 'vitest';
+
+import {
+  accessTokenJwtCustomizerGuard,
+  clientCredentialsJwtCustomizerGuard,
+} from './jwt-customizer.js';
+
+const allFields = ['script', 'environmentVariables', 'contextSample', 'tokenSample'] as const;
+
+const testClientCredentialsTokenPayload = {
+  script: '',
+  environmentVariables: {},
+  contextSample: {},
+  tokenSample: {},
+};
+
+const testAccessTokenPayload = {
+  ...testClientCredentialsTokenPayload,
+  contextSample: {
+    user: {
+      id: '123',
+      username: 'foo',
+      primaryEmail: 'foo@logto.io',
+      primaryPhone: '+1234567890',
+      name: 'Foo Bar',
+      avatar: 'https://example.com/avatar.png',
+      customData: {},
+      identities: {},
+      profile: {},
+      applicationId: 'my-app',
+      ssoIdentities: [],
+      mfaVerificationFactors: [],
+      roles: [],
+      organizations: [],
+      organizationRoles: [],
+    },
+  },
+};
+
+describe('test token sample guard', () => {
+  it.each(allFields)('should pass guard with any of the field not specified', (droppedField) => {
+    const resultAccessToken = accessTokenJwtCustomizerGuard.safeParse(
+      pick(testAccessTokenPayload, ...allFields.filter((field) => field !== droppedField))
+    );
+    if (!resultAccessToken.success) {
+      console.log('resultAccessToken.error', resultAccessToken.error);
+    }
+    expect(resultAccessToken.success).toBe(true);
+
+    const resultClientCredentials = clientCredentialsJwtCustomizerGuard.safeParse(
+      pick(
+        testClientCredentialsTokenPayload,
+        ...allFields.filter((field) => field !== droppedField)
+      )
+    );
+    if (!resultClientCredentials.success) {
+      console.log('resultClientCredentials.error', resultClientCredentials.error);
+    }
+    expect(resultClientCredentials.success).toBe(true);
+  });
+
+  it.each(allFields)(
+    'should pass partial guard with any of the field not specified',
+    (droppedField) => {
+      const resultAccessToken = accessTokenJwtCustomizerGuard
+        .partial()
+        .safeParse(
+          pick(testAccessTokenPayload, ...allFields.filter((field) => field !== droppedField))
+        );
+      expect(resultAccessToken.success).toBe(true);
+
+      const resultClientCredentials = clientCredentialsJwtCustomizerGuard
+        .partial()
+        .safeParse(
+          pick(
+            testClientCredentialsTokenPayload,
+            ...allFields.filter((field) => field !== droppedField)
+          )
+        );
+      expect(resultClientCredentials.success).toBe(true);
+    }
+  );
+
+  it('should throw when unwanted fields presented (access token)', () => {
+    const result = accessTokenJwtCustomizerGuard.safeParse({
+      ...testAccessTokenPayload,
+      abc: 'abc',
+    });
+    expect(result.success).toBe(false);
+  });
+
+  it('should throw when unwanted fields presented (client credentials token)', () => {
+    const result = clientCredentialsJwtCustomizerGuard.safeParse({
+      ...testClientCredentialsTokenPayload,
+      abc: 'abc',
+    });
+    expect(result.success).toBe(false);
+  });
+});
diff --git a/packages/schemas/src/types/logto-config/jwt-customizer.ts b/packages/schemas/src/types/logto-config/jwt-customizer.ts
new file mode 100644
index 00000000000..d6f252a37e6
--- /dev/null
+++ b/packages/schemas/src/types/logto-config/jwt-customizer.ts
@@ -0,0 +1,116 @@
+import { z } from 'zod';
+
+import { Roles, UserSsoIdentities, Organizations } from '../../db-entries/index.js';
+import { jsonObjectGuard, mfaFactorsGuard } from '../../foundations/index.js';
+import { scopeResponseGuard } from '../scope.js';
+import { userInfoGuard } from '../user.js';
+
+import { accessTokenPayloadGuard, clientCredentialsPayloadGuard } from './oidc-provider.js';
+
+export const jwtCustomizerUserContextGuard = userInfoGuard.extend({
+  ssoIdentities: UserSsoIdentities.guard
+    .pick({ issuer: true, identityId: true, detail: true })
+    .array(),
+  mfaVerificationFactors: mfaFactorsGuard,
+  roles: Roles.guard
+    .pick({ id: true, name: true, description: true })
+    .extend({
+      scopes: scopeResponseGuard
+        .pick({ id: true, name: true, description: true, resourceId: true, resource: true })
+        .array(),
+    })
+    .array(),
+  organizations: Organizations.guard.pick({ id: true, name: true, description: true }).array(),
+  organizationRoles: z
+    .object({
+      organizationId: z.string(),
+      roleId: z.string(),
+      roleName: z.string(),
+    })
+    .array(),
+});
+
+export type JwtCustomizerUserContext = z.infer<typeof jwtCustomizerUserContextGuard>;
+
+export const jwtCustomizerGuard = z
+  .object({
+    script: z.string(),
+    environmentVariables: z.record(z.string()),
+    contextSample: jsonObjectGuard,
+  })
+  .partial();
+
+export const accessTokenJwtCustomizerGuard = jwtCustomizerGuard
+  .extend({
+    // Use partial token guard since users customization may not rely on all fields.
+    tokenSample: accessTokenPayloadGuard.partial().optional(),
+    contextSample: z.object({ user: jwtCustomizerUserContextGuard.partial() }).optional(),
+  })
+  .strict();
+
+export type AccessTokenJwtCustomizer = z.infer<typeof accessTokenJwtCustomizerGuard>;
+
+export const clientCredentialsJwtCustomizerGuard = jwtCustomizerGuard
+  .extend({
+    // Use partial token guard since users customization may not rely on all fields.
+    tokenSample: clientCredentialsPayloadGuard.partial().optional(),
+  })
+  .strict();
+
+export type ClientCredentialsJwtCustomizer = z.infer<typeof clientCredentialsJwtCustomizerGuard>;
+
+export enum LogtoJwtTokenKeyType {
+  AccessToken = 'access-token',
+  ClientCredentials = 'client-credentials',
+}
+
+/**
+ * This guard is for the core JWT customizer testing API request body guard.
+ */
+export const jwtCustomizerTestRequestBodyGuard = z.discriminatedUnion('tokenType', [
+  z.object({
+    tokenType: z.literal(LogtoJwtTokenKeyType.AccessToken),
+    ...accessTokenJwtCustomizerGuard
+      .required({
+        script: true,
+      })
+      .pick({ environmentVariables: true, script: true }).shape,
+    token: accessTokenJwtCustomizerGuard.required().shape.tokenSample,
+    context: accessTokenJwtCustomizerGuard.required().shape.contextSample,
+  }),
+  z.object({
+    tokenType: z.literal(LogtoJwtTokenKeyType.ClientCredentials),
+    ...clientCredentialsJwtCustomizerGuard
+      .required({
+        script: true,
+      })
+      .pick({ environmentVariables: true, script: true }).shape,
+    token: clientCredentialsJwtCustomizerGuard.required().shape.tokenSample,
+  }),
+]);
+
+export type JwtCustomizerTestRequestBody = z.infer<typeof jwtCustomizerTestRequestBodyGuard>;
+
+/**
+ * This guard is for cloud API use (request body guard).
+ * Since the cloud API will be use by both testing and production, should keep the fields as general as possible.
+ * The response guard for the cloud API is `jsonObjectGuard` since it extends the `token` with extra claims.
+ */
+const commonJwtCustomizerGuard = jwtCustomizerGuard
+  .pick({ script: true, environmentVariables: true })
+  .required({ script: true })
+  .extend({
+    token: jsonObjectGuard,
+  });
+
+export const customJwtFetcherGuard = z.discriminatedUnion('tokenType', [
+  commonJwtCustomizerGuard.extend({
+    tokenType: z.literal(LogtoJwtTokenKeyType.AccessToken),
+    context: jsonObjectGuard,
+  }),
+  commonJwtCustomizerGuard.extend({
+    tokenType: z.literal(LogtoJwtTokenKeyType.ClientCredentials),
+  }),
+]);
+
+export type CustomJwtFetcher = z.infer<typeof customJwtFetcherGuard>;
diff --git a/packages/schemas/src/types/logto-config/oidc-provider.ts b/packages/schemas/src/types/logto-config/oidc-provider.ts
new file mode 100644
index 00000000000..c78274f40b3
--- /dev/null
+++ b/packages/schemas/src/types/logto-config/oidc-provider.ts
@@ -0,0 +1,40 @@
+/**
+ * Manually implement zod guards of some node OIDC provider types.
+ *
+ * Please note that we defined `accessTokenPayloadGuard` and `clientCredentialsPayloadGuard` in this file, they are used to make the user-defined token
+ * sample to be aligned with the real token payload given by the OIDC provider in a real use case.
+ *
+ * Only keep the least necessary fields in the guards to align with the raw token payload that can be used for `extraTokenClaims` method.
+ */
+import { z } from 'zod';
+
+const baseTokenPayloadGuardObject = {
+  jti: z.string(),
+  aud: z.union([z.string(), z.string().array()]),
+  scope: z.string().optional(),
+  clientId: z.string().optional(),
+};
+
+export const accessTokenPayloadGuard = z
+  .object({
+    ...baseTokenPayloadGuardObject,
+    accountId: z.string(),
+    expiresWithSession: z.boolean().optional(),
+    grantId: z.string(),
+    gty: z.string(),
+    sessionUid: z.string().optional(),
+    sid: z.string().optional(),
+    kind: z.literal('AccessToken'),
+  })
+  .strict();
+
+export type AccessTokenPayload = z.infer<typeof accessTokenPayloadGuard>;
+
+export const clientCredentialsPayloadGuard = z
+  .object({
+    ...baseTokenPayloadGuardObject,
+    kind: z.literal('ClientCredentials'),
+  })
+  .strict();
+
+export type ClientCredentialsPayload = z.infer<typeof clientCredentialsPayloadGuard>;
diff --git a/packages/schemas/src/types/onboarding.ts b/packages/schemas/src/types/onboarding.ts
new file mode 100644
index 00000000000..d1b57ce0870
--- /dev/null
+++ b/packages/schemas/src/types/onboarding.ts
@@ -0,0 +1,82 @@
+import { z } from 'zod';
+
+export const userOnboardingDataKey = 'onboarding';
+
+export enum Project {
+  Personal = 'personal',
+  Company = 'company',
+}
+
+/** @deprecated Open-source options was for cloud preview use, no longer needed. Use default `Cloud` value for placeholder. */
+enum DeploymentType {
+  OpenSource = 'open-source',
+  Cloud = 'cloud',
+}
+
+/** @deprecated */
+export enum Title {
+  Developer = 'developer',
+  TeamLead = 'team-lead',
+  Ceo = 'ceo',
+  Cto = 'cto',
+  Product = 'product',
+  Others = 'others',
+}
+
+/** @deprecated */
+export enum CompanySize {
+  Scale1 = '1',
+  Scale2 = '2-49',
+  Scale3 = '50-199',
+  Scale4 = '200-999',
+  Scale5 = '1000+',
+}
+
+/** @deprecated */
+export enum Reason {
+  Passwordless = 'passwordless',
+  Efficiency = 'efficiency',
+  AccessControl = 'access-control',
+  MultiTenancy = 'multi-tenancy',
+  Enterprise = 'enterprise',
+  Others = 'others',
+}
+
+export enum Stage {
+  NewProduct = 'new-product',
+  ExistingProduct = 'existing-product',
+  TargetEnterpriseReady = 'target-enterprise-ready',
+}
+
+export enum AdditionalFeatures {
+  CustomizeUiAndFlow = 'customize-ui-and-flow',
+  Compliance = 'compliance',
+  ExportUserDataFromLogto = 'export-user-data-from-logto',
+  BudgetControl = 'budget-control',
+  BringOwnAuth = 'bring-own-auth',
+  Others = 'others',
+}
+
+const questionnaireGuard = z.object({
+  project: z.nativeEnum(Project).optional(),
+  /** @deprecated Open-source options was for cloud preview use, no longer needed. Use default `Cloud` value for placeholder. */
+  deploymentType: z.nativeEnum(DeploymentType).optional().default(DeploymentType.Cloud),
+  /** @deprecated */
+  titles: z.array(z.nativeEnum(Title)).optional(),
+  companyName: z.string().optional(),
+  /** @deprecated */
+  companySize: z.nativeEnum(CompanySize).optional(),
+  /** @deprecated */
+  reasons: z.array(z.nativeEnum(Reason)).optional(),
+  stage: z.nativeEnum(Stage).optional(),
+  additionalFeatures: z.array(z.nativeEnum(AdditionalFeatures)).optional(),
+});
+
+export type Questionnaire = z.infer<typeof questionnaireGuard>;
+
+export const userOnboardingDataGuard = z.object({
+  questionnaire: questionnaireGuard.optional(),
+  isOnboardingDone: z.boolean().optional(),
+});
+
+export type UserOnboardingData = z.infer<typeof userOnboardingDataGuard>;
diff --git a/packages/schemas/src/types/organization.ts b/packages/schemas/src/types/organization.ts
index 32d750eba43..27a8201932f 100644
--- a/packages/schemas/src/types/organization.ts
+++ b/packages/schemas/src/types/organization.ts
@@ -8,6 +8,7 @@ import {
   type OrganizationInvitation,
   OrganizationInvitations,
 } from '../db-entries/index.js';
+import { type ToZodObject } from '../utils/zod.js';
 
 import { type UserInfo, type FeaturedUser, userInfoGuard } from './user.js';
 
@@ -19,11 +20,36 @@ export type OrganizationScopeEntity = {
   name: string;
 };
 
+/**
+ * The simplified resource scope entity that is returned for some endpoints.
+ */
+export type ResourceScopeEntity = {
+  id: string;
+  name: string;
+  resource: {
+    id: string;
+    name: string;
+  };
+};
+
 export type OrganizationRoleWithScopes = OrganizationRole & {
   scopes: OrganizationScopeEntity[];
+  resourceScopes: ResourceScopeEntity[];
 };
 
-export const organizationRoleWithScopesGuard: z.ZodType<OrganizationRoleWithScopes> =
+// TODO @wangsijie - Remove this once the feature is ready
+export const organizationRoleWithScopesGuardDeprecated: ToZodObject<
+  Omit<OrganizationRoleWithScopes, 'resourceScopes'>
+> = OrganizationRoles.guard.extend({
+  scopes: z
+    .object({
+      id: z.string(),
+      name: z.string(),
+    })
+    .array(),
+});
+
+export const organizationRoleWithScopesGuard: ToZodObject<OrganizationRoleWithScopes> =
   OrganizationRoles.guard.extend({
     scopes: z
       .object({
@@ -31,6 +57,16 @@ export const organizationRoleWithScopesGuard: z.ZodType<OrganizationRoleWithScop
         name: z.string(),
       })
       .array(),
+    resourceScopes: z
+      .object({
+        id: z.string(),
+        name: z.string(),
+        resource: z.object({
+          id: z.string(),
+          name: z.string(),
+        }),
+      })
+      .array(),
   });
 
 /**
@@ -42,7 +78,7 @@ export type OrganizationRoleEntity = {
   name: string;
 };
 
-const organizationRoleEntityGuard: z.ZodType<OrganizationRoleEntity> = z.object({
+const organizationRoleEntityGuard: ToZodObject<OrganizationRoleEntity> = z.object({
   id: z.string(),
   name: z.string(),
 });
@@ -56,7 +92,7 @@ export type OrganizationWithRoles = Organization & {
   organizationRoles: OrganizationRoleEntity[];
 };
 
-export const organizationWithOrganizationRolesGuard: z.ZodType<OrganizationWithRoles> =
+export const organizationWithOrganizationRolesGuard: ToZodObject<OrganizationWithRoles> =
   Organizations.guard.extend({
     organizationRoles: organizationRoleEntityGuard.array(),
   });
@@ -70,7 +106,7 @@ export type UserWithOrganizationRoles = UserInfo & {
   organizationRoles: OrganizationRoleEntity[];
 };
 
-export const userWithOrganizationRolesGuard: z.ZodType<UserWithOrganizationRoles> =
+export const userWithOrganizationRolesGuard: ToZodObject<UserWithOrganizationRoles> =
   userInfoGuard.extend({
     organizationRoles: organizationRoleEntityGuard.array(),
   });
@@ -93,7 +129,7 @@ export type OrganizationInvitationEntity = OrganizationInvitation & {
   organizationRoles: OrganizationRoleEntity[];
 };
 
-export const organizationInvitationEntityGuard: z.ZodType<OrganizationInvitationEntity> =
+export const organizationInvitationEntityGuard: ToZodObject<OrganizationInvitationEntity> =
   OrganizationInvitations.guard.extend({
     organizationRoles: organizationRoleEntityGuard.array(),
   });
diff --git a/packages/schemas/src/types/service-log.ts b/packages/schemas/src/types/service-log.ts
index 48d0298ca46..fe34c3a13f2 100644
--- a/packages/schemas/src/types/service-log.ts
+++ b/packages/schemas/src/types/service-log.ts
@@ -1,4 +1,5 @@
 export enum ServiceLogType {
   SendEmail = 'sendEmail',
   SendSms = 'sendSms',
+  FetchCustomJwt = 'fetchCustomJwt',
 }
diff --git a/packages/schemas/src/types/sso-connector.ts b/packages/schemas/src/types/sso-connector.ts
index 6e1b273ee62..e3a9bb073ac 100644
--- a/packages/schemas/src/types/sso-connector.ts
+++ b/packages/schemas/src/types/sso-connector.ts
@@ -20,6 +20,12 @@ export enum SsoProviderName {
   AZURE_AD = 'AzureAD',
   GOOGLE_WORKSPACE = 'GoogleWorkspace',
   OKTA = 'Okta',
+  AZURE_AD_OIDC = 'AzureAdOidc',
+}
+
+export enum SsoProviderType {
+  OIDC = 'oidc',
+  SAML = 'saml',
 }
 
 export const singleSignOnDomainBlackList = Object.freeze([
@@ -50,6 +56,7 @@ export type SupportedSsoConnector = Omit<SsoConnector, 'providerName'> & {
 
 const ssoConnectorProviderDetailGuard = z.object({
   providerName: z.nativeEnum(SsoProviderName),
+  providerType: z.nativeEnum(SsoProviderType),
   logo: z.string(),
   logoDark: z.string(),
   description: z.string(),
@@ -64,13 +71,18 @@ export type SsoConnectorProvidersResponse = z.infer<typeof ssoConnectorProviders
 
 // API response guard for all the SSO connectors CRUD APIs
 export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard
-  .omit({ providerName: true })
+  // Must be a supported SSO provider name. Overwrite the providerName string type to enum.
+  .extend({ providerName: z.nativeEnum(SsoProviderName) })
   .merge(
+    // Static provider details
     z.object({
-      name: z.string(), // For display purpose, generate from i18n key name defined by SSO factory.
-      providerName: z.nativeEnum(SsoProviderName),
+      name: z.string(),
+      providerType: z.nativeEnum(SsoProviderType),
       providerLogo: z.string(),
       providerLogoDark: z.string(),
+      // SSO connection config parsed from the provider.
+      // - OIDC: connection config fetched from the OIDC provider.
+      // - SAML: connection config fetched from the metadata url or metadata file.
       providerConfig: z.record(z.unknown()).optional(),
     })
   );
diff --git a/packages/schemas/src/types/tenant-organization.ts b/packages/schemas/src/types/tenant-organization.ts
index 1828ca050e4..beaf4524ad0 100644
--- a/packages/schemas/src/types/tenant-organization.ts
+++ b/packages/schemas/src/types/tenant-organization.ts
@@ -17,6 +17,15 @@ import { adminTenantId } from '../seeds/tenant.js';
 /** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
 export const getTenantOrganizationId = (tenantId: string) => `t-${tenantId}`;
 
+/** Given an admin tenant organization ID, check the format and return the corresponding user tenant ID. */
+export const getTenantIdFromOrganizationId = (organizationId: string) => {
+  if (!organizationId.startsWith('t-')) {
+    throw new Error(`Invalid admin tenant organization ID: ${organizationId}`);
+  }
+
+  return organizationId.slice(2);
+};
+
 /**
  * Given a tenant ID, return the organization create data for the admin tenant. It follows a
  * convention to generate the organization ID and name which can be used across the system.
@@ -55,6 +64,8 @@ export enum TenantScope {
   WriteData = 'write:data',
   /** Delete data of the tenant. */
   DeleteData = 'delete:data',
+  /** Read members of the tenant. */
+  ReadMember = 'read:member',
   /** Invite members to the tenant. */
   InviteMember = 'invite:member',
   /** Remove members from the tenant. */
@@ -97,6 +108,7 @@ const tenantScopeDescriptions: Readonly<Record<TenantScope, string>> = Object.fr
   [TenantScope.ReadData]: 'Read the tenant data.',
   [TenantScope.WriteData]: 'Write the tenant data, including creating and updating the tenant.',
   [TenantScope.DeleteData]: 'Delete data of the tenant.',
+  [TenantScope.ReadMember]: 'Read members of the tenant.',
   [TenantScope.InviteMember]: 'Invite members to the tenant.',
   [TenantScope.RemoveMember]: 'Remove members from the tenant.',
   [TenantScope.UpdateMemberRole]: 'Update the role of a member in the tenant.',
@@ -112,14 +124,14 @@ const tenantScopeDescriptions: Readonly<Record<TenantScope, string>> = Object.fr
 export enum TenantRole {
   /** Admin of the tenant, who has all permissions. */
   Admin = 'admin',
-  /** Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
-  Member = 'member',
+  /** Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
+  Collaborator = 'collaborator',
 }
 
 const tenantRoleDescriptions: Readonly<Record<TenantRole, string>> = Object.freeze({
   [TenantRole.Admin]: 'Admin of the tenant, who has all permissions.',
-  [TenantRole.Member]:
-    'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+  [TenantRole.Collaborator]:
+    'Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
 });
 
 /**
@@ -127,14 +139,14 @@ const tenantRoleDescriptions: Readonly<Record<TenantRole, string>> = Object.free
  *
  * @example
  * ```ts
- * const role = TenantRole.Member; // 'member'
+ * const role = TenantRole.Collaborator; // 'collaborator'
  * const roleData = getTenantRole(role);
  *
  * expect(roleData).toEqual({
  *   tenantId: 'admin',
- *   id: 'member',
- *   name: 'member',
- *   description: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ *   id: 'collaborator',
+ *   name: 'collaborator',
+ *   description: 'Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
  * });
  * ```
  *
@@ -155,10 +167,10 @@ export const getTenantRole = (role: TenantRole): Readonly<OrganizationRole> =>
 export const tenantRoleScopes: Readonly<Record<TenantRole, Readonly<TenantScope[]>>> =
   Object.freeze({
     [TenantRole.Admin]: allTenantScopes,
-    [TenantRole.Member]: [
+    [TenantRole.Collaborator]: [
       TenantScope.ReadData,
       TenantScope.WriteData,
       TenantScope.DeleteData,
-      TenantScope.InviteMember,
+      TenantScope.ReadMember,
     ],
   });
diff --git a/packages/schemas/src/types/user.ts b/packages/schemas/src/types/user.ts
index d51d1620385..be40f494452 100644
--- a/packages/schemas/src/types/user.ts
+++ b/packages/schemas/src/types/user.ts
@@ -14,12 +14,18 @@ export const userInfoSelectFields = Object.freeze([
   'identities',
   'lastSignInAt',
   'createdAt',
+  'updatedAt',
+  'profile',
   'applicationId',
   'isSuspended',
-] as const);
+] satisfies Array<keyof User>);
 
 export const userInfoGuard = Users.guard.pick(
-  Object.fromEntries(userInfoSelectFields.map((key) => [key, true]))
+  // eslint-disable-next-line no-restricted-syntax
+  Object.fromEntries(userInfoSelectFields.map((field) => [field, true])) as Record<
+    (typeof userInfoSelectFields)[number],
+    true
+  >
 );
 
 export type UserInfo = z.infer<typeof userInfoGuard>;
diff --git a/packages/schemas/src/utils/domain.test.ts b/packages/schemas/src/utils/domain.test.ts
index 61167fd464b..bb83f35b534 100644
--- a/packages/schemas/src/utils/domain.test.ts
+++ b/packages/schemas/src/utils/domain.test.ts
@@ -1,3 +1,5 @@
+import { describe, it, expect } from 'vitest';
+
 import { findDuplicatedOrBlockedEmailDomains } from './domain.js';
 
 describe('findDuplicatedOrBlockedEmailDomains', () => {
diff --git a/packages/schemas/src/utils/zod.ts b/packages/schemas/src/utils/zod.ts
new file mode 100644
index 00000000000..7b17b83046c
--- /dev/null
+++ b/packages/schemas/src/utils/zod.ts
@@ -0,0 +1,5 @@
+import { type z } from 'zod';
+
+export type ToZodObject<T> = z.ZodObject<{
+  [K in keyof T]: z.ZodType<T[K]>;
+}>;
diff --git a/packages/schemas/tables/_functions.sql b/packages/schemas/tables/_functions.sql
index ccb7a9ef9fc..4a6184f6283 100644
--- a/packages/schemas/tables/_functions.sql
+++ b/packages/schemas/tables/_functions.sql
@@ -1,5 +1,6 @@
 /* init_order = 0.5 */
 
+/** A function to set the tenant_id column based on the current user. */
 create function set_tenant_id() returns trigger as
 $$ begin
   if new.tenant_id is not null then
@@ -13,4 +14,11 @@ $$ begin
   return new;
 end; $$ language plpgsql;
 
+/** A function to set the `updated_at` column to the current time. */
+create function set_updated_at() returns trigger as
+$$ begin
+  new.updated_at = now();
+  return new;
+end; $$ language plpgsql;
+
 /* no_after_each */
diff --git a/packages/schemas/tables/organization_role_resource_scope_relations.sql b/packages/schemas/tables/organization_role_resource_scope_relations.sql
new file mode 100644
index 00000000000..4de9bfb7af9
--- /dev/null
+++ b/packages/schemas/tables/organization_role_resource_scope_relations.sql
@@ -0,0 +1,12 @@
+/* init_order = 3 */
+
+/** The relations between organization roles and resource scopes (normal scopes). It indicates which resource scopes are available to which organization roles. */
+create table organization_role_resource_scope_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  organization_role_id varchar(21) not null
+    references organization_roles (id) on update cascade on delete cascade,
+  scope_id varchar(21) not null
+    references scopes (id) on update cascade on delete cascade,
+  primary key (tenant_id, organization_role_id, scope_id)
+);
diff --git a/packages/schemas/tables/scopes.sql b/packages/schemas/tables/scopes.sql
index 74f1d4a8919..954009d2c0b 100644
--- a/packages/schemas/tables/scopes.sql
+++ b/packages/schemas/tables/scopes.sql
@@ -7,7 +7,7 @@ create table scopes (
   resource_id varchar(21) not null
     references resources (id) on update cascade on delete cascade,
   name varchar(256) not null,
-  description text not null,
+  description text,
   created_at timestamptz not null default(now()),
   primary key (id),
   constraint scopes__resource_id_name
diff --git a/packages/schemas/tables/users.sql b/packages/schemas/tables/users.sql
index e873e6b710c..66294bba279 100644
--- a/packages/schemas/tables/users.sql
+++ b/packages/schemas/tables/users.sql
@@ -1,6 +1,6 @@
 /* init_order = 1 */
 
-create type users_password_encryption_method as enum ('Argon2i');
+create type users_password_encryption_method as enum ('Argon2i', 'SHA1', 'SHA256', 'MD5', 'Bcrypt');
 
 create table users (
   tenant_id varchar(21) not null
@@ -12,7 +12,10 @@ create table users (
   password_encrypted varchar(128),
   password_encryption_method users_password_encryption_method,
   name varchar(128),
+  /** The URL that points to the user's profile picture. Mapped to OpenID Connect's `picture` claim. */ 
   avatar varchar(2048),
+  /** Additional OpenID Connect standard claims that are not included in user's properties. */
+  profile jsonb /* @use UserProfile */ not null default '{}'::jsonb,
   application_id varchar(21),
   identities jsonb /* @use Identities */ not null default '{}'::jsonb,
   custom_data jsonb /* @use JsonObject */ not null default '{}'::jsonb,
@@ -21,6 +24,7 @@ create table users (
   is_suspended boolean not null default false,
   last_sign_in_at timestamptz,
   created_at timestamptz not null default (now()),
+  updated_at timestamptz not null default (now()),
   primary key (id),
   constraint users__username
     unique (tenant_id, username),
@@ -35,3 +39,8 @@ create index users__id
 
 create index users__name
   on users (tenant_id, name);
+
+create trigger set_updated_at
+  before update on users
+  for each row
+  execute procedure set_updated_at();
diff --git a/packages/schemas/tsconfig.test.json b/packages/schemas/tsconfig.test.json
deleted file mode 100644
index 55de18c33aa..00000000000
--- a/packages/schemas/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true
-  },
-  "include": ["src"]
-}
diff --git a/packages/shared/jest.config.js b/packages/shared/jest.config.js
deleted file mode 100644
index 5656d33479a..00000000000
--- a/packages/shared/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/shared/package.json b/packages/shared/package.json
index cf2485e7493..4467e981d2e 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -28,26 +28,26 @@
   "scripts": {
     "precommit": "lint-staged",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json",
-    "build:test": "rm -rf lib/ && tsc -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "prepack": "pnpm build",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only"
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage"
   },
   "devDependencies": {
-    "@logto/connector-kit": "workspace:^2.1.0",
+    "@jest/globals": "^29.7.0",
+    "@logto/connector-kit": "workspace:^3.0.0",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "engines": {
     "node": "^20.9.0"
@@ -64,7 +64,6 @@
     "chalk": "^5.0.0",
     "find-up": "^7.0.0",
     "libphonenumber-js": "^1.9.49",
-    "nanoid": "^5.0.1",
-    "slonik": "^30.0.0"
+    "nanoid": "^5.0.1"
   }
 }
diff --git a/packages/shared/src/database/types.ts b/packages/shared/src/database/types.ts
index 0508100cfaa..fde43ae9330 100644
--- a/packages/shared/src/database/types.ts
+++ b/packages/shared/src/database/types.ts
@@ -1,5 +1,3 @@
-import type { IdentifierSqlToken } from 'slonik';
-
 export type SchemaValuePrimitive = string | number | boolean | undefined;
 export type SchemaValue = SchemaValuePrimitive | Record<string, unknown> | unknown[] | null;
 export type SchemaLike<Key extends string> = {
@@ -10,9 +8,6 @@ export type Table<Keys extends string, TableName extends string = string> = {
   table: TableName;
   fields: Record<Keys, string>;
 };
-export type FieldIdentifiers<Key extends string> = {
-  [key in Key]: IdentifierSqlToken;
-};
 
 export type OrderDirection = 'asc' | 'desc';
 
diff --git a/packages/shared/src/esm/module-proxy.ts b/packages/shared/src/esm/module-proxy.ts
index a6662ef8fbb..6868afd33d6 100644
--- a/packages/shared/src/esm/module-proxy.ts
+++ b/packages/shared/src/esm/module-proxy.ts
@@ -1,3 +1,7 @@
+/**
+ * @fileoverview This file is used for jest only. This package does not need jest for testing.
+ */
+
 const { jest } = import.meta;
 
 // For testing
diff --git a/packages/shared/src/include.d/import-meta.d.ts b/packages/shared/src/include.d/import-meta.d.ts
index e016debb586..54a74e9c981 100644
--- a/packages/shared/src/include.d/import-meta.d.ts
+++ b/packages/shared/src/include.d/import-meta.d.ts
@@ -1,10 +1,4 @@
 interface ImportMeta {
-  jest: typeof jest & {
-    // Almost same as `jest.mock()`, but factory is required
-    unstable_mockModule: <T = unknown>(
-      moduleName: string,
-      factory: () => T,
-      options?: jest.MockOptions
-    ) => typeof jest;
-  };
+  // eslint-disable-next-line @typescript-eslint/consistent-type-imports -- import from outside will invalid this module augmentation
+  jest: typeof import('@jest/globals').jest;
 }
diff --git a/packages/shared/src/index.ts b/packages/shared/src/index.ts
index bd0487a64d6..9ae771b2793 100644
--- a/packages/shared/src/index.ts
+++ b/packages/shared/src/index.ts
@@ -1,3 +1,2 @@
 export * from './universal.js';
 export * from './node/index.js';
-export * from './database/sql.js';
diff --git a/packages/shared/src/node/env/UrlSet.test.ts b/packages/shared/src/node/env/UrlSet.test.ts
index 2348ddc2a43..63e302edc9a 100644
--- a/packages/shared/src/node/env/UrlSet.test.ts
+++ b/packages/shared/src/node/env/UrlSet.test.ts
@@ -1,3 +1,5 @@
+import { afterEach, describe, expect, it } from 'vitest';
+
 import UrlSet from './UrlSet.js';
 
 describe('UrlSet', () => {
diff --git a/packages/shared/src/utils/id.test.ts b/packages/shared/src/utils/id.test.ts
index 1c8bdcff4aa..788f826676e 100644
--- a/packages/shared/src/utils/id.test.ts
+++ b/packages/shared/src/utils/id.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { generateStandardId, generateStandardSecret, generateStandardShortId } from './id.js';
 
 describe('standard id generator', () => {
diff --git a/packages/shared/src/utils/sub-domain.test.ts b/packages/shared/src/utils/sub-domain.test.ts
index 0515a92ce0d..bc9f7272f9f 100644
--- a/packages/shared/src/utils/sub-domain.test.ts
+++ b/packages/shared/src/utils/sub-domain.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { isValidSubdomain } from './sub-domain.js';
 
 describe('isValidSubdomain()', () => {
diff --git a/packages/shared/src/utils/ttl-cache.test.ts b/packages/shared/src/utils/ttl-cache.test.ts
index d9b69209fd6..ee6a9659f6c 100644
--- a/packages/shared/src/utils/ttl-cache.test.ts
+++ b/packages/shared/src/utils/ttl-cache.test.ts
@@ -1,31 +1,31 @@
-import { TtlCache } from './ttl-cache.js';
+import { afterEach, describe, expect, it, beforeEach, vi } from 'vitest';
 
-const { jest } = import.meta;
+import { TtlCache } from './ttl-cache.js';
 
 describe('TtlCache', () => {
   beforeEach(() => {
-    jest.useFakeTimers();
+    vi.useFakeTimers();
   });
 
   afterEach(() => {
-    jest.useRealTimers();
+    vi.useRealTimers();
   });
 
   it('should return cached value after a long time if ttl is not set', () => {
-    jest.setSystemTime(0);
+    vi.setSystemTime(0);
 
     const cache = new TtlCache();
     const someObject = Object.freeze({ foo: 'bar', baz: 123 });
 
     cache.set('foo', someObject);
 
-    jest.setSystemTime(100_000_000);
+    vi.setSystemTime(100_000_000);
     expect(cache.get('foo')).toBe(someObject);
     expect(cache.has('foo')).toBe(true);
   });
 
   it('should return cached value and honor ttl', () => {
-    jest.setSystemTime(0);
+    vi.setSystemTime(0);
 
     const cache = new TtlCache(100);
     const someObject = Object.freeze({ foo: 'bar', baz: 123 });
@@ -33,7 +33,7 @@ describe('TtlCache', () => {
     cache.set(123, someObject);
     cache.set('foo', someObject, 99);
 
-    jest.setSystemTime(100);
+    vi.setSystemTime(100);
     expect(cache.get(123)).toBe(someObject);
     expect(cache.has(123)).toBe(true);
     expect(cache.get('123')).toBe(undefined);
@@ -41,7 +41,7 @@ describe('TtlCache', () => {
     expect(cache.get('foo')).toBe(undefined);
     expect(cache.has('foo')).toBe(false);
 
-    jest.setSystemTime(101);
+    vi.setSystemTime(101);
     expect(cache.get(123)).toBe(undefined);
     expect(cache.has(123)).toBe(false);
   });
diff --git a/packages/shared/src/utils/user-display-name.test.ts b/packages/shared/src/utils/user-display-name.test.ts
index 8c02e035b97..27594135bf2 100644
--- a/packages/shared/src/utils/user-display-name.test.ts
+++ b/packages/shared/src/utils/user-display-name.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { getUserDisplayName } from './user-display-name.js';
 
 describe('getUserDisplayName', () => {
diff --git a/packages/shared/tsconfig.json b/packages/shared/tsconfig.json
index 260f3d2f019..22565820555 100644
--- a/packages/shared/tsconfig.json
+++ b/packages/shared/tsconfig.json
@@ -2,7 +2,7 @@
   "extends": "@silverhand/ts-config/tsconfig.base",
   "compilerOptions": {
     "outDir": "lib",
-    "types": ["node", "jest"]
+    "types": ["node"]
   },
   "include": [
     "src"
diff --git a/packages/shared/tsconfig.test.json b/packages/shared/tsconfig.test.json
deleted file mode 100644
index 1c66acf6d81..00000000000
--- a/packages/shared/tsconfig.test.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "extends": "./tsconfig"
-}
diff --git a/packages/toolkit/connector-kit/CHANGELOG.md b/packages/toolkit/connector-kit/CHANGELOG.md
index 9ad7bd4defe..c07eebf2a25 100644
--- a/packages/toolkit/connector-kit/CHANGELOG.md
+++ b/packages/toolkit/connector-kit/CHANGELOG.md
@@ -1,5 +1,26 @@
 # Change Log
 
+## 3.0.0
+
+### Major Changes
+
+- 57d97a4df: update `SocialUserInfo` and `GetUserInfo` types
+
+  - Added `rawData?: Json` to `SocialUserInfo`
+  - `GetUserInfo` now does not accept unknown keys in the return object, since the raw data is now stored in `SocialUserInfo`
+
+- 57d97a4df: guard results of `parseJson` and `parseJsonObject`
+
+  Now `parseJson` and `parseJsonObject` are type safe.
+
+### Minor Changes
+
+- 57d97a4df: add `jsonGuard()` and `jsonObjectGuard()`
+
+### Patch Changes
+
+- 2c10c2423: allow unknown properties in send message payload
+
 ## 2.1.0
 
 ### Minor Changes
diff --git a/packages/toolkit/connector-kit/jest.config.js b/packages/toolkit/connector-kit/jest.config.js
deleted file mode 100644
index 47665f39a5c..00000000000
--- a/packages/toolkit/connector-kit/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/toolkit/connector-kit/package.json b/packages/toolkit/connector-kit/package.json
index 3ffb7f94328..aad3fd4fb11 100644
--- a/packages/toolkit/connector-kit/package.json
+++ b/packages/toolkit/connector-kit/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-kit",
-  "version": "2.1.0",
+  "version": "3.0.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
@@ -30,32 +30,28 @@
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "prepack": "pnpm build",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only",
-    "test:coverage": "pnpm test:only --silent --coverage"
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage"
   },
   "dependencies": {
     "@logto/language-kit": "workspace:^1.1.0",
     "@silverhand/essentials": "^2.9.0",
-    "@withtyped/client": "^0.7.22",
-    "@withtyped/server": "^0.12.9"
+    "@withtyped/client": "^0.8.4",
+    "@withtyped/server": "^0.13.3"
   },
   "optionalDependencies": {
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@jest/types": "^29.0.3",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
-    "tslib": "^2.4.1",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "engines": {
     "node": "^20.9.0"
diff --git a/packages/toolkit/connector-kit/src/index.test.ts b/packages/toolkit/connector-kit/src/index.test.ts
index 5016b400724..2e6e164ffde 100644
--- a/packages/toolkit/connector-kit/src/index.test.ts
+++ b/packages/toolkit/connector-kit/src/index.test.ts
@@ -1,3 +1,4 @@
+import { describe, it, expect } from 'vitest';
 import { z } from 'zod';
 
 import {
@@ -59,15 +60,25 @@ describe('replaceSendMessageHandlebars', () => {
     );
   });
 
-  it('should replace handlebars with empty string if payload does not contain the key', () => {
+  it('should not replace handlebars if payload does not contain the key', () => {
     const template = 'Your verification code is {{code}}';
     const payload = {};
-    expect(replaceSendMessageHandlebars(template, payload)).toEqual('Your verification code is ');
+    expect(replaceSendMessageHandlebars(template, payload)).toEqual(
+      'Your verification code is {{code}}'
+    );
   });
 
-  it('should ignore handlebars that are not in the predefined list for both template and payload', () => {
+  it('should replace all handlebars even they are not in the predefined list for payload', () => {
     const template = 'Your verification code is {{code}} and {{foo}}';
     const payload = { code: '123456', foo: 'bar' };
+    expect(replaceSendMessageHandlebars(template, payload)).toEqual(
+      'Your verification code is 123456 and bar'
+    );
+  });
+
+  it('should ignore handlebars that are not in the payload', () => {
+    const template = 'Your verification code is {{code}} and {{foo}}';
+    const payload = { code: '123456' };
     expect(replaceSendMessageHandlebars(template, payload)).toEqual(
       'Your verification code is 123456 and {{foo}}'
     );
diff --git a/packages/toolkit/connector-kit/src/index.ts b/packages/toolkit/connector-kit/src/index.ts
index 6dc55f59d5c..b9f560fe12a 100644
--- a/packages/toolkit/connector-kit/src/index.ts
+++ b/packages/toolkit/connector-kit/src/index.ts
@@ -1,11 +1,13 @@
+import { type Json, type JsonObject } from '@withtyped/server';
 import type { ZodType, ZodTypeDef } from 'zod';
 
 import {
   ConnectorError,
   ConnectorErrorCodes,
-  sendMessagePayloadKeys,
   type SendMessagePayload,
   ConnectorType,
+  jsonGuard,
+  jsonObjectGuard,
 } from './types/index.js';
 
 export * from './types/index.js';
@@ -25,38 +27,24 @@ export const parseJson = (
   jsonString: string,
   errorCode: ConnectorErrorCodes = ConnectorErrorCodes.InvalidResponse,
   errorPayload?: unknown
-): unknown => {
+): Json => {
   try {
-    return JSON.parse(jsonString);
+    return jsonGuard.parse(JSON.parse(jsonString));
   } catch {
     throw new ConnectorError(errorCode, errorPayload ?? jsonString);
   }
 };
 
-const isRecordOrArray = (parsed: unknown): parsed is Record<string, unknown> | unknown[] => {
-  if (Array.isArray(parsed)) {
-    return true;
-  }
-
-  if (!(parsed !== null && typeof parsed === 'object')) {
-    return false;
-  }
-
-  if (Object.getOwnPropertySymbols(parsed).length > 0) {
-    return false;
-  }
-
-  return true;
-};
-
-export const parseJsonObject = (...args: Parameters<typeof parseJson>) => {
-  const parsed = parseJson(...args);
-
-  if (!isRecordOrArray(parsed)) {
-    throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, parsed);
+export const parseJsonObject = (
+  ...[jsonString, errorCode = ConnectorErrorCodes.InvalidResponse, errorPayload]: Parameters<
+    typeof parseJson
+  >
+): JsonObject => {
+  try {
+    return jsonObjectGuard.parse(JSON.parse(jsonString));
+  } catch {
+    throw new ConnectorError(errorCode, errorPayload ?? jsonString);
   }
-
-  return parsed;
 };
 
 /** @deprecated Use {@link mockConnectorFilePaths} instead. */
@@ -96,7 +84,7 @@ export const replaceSendMessageHandlebars = (
   template: string,
   payload: SendMessagePayload
 ): string => {
-  return sendMessagePayloadKeys.reduce(
+  return Object.keys(payload).reduce(
     (accumulator, key) =>
       accumulator.replaceAll(new RegExp(`{{\\s*${key}\\s*}}`, 'g'), payload[key] ?? ''),
     template
diff --git a/packages/toolkit/connector-kit/src/types/index.ts b/packages/toolkit/connector-kit/src/types/index.ts
index 432c270a268..6e46c15b4e9 100644
--- a/packages/toolkit/connector-kit/src/types/index.ts
+++ b/packages/toolkit/connector-kit/src/types/index.ts
@@ -14,14 +14,14 @@ export * from './social.js';
 export type GetConnectorConfig = (id: string) => Promise<unknown>;
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-export type GetCloudServiceClient<T extends Router<any, BaseRoutes, string>> = () => Promise<
+export type GetCloudServiceClient<T extends Router<any, any, BaseRoutes, string>> = () => Promise<
   Client<T>
 >;
 
 export type CreateConnector<
   T extends AllConnector,
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  U extends Router<any, BaseRoutes, string> = Router<any, BaseRoutes, string>,
+  U extends Router<any, any, BaseRoutes, string> = Router<any, any, BaseRoutes, string>,
 > = (options: {
   getConfig: GetConnectorConfig;
   getCloudServiceClient?: GetCloudServiceClient<U>;
diff --git a/packages/toolkit/connector-kit/src/types/passwordless.ts b/packages/toolkit/connector-kit/src/types/passwordless.ts
index 688a60a0397..5decfc0adf2 100644
--- a/packages/toolkit/connector-kit/src/types/passwordless.ts
+++ b/packages/toolkit/connector-kit/src/types/passwordless.ts
@@ -32,6 +32,7 @@ export enum TemplateType {
 
 export const templateTypeGuard = z.nativeEnum(TemplateType);
 
+/** The payload for sending email or sms. */
 export type SendMessagePayload = {
   /**
    * The dynamic verification code to send. It will replace the `{{code}}` handlebars in the
@@ -44,16 +45,15 @@ export type SendMessagePayload = {
    * @example 'https://example.com'
    */
   link?: string;
-};
-
-export const sendMessagePayloadKeys = ['code', 'link'] as const satisfies Array<
-  keyof SendMessagePayload
->;
+} & Record<string, string>;
 
-export const sendMessagePayloadGuard = z.object({
-  code: z.string().optional(),
-  link: z.string().optional(),
-}) satisfies z.ZodType<SendMessagePayload>;
+/** The guard for {@link SendMessagePayload}. */
+export const sendMessagePayloadGuard = z
+  .object({
+    code: z.string().optional(),
+    link: z.string().optional(),
+  })
+  .and(z.record(z.string())) satisfies z.ZodType<SendMessagePayload>;
 
 export const urlRegEx =
   /(https?:\/\/)?(?:www\.)?[\w#%+.:=@~-]{1,256}\.[\d()A-Za-z]{1,6}\b[\w#%&()+./:=?@~-]*/;
diff --git a/packages/toolkit/connector-kit/src/types/social.ts b/packages/toolkit/connector-kit/src/types/social.ts
index 865eb0318c0..71f2008e666 100644
--- a/packages/toolkit/connector-kit/src/types/social.ts
+++ b/packages/toolkit/connector-kit/src/types/social.ts
@@ -1,4 +1,5 @@
 // MARK: Social connector
+import { type Json } from '@withtyped/server';
 import { z } from 'zod';
 
 import { type BaseConnector, type ConnectorType } from './foundation.js';
@@ -22,20 +23,38 @@ export type GetAuthorizationUri = (
   setSession: SetSession
 ) => Promise<string>;
 
+// Copied from https://github.com/colinhacks/zod#json-type
+const literalSchema = z.union([z.string(), z.number(), z.boolean(), z.null()]);
+
+export const jsonGuard: z.ZodType<Json> = z.lazy(() =>
+  z.union([literalSchema, z.array(jsonGuard), z.record(jsonGuard)])
+);
+
+export const jsonObjectGuard = z.record(jsonGuard);
+
+/**
+ * Normalized social user info that can be used in the system. The raw data returned from the
+ * social provider is also included in the `rawData` field.
+ */
+export type SocialUserInfo = {
+  id: string;
+  email?: string;
+  phone?: string;
+  name?: string;
+  avatar?: string;
+  rawData?: Json;
+};
+
 export const socialUserInfoGuard = z.object({
   id: z.string(),
   email: z.string().optional(),
   phone: z.string().optional(),
   name: z.string().optional(),
   avatar: z.string().optional(),
-});
-
-export type SocialUserInfo = z.infer<typeof socialUserInfoGuard>;
+  rawData: jsonGuard.optional(),
+}) satisfies z.ZodType<SocialUserInfo>;
 
-export type GetUserInfo = (
-  data: unknown,
-  getSession: GetSession
-) => Promise<SocialUserInfo & Record<string, string | boolean | number | undefined>>;
+export type GetUserInfo = (data: unknown, getSession: GetSession) => Promise<SocialUserInfo>;
 
 export const connectorSessionGuard = z
   .object({
diff --git a/packages/toolkit/connector-kit/tsconfig.test.json b/packages/toolkit/connector-kit/tsconfig.test.json
deleted file mode 100644
index 55de18c33aa..00000000000
--- a/packages/toolkit/connector-kit/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true
-  },
-  "include": ["src"]
-}
diff --git a/packages/toolkit/core-kit/CHANGELOG.md b/packages/toolkit/core-kit/CHANGELOG.md
index 8ad47f1453f..0885f23dc2a 100644
--- a/packages/toolkit/core-kit/CHANGELOG.md
+++ b/packages/toolkit/core-kit/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Change Log
 
+## 2.4.0
+
+### Minor Changes
+
+- abffb9f95: full oidc standard claims support
+
+  We have added support for the remaining [OpenID Connect standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
+
+  Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
+
+  For all newly introduced claims, we store them in the `user.profile` field.
+
+  > ![Note]
+  > Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
+
+### Patch Changes
+
+- @logto/shared@3.1.0
+
 ## 2.3.0
 
 ### Minor Changes
diff --git a/packages/toolkit/core-kit/jest.config.js b/packages/toolkit/core-kit/jest.config.js
deleted file mode 100644
index 838c8248d1d..00000000000
--- a/packages/toolkit/core-kit/jest.config.js
+++ /dev/null
@@ -1,14 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  setupFilesAfterEnv: ['<rootDir>/jest.setup.js'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/toolkit/core-kit/jest.setup.js b/packages/toolkit/core-kit/jest.setup.js
deleted file mode 100644
index ee007a94391..00000000000
--- a/packages/toolkit/core-kit/jest.setup.js
+++ /dev/null
@@ -1,4 +0,0 @@
-import crypto from 'node:crypto';
-
-// eslint-disable-next-line @silverhand/fp/no-mutation
-global.crypto = crypto;
diff --git a/packages/toolkit/core-kit/package.json b/packages/toolkit/core-kit/package.json
index ff7d8b9f300..d97ea358208 100644
--- a/packages/toolkit/core-kit/package.json
+++ b/packages/toolkit/core-kit/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/core-kit",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
@@ -29,15 +29,13 @@
     "precommit": "lint-staged",
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json",
-    "build:test": "pnpm build -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "prepack": "pnpm build",
     "stylelint": "stylelint \"scss/**/*.scss\"",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only",
-    "test:coverage": "pnpm test:only --silent --coverage"
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage"
   },
   "engines": {
     "node": "^20.9.0"
@@ -45,29 +43,27 @@
   "dependencies": {
     "@logto/language-kit": "workspace:^1.1.0",
     "@logto/shared": "workspace:^3.1.0",
+    "@silverhand/essentials": "^2.9.0",
     "color": "^4.2.3"
   },
   "optionalDependencies": {
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@jest/types": "^29.0.3",
     "@silverhand/eslint-config": "5.0.0",
-    "@silverhand/essentials": "^2.9.0",
     "@silverhand/ts-config": "5.0.0",
     "@silverhand/ts-config-react": "5.0.0",
     "@types/color": "^3.0.3",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
     "@types/react": "^18.0.31",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "postcss": "^8.4.31",
     "prettier": "^3.0.0",
     "stylelint": "^15.0.0",
-    "tslib": "^2.4.1",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "eslintConfig": {
     "extends": "@silverhand"
diff --git a/packages/toolkit/core-kit/scss/_console-themes.scss b/packages/toolkit/core-kit/scss/_console-themes.scss
index c6ed2d03926..19d9ae98d0b 100644
--- a/packages/toolkit/core-kit/scss/_console-themes.scss
+++ b/packages/toolkit/core-kit/scss/_console-themes.scss
@@ -162,7 +162,17 @@
   --color-specific-icon-bg: #f3effa;
   --color-specific-toggle-off-enable: var(--color-neutral-90);
   --color-specific-unselected-disabled: var(--color-hover); // 8% Neutral-10
+  --color-specific-selected-disabled: var(--color-primary-80);
+  --color-specific-focused-inside: var(--color-primary-30);
+  --color-specific-focused-outside: var(--color-primary-40);
+  --color-specific-button-icon: rgba(255, 255, 255, 70%); // 70% static white
+  --color-overlay-primary-hover: rgba(93, 52, 242, 8%); // 8% Primary-40
+  --color-overlay-primary-pressed: rgba(93, 52, 242, 12%); // 12% Primary-40
   --color-function-n-overlay-primary-focused: rgba(93, 52, 242, 16%); // 16% Primary-40
+  --color-overlay-danger-hover: rgba(186, 27, 27, 8%); // 8% Error-40
+  --color-overlay-dark-bg-hover: rgba(255, 255, 255, 12%); // 12% static white
+  --color-overlay-dark-bg-pressed: rgba(255, 255, 255, 18%); // 18% static white
+  --color-overlay-dark-bg-focused: rgba(255, 255, 255, 24%); // 24% static white
 
   // Shadows
   --shadow-1: 0 4px 8px rgba(0, 0, 0, 8%);
@@ -201,6 +211,15 @@
   --color-bg-state-unselected: var(--color-neutral-90);
   --color-bg-state-disabled: rgba(25, 28, 29, 8%); // 8% --color-neutral-10
   --color-bg-info-tag: rgba(229, 225, 236, 80%); // 80% --color-neutral-variant-90
+
+  // code editor
+  --color-code-bg: #181133;
+  --color-code-bg-float: #30314e;
+  --color-code-white: #f7f8f8;
+  --color-code-grey: #adaab4;
+  --color-code-dark-bg-focused: rgba(255, 255, 255, 24%);
+  --color-code-dark-bg-hover: rgba(255, 255, 255, 12%);
+  --color-code-dark-bg-pressed: rgba(255, 255, 255, 18%);
 }
 
 @mixin dark {
@@ -367,7 +386,17 @@
   --color-specific-icon-bg: rgba(247, 248, 248, 12%);
   --color-specific-toggle-off-enable: var(--color-neutral-90);
   --color-specific-unselected-disabled: var(--color-hover); // 8% Neutral-10
+  --color-specific-selected-disabled: var(--color-primary-80);
+  --color-specific-focused-inside: var(--color-primary-40);
+  --color-specific-focused-outside: rgba(#cabeff, 32%); // 32% Primary-40
+  --color-specific-button-icon: rgba(255, 255, 255, 60%); // 60% static white
+  --color-overlay-primary-hover: rgba(202, 190, 255, 8%); // 8% Primary-40
+  --color-overlay-primary-pressed: rgba(202, 190, 255, 12%); // 12% Primary-40
   --color-function-n-overlay-primary-focused: rgba(202, 190, 255, 16%); // 16% Primary-40
+  --color-overlay-danger-hover: rgba(186, 27, 27, 8%); // 8% Error-40
+  --color-overlay-dark-bg-hover: rgba(255, 255, 255, 12%); // 12% static white
+  --color-overlay-dark-bg-pressed: rgba(255, 255, 255, 18%); // 18% static white
+  --color-overlay-dark-bg-focused: rgba(255, 255, 255, 24%); // 24% static white
 
   // Shadows
   --shadow-1: 0 4px 8px rgba(0, 0, 0, 8%);
@@ -409,4 +438,11 @@
   --color-bg-state-unselected: var(--color-neutral-90);
   --color-bg-state-disabled: rgba(247, 248, 248, 8%); // 8% --color-neutral-10
   --color-bg-info-tag: var(--color-neutral-variant-90);
+
+  // code editor
+  --color-code-bg: #090613;
+  --color-code-bg-float: #232439;
+  --color-code-white: #f7f8f8;
+  --color-code-grey: #adaab4;
+  --color-code-dark-bg-focused: rgba(255, 255, 255, 24%);
 }
diff --git a/packages/toolkit/core-kit/scss/_fonts.scss b/packages/toolkit/core-kit/scss/_fonts.scss
index 0c461d0484d..d3aa3bdeae2 100644
--- a/packages/toolkit/core-kit/scss/_fonts.scss
+++ b/packages/toolkit/core-kit/scss/_fonts.scss
@@ -30,4 +30,5 @@ $font-family:
   --font-body-3: 400 12px/16px #{$font-family};
   --font-section-head-1: 700 12px/16px #{$font-family};
   --font-section-head-2: 700 10px/16px #{$font-family};
+  --font-code: 500 14px/20px 'Roboto Mono', monospace;
 }
diff --git a/packages/toolkit/core-kit/src/openid.ts b/packages/toolkit/core-kit/src/openid.ts
index 2b59ba4bb44..d950b8d1297 100644
--- a/packages/toolkit/core-kit/src/openid.ts
+++ b/packages/toolkit/core-kit/src/openid.ts
@@ -15,19 +15,35 @@ export enum ReservedResource {
 }
 
 export type UserClaim =
+  // OIDC standard claims
   | 'name'
+  | 'given_name'
+  | 'family_name'
+  | 'middle_name'
+  | 'nickname'
+  | 'preferred_username'
+  | 'profile'
   | 'picture'
-  | 'username'
+  | 'website'
   | 'email'
   | 'email_verified'
+  | 'gender'
+  | 'birthdate'
+  | 'zoneinfo'
+  | 'locale'
   | 'phone_number'
   | 'phone_number_verified'
+  | 'address'
+  | 'updated_at'
+  // Custom claims
+  | 'username'
   | 'roles'
   | 'organizations'
   | 'organization_data'
   | 'organization_roles'
   | 'custom_data'
-  | 'identities';
+  | 'identities'
+  | 'created_at';
 
 /**
  * Scopes for ID Token and Userinfo Endpoint.
@@ -51,6 +67,12 @@ export enum UserScope {
    * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
    */
   Phone = 'phone',
+  /**
+   * Scope for user address.
+   *
+   * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+   */
+  Address = 'address',
   /**
    * Scope for user's custom data.
    *
@@ -85,11 +107,33 @@ export enum UserScope {
 
 /**
  * Mapped claims that ID Token includes.
+ *
+ * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
  */
 export const idTokenClaims: Readonly<Record<UserScope, UserClaim[]>> = Object.freeze({
-  [UserScope.Profile]: ['name', 'picture', 'username'],
+  [UserScope.Profile]: [
+    // Standard claims
+    'name',
+    'family_name',
+    'given_name',
+    'middle_name',
+    'nickname',
+    'preferred_username',
+    'profile',
+    'picture',
+    'website',
+    'gender',
+    'birthdate',
+    'zoneinfo',
+    'locale',
+    'updated_at',
+    // Custom claims
+    'username',
+    'created_at',
+  ],
   [UserScope.Email]: ['email', 'email_verified'],
   [UserScope.Phone]: ['phone_number', 'phone_number_verified'],
+  [UserScope.Address]: ['address'],
   [UserScope.Roles]: ['roles'],
   [UserScope.Organizations]: ['organizations'],
   [UserScope.OrganizationRoles]: ['organization_roles'],
@@ -104,6 +148,7 @@ export const userinfoClaims: Readonly<Record<UserScope, UserClaim[]>> = Object.f
   [UserScope.Profile]: [],
   [UserScope.Email]: [],
   [UserScope.Phone]: [],
+  [UserScope.Address]: [],
   [UserScope.Roles]: [],
   [UserScope.Organizations]: ['organization_data'],
   [UserScope.OrganizationRoles]: [],
diff --git a/packages/toolkit/core-kit/src/password-policy.test.ts b/packages/toolkit/core-kit/src/password-policy.test.ts
index b7a44c2a100..55106112e72 100644
--- a/packages/toolkit/core-kit/src/password-policy.test.ts
+++ b/packages/toolkit/core-kit/src/password-policy.test.ts
@@ -1,14 +1,13 @@
+import { describe, expect, it, beforeAll, afterAll, vi } from 'vitest';
 import { ZodError } from 'zod';
 
 import { PasswordPolicyChecker } from './password-policy.js';
 
-const { jest } = import.meta;
-
 const mockPwnResponse = () => {
   const originalFetch = global.fetch;
   beforeAll(() => {
     // eslint-disable-next-line @silverhand/fp/no-mutation
-    global.fetch = jest.fn().mockResolvedValue({
+    global.fetch = vi.fn().mockResolvedValue({
       // Return hash suffixes for '123456'.
       text: async () =>
         'D032E84B0AEB4E773555C73D6B13BEA7A44:1\nD09CA3762AF61E59520943DC26494F8941B:37615252',
diff --git a/packages/toolkit/core-kit/src/password-policy.ts b/packages/toolkit/core-kit/src/password-policy.ts
index 085e0d8d4da..e9e46017819 100644
--- a/packages/toolkit/core-kit/src/password-policy.ts
+++ b/packages/toolkit/core-kit/src/password-policy.ts
@@ -3,6 +3,8 @@ import { type webcrypto } from 'node:crypto';
 import { type DeepPartial } from '@silverhand/essentials';
 import { z } from 'zod';
 
+import { getPwnPasswordsForTest, isIntegrationTest } from './utils/integration-test.js';
+
 /** Password policy configuration type. */
 export type PasswordPolicy = {
   /** Policy about password length. */
@@ -300,6 +302,10 @@ export class PasswordPolicyChecker {
    * @returns Whether the password has been pwned.
    */
   async hasBeenPwned(password: string): Promise<boolean> {
+    if (isIntegrationTest()) {
+      return getPwnPasswordsForTest().includes(password);
+    }
+
     const hash = await this.subtle.digest('SHA-1', new TextEncoder().encode(password));
     const hashHex = Array.from(new Uint8Array(hash))
       .map((binary) => binary.toString(16).padStart(2, '0'))
diff --git a/packages/toolkit/core-kit/src/regex.test.ts b/packages/toolkit/core-kit/src/regex.test.ts
index 555580b56e1..09321f44e9f 100644
--- a/packages/toolkit/core-kit/src/regex.test.ts
+++ b/packages/toolkit/core-kit/src/regex.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { domainRegEx } from './regex.js';
 
 describe('Regular expressions should work as expected', () => {
diff --git a/packages/toolkit/core-kit/src/utils/integration-test.ts b/packages/toolkit/core-kit/src/utils/integration-test.ts
new file mode 100644
index 00000000000..1c072b908e8
--- /dev/null
+++ b/packages/toolkit/core-kit/src/utils/integration-test.ts
@@ -0,0 +1,10 @@
+import { yes } from '@silverhand/essentials';
+
+export const isIntegrationTest = () => yes(process.env.INTEGRATION_TEST);
+
+export const getPwnPasswordsForTest = () => {
+  if (!isIntegrationTest()) {
+    throw new Error('This function should only be called in integration tests');
+  }
+  return Object.freeze(['123456aA', 'test_password']);
+};
diff --git a/packages/toolkit/core-kit/src/utils/url.test.ts b/packages/toolkit/core-kit/src/utils/url.test.ts
index 90742ca2e67..75ab7588c55 100644
--- a/packages/toolkit/core-kit/src/utils/url.test.ts
+++ b/packages/toolkit/core-kit/src/utils/url.test.ts
@@ -1,3 +1,5 @@
+import { describe, expect, it } from 'vitest';
+
 import { isLocalhost, isValidUrl, validateRedirectUrl } from './url.js';
 
 describe('url utilities', () => {
diff --git a/packages/toolkit/core-kit/tsconfig.test.json b/packages/toolkit/core-kit/tsconfig.test.json
deleted file mode 100644
index 55de18c33aa..00000000000
--- a/packages/toolkit/core-kit/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true
-  },
-  "include": ["src"]
-}
diff --git a/packages/toolkit/language-kit/jest.config.js b/packages/toolkit/language-kit/jest.config.js
deleted file mode 100644
index 47665f39a5c..00000000000
--- a/packages/toolkit/language-kit/jest.config.js
+++ /dev/null
@@ -1,13 +0,0 @@
-/** @type {import('jest').Config} */
-const config = {
-  transform: {},
-  coveragePathIgnorePatterns: ['/node_modules/', '/src/__mocks__/'],
-  coverageReporters: ['text-summary', 'lcov'],
-  coverageProvider: 'v8',
-  roots: ['./lib'],
-  moduleNameMapper: {
-    '^(chalk|inquirer)$': '<rootDir>/../../shared/lib/esm/module-proxy.js',
-  },
-};
-
-export default config;
diff --git a/packages/toolkit/language-kit/package.json b/packages/toolkit/language-kit/package.json
index 3f6627f8320..fe1158722f5 100644
--- a/packages/toolkit/language-kit/package.json
+++ b/packages/toolkit/language-kit/package.json
@@ -22,14 +22,12 @@
   "scripts": {
     "precommit": "lint-staged",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json",
-    "build:test": "pnpm build -p tsconfig.test.json --sourcemap",
+    "build:test": "pnpm build",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
     "prepack": "pnpm build",
-    "test:only": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test": "pnpm build:test && pnpm test:only",
-    "test:ci": "pnpm test:only",
-    "test:coverage": "pnpm test:only --silent --coverage"
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage"
   },
   "engines": {
     "node": "^20.9.0"
@@ -38,17 +36,15 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@jest/types": "^29.0.3",
     "@silverhand/eslint-config": "5.0.0",
     "@silverhand/ts-config": "5.0.0",
-    "@types/jest": "^29.4.0",
     "@types/node": "^20.9.5",
+    "@vitest/coverage-v8": "^1.4.0",
     "eslint": "^8.44.0",
-    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
-    "tslib": "^2.4.1",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^1.4.0"
   },
   "eslintConfig": {
     "extends": "@silverhand"
diff --git a/packages/toolkit/language-kit/src/utility.test.ts b/packages/toolkit/language-kit/src/utility.test.ts
index f79fca46259..8743fb20fec 100644
--- a/packages/toolkit/language-kit/src/utility.test.ts
+++ b/packages/toolkit/language-kit/src/utility.test.ts
@@ -1,3 +1,4 @@
+import { describe, expect, it } from 'vitest';
 import { number, ZodError } from 'zod';
 
 import { fallback, isLanguageTag, languageTagGuard } from './utility.js';
diff --git a/packages/toolkit/language-kit/tsconfig.test.json b/packages/toolkit/language-kit/tsconfig.test.json
deleted file mode 100644
index 55de18c33aa..00000000000
--- a/packages/toolkit/language-kit/tsconfig.test.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig",
-  "compilerOptions": {
-    "isolatedModules": false,
-    "allowJs": true
-  },
-  "include": ["src"]
-}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index fc47c7b4bd7..28d413ea6a7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -16,14 +16,14 @@ importers:
         specifier: ^2.26.2
         version: 2.26.2
       '@commitlint/cli':
-        specifier: ^18.0.0
-        version: 18.4.3(typescript@5.0.2)
+        specifier: ^19.0.0
+        version: 19.0.3(@types/node@20.11.20)(typescript@5.0.2)
       '@commitlint/config-conventional':
-        specifier: ^18.0.0
-        version: 18.4.3
+        specifier: ^19.0.0
+        version: 19.0.3
       '@commitlint/types':
-        specifier: ^18.0.0
-        version: 18.4.3
+        specifier: ^19.0.0
+        version: 19.0.3
       '@types/pg':
         specifier: ^8.6.6
         version: 8.6.6
@@ -54,6 +54,9 @@ importers:
       applicationinsights:
         specifier: ^2.7.0
         version: 2.7.0
+      tslib:
+        specifier: ^2.4.1
+        version: 2.4.1
     devDependencies:
       '@silverhand/eslint-config':
         specifier: 5.0.0
@@ -67,24 +70,21 @@ importers:
       '@silverhand/ts-config-react':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
       '@types/react':
         specifier: ^18.0.31
         version: 18.0.31
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
       history:
         specifier: ^5.3.0
         version: 5.3.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -94,32 +94,32 @@ importers:
       react:
         specifier: ^18.0.0
         version: 18.2.0
-      tslib:
-        specifier: ^2.4.1
-        version: 2.4.1
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/cli:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/phrases-experience':
-        specifier: workspace:^1.6.0
+        specifier: workspace:^1.6.1
         version: link:../phrases-experience
       '@logto/schemas':
-        specifier: workspace:1.14.0
+        specifier: workspace:1.15.0
         version: link:../schemas
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -127,6 +127,9 @@ importers:
       '@silverhand/essentials':
         specifier: ^2.9.0
         version: 2.9.0
+      '@silverhand/slonik':
+        specifier: 31.0.0-beta.2
+        version: 31.0.0-beta.2
       chalk:
         specifier: ^5.0.0
         version: 5.1.2
@@ -169,15 +172,6 @@ importers:
       semver:
         specifier: ^7.3.8
         version: 7.5.2
-      slonik:
-        specifier: ^30.0.0
-        version: 30.1.2
-      slonik-interceptor-preset:
-        specifier: ^1.2.10
-        version: 1.2.10
-      slonik-sql-tag-raw:
-        specifier: ^1.1.4
-        version: 1.1.4(roarr@7.11.0)(slonik@30.1.2)
       tar:
         specifier: ^6.1.11
         version: 6.1.11
@@ -200,9 +194,6 @@ importers:
       '@types/inquirer':
         specifier: ^9.0.0
         version: 9.0.3
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
@@ -218,15 +209,15 @@ importers:
       '@types/yargs':
         specifier: ^17.0.13
         version: 17.0.13
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       '@withtyped/server':
-        specifier: ^0.12.9
-        version: 0.12.9(zod@3.22.4)
+        specifier: ^0.13.3
+        version: 0.13.3(zod@3.22.4)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -236,11 +227,14 @@ importers:
       sinon:
         specifier: ^17.0.0
         version: 17.0.0
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/connectors/connector-alipay-native:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -255,15 +249,12 @@ importers:
         specifier: ^0.6.3
         version: 0.6.3
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -285,24 +276,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -315,20 +300,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-alipay-web:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -343,15 +331,12 @@ importers:
         specifier: ^0.6.3
         version: 0.6.3
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -373,24 +358,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -403,20 +382,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-aliyun-dm:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -425,15 +407,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -452,24 +431,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -482,20 +455,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-aliyun-sms:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -504,15 +480,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -531,24 +504,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -561,20 +528,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-apple:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -589,15 +559,12 @@ importers:
         specifier: ^5.0.0
         version: 5.0.1
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -616,24 +583,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -646,15 +607,18 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-aws-ses:
     dependencies:
@@ -665,7 +629,7 @@ importers:
         specifier: ^3.226.0
         version: 3.226.0
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -674,15 +638,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -701,24 +662,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -731,15 +686,18 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-azuread:
     dependencies:
@@ -747,7 +705,7 @@ importers:
         specifier: ^2.0.0
         version: 2.6.4
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -756,15 +714,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -783,24 +738,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -813,20 +762,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-discord:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -835,15 +787,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -862,24 +811,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -892,20 +835,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-facebook:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -914,15 +860,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -941,24 +884,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -971,20 +908,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-feishu-web:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -993,15 +933,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1020,24 +957,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1050,20 +981,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-github:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1075,15 +1009,12 @@ importers:
         specifier: ^9.0.0
         version: 9.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1102,24 +1033,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1132,20 +1057,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-google:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1154,15 +1082,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1181,24 +1106,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1211,20 +1130,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-kakao:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1233,15 +1155,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1260,24 +1179,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1290,20 +1203,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-logto-email:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1312,18 +1228,15 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@logto/cloud':
-        specifier: 0.2.5-faca9a9
-        version: 0.2.5-faca9a9(zod@3.22.4)
+        specifier: 0.2.5-ab8a489
+        version: 0.2.5-ab8a489(zod@3.22.4)
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1342,24 +1255,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1372,20 +1279,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-logto-sms:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1394,15 +1304,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1421,24 +1328,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1451,20 +1352,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-logto-social-demo:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1473,15 +1377,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1500,24 +1401,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1530,20 +1425,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-mailgun:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1552,15 +1450,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1579,24 +1474,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1609,20 +1498,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-mock-email:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1631,15 +1523,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1658,24 +1547,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1688,20 +1571,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-mock-email-alternative:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1710,15 +1596,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1737,24 +1620,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1767,20 +1644,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-mock-sms:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1789,15 +1669,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1816,24 +1693,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1846,20 +1717,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-mock-social:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1868,15 +1742,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1895,24 +1766,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -1925,20 +1790,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-naver:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -1947,15 +1815,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -1974,24 +1839,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2004,20 +1863,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-oauth2:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2029,15 +1891,12 @@ importers:
         specifier: ^9.0.0
         version: 9.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2056,24 +1915,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2086,20 +1939,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-oidc:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -2117,15 +1973,12 @@ importers:
         specifier: ^5.0.1
         version: 5.0.1
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2144,24 +1997,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2174,20 +2021,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-saml:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2202,15 +2052,12 @@ importers:
         specifier: 2.8.10
         version: 2.8.10
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2229,24 +2076,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2259,20 +2100,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-sendgrid-email:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2281,15 +2125,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2308,24 +2149,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2338,20 +2173,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-smsaero:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2360,15 +2198,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2387,24 +2222,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2417,20 +2246,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-smtp:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2442,15 +2274,12 @@ importers:
         specifier: ^6.9.9
         version: 6.9.9
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2469,9 +2298,6 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
@@ -2481,15 +2307,12 @@ importers:
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2502,20 +2325,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-tencent-sms:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2524,15 +2350,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2551,24 +2374,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2581,20 +2398,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-twilio-sms:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2603,15 +2423,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2630,24 +2447,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2660,20 +2471,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-wechat-native:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2682,15 +2496,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2709,24 +2520,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2739,20 +2544,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-wechat-web:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2761,15 +2569,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2788,24 +2593,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.11.20
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.11.20)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2818,20 +2617,23 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.11.20)
 
   packages/connectors/connector-wecom:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.0.0
+        specifier: workspace:^3.0.0
         version: link:../../toolkit/connector-kit
       '@silverhand/essentials':
         specifier: ^2.9.0
@@ -2840,15 +2642,12 @@ importers:
         specifier: ^14.0.0
         version: 14.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.5.0
-        version: 29.6.3
       '@rollup/plugin-commonjs':
         specifier: ^25.0.0
         version: 25.0.7(rollup@4.12.0)
@@ -2867,24 +2666,18 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.1
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
-      jest-matcher-specific-error:
-        specifier: ^1.0.0
-        version: 1.0.0
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -2897,15 +2690,18 @@ importers:
       rollup:
         specifier: ^4.0.0
         version: 4.12.0
-      rollup-plugin-summary:
-        specifier: ^2.0.0
-        version: 2.0.0(rollup@4.12.0)
+      rollup-plugin-output-size:
+        specifier: ^1.3.0
+        version: 1.3.0(rollup@4.12.0)
       supertest:
         specifier: ^6.2.2
         version: 6.2.2
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/console:
     devDependencies:
@@ -2919,28 +2715,28 @@ importers:
         specifier: workspace:^1.4.0
         version: link:../app-insights
       '@logto/cloud':
-        specifier: 0.2.5-faca9a9
-        version: 0.2.5-faca9a9(zod@3.22.4)
+        specifier: 0.2.5-ab8a489
+        version: 0.2.5-ab8a489(zod@3.22.4)
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/phrases-experience':
-        specifier: workspace:^1.6.0
+        specifier: workspace:^1.6.1
         version: link:../phrases-experience
       '@logto/react':
-        specifier: ^3.0.0
-        version: 3.0.0(react@18.2.0)
+        specifier: ^3.0.5
+        version: 3.0.5(react@18.2.0)
       '@logto/schemas':
-        specifier: workspace:^1.13.1
+        specifier: workspace:^1.15.0
         version: link:../schemas
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -2948,6 +2744,9 @@ importers:
       '@mdx-js/react':
         specifier: ^1.6.22
         version: 1.6.22(react@18.2.0)
+      '@monaco-editor/react':
+        specifier: ^4.6.0
+        version: 4.6.0(monaco-editor@0.46.0)(react-dom@18.2.0)(react@18.2.0)
       '@parcel/compressor-brotli':
         specifier: 2.9.3
         version: 2.9.3(@parcel/core@2.9.3)
@@ -3021,8 +2820,8 @@ importers:
         specifier: ^15.5.1
         version: 15.5.1
       '@withtyped/client':
-        specifier: ^0.7.22
-        version: 0.7.22(zod@3.22.4)
+        specifier: ^0.8.4
+        version: 0.8.4(zod@3.22.4)
       buffer:
         specifier: ^5.7.1
         version: 5.7.1
@@ -3084,8 +2883,8 @@ importers:
         specifier: ^4.2.0
         version: 4.2.0
       ky:
-        specifier: ^1.0.0
-        version: 1.0.0
+        specifier: ^1.2.3
+        version: 1.2.3
       libphonenumber-js:
         specifier: ^1.10.51
         version: 1.10.51
@@ -3203,6 +3002,9 @@ importers:
       zod:
         specifier: ^3.22.4
         version: 3.22.4
+      zod-to-ts:
+        specifier: ^1.2.0
+        version: 1.2.0(typescript@5.3.3)(zod@3.22.4)
 
   packages/core:
     dependencies:
@@ -3228,16 +3030,16 @@ importers:
         specifier: workspace:^1.4.0
         version: link:../app-insights
       '@logto/cli':
-        specifier: workspace:^1.14.0
+        specifier: workspace:^1.15.0
         version: link:../cli
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/console':
         specifier: workspace:*
         version: link:../console
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/demo-app':
         specifier: workspace:*
@@ -3249,13 +3051,13 @@ importers:
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/phrases-experience':
-        specifier: workspace:^1.6.0
+        specifier: workspace:^1.6.1
         version: link:../phrases-experience
       '@logto/schemas':
-        specifier: workspace:^1.14.0
+        specifier: workspace:^1.15.0
         version: link:../schemas
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -3263,12 +3065,15 @@ importers:
       '@silverhand/essentials':
         specifier: ^2.9.0
         version: 2.9.0
+      '@silverhand/slonik':
+        specifier: 31.0.0-beta.2
+        version: 31.0.0-beta.2
       '@simplewebauthn/server':
         specifier: ^9.0.0
         version: 9.0.1
       '@withtyped/client':
-        specifier: ^0.7.22
-        version: 0.7.22(zod@3.22.4)
+        specifier: ^0.8.4
+        version: 0.8.4(zod@3.22.4)
       camelcase:
         specifier: ^8.0.0
         version: 8.0.0
@@ -3386,28 +3191,19 @@ importers:
       semver:
         specifier: ^7.3.8
         version: 7.5.2
-      slonik:
-        specifier: ^30.0.0
-        version: 30.1.2
-      slonik-interceptor-preset:
-        specifier: ^1.2.10
-        version: 1.2.10
-      slonik-sql-tag-raw:
-        specifier: ^1.1.4
-        version: 1.1.4(roarr@7.11.0)(slonik@30.1.2)
       snake-case:
-        specifier: ^3.0.4
-        version: 3.0.4
+        specifier: ^4.0.0
+        version: 4.0.0
       snakecase-keys:
-        specifier: ^6.0.0
-        version: 6.0.0
+        specifier: ^7.0.0
+        version: 7.0.0
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
       '@logto/cloud':
-        specifier: 0.2.5-faca9a9
-        version: 0.2.5-faca9a9(zod@3.22.4)
+        specifier: 0.2.5-ab8a489
+        version: 0.2.5-ab8a489(zod@3.22.4)
       '@silverhand/eslint-config':
         specifier: 5.0.0
         version: 5.0.0(eslint@8.44.0)(prettier@3.0.0)(typescript@5.3.3)
@@ -3505,25 +3301,25 @@ importers:
   packages/create:
     dependencies:
       '@logto/cli':
-        specifier: workspace:^1.14.0
+        specifier: workspace:^1.15.0
         version: link:../cli
 
   packages/demo-app:
     devDependencies:
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/react':
-        specifier: ^3.0.0
-        version: 3.0.0(react@18.2.0)
+        specifier: ^3.0.5
+        version: 3.0.5(react@18.2.0)
       '@logto/schemas':
-        specifier: workspace:^1.13.0
+        specifier: workspace:^1.15.0
         version: link:../schemas
       '@parcel/core':
         specifier: 2.9.3
@@ -3599,27 +3395,27 @@ importers:
     devDependencies:
       '@jest/types':
         specifier: ^29.5.0
-        version: 29.5.0
+        version: 29.6.3
       '@logto/app-insights':
         specifier: workspace:^1.4.0
         version: link:../app-insights
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/phrases-experience':
-        specifier: workspace:^1.6.0
+        specifier: workspace:^1.6.1
         version: link:../phrases-experience
       '@logto/schemas':
-        specifier: workspace:^1.13.0
+        specifier: workspace:^1.15.0
         version: link:../schemas
       '@parcel/compressor-brotli':
         specifier: 2.9.3
@@ -3725,7 +3521,7 @@ importers:
         version: 3.0.0
       jest:
         specifier: ^29.7.0
-        version: 29.7.0(@types/node@18.19.3)
+        version: 29.7.0(@types/node@20.11.20)
       jest-environment-jsdom:
         specifier: ^29.0.0
         version: 29.2.2
@@ -3739,8 +3535,8 @@ importers:
         specifier: ^3.7.5
         version: 3.7.5
       ky:
-        specifier: ^1.0.0
-        version: 1.0.0
+        specifier: ^1.2.3
+        version: 1.2.3
       libphonenumber-js:
         specifier: ^1.10.51
         version: 1.10.51
@@ -3830,19 +3626,19 @@ importers:
         specifier: ^29.1.2
         version: 29.1.2
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/core-kit':
         specifier: workspace:^
         version: link:../toolkit/core-kit
       '@logto/js':
-        specifier: ^4.0.0
-        version: 4.0.0
+        specifier: ^4.1.1
+        version: 4.1.1
       '@logto/node':
-        specifier: ^2.4.0
-        version: 2.4.0
+        specifier: ^2.4.4
+        version: 2.4.4
       '@logto/schemas':
-        specifier: workspace:^1.13.0
+        specifier: workspace:^1.15.0
         version: link:../schemas
       '@logto/shared':
         specifier: workspace:^3.1.0
@@ -3871,9 +3667,6 @@ importers:
       expect-puppeteer:
         specifier: ^10.0.0
         version: 10.0.0
-      got:
-        specifier: ^14.0.0
-        version: 14.0.0
       jest:
         specifier: ^29.7.0
         version: 29.7.0(@types/node@20.10.4)
@@ -3881,14 +3674,14 @@ importers:
         specifier: ^1.0.0
         version: 1.0.0
       jest-puppeteer:
-        specifier: ^10.0.0
-        version: 10.0.1(puppeteer@21.0.0)(typescript@5.3.3)
+        specifier: ^10.0.1
+        version: 10.0.1(puppeteer@22.6.0)(typescript@5.3.3)
       jose:
         specifier: ^5.0.0
         version: 5.0.1
-      node-fetch:
-        specifier: ^3.3.0
-        version: 3.3.0
+      ky:
+        specifier: ^1.2.3
+        version: 1.2.3
       openapi-schema-validator:
         specifier: ^12.1.3
         version: 12.1.3
@@ -3899,8 +3692,8 @@ importers:
         specifier: ^3.0.0
         version: 3.0.0
       puppeteer:
-        specifier: ^21.0.0
-        version: 21.0.0
+        specifier: ^22.6.0
+        version: 22.6.0(typescript@5.3.3)
       text-encoder:
         specifier: ^0.0.4
         version: 0.0.4
@@ -3942,7 +3735,7 @@ importers:
   packages/phrases-experience:
     dependencies:
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
@@ -3979,26 +3772,26 @@ importers:
   packages/schemas:
     dependencies:
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@logto/core-kit':
-        specifier: workspace:^2.3.0
+        specifier: workspace:^2.4.0
         version: link:../toolkit/core-kit
       '@logto/language-kit':
         specifier: workspace:^1.1.0
         version: link:../toolkit/language-kit
       '@logto/phrases':
-        specifier: workspace:^1.9.0
+        specifier: workspace:^1.10.0
         version: link:../phrases
       '@logto/phrases-experience':
-        specifier: workspace:^1.6.0
+        specifier: workspace:^1.6.1
         version: link:../phrases-experience
       '@logto/shared':
         specifier: workspace:^3.1.0
         version: link:../shared
       '@withtyped/server':
-        specifier: ^0.12.9
-        version: 0.12.9(zod@3.22.4)
+        specifier: ^0.13.3
+        version: 0.13.3(zod@3.22.4)
       zod:
         specifier: ^3.22.4
         version: 3.22.4
@@ -4009,21 +3802,24 @@ importers:
       '@silverhand/essentials':
         specifier: ^2.9.0
         version: 2.9.0
+      '@silverhand/slonik':
+        specifier: 31.0.0-beta.2
+        version: 31.0.0-beta.2
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
       '@types/inquirer':
         specifier: ^9.0.0
         version: 9.0.3
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
       '@types/pluralize':
         specifier: ^0.0.33
         version: 0.0.33
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       camelcase:
         specifier: ^8.0.0
         version: 8.0.0
@@ -4033,9 +3829,6 @@ importers:
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -4048,15 +3841,12 @@ importers:
       roarr:
         specifier: ^7.11.0
         version: 7.11.0
-      slonik:
-        specifier: ^30.0.0
-        version: 30.1.2
-      slonik-sql-tag-raw:
-        specifier: ^1.1.4
-        version: 1.1.4(roarr@7.11.0)(slonik@30.1.2)
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/shared:
     dependencies:
@@ -4075,12 +3865,12 @@ importers:
       nanoid:
         specifier: ^5.0.1
         version: 5.0.1
-      slonik:
-        specifier: ^30.0.0
-        version: 30.1.2
     devDependencies:
+      '@jest/globals':
+        specifier: ^29.7.0
+        version: 29.7.0
       '@logto/connector-kit':
-        specifier: workspace:^2.1.0
+        specifier: workspace:^3.0.0
         version: link:../toolkit/connector-kit
       '@silverhand/eslint-config':
         specifier: 5.0.0
@@ -4088,18 +3878,15 @@ importers:
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -4109,6 +3896,9 @@ importers:
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/toolkit/connector-kit:
     dependencies:
@@ -4119,49 +3909,43 @@ importers:
         specifier: ^2.9.0
         version: 2.9.0
       '@withtyped/client':
-        specifier: ^0.7.22
-        version: 0.7.22(zod@3.22.4)
+        specifier: ^0.8.4
+        version: 0.8.4(zod@3.22.4)
       '@withtyped/server':
-        specifier: ^0.12.9
-        version: 0.12.9(zod@3.22.4)
+        specifier: ^0.13.3
+        version: 0.13.3(zod@3.22.4)
     optionalDependencies:
       zod:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.0.3
-        version: 29.1.2
       '@silverhand/eslint-config':
         specifier: 5.0.0
         version: 5.0.0(eslint@8.44.0)(prettier@3.0.0)(typescript@5.3.3)
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
       prettier:
         specifier: ^3.0.0
         version: 3.0.0
-      tslib:
-        specifier: ^2.4.1
-        version: 2.4.1
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/toolkit/core-kit:
     dependencies:
@@ -4171,6 +3955,9 @@ importers:
       '@logto/shared':
         specifier: workspace:^3.1.0
         version: link:../../shared
+      '@silverhand/essentials':
+        specifier: ^2.9.0
+        version: 2.9.0
       color:
         specifier: ^4.2.3
         version: 4.2.3
@@ -4179,15 +3966,9 @@ importers:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.0.3
-        version: 29.3.1
       '@silverhand/eslint-config':
         specifier: 5.0.0
         version: 5.0.0(eslint@8.44.0)(prettier@3.0.0)(typescript@5.3.3)
-      '@silverhand/essentials':
-        specifier: ^2.9.0
-        version: 2.9.0
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
@@ -4197,21 +3978,18 @@ importers:
       '@types/color':
         specifier: ^3.0.3
         version: 3.0.3
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
       '@types/react':
         specifier: ^18.0.31
         version: 18.0.31
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
@@ -4224,12 +4002,12 @@ importers:
       stylelint:
         specifier: ^15.0.0
         version: 15.0.0
-      tslib:
-        specifier: ^2.4.1
-        version: 2.4.1
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
   packages/toolkit/language-kit:
     optionalDependencies:
@@ -4237,39 +4015,33 @@ importers:
         specifier: ^3.22.4
         version: 3.22.4
     devDependencies:
-      '@jest/types':
-        specifier: ^29.0.3
-        version: 29.3.1
       '@silverhand/eslint-config':
         specifier: 5.0.0
         version: 5.0.0(eslint@8.44.0)(prettier@3.0.0)(typescript@5.3.3)
       '@silverhand/ts-config':
         specifier: 5.0.0
         version: 5.0.0(typescript@5.3.3)
-      '@types/jest':
-        specifier: ^29.4.0
-        version: 29.4.0
       '@types/node':
         specifier: ^20.9.5
         version: 20.10.4
+      '@vitest/coverage-v8':
+        specifier: ^1.4.0
+        version: 1.4.0(vitest@1.4.0)
       eslint:
         specifier: ^8.44.0
         version: 8.44.0
-      jest:
-        specifier: ^29.7.0
-        version: 29.7.0(@types/node@20.10.4)
       lint-staged:
         specifier: ^15.0.0
         version: 15.0.2
       prettier:
         specifier: ^3.0.0
         version: 3.0.0
-      tslib:
-        specifier: ^2.4.1
-        version: 2.4.1
       typescript:
         specifier: ^5.3.3
         version: 5.3.3
+      vitest:
+        specifier: ^1.4.0
+        version: 1.4.0(@types/node@20.10.4)
 
 packages:
 
@@ -4278,12 +4050,12 @@ packages:
     engines: {node: '>=0.10.0'}
     dev: true
 
-  /@ampproject/remapping@2.2.0:
-    resolution: {integrity: sha512-qRmjj8nj9qmLTQXXmaR1cck3UXSRMPrbsLJAasZpF+t3riI71BXed5ebIOYwQntykeZuhjsdweEc9BxH5Jc26w==}
+  /@ampproject/remapping@2.3.0:
+    resolution: {integrity: sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==}
     engines: {node: '>=6.0.0'}
     dependencies:
-      '@jridgewell/gen-mapping': 0.1.1
-      '@jridgewell/trace-mapping': 0.3.18
+      '@jridgewell/gen-mapping': 0.3.5
+      '@jridgewell/trace-mapping': 0.3.25
     dev: true
 
   /@apidevtools/json-schema-ref-parser@9.0.6:
@@ -6129,6 +5901,7 @@ packages:
     engines: {node: '>=6.9.0'}
     dependencies:
       '@babel/highlight': 7.22.5
+    dev: true
 
   /@babel/compat-data@7.20.1:
     resolution: {integrity: sha512-EWZ4mE2diW3QALKvDMiXnbZpRvlj+nayZ112nK93SnhqOtpdsbVD4W+2tEoT3YNBAG9RBR0ISY758ZkOgsn6pQ==}
@@ -6163,7 +5936,7 @@ packages:
     resolution: {integrity: sha512-w7DbG8DtMrJcFOi4VrLm+8QM4az8Mo+PuLBKLp2zrYRCow8W/f9xiXm5sN53C8HksCyDQwCKha9JiDoIyPjT2g==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@ampproject/remapping': 2.2.0
+      '@ampproject/remapping': 2.3.0
       '@babel/code-frame': 7.22.5
       '@babel/generator': 7.20.4
       '@babel/helper-compilation-targets': 7.20.0(@babel/core@7.20.2)
@@ -6186,8 +5959,8 @@ packages:
     resolution: {integrity: sha512-luCf7yk/cm7yab6CAW1aiFnmEfBJplb/JojV56MYEK7ziWfGmFlTfmL9Ehwfy4gFhbjBfWO1wj7/TuSbVNEEtA==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@babel/types': 7.20.2
-      '@jridgewell/gen-mapping': 0.3.2
+      '@babel/types': 7.24.0
+      '@jridgewell/gen-mapping': 0.3.5
       jsesc: 2.5.2
     dev: true
 
@@ -6214,21 +5987,21 @@ packages:
     engines: {node: '>=6.9.0'}
     dependencies:
       '@babel/template': 7.18.10
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/helper-hoist-variables@7.18.6:
     resolution: {integrity: sha512-UlJQPkFqFULIcyW5sbzgbkxn2FKRgwWiRexcuaR8RNJRy8+LLveqPjwZV/bwrLZCN0eUHD/x8D0heK1ozuoo6Q==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/helper-module-imports@7.18.6:
     resolution: {integrity: sha512-0NFvs3VkuSYbFi1x2Vd6tKrywq+z/cLeYC/RJNFrIX/30Bf5aiGYbtvGXolEktzJH8o5E5KJ3tT+nkxuuZFVlA==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/helper-module-transforms@7.20.2:
@@ -6242,7 +6015,7 @@ packages:
       '@babel/helper-validator-identifier': 7.22.5
       '@babel/template': 7.18.10
       '@babel/traverse': 7.20.1
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -6260,23 +6033,35 @@ packages:
     resolution: {integrity: sha512-+0woI/WPq59IrqDYbVGfshjT5Dmk/nnbdpcF8SnMhhXObpTq2KNBdLFRFrkVdbDOyUmHBCxzm5FHV1rACIkIbA==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/helper-split-export-declaration@7.18.6:
     resolution: {integrity: sha512-bde1etTx6ZyTmobl9LLMMQsaizFVZrquTEHOqKeQESMKo4PlObf+8+JA25ZsIpZhT/WEd39+vOdLXAFG/nELpA==}
     engines: {node: '>=6.9.0'}
     dependencies:
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/helper-string-parser@7.19.4:
     resolution: {integrity: sha512-nHtDoQcuqFmwYNYPz3Rah5ph2p8PFeFCsZk9A/48dPc/rGocJ5J3hAAZ7pb76VWX3fZKu+uEr/FhH5jLx7umrw==}
     engines: {node: '>=6.9.0'}
+    dev: true
+
+  /@babel/helper-string-parser@7.23.4:
+    resolution: {integrity: sha512-803gmbQdqwdf4olxrX4AJyFBV/RTr3rSmOj0rKwesmzlfhYNDEs+/iOcznzpNWlJlIlTJC2QfPFcHB6DlzdVLQ==}
+    engines: {node: '>=6.9.0'}
+    dev: true
+
+  /@babel/helper-validator-identifier@7.22.20:
+    resolution: {integrity: sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==}
+    engines: {node: '>=6.9.0'}
+    dev: true
 
   /@babel/helper-validator-identifier@7.22.5:
     resolution: {integrity: sha512-aJXu+6lErq8ltp+JhkJUfk1MTGyuA4v7f3pA+BJ5HLfNC6nAQ0Cpi9uOquUj8Hehg0aUiHzWQbOVJGao6ztBAQ==}
     engines: {node: '>=6.9.0'}
+    dev: true
 
   /@babel/helper-validator-option@7.18.6:
     resolution: {integrity: sha512-XO7gESt5ouv/LRJdrVjkShckw6STTaB7l9BrpBaAHDeF5YZT+01PCwmR0SJHnkW6i8OwW/EVWRShfi4j2x+KQw==}
@@ -6289,7 +6074,7 @@ packages:
     dependencies:
       '@babel/template': 7.18.10
       '@babel/traverse': 7.20.1
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -6301,13 +6086,22 @@ packages:
       '@babel/helper-validator-identifier': 7.22.5
       chalk: 2.4.2
       js-tokens: 4.0.0
+    dev: true
 
   /@babel/parser@7.20.3:
     resolution: {integrity: sha512-OP/s5a94frIPXwjzEcv5S/tpQfc6XhxYUnmWpgdqMWGgYCuErA3SzozaRAMQgSZWKeTJxht9aWAkUY+0UzvOFg==}
     engines: {node: '>=6.0.0'}
     hasBin: true
     dependencies:
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
+    dev: true
+
+  /@babel/parser@7.24.0:
+    resolution: {integrity: sha512-QuP/FxEAzMSjXygs8v4N9dvdXzEHN4W1oF3PxuWAtPo08UdM17u89RDMgjLn/mlc56iM0HlLmVkO/wgR+rDgHg==}
+    engines: {node: '>=6.0.0'}
+    hasBin: true
+    dependencies:
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/plugin-proposal-object-rest-spread@7.12.1(@babel/core@7.12.9):
@@ -6502,8 +6296,8 @@ packages:
     engines: {node: '>=6.9.0'}
     dependencies:
       '@babel/code-frame': 7.22.5
-      '@babel/parser': 7.20.3
-      '@babel/types': 7.20.2
+      '@babel/parser': 7.24.0
+      '@babel/types': 7.24.0
     dev: true
 
   /@babel/traverse@7.20.1:
@@ -6516,8 +6310,8 @@ packages:
       '@babel/helper-function-name': 7.19.0
       '@babel/helper-hoist-variables': 7.18.6
       '@babel/helper-split-export-declaration': 7.18.6
-      '@babel/parser': 7.20.3
-      '@babel/types': 7.20.2
+      '@babel/parser': 7.24.0
+      '@babel/types': 7.24.0
       debug: 4.3.4
       globals: 11.12.0
     transitivePeerDependencies:
@@ -6531,6 +6325,16 @@ packages:
       '@babel/helper-string-parser': 7.19.4
       '@babel/helper-validator-identifier': 7.22.5
       to-fast-properties: 2.0.0
+    dev: true
+
+  /@babel/types@7.24.0:
+    resolution: {integrity: sha512-+j7a5c253RfKh8iABBhywc8NSfP5LURe7Uh4qpsh6jc+aLJguvmIUBdjSdEMQv2bENrCR5MfRdjGo7vzS/ob7w==}
+    engines: {node: '>=6.9.0'}
+    dependencies:
+      '@babel/helper-string-parser': 7.23.4
+      '@babel/helper-validator-identifier': 7.22.20
+      to-fast-properties: 2.0.0
+    dev: true
 
   /@bcoe/v8-coverage@0.2.3:
     resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==}
@@ -6768,52 +6572,44 @@ packages:
       prettier: 2.8.4
     dev: true
 
-  /@colors/colors@1.5.0:
-    resolution: {integrity: sha512-ooWCrlZP11i8GImSjTHYHLkvFDP48nS4+204nGb1RiX/WXYHmJA2III9/e2DWVabCESdW7hBAEzHRqUn9OUVvQ==}
-    engines: {node: '>=0.1.90'}
-    requiresBuild: true
-    dev: true
-    optional: true
-
-  /@commitlint/cli@18.4.3(typescript@5.0.2):
-    resolution: {integrity: sha512-zop98yfB3A6NveYAZ3P1Mb6bIXuCeWgnUfVNkH4yhIMQpQfzFwseadazOuSn0OOfTt0lWuFauehpm9GcqM5lww==}
+  /@commitlint/cli@19.0.3(@types/node@20.11.20)(typescript@5.0.2):
+    resolution: {integrity: sha512-mGhh/aYPib4Vy4h+AGRloMY+CqkmtdeKPV9poMcZeImF5e3knQ5VYaSeAM0mEzps1dbKsHvABwaDpafLUuM96g==}
     engines: {node: '>=v18'}
     hasBin: true
     dependencies:
-      '@commitlint/format': 18.4.3
-      '@commitlint/lint': 18.4.3
-      '@commitlint/load': 18.4.3(typescript@5.0.2)
-      '@commitlint/read': 18.4.3
-      '@commitlint/types': 18.4.3
-      execa: 5.1.1
-      lodash.isfunction: 3.0.9
-      resolve-from: 5.0.0
-      resolve-global: 1.0.0
+      '@commitlint/format': 19.0.3
+      '@commitlint/lint': 19.0.3
+      '@commitlint/load': 19.0.3(@types/node@20.11.20)(typescript@5.0.2)
+      '@commitlint/read': 19.0.3
+      '@commitlint/types': 19.0.3
+      execa: 8.0.1
       yargs: 17.7.2
     transitivePeerDependencies:
+      - '@types/node'
       - typescript
     dev: true
 
-  /@commitlint/config-conventional@18.4.3:
-    resolution: {integrity: sha512-729eRRaNta7JZF07qf6SAGSghoDEp9mH7yHU0m7ff0q89W97wDrWCyZ3yoV3mcQJwbhlmVmZPTkPcm7qiAu8WA==}
+  /@commitlint/config-conventional@19.0.3:
+    resolution: {integrity: sha512-vh0L8XeLaEzTe8VCxSd0gAFvfTK0RFolrzw4o431bIuWJfi/yRCHJlsDwus7wW2eJaFFDR0VFXJyjGyDQhi4vA==}
     engines: {node: '>=v18'}
     dependencies:
+      '@commitlint/types': 19.0.3
       conventional-changelog-conventionalcommits: 7.0.2
     dev: true
 
-  /@commitlint/config-validator@18.4.3:
-    resolution: {integrity: sha512-FPZZmTJBARPCyef9ohRC9EANiQEKSWIdatx5OlgeHKu878dWwpyeFauVkhzuBRJFcCA4Uvz/FDtlDKs008IHcA==}
+  /@commitlint/config-validator@19.0.3:
+    resolution: {integrity: sha512-2D3r4PKjoo59zBc2auodrSCaUnCSALCx54yveOFwwP/i2kfEAQrygwOleFWswLqK0UL/F9r07MFi5ev2ohyM4Q==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/types': 18.4.3
+      '@commitlint/types': 19.0.3
       ajv: 8.12.0
     dev: true
 
-  /@commitlint/ensure@18.4.3:
-    resolution: {integrity: sha512-MI4fwD9TWDVn4plF5+7JUyLLbkOdzIRBmVeNlk4dcGlkrVA+/l5GLcpN66q9LkFsFv6G2X31y89ApA3hqnqIFg==}
+  /@commitlint/ensure@19.0.3:
+    resolution: {integrity: sha512-SZEpa/VvBLoT+EFZVb91YWbmaZ/9rPH3ESrINOl0HD2kMYsjvl0tF7nMHh0EpTcv4+gTtZBAe1y/SS6/OhfZzQ==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/types': 18.4.3
+      '@commitlint/types': 19.0.3
       lodash.camelcase: 4.3.0
       lodash.kebabcase: 4.1.1
       lodash.snakecase: 4.1.1
@@ -6821,122 +6617,121 @@ packages:
       lodash.upperfirst: 4.3.1
     dev: true
 
-  /@commitlint/execute-rule@18.4.3:
-    resolution: {integrity: sha512-t7FM4c+BdX9WWZCPrrbV5+0SWLgT3kCq7e7/GhHCreYifg3V8qyvO127HF796vyFql75n4TFF+5v1asOOWkV1Q==}
+  /@commitlint/execute-rule@19.0.0:
+    resolution: {integrity: sha512-mtsdpY1qyWgAO/iOK0L6gSGeR7GFcdW7tIjcNFxcWkfLDF5qVbPHKuGATFqRMsxcO8OUKNj0+3WOHB7EHm4Jdw==}
     engines: {node: '>=v18'}
     dev: true
 
-  /@commitlint/format@18.4.3:
-    resolution: {integrity: sha512-8b+ItXYHxAhRAXFfYki5PpbuMMOmXYuzLxib65z2XTqki59YDQJGpJ/wB1kEE5MQDgSTQWtKUrA8n9zS/1uIDQ==}
+  /@commitlint/format@19.0.3:
+    resolution: {integrity: sha512-QjjyGyoiVWzx1f5xOteKHNLFyhyweVifMgopozSgx1fGNrGV8+wp7k6n1t6StHdJ6maQJ+UUtO2TcEiBFRyR6Q==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/types': 18.4.3
-      chalk: 4.1.2
+      '@commitlint/types': 19.0.3
+      chalk: 5.3.0
     dev: true
 
-  /@commitlint/is-ignored@18.4.3:
-    resolution: {integrity: sha512-ZseOY9UfuAI32h9w342Km4AIaTieeFskm2ZKdrG7r31+c6zGBzuny9KQhwI9puc0J3GkUquEgKJblCl7pMnjwg==}
+  /@commitlint/is-ignored@19.0.3:
+    resolution: {integrity: sha512-MqDrxJaRSVSzCbPsV6iOKG/Lt52Y+PVwFVexqImmYYFhe51iVJjK2hRhOG2jUAGiUHk4jpdFr0cZPzcBkSzXDQ==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/types': 18.4.3
-      semver: 7.5.4
+      '@commitlint/types': 19.0.3
+      semver: 7.6.0
     dev: true
 
-  /@commitlint/lint@18.4.3:
-    resolution: {integrity: sha512-18u3MRgEXNbnYkMOWoncvq6QB8/90m9TbERKgdPqVvS+zQ/MsuRhdvHYCIXGXZxUb0YI4DV2PC4bPneBV/fYuA==}
+  /@commitlint/lint@19.0.3:
+    resolution: {integrity: sha512-uHPyRqIn57iIplYa5xBr6oNu5aPXKGC4WLeuHfqQHclwIqbJ33g3yA5fIA+/NYnp5ZM2EFiujqHFaVUYj6HlKA==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/is-ignored': 18.4.3
-      '@commitlint/parse': 18.4.3
-      '@commitlint/rules': 18.4.3
-      '@commitlint/types': 18.4.3
+      '@commitlint/is-ignored': 19.0.3
+      '@commitlint/parse': 19.0.3
+      '@commitlint/rules': 19.0.3
+      '@commitlint/types': 19.0.3
     dev: true
 
-  /@commitlint/load@18.4.3(typescript@5.0.2):
-    resolution: {integrity: sha512-v6j2WhvRQJrcJaj5D+EyES2WKTxPpxENmNpNG3Ww8MZGik3jWRXtph0QTzia5ZJyPh2ib5aC/6BIDymkUUM58Q==}
+  /@commitlint/load@19.0.3(@types/node@20.11.20)(typescript@5.0.2):
+    resolution: {integrity: sha512-18Tk/ZcDFRKIoKfEcl7kC+bYkEQ055iyKmGsYDoYWpKf6FUvBrP9bIWapuy/MB+kYiltmP9ITiUx6UXtqC9IRw==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/config-validator': 18.4.3
-      '@commitlint/execute-rule': 18.4.3
-      '@commitlint/resolve-extends': 18.4.3
-      '@commitlint/types': 18.4.3
-      '@types/node': 18.19.3
-      chalk: 4.1.2
+      '@commitlint/config-validator': 19.0.3
+      '@commitlint/execute-rule': 19.0.0
+      '@commitlint/resolve-extends': 19.0.3
+      '@commitlint/types': 19.0.3
+      chalk: 5.3.0
       cosmiconfig: 8.3.6(typescript@5.0.2)
-      cosmiconfig-typescript-loader: 5.0.0(@types/node@18.19.3)(cosmiconfig@8.3.6)(typescript@5.0.2)
+      cosmiconfig-typescript-loader: 5.0.0(@types/node@20.11.20)(cosmiconfig@8.3.6)(typescript@5.0.2)
       lodash.isplainobject: 4.0.6
       lodash.merge: 4.6.2
       lodash.uniq: 4.5.0
-      resolve-from: 5.0.0
     transitivePeerDependencies:
+      - '@types/node'
       - typescript
     dev: true
 
-  /@commitlint/message@18.4.3:
-    resolution: {integrity: sha512-ddJ7AztWUIoEMAXoewx45lKEYEOeOlBVWjk8hDMUGpprkuvWULpaXczqdjwVtjrKT3JhhN+gMs8pm5G3vB2how==}
+  /@commitlint/message@19.0.0:
+    resolution: {integrity: sha512-c9czf6lU+9oF9gVVa2lmKaOARJvt4soRsVmbR7Njwp9FpbBgste5i7l/2l5o8MmbwGh4yE1snfnsy2qyA2r/Fw==}
     engines: {node: '>=v18'}
     dev: true
 
-  /@commitlint/parse@18.4.3:
-    resolution: {integrity: sha512-eoH7CXM9L+/Me96KVcfJ27EIIbA5P9sqw3DqjJhRYuhaULIsPHFs5S5GBDCqT0vKZQDx0DgxhMpW6AQbnKrFtA==}
+  /@commitlint/parse@19.0.3:
+    resolution: {integrity: sha512-Il+tNyOb8VDxN3P6XoBBwWJtKKGzHlitEuXA5BP6ir/3loWlsSqDr5aecl6hZcC/spjq4pHqNh0qPlfeWu38QA==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/types': 18.4.3
+      '@commitlint/types': 19.0.3
       conventional-changelog-angular: 7.0.0
       conventional-commits-parser: 5.0.0
     dev: true
 
-  /@commitlint/read@18.4.3:
-    resolution: {integrity: sha512-H4HGxaYA6OBCimZAtghL+B+SWu8ep4X7BwgmedmqWZRHxRLcX2q0bWBtUm5FsMbluxbOfrJwOs/Z0ah4roP/GQ==}
+  /@commitlint/read@19.0.3:
+    resolution: {integrity: sha512-b5AflTyAXkUx5qKw4TkjjcOccXZHql3JqMi522knTQktq2AubKXFz60Sws+K4FsefwPws6fGz9mqiI/NvsvxFA==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/top-level': 18.4.3
-      '@commitlint/types': 18.4.3
-      fs-extra: 11.1.1
-      git-raw-commits: 2.0.11
+      '@commitlint/top-level': 19.0.0
+      '@commitlint/types': 19.0.3
+      git-raw-commits: 4.0.0
       minimist: 1.2.8
     dev: true
 
-  /@commitlint/resolve-extends@18.4.3:
-    resolution: {integrity: sha512-30sk04LZWf8+SDgJrbJCjM90gTg2LxsD9cykCFeFu+JFHvBFq5ugzp2eO/DJGylAdVaqxej3c7eTSE64hR/lnw==}
+  /@commitlint/resolve-extends@19.0.3:
+    resolution: {integrity: sha512-18BKmta8OC8+Ub+Q3QGM9l27VjQaXobloVXOrMvu8CpEwJYv62vC/t7Ka5kJnsW0tU9q1eMqJFZ/nN9T/cOaIA==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/config-validator': 18.4.3
-      '@commitlint/types': 18.4.3
-      import-fresh: 3.3.0
+      '@commitlint/config-validator': 19.0.3
+      '@commitlint/types': 19.0.3
+      global-directory: 4.0.1
+      import-meta-resolve: 4.0.0
       lodash.mergewith: 4.6.2
       resolve-from: 5.0.0
-      resolve-global: 1.0.0
     dev: true
 
-  /@commitlint/rules@18.4.3:
-    resolution: {integrity: sha512-8KIeukDf45BiY+Lul1T0imSNXF0sMrlLG6JpLLKolkmYVQ6PxxoNOriwyZ3UTFFpaVbPy0rcITaV7U9JCAfDTA==}
+  /@commitlint/rules@19.0.3:
+    resolution: {integrity: sha512-TspKb9VB6svklxNCKKwxhELn7qhtY1rFF8ls58DcFd0F97XoG07xugPjjbVnLqmMkRjZDbDIwBKt9bddOfLaPw==}
     engines: {node: '>=v18'}
     dependencies:
-      '@commitlint/ensure': 18.4.3
-      '@commitlint/message': 18.4.3
-      '@commitlint/to-lines': 18.4.3
-      '@commitlint/types': 18.4.3
-      execa: 5.1.1
+      '@commitlint/ensure': 19.0.3
+      '@commitlint/message': 19.0.0
+      '@commitlint/to-lines': 19.0.0
+      '@commitlint/types': 19.0.3
+      execa: 8.0.1
     dev: true
 
-  /@commitlint/to-lines@18.4.3:
-    resolution: {integrity: sha512-fy1TAleik4Zfru1RJ8ZU6cOSvgSVhUellxd3WZV1D5RwHZETt1sZdcA4mQN2y3VcIZsUNKkW0Mq8CM9/L9harQ==}
+  /@commitlint/to-lines@19.0.0:
+    resolution: {integrity: sha512-vkxWo+VQU5wFhiP9Ub9Sre0FYe019JxFikrALVoD5UGa8/t3yOJEpEhxC5xKiENKKhUkTpEItMTRAjHw2SCpZw==}
     engines: {node: '>=v18'}
     dev: true
 
-  /@commitlint/top-level@18.4.3:
-    resolution: {integrity: sha512-E6fJPBLPFL5R8+XUNSYkj4HekIOuGMyJo3mIx2PkYc3clel+pcWQ7TConqXxNWW4x1ugigiIY2RGot55qUq1hw==}
+  /@commitlint/top-level@19.0.0:
+    resolution: {integrity: sha512-KKjShd6u1aMGNkCkaX4aG1jOGdn7f8ZI8TR1VEuNqUOjWTOdcDSsmglinglJ18JTjuBX5I1PtjrhQCRcixRVFQ==}
     engines: {node: '>=v18'}
     dependencies:
-      find-up: 5.0.0
+      find-up: 7.0.0
     dev: true
 
-  /@commitlint/types@18.4.3:
-    resolution: {integrity: sha512-cvzx+vtY/I2hVBZHCLrpoh+sA0hfuzHwDc+BAFPimYLjJkpHnghQM+z8W/KyLGkygJh3BtI3xXXq+dKjnSWEmA==}
+  /@commitlint/types@19.0.3:
+    resolution: {integrity: sha512-tpyc+7i6bPG9mvaBbtKUeghfyZSDgWquIDfMgqYtTbmZ9Y9VzEm2je9EYcQ0aoz5o7NvGS+rcDec93yO08MHYA==}
     engines: {node: '>=v18'}
     dependencies:
-      chalk: 4.1.2
+      '@types/conventional-commits-parser': 5.0.0
+      chalk: 5.3.0
     dev: true
 
   /@cspotcode/source-map-support@0.8.1:
@@ -6964,57 +6759,264 @@ packages:
       '@csstools/css-tokenizer': 2.2.3
     dev: true
 
-  /@csstools/css-tokenizer@2.0.1:
-    resolution: {integrity: sha512-sYD3H7ReR88S/4+V5VbKiBEUJF4FqvG+8aNJkxqoPAnbhFziDG22IDZc4+h+xA63SfgM+h15lq5OnLeCxQ9nPA==}
-    engines: {node: ^14 || ^16 || >=18}
+  /@csstools/css-tokenizer@2.0.1:
+    resolution: {integrity: sha512-sYD3H7ReR88S/4+V5VbKiBEUJF4FqvG+8aNJkxqoPAnbhFziDG22IDZc4+h+xA63SfgM+h15lq5OnLeCxQ9nPA==}
+    engines: {node: ^14 || ^16 || >=18}
+    dev: true
+
+  /@csstools/css-tokenizer@2.2.3:
+    resolution: {integrity: sha512-pp//EvZ9dUmGuGtG1p+n17gTHEOqu9jO+FiCUjNN3BDmyhdA2Jq9QsVeR7K8/2QCK17HSsioPlTW9ZkzoWb3Lg==}
+    engines: {node: ^14 || ^16 || >=18}
+    dev: true
+
+  /@csstools/media-query-list-parser@2.0.1(@csstools/css-parser-algorithms@2.0.1)(@csstools/css-tokenizer@2.0.1):
+    resolution: {integrity: sha512-X2/OuzEbjaxhzm97UJ+95GrMeT29d1Ib+Pu+paGLuRWZnWRK9sI9r3ikmKXPWGA1C4y4JEdBEFpp9jEqCvLeRA==}
+    engines: {node: ^14 || ^16 || >=18}
+    peerDependencies:
+      '@csstools/css-parser-algorithms': ^2.0.0
+      '@csstools/css-tokenizer': ^2.0.0
+    dependencies:
+      '@csstools/css-parser-algorithms': 2.0.1(@csstools/css-tokenizer@2.0.1)
+      '@csstools/css-tokenizer': 2.0.1
+    dev: true
+
+  /@csstools/media-query-list-parser@2.1.8(@csstools/css-parser-algorithms@2.6.0)(@csstools/css-tokenizer@2.2.3):
+    resolution: {integrity: sha512-DiD3vG5ciNzeuTEoh74S+JMjQDs50R3zlxHnBnfd04YYfA/kh2KiBCGhzqLxlJcNq+7yNQ3stuZZYLX6wK/U2g==}
+    engines: {node: ^14 || ^16 || >=18}
+    peerDependencies:
+      '@csstools/css-parser-algorithms': ^2.6.0
+      '@csstools/css-tokenizer': ^2.2.3
+    dependencies:
+      '@csstools/css-parser-algorithms': 2.6.0(@csstools/css-tokenizer@2.2.3)
+      '@csstools/css-tokenizer': 2.2.3
+    dev: true
+
+  /@csstools/selector-specificity@2.1.1(postcss-selector-parser@6.0.11)(postcss@8.4.31):
+    resolution: {integrity: sha512-jwx+WCqszn53YHOfvFMJJRd/B2GqkCBt+1MJSG6o5/s8+ytHMvDZXsJgUEWLk12UnLd7HYKac4BYU5i/Ron1Cw==}
+    engines: {node: ^14 || ^16 || >=18}
+    peerDependencies:
+      postcss: ^8.4
+      postcss-selector-parser: ^6.0.10
+    dependencies:
+      postcss: 8.4.31
+      postcss-selector-parser: 6.0.11
+    dev: true
+
+  /@csstools/selector-specificity@3.0.2(postcss-selector-parser@6.0.15):
+    resolution: {integrity: sha512-RpHaZ1h9LE7aALeQXmXrJkRG84ZxIsctEN2biEUmFyKpzFM3zZ35eUMcIzZFsw/2olQE6v69+esEqU2f1MKycg==}
+    engines: {node: ^14 || ^16 || >=18}
+    peerDependencies:
+      postcss-selector-parser: ^6.0.13
+    dependencies:
+      postcss-selector-parser: 6.0.15
+    dev: true
+
+  /@esbuild/aix-ppc64@0.19.12:
+    resolution: {integrity: sha512-bmoCYyWdEL3wDQIVbcyzRyeKLgk2WtWLTWz1ZIAZF/EGbNOwSA6ew3PftJ1PqMiOOGu0OyFMzG53L0zqIpPeNA==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [aix]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/android-arm64@0.19.12:
+    resolution: {integrity: sha512-P0UVNGIienjZv3f5zq0DP3Nt2IE/3plFzuaS96vihvD0Hd6H/q4WXUGpCxD/E8YrSXfNyRPbpTq+T8ZQioSuPA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [android]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/android-arm@0.19.12:
+    resolution: {integrity: sha512-qg/Lj1mu3CdQlDEEiWrlC4eaPZ1KztwGJ9B6J+/6G+/4ewxJg7gqj8eVYWvao1bXrqGiW2rsBZFSX3q2lcW05w==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [android]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/android-x64@0.19.12:
+    resolution: {integrity: sha512-3k7ZoUW6Q6YqhdhIaq/WZ7HwBpnFBlW905Fa4s4qWJyiNOgT1dOqDiVAQFwBH7gBRZr17gLrlFCRzF6jFh7Kew==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [android]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/darwin-arm64@0.19.12:
+    resolution: {integrity: sha512-B6IeSgZgtEzGC42jsI+YYu9Z3HKRxp8ZT3cqhvliEHovq8HSX2YX8lNocDn79gCKJXOSaEot9MVYky7AKjCs8g==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [darwin]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/darwin-x64@0.19.12:
+    resolution: {integrity: sha512-hKoVkKzFiToTgn+41qGhsUJXFlIjxI/jSYeZf3ugemDYZldIXIxhvwN6erJGlX4t5h417iFuheZ7l+YVn05N3A==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [darwin]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/freebsd-arm64@0.19.12:
+    resolution: {integrity: sha512-4aRvFIXmwAcDBw9AueDQ2YnGmz5L6obe5kmPT8Vd+/+x/JMVKCgdcRwH6APrbpNXsPz+K653Qg8HB/oXvXVukA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [freebsd]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/freebsd-x64@0.19.12:
+    resolution: {integrity: sha512-EYoXZ4d8xtBoVN7CEwWY2IN4ho76xjYXqSXMNccFSx2lgqOG/1TBPW0yPx1bJZk94qu3tX0fycJeeQsKovA8gg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [freebsd]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-arm64@0.19.12:
+    resolution: {integrity: sha512-EoTjyYyLuVPfdPLsGVVVC8a0p1BFFvtpQDB/YLEhaXyf/5bczaGeN15QkR+O4S5LeJ92Tqotve7i1jn35qwvdA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-arm@0.19.12:
+    resolution: {integrity: sha512-J5jPms//KhSNv+LO1S1TX1UWp1ucM6N6XuL6ITdKWElCu8wXP72l9MM0zDTzzeikVyqFE6U8YAV9/tFyj0ti+w==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-ia32@0.19.12:
+    resolution: {integrity: sha512-Thsa42rrP1+UIGaWz47uydHSBOgTUnwBwNq59khgIwktK6x60Hivfbux9iNR0eHCHzOLjLMLfUMLCypBkZXMHA==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-loong64@0.19.12:
+    resolution: {integrity: sha512-LiXdXA0s3IqRRjm6rV6XaWATScKAXjI4R4LoDlvO7+yQqFdlr1Bax62sRwkVvRIrwXxvtYEHHI4dm50jAXkuAA==}
+    engines: {node: '>=12'}
+    cpu: [loong64]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-mips64el@0.19.12:
+    resolution: {integrity: sha512-fEnAuj5VGTanfJ07ff0gOA6IPsvrVHLVb6Lyd1g2/ed67oU1eFzL0r9WL7ZzscD+/N6i3dWumGE1Un4f7Amf+w==}
+    engines: {node: '>=12'}
+    cpu: [mips64el]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-ppc64@0.19.12:
+    resolution: {integrity: sha512-nYJA2/QPimDQOh1rKWedNOe3Gfc8PabU7HT3iXWtNUbRzXS9+vgB0Fjaqr//XNbd82mCxHzik2qotuI89cfixg==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-riscv64@0.19.12:
+    resolution: {integrity: sha512-2MueBrlPQCw5dVJJpQdUYgeqIzDQgw3QtiAHUC4RBz9FXPrskyyU3VI1hw7C0BSKB9OduwSJ79FTCqtGMWqJHg==}
+    engines: {node: '>=12'}
+    cpu: [riscv64]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-s390x@0.19.12:
+    resolution: {integrity: sha512-+Pil1Nv3Umes4m3AZKqA2anfhJiVmNCYkPchwFJNEJN5QxmTs1uzyy4TvmDrCRNT2ApwSari7ZIgrPeUx4UZDg==}
+    engines: {node: '>=12'}
+    cpu: [s390x]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/linux-x64@0.19.12:
+    resolution: {integrity: sha512-B71g1QpxfwBvNrfyJdVDexenDIt1CiDN1TIXLbhOw0KhJzE78KIFGX6OJ9MrtC0oOqMWf+0xop4qEU8JrJTwCg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [linux]
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /@esbuild/netbsd-x64@0.19.12:
+    resolution: {integrity: sha512-3ltjQ7n1owJgFbuC61Oj++XhtzmymoCihNFgT84UAmJnxJfm4sYCiSLTXZtE00VWYpPMYc+ZQmB6xbSdVh0JWA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [netbsd]
+    requiresBuild: true
     dev: true
+    optional: true
 
-  /@csstools/css-tokenizer@2.2.3:
-    resolution: {integrity: sha512-pp//EvZ9dUmGuGtG1p+n17gTHEOqu9jO+FiCUjNN3BDmyhdA2Jq9QsVeR7K8/2QCK17HSsioPlTW9ZkzoWb3Lg==}
-    engines: {node: ^14 || ^16 || >=18}
+  /@esbuild/openbsd-x64@0.19.12:
+    resolution: {integrity: sha512-RbrfTB9SWsr0kWmb9srfF+L933uMDdu9BIzdA7os2t0TXhCRjrQyCeOt6wVxr79CKD4c+p+YhCj31HBkYcXebw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [openbsd]
+    requiresBuild: true
     dev: true
+    optional: true
 
-  /@csstools/media-query-list-parser@2.0.1(@csstools/css-parser-algorithms@2.0.1)(@csstools/css-tokenizer@2.0.1):
-    resolution: {integrity: sha512-X2/OuzEbjaxhzm97UJ+95GrMeT29d1Ib+Pu+paGLuRWZnWRK9sI9r3ikmKXPWGA1C4y4JEdBEFpp9jEqCvLeRA==}
-    engines: {node: ^14 || ^16 || >=18}
-    peerDependencies:
-      '@csstools/css-parser-algorithms': ^2.0.0
-      '@csstools/css-tokenizer': ^2.0.0
-    dependencies:
-      '@csstools/css-parser-algorithms': 2.0.1(@csstools/css-tokenizer@2.0.1)
-      '@csstools/css-tokenizer': 2.0.1
+  /@esbuild/sunos-x64@0.19.12:
+    resolution: {integrity: sha512-HKjJwRrW8uWtCQnQOz9qcU3mUZhTUQvi56Q8DPTLLB+DawoiQdjsYq+j+D3s9I8VFtDr+F9CjgXKKC4ss89IeA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [sunos]
+    requiresBuild: true
     dev: true
+    optional: true
 
-  /@csstools/media-query-list-parser@2.1.8(@csstools/css-parser-algorithms@2.6.0)(@csstools/css-tokenizer@2.2.3):
-    resolution: {integrity: sha512-DiD3vG5ciNzeuTEoh74S+JMjQDs50R3zlxHnBnfd04YYfA/kh2KiBCGhzqLxlJcNq+7yNQ3stuZZYLX6wK/U2g==}
-    engines: {node: ^14 || ^16 || >=18}
-    peerDependencies:
-      '@csstools/css-parser-algorithms': ^2.6.0
-      '@csstools/css-tokenizer': ^2.2.3
-    dependencies:
-      '@csstools/css-parser-algorithms': 2.6.0(@csstools/css-tokenizer@2.2.3)
-      '@csstools/css-tokenizer': 2.2.3
+  /@esbuild/win32-arm64@0.19.12:
+    resolution: {integrity: sha512-URgtR1dJnmGvX864pn1B2YUYNzjmXkuJOIqG2HdU62MVS4EHpU2946OZoTMnRUHklGtJdJZ33QfzdjGACXhn1A==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [win32]
+    requiresBuild: true
     dev: true
+    optional: true
 
-  /@csstools/selector-specificity@2.1.1(postcss-selector-parser@6.0.11)(postcss@8.4.31):
-    resolution: {integrity: sha512-jwx+WCqszn53YHOfvFMJJRd/B2GqkCBt+1MJSG6o5/s8+ytHMvDZXsJgUEWLk12UnLd7HYKac4BYU5i/Ron1Cw==}
-    engines: {node: ^14 || ^16 || >=18}
-    peerDependencies:
-      postcss: ^8.4
-      postcss-selector-parser: ^6.0.10
-    dependencies:
-      postcss: 8.4.31
-      postcss-selector-parser: 6.0.11
+  /@esbuild/win32-ia32@0.19.12:
+    resolution: {integrity: sha512-+ZOE6pUkMOJfmxmBZElNOx72NKpIa/HFOMGzu8fqzQJ5kgf6aTGrcJaFsNiVMH4JKpMipyK+7k0n2UXN7a8YKQ==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [win32]
+    requiresBuild: true
     dev: true
+    optional: true
 
-  /@csstools/selector-specificity@3.0.2(postcss-selector-parser@6.0.15):
-    resolution: {integrity: sha512-RpHaZ1h9LE7aALeQXmXrJkRG84ZxIsctEN2biEUmFyKpzFM3zZ35eUMcIzZFsw/2olQE6v69+esEqU2f1MKycg==}
-    engines: {node: ^14 || ^16 || >=18}
-    peerDependencies:
-      postcss-selector-parser: ^6.0.13
-    dependencies:
-      postcss-selector-parser: 6.0.15
+  /@esbuild/win32-x64@0.19.12:
+    resolution: {integrity: sha512-T1QyPSDCyMXaO3pzBkF96E8xMkiRYbUEZADd29SyPGabqxMViNoii+NcK7eWJAEoU6RZyEm5lVSIjTmcdoB9HA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [win32]
+    requiresBuild: true
     dev: true
+    optional: true
 
   /@eslint-community/eslint-utils@4.4.0(eslint@8.44.0):
     resolution: {integrity: sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==}
@@ -7253,13 +7255,6 @@ packages:
       jest-mock: 29.7.0
     dev: true
 
-  /@jest/expect-utils@29.5.0:
-    resolution: {integrity: sha512-fmKzsidoXQT2KwnrwE0SQq3uj8Z763vzR8LnLBwC2qYWEFpjX8daRsk6rHUM1QvNlEW/UJXNXm59ztmJJWs2Mg==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      jest-get-type: 29.4.3
-    dev: true
-
   /@jest/expect-utils@29.7.0:
     resolution: {integrity: sha512-GlsNBWiFQFCVi9QVSx7f5AgMeLxe9YCCs5PuP2O2LdjDAA8Jh9eX7lA1Jq/xdXw3Wb3hyvlFNfZIfcRetSzYcA==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -7334,18 +7329,18 @@ packages:
       exit: 0.1.2
       glob: 7.2.3
       graceful-fs: 4.2.11
-      istanbul-lib-coverage: 3.2.0
+      istanbul-lib-coverage: 3.2.2
       istanbul-lib-instrument: 6.0.1
-      istanbul-lib-report: 3.0.0
+      istanbul-lib-report: 3.0.1
       istanbul-lib-source-maps: 4.0.1
-      istanbul-reports: 3.1.5
+      istanbul-reports: 3.1.7
       jest-message-util: 29.7.0
       jest-util: 29.7.0
       jest-worker: 29.7.0
       slash: 3.0.0
       string-length: 4.0.2
       strip-ansi: 6.0.1
-      v8-to-istanbul: 9.0.1
+      v8-to-istanbul: 9.2.0
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -7426,7 +7421,7 @@ packages:
     dependencies:
       '@babel/core': 7.20.2
       '@jest/types': 29.6.3
-      '@jridgewell/trace-mapping': 0.3.18
+      '@jridgewell/trace-mapping': 0.3.25
       babel-plugin-istanbul: 6.1.1
       chalk: 4.1.2
       convert-source-map: 2.0.0
@@ -7466,18 +7461,6 @@ packages:
       chalk: 4.1.2
     dev: true
 
-  /@jest/types@29.3.1:
-    resolution: {integrity: sha512-d0S0jmmTpjnhCmNpApgX3jrUZgZ22ivKJRvL2lli5hpCRoNnp1f85r2/wpKfXuYu8E7Jjh1hGfhPyup1NM5AmA==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      '@jest/schemas': 29.0.0
-      '@types/istanbul-lib-coverage': 2.0.4
-      '@types/istanbul-reports': 3.0.1
-      '@types/node': 20.11.20
-      '@types/yargs': 17.0.13
-      chalk: 4.1.2
-    dev: true
-
   /@jest/types@29.5.0:
     resolution: {integrity: sha512-qbu7kN6czmVRc3xWFQcAN03RAUamgppVUdXrvl1Wr3jlNF93o9mJbGcDWrwGB6ht44u7efB1qCFgVQmca24Uog==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -7502,21 +7485,13 @@ packages:
       chalk: 4.1.2
     dev: true
 
-  /@jridgewell/gen-mapping@0.1.1:
-    resolution: {integrity: sha512-sQXCasFk+U8lWYEe66WxRDOE9PjVz4vSM51fTu3Hw+ClTpUSQb718772vH3pyS5pShp6lvQM7SxgIDXXXmOX7w==}
-    engines: {node: '>=6.0.0'}
-    dependencies:
-      '@jridgewell/set-array': 1.1.2
-      '@jridgewell/sourcemap-codec': 1.4.15
-    dev: true
-
-  /@jridgewell/gen-mapping@0.3.2:
-    resolution: {integrity: sha512-mh65xKQAzI6iBcFzwv28KVWSmCkdRBWoOh+bYQGW3+6OZvbbN3TqMGo5hqYxQniRcH9F2VZIoJCm4pa3BPDK/A==}
+  /@jridgewell/gen-mapping@0.3.5:
+    resolution: {integrity: sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==}
     engines: {node: '>=6.0.0'}
     dependencies:
-      '@jridgewell/set-array': 1.1.2
+      '@jridgewell/set-array': 1.2.1
       '@jridgewell/sourcemap-codec': 1.4.15
-      '@jridgewell/trace-mapping': 0.3.18
+      '@jridgewell/trace-mapping': 0.3.25
     dev: true
 
   /@jridgewell/resolve-uri@3.1.0:
@@ -7524,18 +7499,11 @@ packages:
     engines: {node: '>=6.0.0'}
     dev: true
 
-  /@jridgewell/set-array@1.1.2:
-    resolution: {integrity: sha512-xnkseuNADM0gt2bs+BvhO0p78Mk762YnZdsuzFV018NoG1Sj1SCQvpSqa7XUaTam5vAGasABV9qXASMKnFMwMw==}
+  /@jridgewell/set-array@1.2.1:
+    resolution: {integrity: sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==}
     engines: {node: '>=6.0.0'}
     dev: true
 
-  /@jridgewell/source-map@0.3.5:
-    resolution: {integrity: sha512-UTYAUj/wviwdsMfzoSJspJxbkH5o1snzwX0//0ENX1u/55kkZZkcTZP6u9bwKGkv+dkk9at4m1Cpt0uY80kcpQ==}
-    dependencies:
-      '@jridgewell/gen-mapping': 0.3.2
-      '@jridgewell/trace-mapping': 0.3.18
-    dev: true
-
   /@jridgewell/sourcemap-codec@1.4.14:
     resolution: {integrity: sha512-XPSJHWmi394fuUuzDnGz1wiKqWfo1yXecHQMRf2l6hztTO+nPru658AyDngaBe7isIxEkRsPR3FZh+s7iVa4Uw==}
     dev: true
@@ -7551,6 +7519,13 @@ packages:
       '@jridgewell/sourcemap-codec': 1.4.14
     dev: true
 
+  /@jridgewell/trace-mapping@0.3.25:
+    resolution: {integrity: sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==}
+    dependencies:
+      '@jridgewell/resolve-uri': 3.1.0
+      '@jridgewell/sourcemap-codec': 1.4.15
+    dev: true
+
   /@jridgewell/trace-mapping@0.3.9:
     resolution: {integrity: sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==}
     dependencies:
@@ -7652,54 +7627,54 @@ packages:
       tiny-cookie: 2.4.1
     dev: false
 
-  /@logto/browser@2.2.3:
-    resolution: {integrity: sha512-9xVLXhdF1s82HnCy7H7/uQBGlrhIYg/NQIs+ZtjImH5xrp3wGqw8qtxIKqOa30gC0zA4uTcE1wfUyAp9yFGMLQ==}
+  /@logto/browser@2.2.7:
+    resolution: {integrity: sha512-+tB4QWB4/JSO5pXItX491mRR4Id5dsYlEJchI0gPC8JNX7cl4968/oDXhqQ42XWqFnqX3W5Wx7RgKeV6JtTMhg==}
     dependencies:
-      '@logto/client': 2.4.0
+      '@logto/client': 2.6.3
       '@silverhand/essentials': 2.9.0
       js-base64: 3.7.5
     dev: true
 
-  /@logto/client@2.4.0:
-    resolution: {integrity: sha512-gdswqI5yuov7H/8SU2GoFDKRrlwTbhhRleq2Pnf5Yphq+Kvggu7j7EsixGE97QzomPfe2x8eeWtWoHyI96Q5qA==}
+  /@logto/client@2.6.3:
+    resolution: {integrity: sha512-uZphb17TZD2rXTiYfhPaIpiavMbUec+WwznIWIm2wJ9x4th8UO05egw9eTPiSaoEOZSuoPs6oWBROP1SQ00iBg==}
     dependencies:
-      '@logto/js': 4.0.0
+      '@logto/js': 4.1.1
       '@silverhand/essentials': 2.9.0
       camelcase-keys: 7.0.2
       jose: 5.2.2
     dev: true
 
-  /@logto/cloud@0.2.5-faca9a9(zod@3.22.4):
-    resolution: {integrity: sha512-hUiuzOPd4bKIV6fIKZLQW2Fc8JYmwKWWps7gZoxGbL3uLmAYYci5JHIP+vM7nbNS+oK1V141sy3JjNS1vAkvGA==}
+  /@logto/cloud@0.2.5-ab8a489(zod@3.22.4):
+    resolution: {integrity: sha512-nUD1n2CDe/nu6x4cOhXfJ5VyKKDqkKv+a/u9zSfbIMxIF0nShybd2LiCYJDO0SPuMqLnmlYFg+79KrdPCNvjIQ==}
     engines: {node: ^20.9.0}
     dependencies:
       '@silverhand/essentials': 2.9.0
-      '@withtyped/server': 0.12.9(zod@3.22.4)
+      '@withtyped/server': 0.13.3(zod@3.22.4)
     transitivePeerDependencies:
       - zod
     dev: true
 
-  /@logto/js@4.0.0:
-    resolution: {integrity: sha512-eKLS0HqFjQyf7imKTf2a7FUmMuNeebxFZ2b5A/1qUWSyO+BIxSu0XYI4JZ9qjtWNPvlGmL+jPOkIUuWQ9DZYZw==}
+  /@logto/js@4.1.1:
+    resolution: {integrity: sha512-+RgthBvDw30UojirtAjZeHNfOwDQVURmpjcIBYTIf6afx5F5jJq8b1D/eaFbrCFrmXmatkT2iN7X8kYHui86WQ==}
     dependencies:
       '@silverhand/essentials': 2.9.0
       camelcase-keys: 7.0.2
     dev: true
 
-  /@logto/node@2.4.0:
-    resolution: {integrity: sha512-7e6uUfAqFIKdOrVqEBrLF5mY3oM1lJeix7vME/llbBSZQ4wtFzQOQlPaa62tzA1n77ZSHV5LxOqvdBqcTIkW4Q==}
+  /@logto/node@2.4.4:
+    resolution: {integrity: sha512-3qkhXQKGZX5cVBfWT6n2l0kN9ln3fPShXngHaY5LTBBRd0b2e20h1XIrXCdoGoMmdSp1zntEo2PMv0+fBodzcw==}
     dependencies:
-      '@logto/client': 2.4.0
+      '@logto/client': 2.6.3
       '@silverhand/essentials': 2.9.0
       js-base64: 3.7.5
     dev: true
 
-  /@logto/react@3.0.0(react@18.2.0):
-    resolution: {integrity: sha512-+c0AaPGTLlPszjQJK6qpDULwtZsiaEFoPcgipazvqmj85PRehZplrM2qoBPT/Z/IjJhnA8GM3fin/TPILEbnKQ==}
+  /@logto/react@3.0.5(react@18.2.0):
+    resolution: {integrity: sha512-oCwKBGRf79QRo/MixPi8C8myZwHOx7eMon3/05nho0iiwBPllI2zSUJ7jUOnlFFnKTOLYV03l8pEMFnF+ODKyw==}
     peerDependencies:
       react: '>=16.8.0 || ^18.0.0'
     dependencies:
-      '@logto/browser': 2.2.3
+      '@logto/browser': 2.2.7
       '@silverhand/essentials': 2.9.0
       react: 18.2.0
     dev: true
@@ -7935,6 +7910,28 @@ packages:
       json5: 2.2.1
     dev: true
 
+  /@monaco-editor/loader@1.4.0(monaco-editor@0.46.0):
+    resolution: {integrity: sha512-00ioBig0x642hytVspPl7DbQyaSWRaolYie/UFNjoTdvoKPzo6xrXLhTk9ixgIKcLH5b5vDOjVNiGyY+uDCUlg==}
+    peerDependencies:
+      monaco-editor: '>= 0.21.0 < 1'
+    dependencies:
+      monaco-editor: 0.46.0
+      state-local: 1.0.7
+    dev: true
+
+  /@monaco-editor/react@4.6.0(monaco-editor@0.46.0)(react-dom@18.2.0)(react@18.2.0):
+    resolution: {integrity: sha512-RFkU9/i7cN2bsq/iTkurMWOEErmYcY6JiQI3Jn+WeR/FGISH8JbHERjpS9oRuSOPvDMJI0Z8nJeKkbOs9sBYQw==}
+    peerDependencies:
+      monaco-editor: '>= 0.25.0 < 1'
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0
+      react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0
+    dependencies:
+      '@monaco-editor/loader': 1.4.0(monaco-editor@0.46.0)
+      monaco-editor: 0.46.0
+      react: 18.2.0
+      react-dom: 18.2.0(react@18.2.0)
+    dev: true
+
   /@msgpackr-extract/msgpackr-extract-darwin-arm64@3.0.2:
     resolution: {integrity: sha512-9bfjwDxIDWmmOKusUcqdS4Rw+SETlp9Dy39Xui9BEGEk19dDwH0jhipwFzEff/pFg95NKymc6TOTbRKcWeRqyQ==}
     cpu: [arm64]
@@ -8931,18 +8928,19 @@ packages:
       tslib: 2.6.2
     dev: true
 
-  /@puppeteer/browsers@1.5.0:
-    resolution: {integrity: sha512-za318PweGINh5LnHSph7C4xhs0tmRjCD8EPpzcKlw4nzSPhnULj+LTG3+TGefZvW1ti5gjw2JkdQvQsivBeZlg==}
-    engines: {node: '>=16.3.0'}
+  /@puppeteer/browsers@2.2.0:
+    resolution: {integrity: sha512-MC7LxpcBtdfTbzwARXIkqGZ1Osn3nnZJlm+i0+VqHl72t//Xwl9wICrXT8BwtgC6s1xJNHsxOpvzISUqe92+sw==}
+    engines: {node: '>=18'}
     hasBin: true
     dependencies:
       debug: 4.3.4
       extract-zip: 2.0.1
       progress: 2.0.3
-      proxy-agent: 6.3.0
-      tar-fs: 3.0.4
+      proxy-agent: 6.4.0
+      semver: 7.6.0
+      tar-fs: 3.0.5
       unbzip2-stream: 1.4.3
-      yargs: 17.7.1
+      yargs: 17.7.2
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -9377,6 +9375,28 @@ packages:
     resolution: {integrity: sha512-n9mSO/gsLj0GRFXBRNhaQLRK6qbn6pBnKjMQdFwweKgT12ODBXpgkpXohpOBqSofnoaCQWqiDAT6xpCy/5dMIg==}
     engines: {node: ^18.12.0 || ^20.9.0, pnpm: ^8.0.0}
 
+  /@silverhand/slonik@31.0.0-beta.2:
+    resolution: {integrity: sha512-4IM57Er5We8+hT8IY9z5La1JAGNRFZ63tp3N0XYUYTNV9fLfUXF78yT+PoW4arnf4qc+4n498bMmKgFmt/mo9Q==}
+    engines: {node: ^20.9.0}
+    dependencies:
+      '@types/pg': 8.11.2
+      camelcase: 8.0.0
+      fast-safe-stringify: 2.1.1
+      get-stack-trace: 2.1.1
+      iso8601-duration: 2.1.2
+      p-defer: 4.0.0
+      pg: 8.11.3
+      pg-cursor: 2.10.3(pg@8.11.3)
+      pg-protocol: 1.6.0
+      pg-types: 4.0.2
+      postgres-array: 3.0.2
+      postgres-interval: 4.0.2
+      roarr: 7.21.1
+      serialize-error: 11.0.3
+      through2: 4.0.2
+    transitivePeerDependencies:
+      - pg-native
+
   /@silverhand/ts-config-react@5.0.0(typescript@5.3.3):
     resolution: {integrity: sha512-DQpaG49sY36FhpyFIRAmTA5bG9ASFUVXu+yi29bMdLls51r9nEoBuWxWv2Sh3GnSGxKLq4gmFf+U8Zy/qcnX1w==}
     engines: {node: ^20.9.0}
@@ -9442,6 +9462,7 @@ packages:
   /@sindresorhus/is@6.1.0:
     resolution: {integrity: sha512-BuvU07zq3tQ/2SIgBsEuxKYDyDjC0n7Zir52bpHy2xnBbW81+po43aLFPLbeV3HRAheFbGud1qgcqSYfhtHMAg==}
     engines: {node: '>=16'}
+    dev: false
 
   /@sinonjs/commons@2.0.0:
     resolution: {integrity: sha512-uLa0j859mMrg2slwQYdO/AkrOfmH+X6LTVmNTS9CqexuE2IvVORIkSpJLqePAbEnKJ77aMmCwr1NUZ57120Xcg==}
@@ -9750,6 +9771,7 @@ packages:
     engines: {node: '>=14.16'}
     dependencies:
       defer-to-connect: 2.0.1
+    dev: false
 
   /@testing-library/dom@9.0.0:
     resolution: {integrity: sha512-+/TLgKNFsYUshOY/zXsQOk+PlFQK+eyJ9T13IDVNJEi+M+Un7xlJK+FZKkbGSnf0+7E1G6PlDhkSYQ/GFiruBQ==}
@@ -9903,6 +9925,12 @@ packages:
     resolution: {integrity: sha512-0mPF08jn9zYI0n0Q/Pnz7C4kThdSt+6LD4amsrYDDpgBfrVWa3TcCOxKX1zkGgYniGagRv8heN2cbh+CAn+uuQ==}
     dev: true
 
+  /@types/conventional-commits-parser@5.0.0:
+    resolution: {integrity: sha512-loB369iXNmAZglwWATL+WRe+CRMmmBPtpolYzIebFaX4YA3x+BEfLqhUAV9WanycKI3TG1IMr5bMJDajDKLlUQ==}
+    dependencies:
+      '@types/node': 20.11.20
+    dev: true
+
   /@types/cookiejar@2.1.5:
     resolution: {integrity: sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==}
     dev: true
@@ -9983,6 +10011,7 @@ packages:
 
   /@types/http-cache-semantics@4.0.4:
     resolution: {integrity: sha512-1m0bIFVc7eJWyve9S0RnuRgcQqF/Xd5QsUZAZeQFr1Q3/p9JWoQQEqmVy+DPTNpGXwhgIetAoYF8JSc33q29QA==}
+    dev: false
 
   /@types/http-errors@1.8.2:
     resolution: {integrity: sha512-EqX+YQxINb+MeXaIqYDASb6U6FCHbWjkj4a1CKDBks3d/QiB2+PqBLyO72vLDgAO1wUI4O+9gweRcQK11bTL/w==}
@@ -10020,8 +10049,8 @@ packages:
   /@types/jest@29.4.0:
     resolution: {integrity: sha512-VaywcGQ9tPorCX/Jkkni7RWGFfI11whqzs8dvxF41P17Z+z872thvEvlIbznjPJ02kl1HMX3LmLOonsj2n7HeQ==}
     dependencies:
-      expect: 29.5.0
-      pretty-format: 29.5.0
+      expect: 29.7.0
+      pretty-format: 29.7.0
     dev: true
 
   /@types/jsdom@20.0.0:
@@ -10147,12 +10176,6 @@ packages:
     resolution: {integrity: sha512-J8xLz7q2OFulZ2cyGTLE1TbbZcjpno7FaN6zdJNrgAdrJ+DZzh/uFR6YrTb4C+nXakvud8Q4+rbhoIWlYQbUFQ==}
     dev: true
 
-  /@types/node@18.19.3:
-    resolution: {integrity: sha512-k5fggr14DwAytoA/t8rPrIz++lXK7/DqckthCmoZOKNsEbJkId4Z//BqgApXBUGrGddrigYa1oqheo/7YmW4rg==}
-    dependencies:
-      undici-types: 5.26.5
-    dev: true
-
   /@types/node@20.10.4:
     resolution: {integrity: sha512-D08YG6rr8X90YB56tSIuBaddy/UXAA9RKJoFvrsnogAum/0pmjkgi4+2nx96A330FmioegBWmEYQ+syqCFaveg==}
     dependencies:
@@ -10186,11 +10209,19 @@ packages:
 
   /@types/parse-json@4.0.0:
     resolution: {integrity: sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==}
+    dev: true
 
   /@types/parse5@5.0.3:
     resolution: {integrity: sha512-kUNnecmtkunAoQ3CnjmMkzNU/gtxG8guhi+Fk2U/kOpIKjIMKnXGp4IJCgQJrXSgMsWYimYG4TGjz/UzbGEBTw==}
     dev: true
 
+  /@types/pg@8.11.2:
+    resolution: {integrity: sha512-G2Mjygf2jFMU/9hCaTYxJrwdObdcnuQde1gndooZSOHsNSaCehAuwc7EIuSA34Do8Jx2yZ19KtvW8P0j4EuUXw==}
+    dependencies:
+      '@types/node': 20.11.20
+      pg-protocol: 1.6.0
+      pg-types: 4.0.2
+
   /@types/pg@8.6.6:
     resolution: {integrity: sha512-O2xNmXebtwVekJDD+02udOncjVcMZQuTEQEMpKJ0ZRf5E7/9JJX3izhKUcUifBkyKpljyUM6BTgy2trmviKlpw==}
     dependencies:
@@ -10530,16 +10561,79 @@ packages:
     resolution: {integrity: sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==}
     dev: true
 
-  /@withtyped/client@0.7.22(zod@3.22.4):
-    resolution: {integrity: sha512-emNtcO0jc0dFWhvL7eUIRYzhTfn+JqgIvCmXb8ZUFOR8wdSSGrr9VDlm+wgQD06DEBBpmqtTHMMHTNXJdUC/Qw==}
+  /@vitest/coverage-v8@1.4.0(vitest@1.4.0):
+    resolution: {integrity: sha512-4hDGyH1SvKpgZnIByr9LhGgCEuF9DKM34IBLCC/fVfy24Z3+PZ+Ii9hsVBsHvY1umM1aGPEjceRkzxCfcQ10wg==}
+    peerDependencies:
+      vitest: 1.4.0
+    dependencies:
+      '@ampproject/remapping': 2.3.0
+      '@bcoe/v8-coverage': 0.2.3
+      debug: 4.3.4
+      istanbul-lib-coverage: 3.2.2
+      istanbul-lib-report: 3.0.1
+      istanbul-lib-source-maps: 5.0.4
+      istanbul-reports: 3.1.7
+      magic-string: 0.30.7
+      magicast: 0.3.3
+      picocolors: 1.0.0
+      std-env: 3.7.0
+      strip-literal: 2.0.0
+      test-exclude: 6.0.0
+      v8-to-istanbul: 9.2.0
+      vitest: 1.4.0(@types/node@20.10.4)
+    transitivePeerDependencies:
+      - supports-color
+    dev: true
+
+  /@vitest/expect@1.4.0:
+    resolution: {integrity: sha512-Jths0sWCJZ8BxjKe+p+eKsoqev1/T8lYcrjavEaz8auEJ4jAVY0GwW3JKmdVU4mmNPLPHixh4GNXP7GFtAiDHA==}
+    dependencies:
+      '@vitest/spy': 1.4.0
+      '@vitest/utils': 1.4.0
+      chai: 4.4.1
+    dev: true
+
+  /@vitest/runner@1.4.0:
+    resolution: {integrity: sha512-EDYVSmesqlQ4RD2VvWo3hQgTJ7ZrFQ2VSJdfiJiArkCerDAGeyF1i6dHkmySqk573jLp6d/cfqCN+7wUB5tLgg==}
+    dependencies:
+      '@vitest/utils': 1.4.0
+      p-limit: 5.0.0
+      pathe: 1.1.2
+    dev: true
+
+  /@vitest/snapshot@1.4.0:
+    resolution: {integrity: sha512-saAFnt5pPIA5qDGxOHxJ/XxhMFKkUSBJmVt5VgDsAqPTX6JP326r5C/c9UuCMPoXNzuudTPsYDZCoJ5ilpqG2A==}
+    dependencies:
+      magic-string: 0.30.7
+      pathe: 1.1.2
+      pretty-format: 29.7.0
+    dev: true
+
+  /@vitest/spy@1.4.0:
+    resolution: {integrity: sha512-Ywau/Qs1DzM/8Uc+yA77CwSegizMlcgTJuYGAi0jujOteJOUf1ujunHThYo243KG9nAyWT3L9ifPYZ5+As/+6Q==}
+    dependencies:
+      tinyspy: 2.2.1
+    dev: true
+
+  /@vitest/utils@1.4.0:
+    resolution: {integrity: sha512-mx3Yd1/6e2Vt/PUC98DcqTirtfxUyAZ32uK82r8rZzbtBeBo+nqgnjx/LvqQdWsrvNtm14VmurNgcf4nqY5gJg==}
+    dependencies:
+      diff-sequences: 29.6.3
+      estree-walker: 3.0.3
+      loupe: 2.3.7
+      pretty-format: 29.7.0
+    dev: true
+
+  /@withtyped/client@0.8.4(zod@3.22.4):
+    resolution: {integrity: sha512-oX19xZRjUASZLWUzQW4LKhLsDgtwFfWU7mgReKiY/tddwvHLoakLqz1o1MvRDuz+EOoYrQM+VpkwJeMsnbNT1w==}
     dependencies:
-      '@withtyped/server': 0.12.9(zod@3.22.4)
+      '@withtyped/server': 0.13.3(zod@3.22.4)
       '@withtyped/shared': 0.2.2
     transitivePeerDependencies:
       - zod
 
-  /@withtyped/server@0.12.9(zod@3.22.4):
-    resolution: {integrity: sha512-K5zoV9D+WpawbghtlJKF1KOshKkBjq+gYzNRWuZk13YmFWFLcmZn+QCblNP55z9IGdcHWpTRknqb1APuicdzgA==}
+  /@withtyped/server@0.13.3(zod@3.22.4):
+    resolution: {integrity: sha512-MPyjRPQd5JySDnMnXPxGXXnw7AACAl8TLhWPjm4sdBgVMssSrmBbjRxBep0jY64PJ3xzICZh0ArWTRdXyNFIog==}
     peerDependencies:
       zod: ^3.19.1
     dependencies:
@@ -10600,7 +10694,7 @@ packages:
     resolution: {integrity: sha512-umOSDSDrfHbTNPuNpC2NSnnA3LUrqpevPb4T9jRx4MagXNS0rs+gwiTcAvqCRmsD6utzsrzNt+ebm00SNWiC3Q==}
     dependencies:
       acorn: 8.10.0
-      acorn-walk: 8.2.0
+      acorn-walk: 8.3.2
     dev: true
 
   /acorn-jsx@5.3.2(acorn@8.10.0):
@@ -10616,12 +10710,23 @@ packages:
     engines: {node: '>=0.4.0'}
     dev: true
 
+  /acorn-walk@8.3.2:
+    resolution: {integrity: sha512-cjkyv4OtNCIeqhHrfS81QWXoCBPExR/J62oyEqepVw8WaQeSqpW2uhuLPh1m9eWhDuOo/jUXVTlifvesOWp/4A==}
+    engines: {node: '>=0.4.0'}
+    dev: true
+
   /acorn@8.10.0:
     resolution: {integrity: sha512-F0SAmZ8iUtS//m8DmCTA0jlh6TDKkHQyK6xc6V4KDTyZKA9dnvX9/3sRTVQrWm79glUAZbnmmNcdYwUIHWVybw==}
     engines: {node: '>=0.4.0'}
     hasBin: true
     dev: true
 
+  /acorn@8.11.3:
+    resolution: {integrity: sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg==}
+    engines: {node: '>=0.4.0'}
+    hasBin: true
+    dev: true
+
   /agent-base@6.0.2:
     resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==}
     engines: {node: '>= 6.0.0'}
@@ -10703,11 +10808,6 @@ packages:
       type-fest: 3.13.1
     dev: false
 
-  /ansi-regex@4.1.1:
-    resolution: {integrity: sha512-ILlv4k/3f6vfQ4OoP2AGvirOktlQ98ZEL1k9FaQjxa3L1abBgbuTDAdPOpvbGncC0BTVQrl+OM8xZGK6tWXt7g==}
-    engines: {node: '>=6'}
-    dev: false
-
   /ansi-regex@5.0.1:
     resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
     engines: {node: '>=8'}
@@ -10869,6 +10969,10 @@ packages:
       tslib: 2.6.2
     dev: false
 
+  /assertion-error@1.1.0:
+    resolution: {integrity: sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw==}
+    dev: true
+
   /ast-types-flow@0.0.7:
     resolution: {integrity: sha512-eBvWn1lvIApYMhzQMsu9ciLfkBY499mFZlNqG+/9WR7PVlroQw0vG30cOQQbaKz3sCEc44TAOu2ykzqXSNnwag==}
     dev: true
@@ -10880,11 +10984,6 @@ packages:
       tslib: 2.6.2
     dev: true
 
-  /astral-regex@1.0.0:
-    resolution: {integrity: sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg==}
-    engines: {node: '>=4'}
-    dev: false
-
   /astral-regex@2.0.0:
     resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
     engines: {node: '>=8'}
@@ -11006,14 +11105,6 @@ packages:
       '@types/babel__traverse': 7.18.2
     dev: true
 
-  /babel-plugin-macros@2.8.0:
-    resolution: {integrity: sha512-SEP5kJpfGYqYKpBrj5XU3ahw5p5GOHJ0U5ssOSQ/WBVdwkD2Dzlce95exQTs3jOVWPPKLBN2rlEWkCK7dSmLvg==}
-    dependencies:
-      '@babel/runtime': 7.21.0
-      cosmiconfig: 6.0.0
-      resolve: 1.22.2
-    dev: false
-
   /babel-preset-current-node-syntax@1.0.1(@babel/core@7.20.2):
     resolution: {integrity: sha512-M7LQ0bxarkxQoN+vz5aJPsLBn77n8QgTFmo8WK0/44auK2xlCXrYcUxHFxgU7qW5Yzw/CjmLRK2uJzaCd7LvqQ==}
     peerDependencies:
@@ -11061,6 +11152,37 @@ packages:
     resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==}
     dev: true
 
+  /bare-events@2.2.2:
+    resolution: {integrity: sha512-h7z00dWdG0PYOQEvChhOSWvOfkIKsdZGkWr083FgN/HyoQuebSew/cgirYqh9SCuy/hRvxc5Vy6Fw8xAmYHLkQ==}
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /bare-fs@2.2.2:
+    resolution: {integrity: sha512-X9IqgvyB0/VA5OZJyb5ZstoN62AzD7YxVGog13kkfYWYqJYcK0kcqLZ6TrmH5qr4/8//ejVcX4x/a0UvaogXmA==}
+    requiresBuild: true
+    dependencies:
+      bare-events: 2.2.2
+      bare-os: 2.2.1
+      bare-path: 2.1.0
+      streamx: 2.15.1
+    dev: true
+    optional: true
+
+  /bare-os@2.2.1:
+    resolution: {integrity: sha512-OwPyHgBBMkhC29Hl3O4/YfxW9n7mdTr2+SsO29XBWKKJsbgj3mnorDB80r5TiCQgQstgE5ga1qNYrpes6NvX2w==}
+    requiresBuild: true
+    dev: true
+    optional: true
+
+  /bare-path@2.1.0:
+    resolution: {integrity: sha512-DIIg7ts8bdRKwJRJrUMy/PICEaQZaPGZ26lsSx9MJSwIhSrcdHn7/C8W+XmnG/rKi6BaRcz+JO00CjZteybDtw==}
+    requiresBuild: true
+    dependencies:
+      bare-os: 2.2.1
+    dev: true
+    optional: true
+
   /base-x@3.0.9:
     resolution: {integrity: sha512-H7JU6iBHTal1gp56aKoaa//YUxEaAOUiydvrV/pILqIHXTtqxSkATOnDA2u+jZ/61sD+L/412+7kzXRtWukhpQ==}
     dependencies:
@@ -11091,13 +11213,6 @@ packages:
     engines: {node: '>=8'}
     dev: true
 
-  /bl@4.1.0:
-    resolution: {integrity: sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==}
-    dependencies:
-      buffer: 5.7.1
-      inherits: 2.0.4
-      readable-stream: 3.6.2
-
   /bl@5.1.0:
     resolution: {integrity: sha512-tv1ZJHLfTDnXE6tMHv73YgSJaWR2AFuPwMntBe7XL/GBFHnT0CLnsHMogfk5+GzCDC5ZWarSCYaIGATZt9dNsQ==}
     dependencies:
@@ -11146,13 +11261,6 @@ packages:
       wcwidth: 1.0.1
     dev: true
 
-  /brotli-size@4.0.0:
-    resolution: {integrity: sha512-uA9fOtlTRC0iqKfzff1W34DXUA3GyVqbUaeo3Rw3d4gd1eavKVCETXrn3NzO74W+UVkG3UHu8WxUi+XvKI/huA==}
-    engines: {node: '>= 10.16.0'}
-    dependencies:
-      duplexer: 0.1.1
-    dev: true
-
   /browserslist@4.21.4:
     resolution: {integrity: sha512-CBHJJdDmgjl3daYjN5Cp5kbTf1mUhZoS+beLklHIvkOWscs83YAhLlF3Wsh/lciQYAcbBJgTOD44VtG31ZM4Hw==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
@@ -11180,6 +11288,7 @@ packages:
 
   /buffer-from@1.1.2:
     resolution: {integrity: sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==}
+    dev: true
 
   /buffer-writer@2.0.0:
     resolution: {integrity: sha512-a7ZpuTZU1TRtnwyCNW3I5dc0wWNC3VR9S++Ewyk2HHZdrO3CQJqSpd+95Us590V6AL7JqUAH2IwZ/398PmNFgw==}
@@ -11190,6 +11299,7 @@ packages:
     dependencies:
       base64-js: 1.5.1
       ieee754: 1.2.1
+    dev: true
 
   /buffer@6.0.3:
     resolution: {integrity: sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==}
@@ -11198,10 +11308,6 @@ packages:
       ieee754: 1.2.1
     dev: false
 
-  /bufferput@0.1.3:
-    resolution: {integrity: sha512-nmPV88vDNzf0VMU1bdQ4A1oBlRR9y+CXfwWKfyKUgI2ZIkvreNzLMM3tkz0Lapb6f+Cz1V001UWRBsoGVCjqdw==}
-    engines: {node: '>=0.3.0'}
-
   /builtin-modules@3.3.0:
     resolution: {integrity: sha512-zhaCDicdLuWN5UbN5IMnFqNMhNfo919sH85y2/ea+5Yg9TsTkeZxpL+JLbp6cgYFS4sRLp3YV4S6yDuqVWHYOw==}
     engines: {node: '>=6'}
@@ -11217,6 +11323,11 @@ packages:
     engines: {node: '>= 0.8'}
     dev: false
 
+  /cac@6.7.14:
+    resolution: {integrity: sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==}
+    engines: {node: '>=8'}
+    dev: true
+
   /cache-content-type@1.0.1:
     resolution: {integrity: sha512-IKufZ1o4Ut42YUrZSo8+qnMTrFuKkvyoLXUywKz9GJ5BrhOFGhLdkx9sG4KAnVvbY6kEcSFjLQul+DVmBm2bgA==}
     engines: {node: '>= 6.0.0'}
@@ -11227,6 +11338,7 @@ packages:
   /cacheable-lookup@7.0.0:
     resolution: {integrity: sha512-+qJyx4xiKra8mZrcwhjMRMUhD5NR1R8esPkzIYxX96JiecFoxAXFuz/GpR3+ev4PE1WamHip78wV0vcmPQtp8w==}
     engines: {node: '>=14.16'}
+    dev: false
 
   /cacheable-request@10.2.14:
     resolution: {integrity: sha512-zkDT5WAF4hSSoUgyfg5tFIxz8XQK+25W/TLVojJTMKBaxevLBBtLxgqguAuVQB8PVW79FVjHcU+GJ9tVbDZ9mQ==}
@@ -11239,6 +11351,7 @@ packages:
       mimic-response: 4.0.0
       normalize-url: 8.0.0
       responselike: 3.0.0
+    dev: false
 
   /call-bind@1.0.2:
     resolution: {integrity: sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==}
@@ -11253,6 +11366,7 @@ packages:
   /callsites@3.1.0:
     resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
     engines: {node: '>=6'}
+    dev: true
 
   /camelcase-css@2.0.1:
     resolution: {integrity: sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==}
@@ -11333,6 +11447,19 @@ packages:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
     dev: true
 
+  /chai@4.4.1:
+    resolution: {integrity: sha512-13sOfMv2+DWduEU+/xbun3LScLoqN17nBeTLUsmDfKdoiC1fr0n9PU4guu4AhRcOVFk/sW8LyZWHuhWtQZiF+g==}
+    engines: {node: '>=4'}
+    dependencies:
+      assertion-error: 1.1.0
+      check-error: 1.0.3
+      deep-eql: 4.1.3
+      get-func-name: 2.0.2
+      loupe: 2.3.7
+      pathval: 1.1.1
+      type-detect: 4.0.8
+    dev: true
+
   /chalk@2.4.2:
     resolution: {integrity: sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==}
     engines: {node: '>=4'}
@@ -11381,6 +11508,12 @@ packages:
   /chardet@0.7.0:
     resolution: {integrity: sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==}
 
+  /check-error@1.0.3:
+    resolution: {integrity: sha512-iKEoDYaRmd1mxM90a2OEfWhjsjPpYPuQ+lMYsoxB126+t8fw7ySEO48nmDg5COTjxDI65/Y2OWpeEHk3ZOe8zg==}
+    dependencies:
+      get-func-name: 2.0.2
+    dev: true
+
   /chokidar@3.5.3:
     resolution: {integrity: sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==}
     engines: {node: '>= 8.10.0'}
@@ -11406,13 +11539,15 @@ packages:
     engines: {node: '>=6.0'}
     dev: true
 
-  /chromium-bidi@0.4.20(devtools-protocol@0.0.1147663):
-    resolution: {integrity: sha512-ruHgVZFEv00mAQMz1tQjfjdG63jiPWrQPF6HLlX2ucqLqVTJoWngeBEKHaJ6n1swV/HSvgnBNbtTRIlcVyW3Fw==}
+  /chromium-bidi@0.5.13(devtools-protocol@0.0.1262051):
+    resolution: {integrity: sha512-OHbYCetDxdW/xmlrafgOiLsIrw4Sp1BEeolbZ1UGJO5v/nekQOJBj/Kzyw6sqKcAVabUTo0GS3cTYgr6zIf00g==}
     peerDependencies:
       devtools-protocol: '*'
     dependencies:
-      devtools-protocol: 0.0.1147663
+      devtools-protocol: 0.0.1262051
       mitt: 3.0.1
+      urlpattern-polyfill: 10.0.0
+      zod: 3.22.4
     dev: true
 
   /ci-info@3.8.0:
@@ -11459,15 +11594,6 @@ packages:
     engines: {node: '>=6'}
     dev: false
 
-  /cli-table3@0.6.3:
-    resolution: {integrity: sha512-w5Jac5SykAeZJKntOxJCrm63Eg5/4dhMWIcuTbo9rpE+brgaSZo0RuNJZeOyMgsUdhDeojvgyQLmjI+K50ZGyg==}
-    engines: {node: 10.* || >= 12.*}
-    dependencies:
-      string-width: 4.2.3
-    optionalDependencies:
-      '@colors/colors': 1.5.0
-    dev: true
-
   /cli-truncate@3.1.0:
     resolution: {integrity: sha512-wfOBkjXteqSnI59oPcJkcPl/ZmwvMMOj340qUIY1SKZCv0B9Cf4D4fAucRkIKQmsIuYK3x1rrgU7MeGRruiuiA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
@@ -11597,10 +11723,6 @@ packages:
     engines: {node: '>=16'}
     dev: true
 
-  /commander@2.20.3:
-    resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
-    dev: true
-
   /commander@5.1.0:
     resolution: {integrity: sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==}
     engines: {node: '>= 6'}
@@ -11637,15 +11759,6 @@ packages:
     resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
     dev: true
 
-  /concat-stream@2.0.0:
-    resolution: {integrity: sha512-MWufYdFw53ccGjCA+Ol7XJYpAlW6/prSMzuPOTRnJGcGzuhLn4Scrz7qf6o8bROZ514ltazcIFJZevcfbo0x7A==}
-    engines: {'0': node >= 6.0}
-    dependencies:
-      buffer-from: 1.1.2
-      inherits: 2.0.4
-      readable-stream: 3.6.2
-      typedarray: 0.0.6
-
   /confusing-browser-globals@1.0.11:
     resolution: {integrity: sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==}
     dev: true
@@ -11719,8 +11832,9 @@ packages:
   /core-js@3.34.0:
     resolution: {integrity: sha512-aDdvlDder8QmY91H88GzNi9EtQi2TjvQhpCX6B1v/dAZHU1AuLgHvRh54RiOerpEhEW46Tkf+vgAViB/CWC0ag==}
     requiresBuild: true
+    dev: true
 
-  /cosmiconfig-typescript-loader@5.0.0(@types/node@18.19.3)(cosmiconfig@8.3.6)(typescript@5.0.2):
+  /cosmiconfig-typescript-loader@5.0.0(@types/node@20.11.20)(cosmiconfig@8.3.6)(typescript@5.0.2):
     resolution: {integrity: sha512-+8cK7jRAReYkMwMiG+bxhcNKiHJDM6bR9FD/nGBXOWdMLuYawjF5cGrtLilJ+LGd3ZjCXnJjR5DkfWPoIVlqJA==}
     engines: {node: '>=v16'}
     peerDependencies:
@@ -11728,23 +11842,12 @@ packages:
       cosmiconfig: '>=8.2'
       typescript: '>=4'
     dependencies:
-      '@types/node': 18.19.3
+      '@types/node': 20.11.20
       cosmiconfig: 8.3.6(typescript@5.0.2)
       jiti: 1.21.0
       typescript: 5.0.2
     dev: true
 
-  /cosmiconfig@6.0.0:
-    resolution: {integrity: sha512-xb3ZL6+L8b9JLLCx3ZdoZy4+2ECphCMo2PwqgP1tlfVq6M6YReyzBJtvWWtbDSpNr9hn96pkCiZqUcFEc+54Qg==}
-    engines: {node: '>=8'}
-    dependencies:
-      '@types/parse-json': 4.0.0
-      import-fresh: 3.3.0
-      parse-json: 5.2.0
-      path-type: 4.0.0
-      yaml: 1.10.2
-    dev: false
-
   /cosmiconfig@7.1.0:
     resolution: {integrity: sha512-AdmX6xUzdNASswsFtmwSt7Vj8po9IuqXm0UXz7QKPuEUmPB4XyjGfaAr2PSuELMwkRMVH1EpIkX5bTZGRB3eCA==}
     engines: {node: '>=10'}
@@ -11766,17 +11869,23 @@ packages:
       path-type: 4.0.0
     dev: true
 
-  /cosmiconfig@8.2.0:
-    resolution: {integrity: sha512-3rTMnFJA1tCOPwRxtgF4wd7Ab2qvDbL8jX+3smjIbS4HlZBagTlpERbdN7iAbWlrfxE3M8c27kTwTawQ7st+OQ==}
+  /cosmiconfig@8.3.6(typescript@5.0.2):
+    resolution: {integrity: sha512-kcZ6+W5QzcJ3P1Mt+83OUv/oHFqZHIx8DuxG6eZ5RGMERoLqp4BuGjhHLYGK+Kf5XVkQvqBSmAy/nGWN3qDgEA==}
     engines: {node: '>=14'}
+    peerDependencies:
+      typescript: '>=4.9.5'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
     dependencies:
       import-fresh: 3.3.0
       js-yaml: 4.1.0
       parse-json: 5.2.0
       path-type: 4.0.0
+      typescript: 5.0.2
     dev: true
 
-  /cosmiconfig@8.3.6(typescript@5.0.2):
+  /cosmiconfig@8.3.6(typescript@5.3.3):
     resolution: {integrity: sha512-kcZ6+W5QzcJ3P1Mt+83OUv/oHFqZHIx8DuxG6eZ5RGMERoLqp4BuGjhHLYGK+Kf5XVkQvqBSmAy/nGWN3qDgEA==}
     engines: {node: '>=14'}
     peerDependencies:
@@ -11789,11 +11898,11 @@ packages:
       js-yaml: 4.1.0
       parse-json: 5.2.0
       path-type: 4.0.0
-      typescript: 5.0.2
+      typescript: 5.3.3
     dev: true
 
-  /cosmiconfig@8.3.6(typescript@5.3.3):
-    resolution: {integrity: sha512-kcZ6+W5QzcJ3P1Mt+83OUv/oHFqZHIx8DuxG6eZ5RGMERoLqp4BuGjhHLYGK+Kf5XVkQvqBSmAy/nGWN3qDgEA==}
+  /cosmiconfig@9.0.0(typescript@5.3.3):
+    resolution: {integrity: sha512-itvL5h8RETACmOTFc4UfIyB2RfEHi71Ax6E/PivVxq9NseKbOWpeyHEOIbmAw1rs8Ak0VursQNww7lf7YtUwzg==}
     engines: {node: '>=14'}
     peerDependencies:
       typescript: '>=4.9.5'
@@ -11801,18 +11910,13 @@ packages:
       typescript:
         optional: true
     dependencies:
+      env-paths: 2.2.1
       import-fresh: 3.3.0
       js-yaml: 4.1.0
       parse-json: 5.2.0
-      path-type: 4.0.0
       typescript: 5.3.3
     dev: true
 
-  /crack-json@1.3.0:
-    resolution: {integrity: sha512-JfZ9NPLsU9ejTYgZ7fM+5TIMfTwROTxpi2Twh597GxmiVDwIGZSjaor+zsQBKZ0mmCKOFb9EZZLVeKNf/5UaGg==}
-    engines: {node: '>=8.0'}
-    dev: false
-
   /create-eslint-index@1.0.0:
     resolution: {integrity: sha512-nXvJjnfDytOOaPOonX0h0a1ggMoqrhdekGeZkD6hkcWYvlCWhU719tKFVh8eU04CnMwu3uwe1JjwuUF2C3k2qg==}
     engines: {node: '>=4.0.0'}
@@ -11820,25 +11924,6 @@ packages:
       lodash.get: 4.4.2
     dev: true
 
-  /create-jest@29.7.0(@types/node@18.19.3):
-    resolution: {integrity: sha512-Adz2bdH0Vq3F53KEMJOoftQFutWCukm6J24wbPWRO4k1kMY7gS7ds/uoJkNuV8wDCtWWnuwGcJwpWcih+zEW1Q==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    hasBin: true
-    dependencies:
-      '@jest/types': 29.6.3
-      chalk: 4.1.2
-      exit: 0.1.2
-      graceful-fs: 4.2.11
-      jest-config: 29.7.0(@types/node@18.19.3)
-      jest-util: 29.7.0
-      prompts: 2.4.2
-    transitivePeerDependencies:
-      - '@types/node'
-      - babel-plugin-macros
-      - supports-color
-      - ts-node
-    dev: true
-
   /create-jest@29.7.0(@types/node@20.10.4):
     resolution: {integrity: sha512-Adz2bdH0Vq3F53KEMJOoftQFutWCukm6J24wbPWRO4k1kMY7gS7ds/uoJkNuV8wDCtWWnuwGcJwpWcih+zEW1Q==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -11895,6 +11980,7 @@ packages:
       node-fetch: 2.7.0
     transitivePeerDependencies:
       - encoding
+    dev: false
 
   /cross-spawn@5.1.0:
     resolution: {integrity: sha512-pTgQJ5KC0d2hcY8eyL1IzlBPYjTkyH72XRZPnLyKus2mBfNjQs3klqbJU2VILqZryAZUt9JOb3h/mWMy23/f5A==}
@@ -12079,14 +12165,9 @@ packages:
     resolution: {integrity: sha512-sdQSFB7+llfUcQHUQO3+B8ERRj0Oa4w9POWMI/puGtuf7gFywGmkaLCElnudfTiKZV+NvHqL0ifzdrI8Ro7ESA==}
     dev: true
 
-  /dargs@7.0.0:
-    resolution: {integrity: sha512-2iy1EkLdlBzQGvbweYRFxmFath8+K7+AKB0TlhHWkNuH+TmovaMH/Wp7V7R4u7f4SnX3OgLsU9t1NI9ioDnUpg==}
-    engines: {node: '>=8'}
-    dev: true
-
-  /data-uri-to-buffer@4.0.0:
-    resolution: {integrity: sha512-Vr3mLBA8qWmcuschSLAOogKgQ/Jwxulv3RNE4FXnYWRGujzrRWQI4m12fQqRkwX06C0KanhLr4hK+GydchZsaA==}
-    engines: {node: '>= 12'}
+  /dargs@8.1.0:
+    resolution: {integrity: sha512-wAV9QHOsNbwnWdNW2FYvE1P56wtgSbM+3SZcdGiWQILwVjACCXDCI3Ai8QlCjMDB8YK5zySiXZYBiwGmNY3lnw==}
+    engines: {node: '>=12'}
     dev: true
 
   /data-uri-to-buffer@5.0.1:
@@ -12179,6 +12260,7 @@ packages:
     engines: {node: '>=10'}
     dependencies:
       mimic-response: 3.1.0
+    dev: false
 
   /dedent@1.5.1:
     resolution: {integrity: sha512-+LxW+KLWxu3HW3M2w2ympwtqPrqYRzU8fqi6Fhd18fBALe15blJPI/I4+UHveMVG6lJqB4JNd4UG0S5cnVHwIg==}
@@ -12189,6 +12271,13 @@ packages:
         optional: true
     dev: true
 
+  /deep-eql@4.1.3:
+    resolution: {integrity: sha512-WaEtAOpRA1MQ0eohqZjpGD8zdI0Ovsm8mmFhaDN8dvDZzyoUMcYDnf5Y6iu7HTXxf8JDS23qWa4a+hKCDyOPzw==}
+    engines: {node: '>=6'}
+    dependencies:
+      type-detect: 4.0.8
+    dev: true
+
   /deep-equal@1.0.1:
     resolution: {integrity: sha1-9dJgKStmDghO/0zbyfCK0yR0SLU=}
 
@@ -12216,6 +12305,7 @@ packages:
   /defer-to-connect@2.0.1:
     resolution: {integrity: sha512-4tvttepXG1VaYGrRibk5EwJd1t4udunSOVMdLSAL6mId1ix438oPwPZMALY41FCijukO1L0twNcGsdzS7dHgDg==}
     engines: {node: '>=10'}
+    dev: false
 
   /define-lazy-prop@2.0.0:
     resolution: {integrity: sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og==}
@@ -12238,11 +12328,6 @@ packages:
       esprima: 4.0.1
     dev: true
 
-  /delay@4.4.1:
-    resolution: {integrity: sha512-aL3AhqtfhOlT/3ai6sWXeqwnw63ATNpnUiN4HL7x9q+My5QtHlO3OIkasmug9LKzpheLdmUKGRKnYXYAS7FQkQ==}
-    engines: {node: '>=6'}
-    dev: false
-
   /delayed-stream@1.0.0:
     resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==}
     engines: {node: '>=0.4.0'}
@@ -12300,18 +12385,14 @@ packages:
     engines: {node: '>=8'}
     dev: true
 
-  /detect-node@2.1.0:
-    resolution: {integrity: sha512-T0NIuQpnTvFDATNuHN5roPwSBG83rFsuO+MXXH9/3N1eFbn4wcPjttvjMLEPWJ0RGUYgQE7cGgS3tNxbqCGM7g==}
-    dev: false
-
   /devlop@1.1.0:
     resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==}
     dependencies:
       dequal: 2.0.3
     dev: true
 
-  /devtools-protocol@0.0.1147663:
-    resolution: {integrity: sha512-hyWmRrexdhbZ1tcJUGpO95ivbRhWXz++F4Ko+n21AY5PNln2ovoJw+8ZMNDTtip+CNFQfrtLVh/w4009dXO/eQ==}
+  /devtools-protocol@0.0.1262051:
+    resolution: {integrity: sha512-YJe4CT5SA8on3Spa+UDtNhEqtuV6Epwz3OZ4HQVLhlRccpZ9/PAYk0/cy/oKxFKRrZPBUPyxympQci4yWNWZ9g==}
     dev: true
 
   /dezalgo@1.0.3:
@@ -12334,11 +12415,6 @@ packages:
       semver: 5.7.2
     dev: false
 
-  /diff-sequences@29.4.3:
-    resolution: {integrity: sha512-ofrBgwpPhCD85kMKtE9RYFFq6OC1A89oW2vvgWZNCwxrUpRUILopY7lsYyMDSjc8g6U6aiO0Qubg6r4Wgt5ZnA==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dev: true
-
   /diff-sequences@29.6.3:
     resolution: {integrity: sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -12458,10 +12534,6 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /duplexer@0.1.1:
-    resolution: {integrity: sha512-sxNZ+ljy+RA1maXoUReeqBBpBC6RLKmg5ewzV+x+mSETmWNoKdZN6vcQjpFROemza23hGFskJtFNoUWUaQ+R4Q==}
-    dev: true
-
   /duplexer@0.1.2:
     resolution: {integrity: sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg==}
     dev: true
@@ -12506,10 +12578,6 @@ packages:
     resolution: {integrity: sha512-QpLs9D9v9kArv4lfDEgg1X/gN5XLnf/A6l9cs8SPZLRZR3ZkY9+kwIQTxm+fsSej5UMYGE8fdoaZVIBlqG0XTw==}
     dev: false
 
-  /emoji-regex@7.0.3:
-    resolution: {integrity: sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA==}
-    dev: false
-
   /emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
 
@@ -12562,10 +12630,16 @@ packages:
     engines: {node: '>=0.12'}
     dev: true
 
+  /env-paths@2.2.1:
+    resolution: {integrity: sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==}
+    engines: {node: '>=6'}
+    dev: true
+
   /error-ex@1.3.2:
     resolution: {integrity: sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==}
     dependencies:
       is-arrayish: 0.2.1
+    dev: true
 
   /es-abstract@1.20.4:
     resolution: {integrity: sha512-0UtvRN79eMe2L+UNEF1BwRe364sj/DXhQ/k5FmivgoSdpM90b8Jc0mDzKMGo7QS0BVbOP/bTwBKNnDc9rNzaPA==}
@@ -12612,8 +12686,36 @@ packages:
       is-symbol: 1.0.4
     dev: true
 
-  /es6-error@4.1.1:
-    resolution: {integrity: sha512-Um/+FxMr9CISWh0bi5Zv0iOD+4cFh5qLeks1qhAopKVAJw3drgKbKySikp7wGhDL0HPeaja0P5ULZrxLkniUVg==}
+  /esbuild@0.19.12:
+    resolution: {integrity: sha512-aARqgq8roFBj054KvQr5f1sFu0D65G+miZRCuJyJ0G13Zwx7vRar5Zhn2tkQNzIXcBrNVsv/8stehpj+GAjgbg==}
+    engines: {node: '>=12'}
+    hasBin: true
+    requiresBuild: true
+    optionalDependencies:
+      '@esbuild/aix-ppc64': 0.19.12
+      '@esbuild/android-arm': 0.19.12
+      '@esbuild/android-arm64': 0.19.12
+      '@esbuild/android-x64': 0.19.12
+      '@esbuild/darwin-arm64': 0.19.12
+      '@esbuild/darwin-x64': 0.19.12
+      '@esbuild/freebsd-arm64': 0.19.12
+      '@esbuild/freebsd-x64': 0.19.12
+      '@esbuild/linux-arm': 0.19.12
+      '@esbuild/linux-arm64': 0.19.12
+      '@esbuild/linux-ia32': 0.19.12
+      '@esbuild/linux-loong64': 0.19.12
+      '@esbuild/linux-mips64el': 0.19.12
+      '@esbuild/linux-ppc64': 0.19.12
+      '@esbuild/linux-riscv64': 0.19.12
+      '@esbuild/linux-s390x': 0.19.12
+      '@esbuild/linux-x64': 0.19.12
+      '@esbuild/netbsd-x64': 0.19.12
+      '@esbuild/openbsd-x64': 0.19.12
+      '@esbuild/sunos-x64': 0.19.12
+      '@esbuild/win32-arm64': 0.19.12
+      '@esbuild/win32-ia32': 0.19.12
+      '@esbuild/win32-x64': 0.19.12
+    dev: true
 
   /escalade@3.1.1:
     resolution: {integrity: sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==}
@@ -13145,6 +13247,12 @@ packages:
     resolution: {integrity: sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==}
     dev: true
 
+  /estree-walker@3.0.3:
+    resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
+    dependencies:
+      '@types/estree': 1.0.5
+    dev: true
+
   /esutils@2.0.3:
     resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
     engines: {node: '>=0.10.0'}
@@ -13227,17 +13335,6 @@ packages:
     engines: {node: '>=16'}
     dev: true
 
-  /expect@29.5.0:
-    resolution: {integrity: sha512-yM7xqUrCO2JdpFo4XpM82t+PJBFybdqoQuJLDGeDX2ij8NZzqRHyu3Hp188/JX7SWqud+7t4MUdvcgGBICMHZg==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      '@jest/expect-utils': 29.5.0
-      jest-get-type: 29.4.3
-      jest-matcher-utils: 29.5.0
-      jest-message-util: 29.5.0
-      jest-util: 29.5.0
-    dev: true
-
   /expect@29.7.0:
     resolution: {integrity: sha512-2Zks0hf1VLFYI1kbh0I5jP3KHHyCHpkfyHBzsSXRFgl/Bg9mWYfMW8oD+PdMPlEwy5HNsR9JutYy6pMeOh61nw==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -13408,14 +13505,6 @@ packages:
       pend: 1.2.0
     dev: true
 
-  /fetch-blob@3.2.0:
-    resolution: {integrity: sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==}
-    engines: {node: ^12.20 || >= 14.13}
-    dependencies:
-      node-domexception: 1.0.0
-      web-streams-polyfill: 3.2.1
-    dev: true
-
   /figures@5.0.0:
     resolution: {integrity: sha512-ej8ksPF4x6e5wvK9yevct0UCXh8TTFlWGVLlgjZuoBH1HwjIfKE/IdL5mq89sFA7zELi1VhKpmtDnrs7zWyeyg==}
     engines: {node: '>=14'}
@@ -13445,11 +13534,6 @@ packages:
       tslib: 2.5.0
     dev: true
 
-  /filesize@10.1.0:
-    resolution: {integrity: sha512-GTLKYyBSDz3nPhlLVPjPWZCnhkd9TrrRArNcy8Z+J2cqScB7h2McAzR6NBX6nYOoWafql0roY8hrocxnZBv9CQ==}
-    engines: {node: '>= 10.4.0'}
-    dev: true
-
   /fill-range@7.0.1:
     resolution: {integrity: sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==}
     engines: {node: '>=8'}
@@ -13510,7 +13594,6 @@ packages:
       locate-path: 7.2.0
       path-exists: 5.0.0
       unicorn-magic: 0.1.0
-    dev: false
 
   /find-yarn-workspace-root2@1.2.16:
     resolution: {integrity: sha512-hr6hb1w8ePMpPVUK39S4RlwJzi+xPLuVuG8XlwXU3KD5Yn3qgBWVfy3AzNlDhWvE1EORCE65/Qm26rFQt3VLVA==}
@@ -13572,6 +13655,7 @@ packages:
   /form-data-encoder@4.0.2:
     resolution: {integrity: sha512-KQVhvhK8ZkWzxKxOr56CPulAhH3dobtuQ4+hNQ+HekH/Wp5gSOafqRAeTphQUJAIk0GBvHZgJ2ZGRWd5kphMuw==}
     engines: {node: '>= 18'}
+    dev: false
 
   /form-data@3.0.1:
     resolution: {integrity: sha512-RHkBKtLWUVwd7SqRIvCZMEvAMoGUp0XU+seQiZejj0COz3RI3hWP4sCv3gZWWLjJTd7rGwcsF5eKZGii0r/hbg==}
@@ -13595,13 +13679,6 @@ packages:
     engines: {node: '>=0.4.x'}
     dev: true
 
-  /formdata-polyfill@4.0.10:
-    resolution: {integrity: sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==}
-    engines: {node: '>=12.20.0'}
-    dependencies:
-      fetch-blob: 3.2.0
-    dev: true
-
   /formidable@2.0.1:
     resolution: {integrity: sha512-rjTMNbp2BpfQShhFbR3Ruk3qk2y9jKpvMW78nJgx8QKtxjDVrwbZG+wvDOmVbifHyOUOQJXxqEy6r0faRrPzTQ==}
     dependencies:
@@ -13619,15 +13696,6 @@ packages:
     engines: {node: '>=0.10.0'}
     dev: true
 
-  /fs-extra@11.1.1:
-    resolution: {integrity: sha512-MGIE4HOvQCeUCzmlHs0vXpih4ysz4wg9qiSAu6cd42lVwPbTM1TjV7RusoyQqMmk/95gdQZX72u+YW+c3eEpFQ==}
-    engines: {node: '>=14.14'}
-    dependencies:
-      graceful-fs: 4.2.11
-      jsonfile: 6.1.0
-      universalify: 2.0.0
-    dev: true
-
   /fs-extra@7.0.1:
     resolution: {integrity: sha512-YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw==}
     engines: {node: '>=6 <7 || >=8'}
@@ -13687,7 +13755,7 @@ packages:
     engines: {node: '>=14'}
     dependencies:
       extend: 3.0.2
-      https-proxy-agent: 7.0.1
+      https-proxy-agent: 7.0.4
       is-stream: 2.0.1
       node-fetch: 2.7.0
     transitivePeerDependencies:
@@ -13731,6 +13799,10 @@ packages:
     engines: {node: '>=18'}
     dev: false
 
+  /get-func-name@2.0.2:
+    resolution: {integrity: sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==}
+    dev: true
+
   /get-intrinsic@1.1.3:
     resolution: {integrity: sha512-QJVz1Tj7MS099PevUG5jvnt9tSkXN8K14dxQlikJuPt4uD9hHAHjLyLBiLR5zELelBdD9QNRAXZzsJx0WaDL9A==}
     dependencies:
@@ -13799,16 +13871,14 @@ packages:
       - supports-color
     dev: true
 
-  /git-raw-commits@2.0.11:
-    resolution: {integrity: sha512-VnctFhw+xfj8Va1xtfEqCUD2XDrbAPSJx+hSrE5K7fGdjZruW7XV+QOrN7LF/RJyvspRiD2I0asWsxFp0ya26A==}
-    engines: {node: '>=10'}
+  /git-raw-commits@4.0.0:
+    resolution: {integrity: sha512-ICsMM1Wk8xSGMowkOmPrzo2Fgmfo4bMHLNX6ytHjajRJUqvHOw/TFapQ+QG75c3X/tTDDhOSRPGC52dDbNM8FQ==}
+    engines: {node: '>=16'}
     hasBin: true
     dependencies:
-      dargs: 7.0.0
-      lodash: 4.17.21
-      meow: 8.1.2
-      split2: 3.2.2
-      through2: 4.0.2
+      dargs: 8.1.0
+      meow: 12.1.1
+      split2: 4.2.0
     dev: true
 
   /glob-parent@5.1.2:
@@ -13847,11 +13917,11 @@ packages:
       once: 1.4.0
     dev: true
 
-  /global-dirs@0.1.1:
-    resolution: {integrity: sha512-NknMLn7F2J7aflwFOlGdNIuCDpN3VGoSoB+aap3KABFWbHVn1TCgFC+np23J8W2BiZbjfEw3BFBycSMv1AFblg==}
-    engines: {node: '>=4'}
+  /global-directory@4.0.1:
+    resolution: {integrity: sha512-wHTUcDUoZ1H5/0iVqEudYW4/kAlN5cZ3j/bXn0Dpbizl9iaUVeWSHqiOjsgk6OW2bkLclbBjzewBz6weQ1zA2Q==}
+    engines: {node: '>=18'}
     dependencies:
-      ini: 1.3.8
+      ini: 4.1.1
     dev: true
 
   /global-modules@0.2.3:
@@ -13997,6 +14067,7 @@ packages:
       lowercase-keys: 3.0.0
       p-cancelable: 4.0.1
       responselike: 3.0.0
+    dev: false
 
   /graceful-fs@4.2.10:
     resolution: {integrity: sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==}
@@ -14297,6 +14368,7 @@ packages:
 
   /http-cache-semantics@4.1.1:
     resolution: {integrity: sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==}
+    dev: false
 
   /http-errors@1.4.0:
     resolution: {integrity: sha512-oLjPqve1tuOl5aRhv8GK5eHpqP1C9fb+Ol+XTLjKfLltE44zdDbEdjPSbU7Ch5rSNsVFqZn97SrMmZLdu1/YMw==}
@@ -14347,8 +14419,8 @@ packages:
     transitivePeerDependencies:
       - supports-color
 
-  /http-proxy-agent@7.0.0:
-    resolution: {integrity: sha512-+ZT+iBxVUQ1asugqnD6oWoRiS25AkjNfG085dKJGtGxkdwLQrMKU5wJr2bOOFAXzKcTuqq+7fZlTMgG3SRfIYQ==}
+  /http-proxy-agent@7.0.2:
+    resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==}
     engines: {node: '>= 14'}
     dependencies:
       agent-base: 7.1.0
@@ -14374,6 +14446,7 @@ packages:
     dependencies:
       quick-lru: 5.1.1
       resolve-alpn: 1.2.1
+    dev: false
 
   /https-proxy-agent@5.0.1:
     resolution: {integrity: sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==}
@@ -14384,8 +14457,8 @@ packages:
     transitivePeerDependencies:
       - supports-color
 
-  /https-proxy-agent@7.0.1:
-    resolution: {integrity: sha512-Eun8zV0kcYS1g19r78osiQLEFIRspRUDd9tIfBCTBPBeMieF/EsJNL8VI3xOIdYRDEkjQnqOYPsZ2DsWsVsFwQ==}
+  /https-proxy-agent@7.0.4:
+    resolution: {integrity: sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg==}
     engines: {node: '>= 14'}
     dependencies:
       agent-base: 7.1.0
@@ -14417,12 +14490,6 @@ packages:
     hasBin: true
     dev: true
 
-  /hyperid@2.3.1:
-    resolution: {integrity: sha512-mIbI7Ymn6MCdODaW1/6wdf5lvvXzmPsARN4zTLakMmcziBOuP4PxCBJvHF6kbAIHX6H4vAELx/pDmt0j6Th5RQ==}
-    dependencies:
-      uuid: 8.3.2
-      uuid-parse: 1.1.0
-
   /i18next-browser-languagedetector@7.0.1:
     resolution: {integrity: sha512-Pa5kFwaczXJAeHE56CHG2aWzFBMJNUNghf0Pm4SwSrEMps/PTKqW90EYWlIvhuYStf3Sn1K0vw+gH3+TLdkH1g==}
     dependencies:
@@ -14498,6 +14565,7 @@ packages:
     dependencies:
       parent-module: 1.0.1
       resolve-from: 4.0.0
+    dev: true
 
   /import-in-the-middle@1.3.5:
     resolution: {integrity: sha512-yzHlBqi1EBFrkieAnSt8eTgO5oLSl+YJ7qaOpUH/PMqQOMZoQ/RmDlwnTLQrwYto+gHYjRG+i/IbsB1eDx32NQ==}
@@ -14519,6 +14587,10 @@ packages:
       resolve-cwd: 3.0.0
     dev: true
 
+  /import-meta-resolve@4.0.0:
+    resolution: {integrity: sha512-okYUR7ZQPH+efeuMJGlq4f8ubUgO50kByRPyt/Cy1Io4PSRsPjxME+YlVaCOx+NIToW7hCsZNFJyTPFFKepRSA==}
+    dev: true
+
   /import-modules@2.1.0:
     resolution: {integrity: sha512-8HEWcnkbGpovH9yInoisxaSoIg9Brbul+Ju3Kqe2UsYDUBJD/iQjSgEj0zPcTDPKfPp2fs5xlv1i+JSye/m1/A==}
     engines: {node: '>=8'}
@@ -14566,12 +14638,10 @@ packages:
     resolution: {integrity: sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==}
     dev: true
 
-  /inline-loops.macro@1.2.2:
-    resolution: {integrity: sha512-w5cOGQGnNoBTSibg6IzaIG2OG9sbXJxTn3uzYP717C/SvcJVEFz5Zu1dJwvCLlnwtBWQgcfnV2BNEQaRoIAfIw==}
-    dependencies:
-      '@babel/types': 7.20.2
-      babel-plugin-macros: 2.8.0
-    dev: false
+  /ini@4.1.1:
+    resolution: {integrity: sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g==}
+    engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
+    dev: true
 
   /inline-style-parser@0.1.1:
     resolution: {integrity: sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q==}
@@ -14598,10 +14668,6 @@ packages:
       wrap-ansi: 8.0.1
     dev: false
 
-  /int64-buffer@0.99.1007:
-    resolution: {integrity: sha512-XDBEu44oSTqlvCSiOZ/0FoUkpWu/vwjJLGSKDabNISPQNZ5wub1FodGHBljRsrR0IXRPq7SslshZYMuA55CgTQ==}
-    engines: {node: '>= 4.5.0'}
-
   /internal-slot@1.0.3:
     resolution: {integrity: sha512-O0DB1JC/sPyZl7cIo78n5dR7eUSwwpYPiXRhTzNxZVAMUuB8vlnRFyLxdrVToks6XPLVnFfbzaVd5WLjhgg+vA==}
     engines: {node: '>= 0.4'}
@@ -14641,6 +14707,7 @@ packages:
 
   /is-arrayish@0.2.1:
     resolution: {integrity: sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg==}
+    dev: true
 
   /is-arrayish@0.3.2:
     resolution: {integrity: sha512-eVRqCvVlZbuw3GrM63ovNSNAeA1K16kaR/LRY/92w0zxQ5/1YzwblUX652i4Xs9RwAGjW9d9y6X88t8OaAJfWQ==}
@@ -14717,11 +14784,6 @@ packages:
     engines: {node: '>=0.10.0'}
     dev: true
 
-  /is-fullwidth-code-point@2.0.0:
-    resolution: {integrity: sha512-VHskAKYM8RfSFXwee5t5cbN5PZeq1Wrh6qd5bkyiXIf6UQcN6w/A0eXM9r6t8d+GYOh+o6ZhiEnb88LN/Y8m2w==}
-    engines: {node: '>=4'}
-    dev: false
-
   /is-fullwidth-code-point@3.0.0:
     resolution: {integrity: sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==}
     engines: {node: '>=8'}
@@ -14831,6 +14893,7 @@ packages:
   /is-plain-object@5.0.0:
     resolution: {integrity: sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==}
     engines: {node: '>=0.10.0'}
+    dev: true
 
   /is-potential-custom-element-name@1.0.1:
     resolution: {integrity: sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==}
@@ -14948,11 +15011,11 @@ packages:
     resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
     dev: true
 
-  /iso8601-duration@1.3.0:
-    resolution: {integrity: sha512-K4CiUBzo3YeWk76FuET/dQPH03WE04R94feo5TSKQCXpoXQt9E4yx2CnY737QZnSAI3PI4WlKo/zfqizGx52QQ==}
+  /iso8601-duration@2.1.2:
+    resolution: {integrity: sha512-yXteYUiKv6x8seaDzyBwnZtPpmx766KfvQuaVNyPifYOjmPdOo3ajd4phDNa7Y5mTQGnXsNEcXFtVun1FjYXxQ==}
 
-  /istanbul-lib-coverage@3.2.0:
-    resolution: {integrity: sha512-eOeJ5BHCmHYvQK7xt9GkdHuzuCGS1Y6g9Gvnx3Ym33fz/HpLRYxiS0wHNr+m/MBC8B647Xt608vCDEvhl9c6Mw==}
+  /istanbul-lib-coverage@3.2.2:
+    resolution: {integrity: sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==}
     engines: {node: '>=8'}
     dev: true
 
@@ -14961,9 +15024,9 @@ packages:
     engines: {node: '>=8'}
     dependencies:
       '@babel/core': 7.20.2
-      '@babel/parser': 7.20.3
+      '@babel/parser': 7.24.0
       '@istanbuljs/schema': 0.1.3
-      istanbul-lib-coverage: 3.2.0
+      istanbul-lib-coverage: 3.2.2
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
@@ -14974,20 +15037,20 @@ packages:
     engines: {node: '>=10'}
     dependencies:
       '@babel/core': 7.20.2
-      '@babel/parser': 7.20.3
+      '@babel/parser': 7.24.0
       '@istanbuljs/schema': 0.1.3
-      istanbul-lib-coverage: 3.2.0
+      istanbul-lib-coverage: 3.2.2
       semver: 7.6.0
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /istanbul-lib-report@3.0.0:
-    resolution: {integrity: sha512-wcdi+uAKzfiGT2abPpKZ0hSU1rGQjUQnLvtY5MpQ7QCTahD3VODhcu4wcfY1YtkGaDD5yuydOLINXsfbus9ROw==}
-    engines: {node: '>=8'}
+  /istanbul-lib-report@3.0.1:
+    resolution: {integrity: sha512-GCfE1mtsHGOELCU8e/Z7YWzpmybrx/+dSTfLrvY8qRmaY6zXTKWn6WQIjaAFw069icm6GVMNkgu0NzI4iPZUNw==}
+    engines: {node: '>=10'}
     dependencies:
-      istanbul-lib-coverage: 3.2.0
-      make-dir: 3.1.0
+      istanbul-lib-coverage: 3.2.2
+      make-dir: 4.0.0
       supports-color: 7.2.0
     dev: true
 
@@ -14996,18 +15059,29 @@ packages:
     engines: {node: '>=10'}
     dependencies:
       debug: 4.3.4
-      istanbul-lib-coverage: 3.2.0
+      istanbul-lib-coverage: 3.2.2
       source-map: 0.6.1
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /istanbul-reports@3.1.5:
-    resolution: {integrity: sha512-nUsEMa9pBt/NOHqbcbeJEgqIlY/K7rVWUX6Lql2orY5e9roQOthbR3vtY4zzf2orPELg80fnxxk9zUyPlgwD1w==}
+  /istanbul-lib-source-maps@5.0.4:
+    resolution: {integrity: sha512-wHOoEsNJTVltaJp8eVkm8w+GVkVNHT2YDYo53YdzQEL2gWm1hBX5cGFR9hQJtuGLebidVX7et3+dmDZrmclduw==}
+    engines: {node: '>=10'}
+    dependencies:
+      '@jridgewell/trace-mapping': 0.3.25
+      debug: 4.3.4
+      istanbul-lib-coverage: 3.2.2
+    transitivePeerDependencies:
+      - supports-color
+    dev: true
+
+  /istanbul-reports@3.1.7:
+    resolution: {integrity: sha512-BewmUXImeuRk2YY0PVbxgKAysvhRPUQE0h5QRM++nVWyubKGV0l8qQ5op8+B2DOmwSe63Jivj0BjkPQVf8fP5g==}
     engines: {node: '>=8'}
     dependencies:
       html-escaper: 2.0.2
-      istanbul-lib-report: 3.0.0
+      istanbul-lib-report: 3.0.1
     dev: true
 
   /jest-changed-files@29.7.0:
@@ -15048,34 +15122,6 @@ packages:
       - supports-color
     dev: true
 
-  /jest-cli@29.7.0(@types/node@18.19.3):
-    resolution: {integrity: sha512-OVVobw2IubN/GSYsxETi+gOe7Ka59EFMR/twOU3Jb2GnKKeMGJB5SGUUrEz3SFVmJASUdZUzy83sLNNQ2gZslg==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    hasBin: true
-    peerDependencies:
-      node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
-    peerDependenciesMeta:
-      node-notifier:
-        optional: true
-    dependencies:
-      '@jest/core': 29.7.0(ts-node@10.9.2)
-      '@jest/test-result': 29.7.0
-      '@jest/types': 29.6.3
-      chalk: 4.1.2
-      create-jest: 29.7.0(@types/node@18.19.3)
-      exit: 0.1.2
-      import-local: 3.1.0
-      jest-config: 29.7.0(@types/node@18.19.3)
-      jest-util: 29.7.0
-      jest-validate: 29.7.0
-      yargs: 17.7.2
-    transitivePeerDependencies:
-      - '@types/node'
-      - babel-plugin-macros
-      - supports-color
-      - ts-node
-    dev: true
-
   /jest-cli@29.7.0(@types/node@20.10.4):
     resolution: {integrity: sha512-OVVobw2IubN/GSYsxETi+gOe7Ka59EFMR/twOU3Jb2GnKKeMGJB5SGUUrEz3SFVmJASUdZUzy83sLNNQ2gZslg==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15160,46 +15206,6 @@ packages:
       - ts-node
     dev: true
 
-  /jest-config@29.7.0(@types/node@18.19.3):
-    resolution: {integrity: sha512-uXbpfeQ7R6TZBqI3/TxCU4q4ttk3u0PJeC+E0zbfSoSjq6bJ7buBPxzQPL0ifrkY4DNu4JUdk0ImlBUYi840eQ==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    peerDependencies:
-      '@types/node': '*'
-      ts-node: '>=9.0.0'
-    peerDependenciesMeta:
-      '@types/node':
-        optional: true
-      ts-node:
-        optional: true
-    dependencies:
-      '@babel/core': 7.20.2
-      '@jest/test-sequencer': 29.7.0
-      '@jest/types': 29.6.3
-      '@types/node': 18.19.3
-      babel-jest: 29.7.0(@babel/core@7.20.2)
-      chalk: 4.1.2
-      ci-info: 3.8.0
-      deepmerge: 4.3.1
-      glob: 7.2.3
-      graceful-fs: 4.2.11
-      jest-circus: 29.7.0
-      jest-environment-node: 29.7.0
-      jest-get-type: 29.6.3
-      jest-regex-util: 29.6.3
-      jest-resolve: 29.7.0
-      jest-runner: 29.7.0
-      jest-util: 29.7.0
-      jest-validate: 29.7.0
-      micromatch: 4.0.5
-      parse-json: 5.2.0
-      pretty-format: 29.7.0
-      slash: 3.0.0
-      strip-json-comments: 3.1.1
-    transitivePeerDependencies:
-      - babel-plugin-macros
-      - supports-color
-    dev: true
-
   /jest-config@29.7.0(@types/node@20.10.4):
     resolution: {integrity: sha512-uXbpfeQ7R6TZBqI3/TxCU4q4ttk3u0PJeC+E0zbfSoSjq6bJ7buBPxzQPL0ifrkY4DNu4JUdk0ImlBUYi840eQ==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15297,16 +15303,6 @@ packages:
       - supports-color
     dev: true
 
-  /jest-diff@29.5.0:
-    resolution: {integrity: sha512-LtxijLLZBduXnHSniy0WMdaHjmQnt3g5sa16W4p0HqukYTTsyTW3GD1q41TyGl5YFXj/5B2U6dlh5FM1LIMgxw==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      chalk: 4.1.2
-      diff-sequences: 29.4.3
-      jest-get-type: 29.6.3
-      pretty-format: 29.7.0
-    dev: true
-
   /jest-diff@29.7.0:
     resolution: {integrity: sha512-LMIgiIrhigmPrs03JHpxUh2yISK3vLFPkAodPeo0+BuF7wA2FoQbkEg1u8gBYBThncu7e1oEDUfIXVuTqLRUjw==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15385,11 +15381,6 @@ packages:
       - typescript
     dev: true
 
-  /jest-get-type@29.4.3:
-    resolution: {integrity: sha512-J5Xez4nRRMjk8emnTpWrlkyb9pfRQQanDrvWHhsR1+VUfbwxi30eVcZFlcdGInRibU4G5LwHXpI7IRHU0CY+gg==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dev: true
-
   /jest-get-type@29.6.3:
     resolution: {integrity: sha512-zrteXnqYxfQh7l5FHyL38jL39di8H8rHoecLH3JNxH3BwOrBsNeabdap5e0I23lD4HHI8W5VFBZqG4Eaq5LNcw==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15445,16 +15436,6 @@ packages:
     resolution: {integrity: sha512-thJdy9ibhDo8k+0arFalNCQBJ0u7eqTfpTzS2MzL3iCLmbRCkI+yhhKSiAxEi55e5ZUyf01ySa0fMqzF+sblAw==}
     dev: true
 
-  /jest-matcher-utils@29.5.0:
-    resolution: {integrity: sha512-lecRtgm/rjIK0CQ7LPQwzCs2VwW6WAahA55YBuI+xqmhm7LAaxokSB8C97yJeYyT+HvQkH741StzpU41wohhWw==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      chalk: 4.1.2
-      jest-diff: 29.5.0
-      jest-get-type: 29.4.3
-      pretty-format: 29.7.0
-    dev: true
-
   /jest-matcher-utils@29.7.0:
     resolution: {integrity: sha512-sBkD+Xi9DtcChsI3L3u0+N0opgPYnCRPtGcQYrgXmR+hmt/fYfWAL0xRXYU8eWOdfuLgBe0YCW3AFtnRLagq/g==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15525,7 +15506,7 @@ packages:
       jest-resolve: 29.7.0
     dev: true
 
-  /jest-puppeteer@10.0.1(puppeteer@21.0.0)(typescript@5.3.3):
+  /jest-puppeteer@10.0.1(puppeteer@22.6.0)(typescript@5.3.3):
     resolution: {integrity: sha512-FzC35XbqeuQEt1smXh1EOqhJaRkWqJkyWDMfGkcZ8C59QHXeJ7F/iOmiNqYi6l/OsycUuOPCk+IkjfGfS9YbrQ==}
     engines: {node: '>=16'}
     peerDependencies:
@@ -15533,7 +15514,7 @@ packages:
     dependencies:
       expect-puppeteer: 10.0.0
       jest-environment-puppeteer: 10.0.1(typescript@5.3.3)
-      puppeteer: 21.0.0
+      puppeteer: 22.6.0(typescript@5.3.3)
     transitivePeerDependencies:
       - debug
       - supports-color
@@ -15642,7 +15623,7 @@ packages:
       '@babel/generator': 7.20.4
       '@babel/plugin-syntax-jsx': 7.18.6(@babel/core@7.20.2)
       '@babel/plugin-syntax-typescript': 7.18.6(@babel/core@7.20.2)
-      '@babel/types': 7.20.2
+      '@babel/types': 7.24.0
       '@jest/expect-utils': 29.7.0
       '@jest/transform': 29.7.0
       '@jest/types': 29.6.3
@@ -15746,27 +15727,6 @@ packages:
       supports-color: 8.1.1
     dev: true
 
-  /jest@29.7.0(@types/node@18.19.3):
-    resolution: {integrity: sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    hasBin: true
-    peerDependencies:
-      node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
-    peerDependenciesMeta:
-      node-notifier:
-        optional: true
-    dependencies:
-      '@jest/core': 29.7.0(ts-node@10.9.2)
-      '@jest/types': 29.6.3
-      import-local: 3.1.0
-      jest-cli: 29.7.0(@types/node@18.19.3)
-    transitivePeerDependencies:
-      - '@types/node'
-      - babel-plugin-macros
-      - supports-color
-      - ts-node
-    dev: true
-
   /jest@29.7.0(@types/node@20.10.4):
     resolution: {integrity: sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -15863,6 +15823,10 @@ packages:
   /js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
+  /js-tokens@8.0.3:
+    resolution: {integrity: sha512-UfJMcSJc+SEXEl9lH/VLHSZbThQyLpw1vLO1Lb+j4RWDvG3N2f7yj3PVQA3cmkTBNldJ9eFnM+xEXxHIXrYiJw==}
+    dev: true
+
   /js-types@1.0.0:
     resolution: {integrity: sha512-bfwqBW9cC/Lp7xcRpug7YrXm0IVw+T9e3g4mCYnv0Pjr3zIzU9PCQElYU9oSGAWzXlbdl9X5SAMPejO9sxkeUw==}
     engines: {node: '>=0.10.0'}
@@ -15916,7 +15880,7 @@ packages:
       whatwg-encoding: 2.0.0
       whatwg-mimetype: 3.0.0
       whatwg-url: 11.0.0
-      ws: 8.13.0
+      ws: 8.16.0
       xml-name-validator: 4.0.0
     transitivePeerDependencies:
       - bufferutil
@@ -15951,6 +15915,7 @@ packages:
 
   /json-parse-even-better-errors@2.3.1:
     resolution: {integrity: sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==}
+    dev: true
 
   /json-schema-traverse@0.4.1:
     resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}
@@ -15965,6 +15930,7 @@ packages:
 
   /json-stringify-safe@5.0.1:
     resolution: {integrity: sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==}
+    dev: true
 
   /json5@1.0.1:
     resolution: {integrity: sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==}
@@ -15990,19 +15956,11 @@ packages:
     dev: true
 
   /jsonc-parser@3.2.0:
-    resolution: {integrity: sha512-gfFQZrcTc8CnKXp6Y4/CBT3fTc0OVuDofpre4aEeEpSBPV5X5v4+Vmx+8snU7RLPrNHPKSgLxGo9YuQzz20o+w==}
-    dev: true
-
-  /jsonfile@4.0.0:
-    resolution: {integrity: sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg==}
-    optionalDependencies:
-      graceful-fs: 4.2.11
+    resolution: {integrity: sha512-gfFQZrcTc8CnKXp6Y4/CBT3fTc0OVuDofpre4aEeEpSBPV5X5v4+Vmx+8snU7RLPrNHPKSgLxGo9YuQzz20o+w==}
     dev: true
 
-  /jsonfile@6.1.0:
-    resolution: {integrity: sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==}
-    dependencies:
-      universalify: 2.0.0
+  /jsonfile@4.0.0:
+    resolution: {integrity: sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg==}
     optionalDependencies:
       graceful-fs: 4.2.11
     dev: true
@@ -16255,8 +16213,8 @@ packages:
       - supports-color
     dev: false
 
-  /ky@1.0.0:
-    resolution: {integrity: sha512-ptUup6btycj2IXLL/L5Bh/QC9ghYC2k/BsnnSf0ccEap8FpCvJ32FL5s5Potb8NkH6HOTdnVGmyI1wkHZ3mfEQ==}
+  /ky@1.2.3:
+    resolution: {integrity: sha512-2IM3VssHfG2zYz2FsHRUqIp8chhLc9uxDMcK2THxgFfv8pQhnMfN8L0ul+iW4RdBl5AglF8ooPIflRm3yNH0IA==}
     engines: {node: '>=18'}
     dev: true
 
@@ -16389,6 +16347,7 @@ packages:
 
   /lines-and-columns@1.2.4:
     resolution: {integrity: sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==}
+    dev: true
 
   /lint-staged@15.0.2:
     resolution: {integrity: sha512-vnEy7pFTHyVuDmCAIFKR5QDO8XLVlPFQQyujQ/STOxe40ICWqJ6knS2wSJ/ffX/Lw0rz83luRDh+ET7toN+rOw==}
@@ -16455,6 +16414,14 @@ packages:
     engines: {node: '>= 12.13.0'}
     dev: true
 
+  /local-pkg@0.5.0:
+    resolution: {integrity: sha512-ok6z3qlYyCDS4ZEU27HaU6x/xZa9Whf8jD4ptH5UZTQYZVYeb9bnZ3ojVhiJNLiXK1Hfc0GNbLXcmZ5plLDDBg==}
+    engines: {node: '>=14'}
+    dependencies:
+      mlly: 1.6.1
+      pkg-types: 1.0.3
+    dev: true
+
   /locate-path@5.0.0:
     resolution: {integrity: sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==}
     engines: {node: '>=8'}
@@ -16473,7 +16440,6 @@ packages:
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
     dependencies:
       p-locate: 6.0.0
-    dev: false
 
   /lodash-es@4.17.21:
     resolution: {integrity: sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==}
@@ -16498,10 +16464,6 @@ packages:
   /lodash.isempty@4.4.0:
     resolution: {integrity: sha512-oKMuF3xEeqDltrGMfDxAPGIVMSSRv8tbRSODbrs4KGsRRLEhrW8N8Rd4DRgB2+621hY8A8XwwrTVhXWpxFvMzg==}
 
-  /lodash.isfunction@3.0.9:
-    resolution: {integrity: sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==}
-    dev: true
-
   /lodash.isinteger@4.0.4:
     resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
     dev: false
@@ -16603,6 +16565,12 @@ packages:
     dependencies:
       js-tokens: 4.0.0
 
+  /loupe@2.3.7:
+    resolution: {integrity: sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA==}
+    dependencies:
+      get-func-name: 2.0.2
+    dev: true
+
   /lower-case@2.0.2:
     resolution: {integrity: sha512-7fm3l3NAF9WfN6W3JOmf5drwpVqX78JtoGJ3A6W0a6ZnldM41w2fV5D490psKFTpMds8TJse/eHLFFsNHHjHgg==}
     dependencies:
@@ -16617,6 +16585,7 @@ packages:
   /lowercase-keys@3.0.0:
     resolution: {integrity: sha512-ozCC6gdQ+glXOQsveKD0YsDy8DSQFjDTz4zyzEHNV5+JP5D62LmfDZ6o1cycFx9ouG940M5dE8C8CTewdj2YWQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
+    dev: false
 
   /lowlight@1.20.0:
     resolution: {integrity: sha512-8Ktj+prEb1RoCPkEOrPMYUN/nCggB7qAWe3a7OpMjWQkh3l2RD5wKRQ+o8Q8YuI9RG/xs95waaI/E6ym/7NsTw==}
@@ -16660,11 +16629,19 @@ packages:
       '@jridgewell/sourcemap-codec': 1.4.15
     dev: true
 
-  /make-dir@3.1.0:
-    resolution: {integrity: sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==}
-    engines: {node: '>=8'}
+  /magicast@0.3.3:
+    resolution: {integrity: sha512-ZbrP1Qxnpoes8sz47AM0z08U+jW6TyRgZzcWy3Ma3vDhJttwMwAFDMMQFobwdBxByBD46JYmxRzeF7w2+wJEuw==}
     dependencies:
-      semver: 6.3.1
+      '@babel/parser': 7.24.0
+      '@babel/types': 7.24.0
+      source-map-js: 1.0.2
+    dev: true
+
+  /make-dir@4.0.0:
+    resolution: {integrity: sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==}
+    engines: {node: '>=10'}
+    dependencies:
+      semver: 7.6.0
     dev: true
 
   /make-error@1.3.6:
@@ -16923,23 +16900,6 @@ packages:
       yargs-parser: 18.1.3
     dev: true
 
-  /meow@8.1.2:
-    resolution: {integrity: sha512-r85E3NdZ+mpYk1C6RjPFEMSE+s1iZMuHtsHAqY0DT3jZczl0diWUZ8g6oU7h0M9cD2EL+PzaYghhCLzR0ZNn5Q==}
-    engines: {node: '>=10'}
-    dependencies:
-      '@types/minimist': 1.2.5
-      camelcase-keys: 6.2.2
-      decamelize-keys: 1.1.1
-      hard-rejection: 2.1.0
-      minimist-options: 4.1.0
-      normalize-package-data: 3.0.3
-      read-pkg-up: 7.0.1
-      redent: 3.0.0
-      trim-newlines: 3.0.1
-      type-fest: 0.18.1
-      yargs-parser: 20.2.9
-    dev: true
-
   /meow@9.0.0:
     resolution: {integrity: sha512-+obSblOQmRhcyBt62furQqRAQpNyWXo8BuQ5bN7dG8wmwQ+vwHKp/rCFD4CrTP8CsDQD1sjoZ94K417XEUk8IQ==}
     engines: {node: '>=10'}
@@ -17270,10 +17230,12 @@ packages:
   /mimic-response@3.1.0:
     resolution: {integrity: sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==}
     engines: {node: '>=10'}
+    dev: false
 
   /mimic-response@4.0.0:
     resolution: {integrity: sha512-e5ISH9xMYU0DzrT+jl8q2ze9D6eWBto+I8CNpe+VI+K2J/F/k3PdkdTdz4wvGVH4NTpo+NRYTVIuMQEMMcsLqg==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
+    dev: false
 
   /min-indent@1.0.1:
     resolution: {integrity: sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==}
@@ -17329,20 +17291,29 @@ packages:
     engines: {node: '>= 8.0.0'}
     dev: true
 
-  /mkdirp-classic@0.5.3:
-    resolution: {integrity: sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==}
-    dev: true
-
   /mkdirp@1.0.4:
     resolution: {integrity: sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==}
     engines: {node: '>=10'}
     hasBin: true
     dev: false
 
+  /mlly@1.6.1:
+    resolution: {integrity: sha512-vLgaHvaeunuOXHSmEbZ9izxPx3USsk8KCQ8iC+aTlp5sKRSoZvwhHh5L9VbKSaVC6sJDqbyohIS76E2VmHIPAA==}
+    dependencies:
+      acorn: 8.11.3
+      pathe: 1.1.2
+      pkg-types: 1.0.3
+      ufo: 1.5.2
+    dev: true
+
   /module-details-from-path@1.0.3:
     resolution: {integrity: sha512-ySViT69/76t8VhE1xXHK6Ch4NcDd26gx0MzKXLO+F7NOtnqH68d9zF94nT8ZWSxXh8ELOERsnJO/sWt1xZYw5A==}
     dev: false
 
+  /monaco-editor@0.46.0:
+    resolution: {integrity: sha512-ADwtLIIww+9FKybWscd7OCfm9odsFYHImBRI1v9AviGce55QY8raT+9ihH8jX/E/e6QVSGM+pKj4jSUSRmALNQ==}
+    dev: true
+
   /ms@2.1.2:
     resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==}
 
@@ -17371,9 +17342,6 @@ packages:
       msgpackr-extract: 3.0.2
     dev: true
 
-  /multi-fork@0.0.2:
-    resolution: {integrity: sha1-gFiuxGFBJMftqhWBm4juiJ0+tOA=}
-
   /mute-stream@0.0.8:
     resolution: {integrity: sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==}
     dev: false
@@ -17439,6 +17407,11 @@ packages:
       tslib: 2.5.0
     dev: false
 
+  /no-case@4.0.0:
+    resolution: {integrity: sha512-WmS3EUGw+vXHlTgiUPi3NzbZNwH6+uGX0QLGgqG+aFSJ5rkX/Ee0nuwHBJfZTfQwwR8lGO819NEIwQ7CGhkdEQ==}
+    deprecated: Use `change-case`
+    dev: false
+
   /nock@13.3.1:
     resolution: {integrity: sha512-vHnopocZuI93p2ccivFyGuUfzjq2fxNyNurp7816mlT5V5HF4SzXu8lvLrVzBbNqzs+ODooZ6OksuSUNM7Njkw==}
     engines: {node: '>= 10.13'}
@@ -17459,11 +17432,6 @@ packages:
     resolution: {integrity: sha512-73sE9+3UaLYYFmDsFZnqCInzPyh3MqIwZO9cw58yIqAZhONrrabrYyYe3TuIqtIiOuTXVhsGau8hcrhhwSsDIQ==}
     dev: true
 
-  /node-domexception@1.0.0:
-    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
-    engines: {node: '>=10.5.0'}
-    dev: true
-
   /node-fetch@2.6.7:
     resolution: {integrity: sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==}
     engines: {node: 4.x || >=6.0.0}
@@ -17486,15 +17454,7 @@ packages:
         optional: true
     dependencies:
       whatwg-url: 5.0.0
-
-  /node-fetch@3.3.0:
-    resolution: {integrity: sha512-BKwRP/O0UvoMKp7GNdwPlObhYGB5DQqwhEDQlNKuoqwVYSxkSZCSbHjnFFmUEtwSKRPU4kNK8PbDYYitwaE3QA==}
-    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
-    dependencies:
-      data-uri-to-buffer: 4.0.0
-      fetch-blob: 3.2.0
-      formdata-polyfill: 4.0.10
-    dev: true
+    dev: false
 
   /node-forge@1.3.1:
     resolution: {integrity: sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==}
@@ -17617,6 +17577,7 @@ packages:
   /normalize-url@8.0.0:
     resolution: {integrity: sha512-uVFpKhj5MheNBJRTiMZ9pE/7hD1QTeEvugSJW/OmLzAp78PB5O6adfMNTvmfKhXBkvCzC+rqifWcVYpGFwTjnw==}
     engines: {node: '>=14.16'}
+    dev: false
 
   /npm-run-path@4.0.1:
     resolution: {integrity: sha512-S48WzZW777zhNIrn7gxOlISNAqi9ZC/uQFnRdbeIHhZhCA6UqpkOT8T1G7BvfdgP4Er8gF4sUbaS0i7QvIfCWw==}
@@ -17896,10 +17857,11 @@ packages:
   /p-cancelable@4.0.1:
     resolution: {integrity: sha512-wBowNApzd45EIKdO1LaU+LrMBwAcjfPaYtVzV3lmfM3gf8Z4CHZsiIqlM8TZZ8okYvh5A1cP6gTfCRQtwUpaUg==}
     engines: {node: '>=14.16'}
+    dev: false
 
-  /p-defer@3.0.0:
-    resolution: {integrity: sha512-ugZxsxmtTln604yeYd29EGrNhazN2lywetzpKhfmQjW/VJmhpDmWbiX+h0zL8V91R0UXkhb3KtPmyq9PZw3aYw==}
-    engines: {node: '>=8'}
+  /p-defer@4.0.0:
+    resolution: {integrity: sha512-Vb3QRvQ0Y5XnF40ZUWW7JfLogicVh/EnA5gBIvKDJoYpeI82+1E3AlB9yOcKFS0AhHrWVnAQO39fbR0G99IVEQ==}
+    engines: {node: '>=12'}
 
   /p-filter@2.1.0:
     resolution: {integrity: sha512-ZBxxZ5sL2HghephhpGAQdoskxplTwr7ICaehZwLIlfL6acuVgZPm8yBNuRAFBGEqtD/hmUeq9eqLg2ys9Xr/yw==}
@@ -17925,14 +17887,12 @@ packages:
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
     dependencies:
       yocto-queue: 1.0.0
-    dev: false
 
   /p-limit@5.0.0:
     resolution: {integrity: sha512-/Eaoq+QyLSiXQ4lyYV23f14mZRQcXnxfHrN0vCai+ak9G0pp9iEQukIIZq5NccEvwRB8PUnZT0KsOoDCINS1qQ==}
     engines: {node: '>=18'}
     dependencies:
       yocto-queue: 1.0.0
-    dev: false
 
   /p-locate@4.1.0:
     resolution: {integrity: sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==}
@@ -17952,7 +17912,6 @@ packages:
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
     dependencies:
       p-limit: 4.0.0
-    dev: false
 
   /p-map@2.1.0:
     resolution: {integrity: sha512-y3b8Kpd8OAN444hxfBbFfj1FY/RjtTd8tzYwhUqNYXx0fXx2iX4maP4Qr6qhIKbQXI02wTLAda4fYUbDagTUFw==}
@@ -17984,18 +17943,18 @@ packages:
     resolution: {integrity: sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==}
     engines: {node: '>=6'}
 
-  /pac-proxy-agent@7.0.0:
-    resolution: {integrity: sha512-t4tRAMx0uphnZrio0S0Jw9zg3oDbz1zVhQ/Vy18FjLfP1XOLNUEjaVxYCYRI6NS+BsMBXKIzV6cTLOkO9AtywA==}
+  /pac-proxy-agent@7.0.1:
+    resolution: {integrity: sha512-ASV8yU4LLKBAjqIPMbrgtaKIvxQri/yh2OpI+S6hVa9JRkUI3Y3NPFbfngDtY7oFtSMD3w31Xns89mDa3Feo5A==}
     engines: {node: '>= 14'}
     dependencies:
       '@tootallnate/quickjs-emscripten': 0.23.0
       agent-base: 7.1.0
       debug: 4.3.4
       get-uri: 6.0.1
-      http-proxy-agent: 7.0.0
-      https-proxy-agent: 7.0.1
+      http-proxy-agent: 7.0.2
+      https-proxy-agent: 7.0.4
       pac-resolver: 7.0.0
-      socks-proxy-agent: 8.0.1
+      socks-proxy-agent: 8.0.2
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -18060,6 +18019,7 @@ packages:
     engines: {node: '>=6'}
     dependencies:
       callsites: 3.1.0
+    dev: true
 
   /parse-entities@2.0.0:
     resolution: {integrity: sha512-kkywGpCcRYhqQIchaWqZ875wzpS/bMKhz5HnN3p7wveJTkTtyAB/AlnS0f8DFSqYW1T82t6yEAkEcB+A1I3MbQ==}
@@ -18080,11 +18040,7 @@ packages:
       error-ex: 1.3.2
       json-parse-even-better-errors: 2.3.1
       lines-and-columns: 1.2.4
-
-  /parse-ms@2.1.0:
-    resolution: {integrity: sha512-kHt7kzLoS9VBZfUsiKjv43mr91ea+U05EyKkEtqp7vNbHxmaVuEqN7XxeEVnGrMtYOAxGrDElSi96K7EgO1zCA==}
-    engines: {node: '>=6'}
-    dev: false
+    dev: true
 
   /parse-passwd@1.0.0:
     resolution: {integrity: sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==}
@@ -18116,7 +18072,6 @@ packages:
   /path-exists@5.0.0:
     resolution: {integrity: sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
-    dev: false
 
   /path-is-absolute@1.0.1:
     resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
@@ -18154,41 +18109,38 @@ packages:
   /path-type@4.0.0:
     resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
     engines: {node: '>=8'}
+    dev: true
+
+  /pathe@1.1.2:
+    resolution: {integrity: sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==}
+    dev: true
+
+  /pathval@1.1.1:
+    resolution: {integrity: sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==}
+    dev: true
 
   /pend@1.2.0:
     resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
     dev: true
 
+  /pg-cloudflare@1.1.1:
+    resolution: {integrity: sha512-xWPagP/4B6BgFO+EKz3JONXv3YDgvkbVrGw2mTo3D6tVDQRh1e7cqVGvyR3BE+eQgAvx1XhW/iEASj4/jCWl3Q==}
+    requiresBuild: true
+    optional: true
+
   /pg-connection-string@2.5.0:
     resolution: {integrity: sha512-r5o/V/ORTA6TmUnyWZR9nCj1klXCO2CEKNRlVuJptZe85QuhFayC7WeMic7ndayT5IRIR0S0xFxFi2ousartlQ==}
+    dev: true
 
-  /pg-copy-streams-binary@2.2.0:
-    resolution: {integrity: sha512-jPCWgTR8004wz5XOI2sc09+IMwE7YMeINYCabwPMCPtlgj2ay81VLCClMkj/u+xOeisRcN8vCrIZ4FrqlaTyBQ==}
-    dependencies:
-      bl: 4.1.0
-      bufferput: 0.1.3
-      ieee754: 1.2.1
-      int64-buffer: 0.99.1007
-      multi-fork: 0.0.2
-      through2: 3.0.2
-
-  /pg-copy-streams@5.1.1:
-    resolution: {integrity: sha512-ieW6JuiIo/4WQ7n+Wevr9zYvpM1AwUs6EwNCCA0VgKZ6ZQ7Y9k3IW00vqc6svX9FtENhbaTbLN7MxekraCrbfg==}
-    dependencies:
-      obuf: 1.1.2
-    dev: false
-
-  /pg-copy-streams@6.0.2:
-    resolution: {integrity: sha512-74doDsDUI3ti1IzeieA7c/VsTpZkBdgjMeag3BtJFV+3J0m7Z3UMJB8iQW+zUWHZGVF9d/WIRfledEaPfKcPEA==}
-    dependencies:
-      obuf: 1.1.2
+  /pg-connection-string@2.6.2:
+    resolution: {integrity: sha512-ch6OwaeaPYcova4kKZ15sbJ2hKb/VP48ZD2gE7i1J+L4MspCtBMAx8nMgz7bksc7IojCIIWuEhHibSMFH8m8oA==}
 
-  /pg-cursor@2.7.3(pg@8.8.0):
-    resolution: {integrity: sha512-vmjXRMD4jZK/oHaaYk6clTypgHNlzCCAqyLCO5d/UeI42egJVE5H4ZfZWACub3jzkHUXXyvibH207zAJg9iBOw==}
+  /pg-cursor@2.10.3(pg@8.11.3):
+    resolution: {integrity: sha512-rDyBVoqPVnx/PTmnwQAYgusSeAKlTL++gmpf5klVK+mYMFEqsOc6VHHZnPKc/4lOvr4r6fiMuoxSFuBF1dx4FQ==}
     peerDependencies:
       pg: ^8
     dependencies:
-      pg: 8.8.0
+      pg: 8.11.3
 
   /pg-formatter@1.3.0:
     resolution: {integrity: sha512-y1kNdgD+QWzhmYCm91z/k7VGyx6BekQg6ww/krFEEhw1IIB4zEk2xaB0pmueTcc59YFetpiHIKECgHEuw6gyvg==}
@@ -18197,6 +18149,7 @@ packages:
     dependencies:
       shell-quote: 1.7.3
       yargs: 17.7.2
+    dev: true
 
   /pg-int8@1.0.1:
     resolution: {integrity: sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==}
@@ -18212,6 +18165,14 @@ packages:
       pg: '>=8.0'
     dependencies:
       pg: 8.8.0
+    dev: true
+
+  /pg-pool@3.6.1(pg@8.11.3):
+    resolution: {integrity: sha512-jizsIzhkIitxCGfPRzJn1ZdcosIt3pz9Sh3V01fm1vZnbnCMgmGl5wvGGdNN2EL9Rmb0EcFoCkixH4Pu+sP9Og==}
+    peerDependencies:
+      pg: '>=8.0'
+    dependencies:
+      pg: 8.11.3
 
   /pg-protocol@1.6.0:
     resolution: {integrity: sha512-M+PDm637OY5WM307051+bsDia5Xej6d9IR4GwJse1qA1DIhiKlksvrneZOYQq42OM+spubpcNYEo2FcKQrDk+Q==}
@@ -18226,30 +18187,37 @@ packages:
       postgres-date: 1.0.7
       postgres-interval: 1.2.0
 
-  /pg-types@3.0.1:
-    resolution: {integrity: sha512-Q3zN2GyDEOrc9m6lxCru9JakbdVQY5/ylKxSXI/PcIQPVRDNBR7BxdeCtxa9WI+UIoE3JNcyAffGThOxd+V/4g==}
-    engines: {node: '>=8'}
-    dependencies:
-      pg-int8: 1.0.1
-      pg-numeric: 1.0.2
-      postgres-array: 2.0.0
-      postgres-bytea: 3.0.0
-      postgres-date: 1.0.7
-      postgres-interval: 1.2.0
-    dev: false
-
-  /pg-types@4.0.0:
-    resolution: {integrity: sha512-q4I7zG+d2mDg52WdrOA0TmBvab9ZBC8DE8+opl3gSegnH5ml+0pKbICOfRKXgwQ5aa6NRjLoF5pEDs0YpGvFrw==}
+  /pg-types@4.0.2:
+    resolution: {integrity: sha512-cRL3JpS3lKMGsKaWndugWQoLOCoP+Cic8oseVcbr0qhPzYD5DWXK+RZ9LY9wxRf7RQia4SCwQlXk0q6FCPrVng==}
     engines: {node: '>=10'}
     dependencies:
       pg-int8: 1.0.1
       pg-numeric: 1.0.2
-      postgres-array: 3.0.1
+      postgres-array: 3.0.2
       postgres-bytea: 3.0.0
-      postgres-date: 2.0.1
+      postgres-date: 2.1.0
       postgres-interval: 3.0.0
       postgres-range: 1.1.2
 
+  /pg@8.11.3:
+    resolution: {integrity: sha512-+9iuvG8QfaaUrrph+kpF24cXkH1YOOUeArRNYIxq1viYHZagBxrTno7cecY1Fa44tJeZvaoG+Djpkc3JwehN5g==}
+    engines: {node: '>= 8.0.0'}
+    peerDependencies:
+      pg-native: '>=3.0.1'
+    peerDependenciesMeta:
+      pg-native:
+        optional: true
+    dependencies:
+      buffer-writer: 2.0.0
+      packet-reader: 1.0.0
+      pg-connection-string: 2.6.2
+      pg-pool: 3.6.1(pg@8.11.3)
+      pg-protocol: 1.6.0
+      pg-types: 2.2.0
+      pgpass: 1.0.4
+    optionalDependencies:
+      pg-cloudflare: 1.1.1
+
   /pg@8.8.0:
     resolution: {integrity: sha512-UXYN0ziKj+AeNNP7VDMwrehpACThH7LUl/p8TDFpEUuSejCUIwGSfxpHsPvtM6/WXFy6SU4E5RG4IJV/TZAGjw==}
     engines: {node: '>= 8.0.0'}
@@ -18266,6 +18234,7 @@ packages:
       pg-protocol: 1.6.0
       pg-types: 2.2.0
       pgpass: 1.0.4
+    dev: true
 
   /pgpass@1.0.4:
     resolution: {integrity: sha512-YmuA56alyBq7M59vxVBfPJrGSozru8QAdoNlWuW3cz8l+UX3cWge0vTvjKhsSHSJpo3Bom8/Mm6hf0TR5GY0+w==}
@@ -18311,6 +18280,14 @@ packages:
       find-up: 5.0.0
     dev: true
 
+  /pkg-types@1.0.3:
+    resolution: {integrity: sha512-nN7pYi0AQqJnoLPC9eHFQ8AcyaixBUOwvqc5TDnIKCMEE6I0y8P7OKA7fPexsXGCGxQDl/cmrLAp26LhcwxZ4A==}
+    dependencies:
+      jsonc-parser: 3.2.0
+      mlly: 1.6.1
+      pathe: 1.1.2
+    dev: true
+
   /pluralize@8.0.0:
     resolution: {integrity: sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==}
     engines: {node: '>=4'}
@@ -18483,8 +18460,8 @@ packages:
     resolution: {integrity: sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==}
     engines: {node: '>=4'}
 
-  /postgres-array@3.0.1:
-    resolution: {integrity: sha512-h7i53Dw2Yq3a1uuZ6lbVFAkvMMwssJ8jkzeAg0XaZm1XIFF/t/s+tockdqbWTymyEm07dVenOQbFisEi+kj8uA==}
+  /postgres-array@3.0.2:
+    resolution: {integrity: sha512-6faShkdFugNQCLwucjPcY5ARoW1SlbnrZjmGl0IrrqewpvxvhSLHimCVzqeuULCbG0fQv7Dtk1yDbG3xv7Veog==}
     engines: {node: '>=12'}
 
   /postgres-bytea@1.0.0:
@@ -18501,8 +18478,8 @@ packages:
     resolution: {integrity: sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==}
     engines: {node: '>=0.10.0'}
 
-  /postgres-date@2.0.1:
-    resolution: {integrity: sha512-YtMKdsDt5Ojv1wQRvUhnyDJNSr2dGIC96mQVKz7xufp07nfuFONzdaowrMHjlAzY6GDLd4f+LUHHAAM1h4MdUw==}
+  /postgres-date@2.1.0:
+    resolution: {integrity: sha512-K7Juri8gtgXVcDfZttFKVmhglp7epKb1K4pgrkLxehjqkrgPhfG6OO8LHLkfaqkbpjNRnra018XwAr1yQFWGcA==}
     engines: {node: '>=12'}
 
   /postgres-interval@1.2.0:
@@ -18511,17 +18488,12 @@ packages:
     dependencies:
       xtend: 4.0.2
 
-  /postgres-interval@2.1.0:
-    resolution: {integrity: sha512-LM7OHNmCxmFZkxCran7gu2S2sm1FxXrUCcasE3PkuIQS0pm0xGk4iTfEzrDghFSSRkAtNDbLuYevvKrjhAHZBQ==}
-    engines: {node: '>=8'}
-    dev: false
-
   /postgres-interval@3.0.0:
     resolution: {integrity: sha512-BSNDnbyZCXSxgA+1f5UU2GmwhoI0aU5yMxRGO8CdFEcY2BQF9xm/7MqKnYoM1nJDk8nONNWDk9WeSmePFhQdlw==}
     engines: {node: '>=12'}
 
-  /postgres-interval@4.0.0:
-    resolution: {integrity: sha512-OWeL7kyEKJiY7mCmVY+c7/6uhAlt/colA/Nl/Mgls/M3jssrQzFra04iNWnD/qAmG7TsCSgWAASCyiaoBOP/sg==}
+  /postgres-interval@4.0.2:
+    resolution: {integrity: sha512-EMsphSQ1YkQqKZL2cuG0zHkmjCCzQqQ71l2GXITqRwjhRleCdv00bDk/ktaSi0LnlaPzAc3535KTrjXsTdtx7A==}
     engines: {node: '>=12'}
 
   /postgres-range@1.1.2:
@@ -18595,6 +18567,11 @@ packages:
     hasBin: true
     dev: true
 
+  /pretty-bytes@6.1.1:
+    resolution: {integrity: sha512-mQUvGU6aUFQ+rNvTIAcZuWGRT9a6f6Yrg9bHs4ImKF+HZCEK+plBvnAZYSIQztknZF2qnzNtr6F8s0+IuptdlQ==}
+    engines: {node: ^14.13.1 || >=16.0.0}
+    dev: true
+
   /pretty-format@27.5.1:
     resolution: {integrity: sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==}
     engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0}
@@ -18604,15 +18581,6 @@ packages:
       react-is: 17.0.2
     dev: true
 
-  /pretty-format@29.5.0:
-    resolution: {integrity: sha512-V2mGkI31qdttvTFX7Mt4efOqHXqJWMu4/r66Xh3Z3BwZaPfPJgp6/gbwoujRpPUtfEF6AUUWx3Jim3GCw5g/Qw==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-    dependencies:
-      '@jest/schemas': 29.4.3
-      ansi-styles: 5.2.0
-      react-is: 18.2.0
-    dev: true
-
   /pretty-format@29.7.0:
     resolution: {integrity: sha512-Pdlw/oPxN+aXdmM9R00JVC9WVFoCLTKJvDVLgmJ+qAffBMxsV85l/Lu7sNx4zSzPyoL2euImuEwHhOXdEgNFZQ==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
@@ -18622,20 +18590,6 @@ packages:
       react-is: 18.2.0
     dev: true
 
-  /pretty-ms@6.0.1:
-    resolution: {integrity: sha512-ke4njoVmlotekHlHyCZ3wI/c5AMT8peuHs8rKJqekj/oR5G8lND2dVpicFlUz5cbZgE290vvkMuDwfj/OcW1kw==}
-    engines: {node: '>=10'}
-    dependencies:
-      parse-ms: 2.1.0
-    dev: false
-
-  /pretty-ms@7.0.1:
-    resolution: {integrity: sha512-973driJZvxiGOQ5ONsFhOF/DtzPMOMtgC11kCpUrPGMTgqp2q/1gwzCquocrN33is0VZ5GFHXZYMM9l6h67v2Q==}
-    engines: {node: '>=10'}
-    dependencies:
-      parse-ms: 2.1.0
-    dev: false
-
   /prismjs@1.27.0:
     resolution: {integrity: sha512-t13BGPUlFDR7wRB5kQDG4jjl7XeuH6jbJGt11JHPL96qwsEHNX2+68tFXqc1/k+/jALsbSWJKUOT/hcYAZ5LkA==}
     engines: {node: '>=6'}
@@ -18686,18 +18640,18 @@ packages:
     engines: {node: '>=4'}
     dev: true
 
-  /proxy-agent@6.3.0:
-    resolution: {integrity: sha512-0LdR757eTj/JfuU7TL2YCuAZnxWXu3tkJbg4Oq3geW/qFNT/32T0sp2HnZ9O0lMR4q3vwAt0+xCA8SR0WAD0og==}
+  /proxy-agent@6.4.0:
+    resolution: {integrity: sha512-u0piLU+nCOHMgGjRbimiXmA9kM/L9EHh3zL81xCdp7m+Y2pHIsnmbdDoEDoAz5geaonNR6q6+yOPQs6n4T6sBQ==}
     engines: {node: '>= 14'}
     dependencies:
       agent-base: 7.1.0
       debug: 4.3.4
-      http-proxy-agent: 7.0.0
-      https-proxy-agent: 7.0.1
+      http-proxy-agent: 7.0.2
+      https-proxy-agent: 7.0.4
       lru-cache: 7.18.3
-      pac-proxy-agent: 7.0.0
+      pac-proxy-agent: 7.0.1
       proxy-from-env: 1.1.0
-      socks-proxy-agent: 8.0.1
+      socks-proxy-agent: 8.0.2
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -18729,35 +18683,35 @@ packages:
     resolution: {integrity: sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==}
     engines: {node: '>=6'}
 
-  /puppeteer-core@21.0.0:
-    resolution: {integrity: sha512-frnAOQ0pKrwxlYLziy+aB8q7cOm8Ym9Y5VqbdE7alOaOPIK3ynpYLi/1D6XJSKw3WExHmeI2z6TVO85SUxpVAQ==}
-    engines: {node: '>=16.3.0'}
+  /puppeteer-core@22.6.0:
+    resolution: {integrity: sha512-xclyGFhxHfZ9l62uXFm+JpgtJHLIZ1qHc7iR4eaIqBNKA5Dg2sDr8yvylfCx5bMN89QWIaxpV6IHsy0qUynK/g==}
+    engines: {node: '>=18'}
     dependencies:
-      '@puppeteer/browsers': 1.5.0
-      chromium-bidi: 0.4.20(devtools-protocol@0.0.1147663)
-      cross-fetch: 4.0.0
+      '@puppeteer/browsers': 2.2.0
+      chromium-bidi: 0.5.13(devtools-protocol@0.0.1262051)
       debug: 4.3.4
-      devtools-protocol: 0.0.1147663
-      ws: 8.13.0
+      devtools-protocol: 0.0.1262051
+      ws: 8.16.0
     transitivePeerDependencies:
       - bufferutil
-      - encoding
       - supports-color
       - utf-8-validate
     dev: true
 
-  /puppeteer@21.0.0:
-    resolution: {integrity: sha512-a3rpCJuKQ7mzlwMJzKX6GhvGeg4CUn4d9+dv+riQDpY4mns32Q9OnmkfTZ3VlbDhGyrdBf1xXF1Z4y0of00WYg==}
-    engines: {node: '>=16.3.0'}
+  /puppeteer@22.6.0(typescript@5.3.3):
+    resolution: {integrity: sha512-TYeza4rl1YXfxqUVw/0hWUWYX5cicnf6qu5kkDV+t7QrESCjMoSNnva4ZA/MRGQ03HnB9BOFw9nxs/SKek5KDA==}
+    engines: {node: '>=18'}
+    hasBin: true
     requiresBuild: true
     dependencies:
-      '@puppeteer/browsers': 1.5.0
-      cosmiconfig: 8.2.0
-      puppeteer-core: 21.0.0
+      '@puppeteer/browsers': 2.2.0
+      cosmiconfig: 9.0.0(typescript@5.3.3)
+      devtools-protocol: 0.0.1262051
+      puppeteer-core: 22.6.0
     transitivePeerDependencies:
       - bufferutil
-      - encoding
       - supports-color
+      - typescript
       - utf-8-validate
     dev: true
 
@@ -18816,6 +18770,7 @@ packages:
 
   /queue-tick@1.0.1:
     resolution: {integrity: sha512-kJt5qhMxoszgU/62PLP1CJytzd2NKetjSRnyuj31fDd3Rlcz3fzlFdFLD1SItunPwyqEOkca6GbV612BWfaBag==}
+    requiresBuild: true
     dev: true
 
   /quick-lru@4.0.1:
@@ -19520,6 +19475,7 @@ packages:
 
   /resolve-alpn@1.2.1:
     resolution: {integrity: sha512-0a1F4l73/ZFZOakJnQ3FvkJ2+gSTQWz/r2KE5OdDY0TxPm5h4GkqkWWfM47T7HsbnOtcJVEF4epCVy6u7Q3K+g==}
+    dev: false
 
   /resolve-cwd@3.0.0:
     resolution: {integrity: sha512-OrZaX2Mb+rJCpH/6CpSqt9xFVpN++x01XnN2ie9g6P5/3xelLAkXWVADpdz1IHD/KFfEXyE6V0U01OQ3UO2rEg==}
@@ -19539,19 +19495,13 @@ packages:
   /resolve-from@4.0.0:
     resolution: {integrity: sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==}
     engines: {node: '>=4'}
+    dev: true
 
   /resolve-from@5.0.0:
     resolution: {integrity: sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw==}
     engines: {node: '>=8'}
     dev: true
 
-  /resolve-global@1.0.0:
-    resolution: {integrity: sha512-zFa12V4OLtT5XUX/Q4VLvTfBf+Ok0SPc1FNGM/z9ctUdiU618qwKpWnd0CHs3+RqROfyEg/DhuHbMWYqcgljEw==}
-    engines: {node: '>=8'}
-    dependencies:
-      global-dirs: 0.1.1
-    dev: true
-
   /resolve-path@1.4.0:
     resolution: {integrity: sha1-xL2p9e+y/OZSR4c6s2u02DT+Fvc=}
     engines: {node: '>= 0.8'}
@@ -19587,6 +19537,7 @@ packages:
     engines: {node: '>=14.16'}
     dependencies:
       lowercase-keys: 3.0.0
+    dev: false
 
   /restore-cursor@4.0.0:
     resolution: {integrity: sha512-I9fPXU9geO9bHOt9pHHOhOkYerIMsmVaWB0rA2AI9ERh/+x/i7MV5HKBNrg+ljO5eoPVgCcnFuRjJ9uH6I/3eg==}
@@ -19625,18 +19576,6 @@ packages:
       glob: 7.2.3
     dev: true
 
-  /roarr@2.15.4:
-    resolution: {integrity: sha512-CHhPh+UNHD2GTXNYhPWLnU8ONHdI+5DI+4EYIAOaiD63rHeYlZvyh8P+in5999TTSFgUYuKUAjzRI4mdh/p+2A==}
-    engines: {node: '>=8.0'}
-    dependencies:
-      boolean: 3.1.4
-      detect-node: 2.1.0
-      globalthis: 1.0.2
-      json-stringify-safe: 5.0.1
-      semver-compare: 1.0.0
-      sprintf-js: 1.1.2
-    dev: false
-
   /roarr@7.11.0:
     resolution: {integrity: sha512-DKiMaEYHoOZ0JyD4Ohr5KRnqybQ162s3ZL/WNO9oy6EUszYvpp0eLYJErc/U4NI96HYnHsbROhFaH4LYuJPnDg==}
     engines: {node: '>=12.0'}
@@ -19648,18 +19587,27 @@ packages:
       globalthis: 1.0.2
       semver-compare: 1.0.0
 
-  /rollup-plugin-summary@2.0.0(rollup@4.12.0):
-    resolution: {integrity: sha512-7Av6DQeCmVNpFmCdkkbMya1CneeGWhjSXXQ3B4yDO+BvN/Kbohqi3IEYXAvgHP3iIafSfMyOw+PBLFUlvf1ViA==}
-    engines: {node: '>=14.0.0'}
+  /roarr@7.21.1:
+    resolution: {integrity: sha512-3niqt5bXFY1InKU8HKWqqYTYjtrBaxBMnXELXCXUYgtNYGUtZM5rB46HIC430AyacL95iEniGf7RgqsesykLmQ==}
+    engines: {node: '>=18.0'}
+    dependencies:
+      fast-printf: 1.6.9
+      safe-stable-stringify: 2.4.3
+      semver-compare: 1.0.0
+
+  /rollup-plugin-output-size@1.3.0(rollup@4.12.0):
+    resolution: {integrity: sha512-OrTfhj8mxFAO4Yp7OEWwI388uhsiBNDCpfD6tOmcqPfNs5+CWZPDtVmTRZrmXMWfv8skWCOm5ToO4UPy7eRqYg==}
+    engines: {node: '>=14.16.0'}
     peerDependencies:
-      rollup: ^2.68.0||^3.0.0
+      rollup: ^2.0.0 || ^3.0.0 || ^4.0.0
+    peerDependenciesMeta:
+      rollup:
+        optional: true
     dependencies:
-      brotli-size: 4.0.0
-      cli-table3: 0.6.3
-      filesize: 10.1.0
+      colorette: 2.0.20
       gzip-size: 7.0.0
+      pretty-bytes: 6.1.1
       rollup: 4.12.0
-      terser: 5.28.1
     dev: true
 
   /rollup@4.12.0:
@@ -19724,6 +19672,10 @@ packages:
       regexp-tree: 0.1.24
     dev: true
 
+  /safe-stable-stringify@2.4.3:
+    resolution: {integrity: sha512-e2bDA2WJT0wxseVd4lsDP4+3ONX6HpMXQa1ZhFQ7SU+GjvORCmShbCMltrtIDfkYhVHrOcPtj+KhmDBdPdZD1g==}
+    engines: {node: '>=10'}
+
   /safer-buffer@2.1.2:
     resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}
 
@@ -19788,14 +19740,6 @@ packages:
     dependencies:
       lru-cache: 6.0.0
 
-  /semver@7.5.4:
-    resolution: {integrity: sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==}
-    engines: {node: '>=10'}
-    hasBin: true
-    dependencies:
-      lru-cache: 6.0.0
-    dev: true
-
   /semver@7.6.0:
     resolution: {integrity: sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==}
     engines: {node: '>=10'}
@@ -19803,18 +19747,11 @@ packages:
     dependencies:
       lru-cache: 6.0.0
 
-  /serialize-error@7.0.1:
-    resolution: {integrity: sha512-8I8TjW5KMOKsZQTvoxjuSIa7foAwPWGOts+6o7sgjz41/qMD9VQHEDxi6PBvK2l0MXUmqZyNpUK+T2tQaaElvw==}
-    engines: {node: '>=10'}
-    dependencies:
-      type-fest: 0.13.1
-    dev: false
-
-  /serialize-error@8.1.0:
-    resolution: {integrity: sha512-3NnuWfM6vBYoy5gZFvHiYsVbafvI9vZv/+jlIigFn4oP4zjNPK3LhcY0xSCgeb1a5L8jO71Mit9LlNoi2UfDDQ==}
-    engines: {node: '>=10'}
+  /serialize-error@11.0.3:
+    resolution: {integrity: sha512-2G2y++21dhj2R7iHAdd0FIzjGwuKZld+7Pl/bTU6YIkrC2ZMbVUjm+luj6A6V34Rv9XfKJDKpTWu9W4Gse1D9g==}
+    engines: {node: '>=14.16'}
     dependencies:
-      type-fest: 0.20.2
+      type-fest: 2.19.0
 
   /set-blocking@2.0.0:
     resolution: {integrity: sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==}
@@ -19852,6 +19789,7 @@ packages:
 
   /shell-quote@1.7.3:
     resolution: {integrity: sha512-Vpfqwm4EnqGdlsBFNmHhxhElJYrdfcxPThu+ryKS5J8L/fhAwLazFZtq+S+TWZ9ANj2piSQLGj6NQg+lKPmxrw==}
+    dev: true
 
   /shimmer@1.2.1:
     resolution: {integrity: sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==}
@@ -19864,6 +19802,10 @@ packages:
       get-intrinsic: 1.1.3
       object-inspect: 1.12.2
 
+  /siginfo@2.0.0:
+    resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
+    dev: true
+
   /signal-exit@3.0.7:
     resolution: {integrity: sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==}
 
@@ -19896,169 +19838,35 @@ packages:
     dev: true
 
   /sisteransi@1.0.5:
-    resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
-    dev: true
-
-  /slash@3.0.0:
-    resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==}
-    engines: {node: '>=8'}
-    dev: true
-
-  /slash@4.0.0:
-    resolution: {integrity: sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==}
-    engines: {node: '>=12'}
-    dev: true
-
-  /slice-ansi@2.1.0:
-    resolution: {integrity: sha512-Qu+VC3EwYLldKa1fCxuuvULvSJOKEgk9pi8dZeCVK7TqBfUNTH4sFkk4joj8afVSfAYgJoSOetjx9QWOJ5mYoQ==}
-    engines: {node: '>=6'}
-    dependencies:
-      ansi-styles: 3.2.1
-      astral-regex: 1.0.0
-      is-fullwidth-code-point: 2.0.0
-    dev: false
-
-  /slice-ansi@4.0.0:
-    resolution: {integrity: sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==}
-    engines: {node: '>=10'}
-    dependencies:
-      ansi-styles: 4.3.0
-      astral-regex: 2.0.0
-      is-fullwidth-code-point: 3.0.0
-    dev: true
-
-  /slice-ansi@5.0.0:
-    resolution: {integrity: sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==}
-    engines: {node: '>=12'}
-    dependencies:
-      ansi-styles: 6.2.1
-      is-fullwidth-code-point: 4.0.0
-    dev: true
-
-  /slonik-interceptor-field-name-transformation@1.6.4(slonik@22.7.1):
-    resolution: {integrity: sha512-VqO3r0iM9ngjauccE6nIkSlgHOLdMMErtPvoG7Z/U+yx6VNKr5VhWbz04FqXk2nvY1fYxDwVMEkjMbFRDNH0zg==}
-    engines: {node: '>=8.0'}
-    peerDependencies:
-      slonik: '*'
-    dependencies:
-      camelcase: 6.3.0
-      core-js: 3.34.0
-      slonik: 22.7.1
-    dev: false
-
-  /slonik-interceptor-preset@1.2.10:
-    resolution: {integrity: sha512-TKy5roPfJh+f7GIaGuJGhS5U51mqFgrlEA5GmfpO+KuqHeUEvjEwju2pKtrQVqqxewN17YSIvJH7ZxNoA7SoYQ==}
-    engines: {node: '>=8.0'}
-    dependencies:
-      slonik: 22.7.1
-      slonik-interceptor-field-name-transformation: 1.6.4(slonik@22.7.1)
-      slonik-interceptor-query-benchmarking: 1.3.10
-      slonik-interceptor-query-logging: 1.4.6(slonik@22.7.1)
-      slonik-interceptor-query-normalisation: 1.1.10
-    transitivePeerDependencies:
-      - pg-native
-    dev: false
-
-  /slonik-interceptor-query-benchmarking@1.3.10:
-    resolution: {integrity: sha512-f9jxhsu+8u0ssf2pdzLx1jSlGODkAitNbGrprJWGOjmnQzZKW4jWaq54DZGwyNv4HotOb9m4Lp0u9XQODKXyng==}
-    engines: {node: '>=8.0'}
-    dependencies:
-      core-js: 3.34.0
-      pg-formatter: 1.3.0
-      pretty-ms: 6.0.1
-      slonik: 22.7.1
-      table: 5.4.6
-      wrap-ansi: 6.2.0
-    transitivePeerDependencies:
-      - pg-native
-    dev: false
-
-  /slonik-interceptor-query-logging@1.4.6(slonik@22.7.1):
-    resolution: {integrity: sha512-ZBUEYizvT4Oxpp8T8UjhnO54LRsGhKSmCZehWalwjGMiaouIqFAho0JaKmCJytoyJdLk2pPUQIW5uFagJ76Oyg==}
-    engines: {node: '>=8.0'}
-    peerDependencies:
-      slonik: '*'
-    dependencies:
-      crack-json: 1.3.0
-      pretty-ms: 7.0.1
-      serialize-error: 8.1.0
-      slonik: 22.7.1
-    dev: false
+    resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
+    dev: true
 
-  /slonik-interceptor-query-normalisation@1.1.10:
-    resolution: {integrity: sha512-TAuWVFBVnq7I5KcEY/x1JgVgIVZ0yyyeRlMTzKs+u4wRYhszQW2hMIYnDak/UUfWR1h6wp3+hODiC4gKyBOUcg==}
-    engines: {node: '>=8.0'}
-    dependencies:
-      core-js: 3.34.0
-      slonik: 22.7.1
-    transitivePeerDependencies:
-      - pg-native
-    dev: false
+  /slash@3.0.0:
+    resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==}
+    engines: {node: '>=8'}
+    dev: true
 
-  /slonik-sql-tag-raw@1.1.4(roarr@7.11.0)(slonik@30.1.2):
-    resolution: {integrity: sha512-os6iRAkQgKNoVzudRtLBlxjqmyQHJdPHw/eMIBJDnUfD5dle5uIyEKtblayW7eBr5x7blkzUg4BgvRkeDZeZPA==}
-    engines: {node: '>=10.0'}
-    peerDependencies:
-      roarr: '>=7.0.3'
-      slonik: '>=27.0.0'
-    dependencies:
-      lodash: 4.17.21
-      roarr: 7.11.0
-      serialize-error: 8.1.0
-      slonik: 30.1.2
+  /slash@4.0.0:
+    resolution: {integrity: sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==}
+    engines: {node: '>=12'}
+    dev: true
 
-  /slonik@22.7.1:
-    resolution: {integrity: sha512-88GidNOWv4Bg0CqYLXajqcD0bbLip2soY6B4JzHP7EGDrWUb1WSlu7mIppTJVfcK99mx+jnX3xQq3FJ0DoOXag==}
-    engines: {node: '>=10.0'}
+  /slice-ansi@4.0.0:
+    resolution: {integrity: sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==}
+    engines: {node: '>=10'}
     dependencies:
-      concat-stream: 2.0.0
-      delay: 4.4.1
-      es6-error: 4.1.1
-      get-stack-trace: 2.1.1
-      inline-loops.macro: 1.2.2
-      is-plain-object: 5.0.0
-      iso8601-duration: 1.3.0
-      pg: 8.8.0
-      pg-connection-string: 2.5.0
-      pg-copy-streams: 5.1.1
-      pg-copy-streams-binary: 2.2.0
-      pg-cursor: 2.7.3(pg@8.8.0)
-      pg-types: 3.0.1
-      postgres-array: 2.0.0
-      postgres-interval: 2.1.0
-      roarr: 2.15.4
-      serialize-error: 7.0.1
-      through2: 4.0.2
-      ulid: 2.3.0
-    transitivePeerDependencies:
-      - pg-native
-    dev: false
+      ansi-styles: 4.3.0
+      astral-regex: 2.0.0
+      is-fullwidth-code-point: 3.0.0
+    dev: true
 
-  /slonik@30.1.2:
-    resolution: {integrity: sha512-vNCZT4eEr3cKnm83LF8QOCTfm3TH/XSQdMnG4X3A+V1PVJFG3JKjRMB8jwin/3eYeM6nVCSXeZqlPGlHHXrgBQ==}
-    engines: {node: '>=10.0'}
+  /slice-ansi@5.0.0:
+    resolution: {integrity: sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==}
+    engines: {node: '>=12'}
     dependencies:
-      concat-stream: 2.0.0
-      es6-error: 4.1.1
-      fast-safe-stringify: 2.1.1
-      get-stack-trace: 2.1.1
-      hyperid: 2.3.1
-      is-plain-object: 5.0.0
-      iso8601-duration: 1.3.0
-      p-defer: 3.0.0
-      pg: 8.8.0
-      pg-copy-streams: 6.0.2
-      pg-copy-streams-binary: 2.2.0
-      pg-cursor: 2.7.3(pg@8.8.0)
-      pg-protocol: 1.6.0
-      pg-types: 4.0.0
-      postgres-array: 3.0.1
-      postgres-interval: 4.0.0
-      roarr: 7.11.0
-      serialize-error: 8.1.0
-      through2: 4.0.2
-    transitivePeerDependencies:
-      - pg-native
+      ansi-styles: 6.2.1
+      is-fullwidth-code-point: 4.0.0
+    dev: true
 
   /smart-buffer@4.2.0:
     resolution: {integrity: sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==}
@@ -20085,8 +19893,15 @@ packages:
       tslib: 2.4.1
     dev: false
 
-  /snakecase-keys@6.0.0:
-    resolution: {integrity: sha512-E5a0C3rcj+Cvq+dt41mw6tV6Wx78/JpQyR71GDiyGSXdp3jEvKxv8pIP0tOHmEMiqKVZSwflXtlWwqNn5oTbbQ==}
+  /snake-case@4.0.0:
+    resolution: {integrity: sha512-slvG6efKZ3GYUUZdhPOq/lLIqutwQ4TdPViD1VKqsbf0u76U/aPRswPKjOaAS9T7fAPmRmXuN6C/nM0xsMaFLQ==}
+    deprecated: Use `change-case`
+    dependencies:
+      no-case: 4.0.0
+    dev: false
+
+  /snakecase-keys@7.0.0:
+    resolution: {integrity: sha512-yFnXqBIFFpXlIWiGPvYhfelzQqRVchuM1XIQXVwIFrZuNWBPE6vBkuJitzbl6yMIjjpA40IYxqi88BE9RX2Yxw==}
     engines: {node: '>=18'}
     dependencies:
       map-obj: 4.3.0
@@ -20094,8 +19909,8 @@ packages:
       type-fest: 3.13.1
     dev: false
 
-  /socks-proxy-agent@8.0.1:
-    resolution: {integrity: sha512-59EjPbbgg8U3x62hhKOFVAmySQUcfRQ4C7Q/D5sEHnZTQRrQlNKINks44DMR1gwXp0p4LaVIeccX2KHTTcHVqQ==}
+  /socks-proxy-agent@8.0.2:
+    resolution: {integrity: sha512-8zuqoLv1aP/66PHF5TqwJ7Czm3Yv32urJQHrVyhD7mmA6d61Zv8cIXQYPTWwmg6qlupnPvs/QKDmfa4P/qct2g==}
     engines: {node: '>= 14'}
     dependencies:
       agent-base: 7.1.0
@@ -20125,13 +19940,6 @@ packages:
       source-map: 0.6.1
     dev: true
 
-  /source-map-support@0.5.21:
-    resolution: {integrity: sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==}
-    dependencies:
-      buffer-from: 1.1.2
-      source-map: 0.6.1
-    dev: true
-
   /source-map@0.5.7:
     resolution: {integrity: sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==}
     engines: {node: '>=0.10.0'}
@@ -20212,10 +20020,6 @@ packages:
     resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
     dev: true
 
-  /sprintf-js@1.1.2:
-    resolution: {integrity: sha512-VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==}
-    dev: false
-
   /sql-parse@0.1.5:
     resolution: {integrity: sha512-e2ExBX6iDHoCDC1zN2NvZV49UMhKVLvvwrDjzSVHFS3TKHKtIpl2nMDQkdlbTjDVvf2bxRYBq9iXAAMZvZpGVA==}
     engines: {node: '>=0.10'}
@@ -20242,6 +20046,14 @@ packages:
       escape-string-regexp: 2.0.0
     dev: true
 
+  /stackback@0.0.2:
+    resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
+    dev: true
+
+  /state-local@1.0.7:
+    resolution: {integrity: sha512-HTEHMNieakEnoe33shBYcZ7NX83ACUjCu8c40iOGEZsngj9zRnkqS9j1pqQPXwobB0ZcVTk27REb7COQ0UR59w==}
+    dev: true
+
   /state-toggle@1.0.3:
     resolution: {integrity: sha512-d/5Z4/2iiCnHw6Xzghyhb+GcmF89bxwgXG60wjIiZaxnymbyOmI8Hk4VqHXiVVp6u2ysaskFfXg3ekCj4WNftQ==}
     dev: true
@@ -20255,6 +20067,10 @@ packages:
     engines: {node: '>= 0.8'}
     dev: false
 
+  /std-env@3.7.0:
+    resolution: {integrity: sha512-JPbdCEQLj1w5GilpiHAx3qJvFndqybBysA3qUOnznweH4QbNYUsW/ea8QzSrnh0vNsezMMw5bcVool8lM0gwzg==}
+    dev: true
+
   /stdin-discarder@0.2.2:
     resolution: {integrity: sha512-UhDfHmA92YAlNnCfhmq0VeNL5bDbiZGg7sZ2IvPsXubGkiNa9EC+tUTsjBRsYUAz87btI6/1wf4XoVvQ3uRnmQ==}
     engines: {node: '>=18'}
@@ -20303,15 +20119,6 @@ packages:
   /string-similarity@4.0.4:
     resolution: {integrity: sha512-/q/8Q4Bl4ZKAPjj8WerIBJWALKkaPRfrvhfF8k/B23i4nzrlRj2/go1m90In7nG/3XDSbOo0+pu6RvCTM9RGMQ==}
 
-  /string-width@3.1.0:
-    resolution: {integrity: sha512-vafcv6KjVZKSgz06oM/H6GDBrAtz8vdhQakGjFIvNrHA6y3HCF1CInLy+QLq8dTJPQ1b+KDUqDFctkdRW44e1w==}
-    engines: {node: '>=6'}
-    dependencies:
-      emoji-regex: 7.0.3
-      is-fullwidth-code-point: 2.0.0
-      strip-ansi: 5.2.0
-    dev: false
-
   /string-width@4.2.3:
     resolution: {integrity: sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==}
     engines: {node: '>=8'}
@@ -20371,13 +20178,6 @@ packages:
     dependencies:
       safe-buffer: 5.2.1
 
-  /strip-ansi@5.2.0:
-    resolution: {integrity: sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==}
-    engines: {node: '>=6'}
-    dependencies:
-      ansi-regex: 4.1.1
-    dev: false
-
   /strip-ansi@6.0.1:
     resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
     engines: {node: '>=8'}
@@ -20436,6 +20236,12 @@ packages:
     engines: {node: '>=8'}
     dev: true
 
+  /strip-literal@2.0.0:
+    resolution: {integrity: sha512-f9vHgsCWBq2ugHAkGMiiYY+AYG0D/cbloKKg0nhaaaSNsujdGIpVXCNsrJpCKr5M0f4aI31mr13UjY6GAuXCKA==}
+    dependencies:
+      js-tokens: 8.0.3
+    dev: true
+
   /strnum@1.0.5:
     resolution: {integrity: sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==}
     dev: false
@@ -20792,16 +20598,6 @@ packages:
       tslib: 2.6.2
     dev: true
 
-  /table@5.4.6:
-    resolution: {integrity: sha512-wmEc8m4fjnob4gt5riFRtTu/6+4rSe12TpAELNSqHMfF3IqnA+CH37USM6/YR3qRZv7e56kAEAtd6nKZaxe0Ug==}
-    engines: {node: '>=6.0.0'}
-    dependencies:
-      ajv: 6.12.6
-      lodash: 4.17.21
-      slice-ansi: 2.1.0
-      string-width: 3.1.0
-    dev: false
-
   /table@6.8.1:
     resolution: {integrity: sha512-Y4X9zqrCftUhMeH2EptSSERdVKt/nEdijTOacGD/97EKjhQ/Qs8RTlEGABSJNNN8lac9kheH+af7yAkEWlgneA==}
     engines: {node: '>=10.0.0'}
@@ -20818,12 +20614,14 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /tar-fs@3.0.4:
-    resolution: {integrity: sha512-5AFQU8b9qLfZCX9zp2duONhPmZv0hGYiBPJsyUdqMjzq/mqVpy/rEUSeHk1+YitmxugaptgBh5oDGU3VsAJq4w==}
+  /tar-fs@3.0.5:
+    resolution: {integrity: sha512-JOgGAmZyMgbqpLwct7ZV8VzkEB6pxXFBVErLtb+XCOqzc6w1xiWKI9GVd6bwk68EX7eJ4DWmfXVmq8K2ziZTGg==}
     dependencies:
-      mkdirp-classic: 0.5.3
       pump: 3.0.0
       tar-stream: 3.1.6
+    optionalDependencies:
+      bare-fs: 2.2.2
+      bare-path: 2.1.0
     dev: true
 
   /tar-stream@3.1.6:
@@ -20865,17 +20663,6 @@ packages:
     engines: {node: '>=8'}
     dev: true
 
-  /terser@5.28.1:
-    resolution: {integrity: sha512-wM+bZp54v/E9eRRGXb5ZFDvinrJIOaTapx3WUokyVGZu5ucVCK55zEgGd5Dl2fSr3jUo5sDiERErUWLY6QPFyA==}
-    engines: {node: '>=10'}
-    hasBin: true
-    dependencies:
-      '@jridgewell/source-map': 0.3.5
-      acorn: 8.10.0
-      commander: 2.20.3
-      source-map-support: 0.5.21
-    dev: true
-
   /test-exclude@6.0.0:
     resolution: {integrity: sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==}
     engines: {node: '>=8'}
@@ -20903,12 +20690,6 @@ packages:
     engines: {node: '>=0.2.6'}
     dev: false
 
-  /through2@3.0.2:
-    resolution: {integrity: sha512-enaDQ4MUyP2W6ZyT6EsMzqBPZaM/avg8iuo+l2d3QCs0J+6RaqkHV/2/lOwDTueBHeJ/2LG9lrLW3d5rWPucuQ==}
-    dependencies:
-      inherits: 2.0.4
-      readable-stream: 3.6.2
-
   /through2@4.0.2:
     resolution: {integrity: sha512-iOqSav00cVxEEICeD7TjLB1sueEL+81Wpzp2bY17uZjZN0pWZPuo4suZ/61VujxmqSGFfgOcNuTZ85QJwNZQpw==}
     dependencies:
@@ -20931,10 +20712,24 @@ packages:
       globrex: 0.1.2
     dev: true
 
+  /tinybench@2.6.0:
+    resolution: {integrity: sha512-N8hW3PG/3aOoZAN5V/NSAEDz0ZixDSSt5b/a05iqtpgfLWMSVuCo7w0k2vVvEjdrIoeGqZzweX2WlyioNIHchA==}
+    dev: true
+
   /tinycolor2@1.6.0:
     resolution: {integrity: sha512-XPaBkWQJdsf3pLKJV9p4qN/S+fm2Oj8AIPo1BTUhg5oxkvm9+SVEGFdhyOz7tTdUTfvxMiAs4sp6/eZO2Ew+pw==}
     dev: true
 
+  /tinypool@0.8.2:
+    resolution: {integrity: sha512-SUszKYe5wgsxnNOVlBYO6IC+8VGWdVGZWAqUxp3UErNBtptZvWbwyUOyzNL59zigz2rCA92QiL3wvG+JDSdJdQ==}
+    engines: {node: '>=14.0.0'}
+    dev: true
+
+  /tinyspy@2.2.1:
+    resolution: {integrity: sha512-KYad6Vy5VDWV4GH3fjpseMQ/XU2BhIYP7Vzd0LG44qRWm/Yt2WCOTicFdvmgo6gWaqooMQCawTtILVQJupKu7A==}
+    engines: {node: '>=14.0.0'}
+    dev: true
+
   /titleize@4.0.0:
     resolution: {integrity: sha512-ZgUJ1K83rhdu7uh7EHAC2BgY5DzoX8V5rTvoWI4vFysggi6YjLe5gUXABPWAU7VkvGP7P/0YiWq+dcPeYDsf1g==}
     engines: {node: '>=18'}
@@ -20953,6 +20748,7 @@ packages:
   /to-fast-properties@2.0.0:
     resolution: {integrity: sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==}
     engines: {node: '>=4'}
+    dev: true
 
   /to-regex-range@5.0.1:
     resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
@@ -20984,6 +20780,7 @@ packages:
 
   /tr46@0.0.3:
     resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==}
+    dev: false
 
   /tr46@1.0.1:
     resolution: {integrity: sha512-dTpowEjclQ7Kgx5SdBkqRzVhERQXov8/l9Ft9dVM9fmg0W0KQSVaXX9T4i6twCPNtYiZM53lpSSUAwJbFPOHxA==}
@@ -21144,6 +20941,7 @@ packages:
   /type-fest@0.13.1:
     resolution: {integrity: sha512-34R7HTnG0XIJcBSn5XhDd7nNFPRcXYRZrBB2O2jdKqYODldSzBAqzsWoZYYvduky73toYS/ESqxPvkDf/F0XMg==}
     engines: {node: '>=10'}
+    dev: true
 
   /type-fest@0.18.1:
     resolution: {integrity: sha512-OIAYXk8+ISY+qTOwkHtKqzAuxchoMiD9Udx+FSGQDuiRR+PJKJHc2NJAXlbhkGwTt/4/nKZxELY1w3ReWOL8mw==}
@@ -21153,6 +20951,7 @@ packages:
   /type-fest@0.20.2:
     resolution: {integrity: sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==}
     engines: {node: '>=10'}
+    dev: true
 
   /type-fest@0.21.3:
     resolution: {integrity: sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w==}
@@ -21174,6 +20973,10 @@ packages:
     engines: {node: '>=10'}
     dev: true
 
+  /type-fest@2.19.0:
+    resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
+    engines: {node: '>=12.20'}
+
   /type-fest@3.13.1:
     resolution: {integrity: sha512-tLq3bSNx+xSpwvAJnzrK0Ep5CLNWjvFTOp71URMaAEWBfRb9nnJiBoUe0tF8bI4ZFO3omgBR6NvnbzVUT3Ly4g==}
     engines: {node: '>=14.16'}
@@ -21190,9 +20993,6 @@ packages:
       media-typer: 0.3.0
       mime-types: 2.1.35
 
-  /typedarray@0.0.6:
-    resolution: {integrity: sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==}
-
   /typescript@5.0.2:
     resolution: {integrity: sha512-wVORMBGO/FAs/++blGNeAVdbNKtIh1rbBL2EyQ1+J9lClJ93KiiKe8PmFIVdXhHcyv44SL9oglmfeSsndo0jRw==}
     engines: {node: '>=12.20'}
@@ -21208,10 +21008,9 @@ packages:
     resolution: {integrity: sha512-00y/AXhx0/SsnI51fTc0rLRmafiGOM4/O+ny10Ps7f+j/b8p/ZY11ytMgznXkOVo4GQ+KwQG5UQLkLGirsACRg==}
     dev: true
 
-  /ulid@2.3.0:
-    resolution: {integrity: sha512-keqHubrlpvT6G2wH0OEfSW4mquYRcbe/J8NMmveoQOjUqmo+hXtO+ORCpWhdbZ7k72UtY61BL7haGxW6enBnjw==}
-    hasBin: true
-    dev: false
+  /ufo@1.5.2:
+    resolution: {integrity: sha512-eiutMaL0J2MKdhcOM1tUy13pIrYnyR87fEd8STJQFrrAwImwvlXkxlZEjaKah8r2viPohld08lt73QfLG1NxMg==}
+    dev: true
 
   /unbox-primitive@1.0.2:
     resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
@@ -21246,7 +21045,6 @@ packages:
   /unicorn-magic@0.1.0:
     resolution: {integrity: sha512-lRfVq8fE8gz6QMBuDM6a+LO3IAzTi05H6gCVaUpir2E1Rwpo4ZUog45KpNXKC/Mn3Yb9UDuHumeFTo9iV/D9FQ==}
     engines: {node: '>=18'}
-    dev: false
 
   /unified@11.0.3:
     resolution: {integrity: sha512-jlCV402P+YDcFcB2VcN/n8JasOddqIiaxv118wNBoZXEhOn+lYG7BR4Bfg2BwxvlK58dwbuH2w7GX2esAjL6Mg==}
@@ -21364,11 +21162,6 @@ packages:
     engines: {node: '>= 4.0.0'}
     dev: true
 
-  /universalify@2.0.0:
-    resolution: {integrity: sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==}
-    engines: {node: '>= 10.0.0'}
-    dev: true
-
   /unpipe@1.0.0:
     resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
     engines: {node: '>= 0.8'}
@@ -21397,6 +21190,10 @@ packages:
       requires-port: 1.0.0
     dev: true
 
+  /urlpattern-polyfill@10.0.0:
+    resolution: {integrity: sha512-H/A06tKD7sS1O1X2SshBVeA5FLycRpjqiBeqGKmBwBDBy28EnRjORxTNe269KSSr5un5qyWi1iL61wLxpd+ZOg==}
+    dev: true
+
   /use-debounced-loader@0.1.1(react@18.2.0):
     resolution: {integrity: sha512-FbY/ynor7wZV55v1EvvAvu8CvSoEKT1azS2zFb/aLlL0vySbqTM7x9fIcaOJN++E52mVINNDe2VmWWd+Q00S+A==}
     engines: {node: '>=10'}
@@ -21422,12 +21219,10 @@ packages:
     engines: {node: '>= 4'}
     dev: true
 
-  /uuid-parse@1.1.0:
-    resolution: {integrity: sha512-OdmXxA8rDsQ7YpNVbKSJkNzTw2I+S5WsbMDnCtIWSQaosNAcWtFuI/YK1TjzUI6nbkgiqEyh8gWngfcv8Asd9A==}
-
   /uuid@8.3.2:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
     hasBin: true
+    dev: false
 
   /uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
@@ -21442,13 +21237,13 @@ packages:
     resolution: {integrity: sha512-l8lCEmLcLYZh4nbunNZvQCJc5pv7+RCwa8q/LdUx8u7lsWvPDKmpodJAJNwkAhJC//dFY48KuIEmjtd4RViDrA==}
     dev: true
 
-  /v8-to-istanbul@9.0.1:
-    resolution: {integrity: sha512-74Y4LqY74kLE6IFyIjPtkSTWzUZmj8tdHT9Ii/26dvQ6K9Dl2NbEfj0XgU2sHCtKgt5VupqhlO/5aWuqS+IY1w==}
+  /v8-to-istanbul@9.2.0:
+    resolution: {integrity: sha512-/EH/sDgxU2eGxajKdwLCDmQ4FWq+kpi3uCmBGpw1xJtnAxEjlD8j8PEiGWpCIMIs3ciNAgH0d3TTJiUkYzyZjA==}
     engines: {node: '>=10.12.0'}
     dependencies:
-      '@jridgewell/trace-mapping': 0.3.18
+      '@jridgewell/trace-mapping': 0.3.25
       '@types/istanbul-lib-coverage': 2.0.4
-      convert-source-map: 1.9.0
+      convert-source-map: 2.0.0
     dev: true
 
   /validate-npm-package-license@3.0.4:
@@ -21497,6 +21292,232 @@ packages:
       vfile-message: 4.0.2
     dev: true
 
+  /vite-node@1.4.0(@types/node@20.10.4):
+    resolution: {integrity: sha512-VZDAseqjrHgNd4Kh8icYHWzTKSCZMhia7GyHfhtzLW33fZlG9SwsB6CEhgyVOWkJfJ2pFLrp/Gj1FSfAiqH9Lw==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    dependencies:
+      cac: 6.7.14
+      debug: 4.3.4
+      pathe: 1.1.2
+      picocolors: 1.0.0
+      vite: 5.1.6(@types/node@20.10.4)
+    transitivePeerDependencies:
+      - '@types/node'
+      - less
+      - lightningcss
+      - sass
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+    dev: true
+
+  /vite-node@1.4.0(@types/node@20.11.20):
+    resolution: {integrity: sha512-VZDAseqjrHgNd4Kh8icYHWzTKSCZMhia7GyHfhtzLW33fZlG9SwsB6CEhgyVOWkJfJ2pFLrp/Gj1FSfAiqH9Lw==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    dependencies:
+      cac: 6.7.14
+      debug: 4.3.4
+      pathe: 1.1.2
+      picocolors: 1.0.0
+      vite: 5.1.6(@types/node@20.11.20)
+    transitivePeerDependencies:
+      - '@types/node'
+      - less
+      - lightningcss
+      - sass
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+    dev: true
+
+  /vite@5.1.6(@types/node@20.10.4):
+    resolution: {integrity: sha512-yYIAZs9nVfRJ/AiOLCA91zzhjsHUgMjB+EigzFb6W2XTLO8JixBCKCjvhKZaye+NKYHCrkv3Oh50dH9EdLU2RA==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@types/node': ^18.0.0 || >=20.0.0
+      less: '*'
+      lightningcss: ^1.21.0
+      sass: '*'
+      stylus: '*'
+      sugarss: '*'
+      terser: ^5.4.0
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+      less:
+        optional: true
+      lightningcss:
+        optional: true
+      sass:
+        optional: true
+      stylus:
+        optional: true
+      sugarss:
+        optional: true
+      terser:
+        optional: true
+    dependencies:
+      '@types/node': 20.10.4
+      esbuild: 0.19.12
+      postcss: 8.4.35
+      rollup: 4.12.0
+    optionalDependencies:
+      fsevents: 2.3.3
+    dev: true
+
+  /vite@5.1.6(@types/node@20.11.20):
+    resolution: {integrity: sha512-yYIAZs9nVfRJ/AiOLCA91zzhjsHUgMjB+EigzFb6W2XTLO8JixBCKCjvhKZaye+NKYHCrkv3Oh50dH9EdLU2RA==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@types/node': ^18.0.0 || >=20.0.0
+      less: '*'
+      lightningcss: ^1.21.0
+      sass: '*'
+      stylus: '*'
+      sugarss: '*'
+      terser: ^5.4.0
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+      less:
+        optional: true
+      lightningcss:
+        optional: true
+      sass:
+        optional: true
+      stylus:
+        optional: true
+      sugarss:
+        optional: true
+      terser:
+        optional: true
+    dependencies:
+      '@types/node': 20.11.20
+      esbuild: 0.19.12
+      postcss: 8.4.35
+      rollup: 4.12.0
+    optionalDependencies:
+      fsevents: 2.3.3
+    dev: true
+
+  /vitest@1.4.0(@types/node@20.10.4):
+    resolution: {integrity: sha512-gujzn0g7fmwf83/WzrDTnncZt2UiXP41mHuFYFrdwaLRVQ6JYQEiME2IfEjU3vcFL3VKa75XhI3lFgn+hfVsQw==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@types/node': ^18.0.0 || >=20.0.0
+      '@vitest/browser': 1.4.0
+      '@vitest/ui': 1.4.0
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+    dependencies:
+      '@types/node': 20.10.4
+      '@vitest/expect': 1.4.0
+      '@vitest/runner': 1.4.0
+      '@vitest/snapshot': 1.4.0
+      '@vitest/spy': 1.4.0
+      '@vitest/utils': 1.4.0
+      acorn-walk: 8.3.2
+      chai: 4.4.1
+      debug: 4.3.4
+      execa: 8.0.1
+      local-pkg: 0.5.0
+      magic-string: 0.30.7
+      pathe: 1.1.2
+      picocolors: 1.0.0
+      std-env: 3.7.0
+      strip-literal: 2.0.0
+      tinybench: 2.6.0
+      tinypool: 0.8.2
+      vite: 5.1.6(@types/node@20.10.4)
+      vite-node: 1.4.0(@types/node@20.10.4)
+      why-is-node-running: 2.2.2
+    transitivePeerDependencies:
+      - less
+      - lightningcss
+      - sass
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+    dev: true
+
+  /vitest@1.4.0(@types/node@20.11.20):
+    resolution: {integrity: sha512-gujzn0g7fmwf83/WzrDTnncZt2UiXP41mHuFYFrdwaLRVQ6JYQEiME2IfEjU3vcFL3VKa75XhI3lFgn+hfVsQw==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@types/node': ^18.0.0 || >=20.0.0
+      '@vitest/browser': 1.4.0
+      '@vitest/ui': 1.4.0
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+    dependencies:
+      '@types/node': 20.11.20
+      '@vitest/expect': 1.4.0
+      '@vitest/runner': 1.4.0
+      '@vitest/snapshot': 1.4.0
+      '@vitest/spy': 1.4.0
+      '@vitest/utils': 1.4.0
+      acorn-walk: 8.3.2
+      chai: 4.4.1
+      debug: 4.3.4
+      execa: 8.0.1
+      local-pkg: 0.5.0
+      magic-string: 0.30.7
+      pathe: 1.1.2
+      picocolors: 1.0.0
+      std-env: 3.7.0
+      strip-literal: 2.0.0
+      tinybench: 2.6.0
+      tinypool: 0.8.2
+      vite: 5.1.6(@types/node@20.11.20)
+      vite-node: 1.4.0(@types/node@20.11.20)
+      why-is-node-running: 2.2.2
+    transitivePeerDependencies:
+      - less
+      - lightningcss
+      - sass
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+    dev: true
+
   /void-elements@3.1.0:
     resolution: {integrity: sha1-YU9/v42AHwu18GYfWy9XhXUOTwk=}
     engines: {node: '>=0.10.0'}
@@ -21548,13 +21569,9 @@ packages:
     resolution: {integrity: sha512-wYxSGajtmoP4WxfejAPIr4l0fVh+jeMXZb08wNc0tMg6xsfZXj3cECqIK0G7ZAqUq0PP8WlMDtaOGVBTAWztNw==}
     dev: true
 
-  /web-streams-polyfill@3.2.1:
-    resolution: {integrity: sha512-e0MO3wdXWKrLbL0DgGnUV7WHVuw9OUvL4hjgnPkIeEvESk74gAITi5G606JtZPp39cd8HA9VQzCIvA49LpPN5Q==}
-    engines: {node: '>= 8'}
-    dev: true
-
   /webidl-conversions@3.0.1:
     resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}
+    dev: false
 
   /webidl-conversions@4.0.2:
     resolution: {integrity: sha512-YQ+BmxuTgd6UXZW3+ICGfyqRyHXVlD5GtQr5+qjiNW7bF0cqrzX500HVXPBOvgXb5YnzDd+h0zqyv61KUD7+Sg==}
@@ -21589,6 +21606,7 @@ packages:
     dependencies:
       tr46: 0.0.3
       webidl-conversions: 3.0.1
+    dev: false
 
   /whatwg-url@7.1.0:
     resolution: {integrity: sha512-WUu7Rg1DroM7oQvGWfOiAK21n74Gg+T4elXEQYkOhtyLeWiJFoOGLXPKI/9gzIie9CtwVLm8wtw6YJdKyxSjeg==}
@@ -21633,6 +21651,15 @@ packages:
       isexe: 2.0.0
     dev: true
 
+  /why-is-node-running@2.2.2:
+    resolution: {integrity: sha512-6tSwToZxTOcotxHeA+qGCq1mVzKR3CwcJGmVcY+QE8SHy6TnpFnh8PAvPNHYr7EcuVeG0QSMxtYCuO1ta/G/oA==}
+    engines: {node: '>=8'}
+    hasBin: true
+    dependencies:
+      siginfo: 2.0.0
+      stackback: 0.0.2
+    dev: true
+
   /word-wrap@1.2.3:
     resolution: {integrity: sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==}
     engines: {node: '>=0.10.0'}
@@ -21699,8 +21726,8 @@ packages:
       signal-exit: 4.1.0
     dev: true
 
-  /ws@8.13.0:
-    resolution: {integrity: sha512-x9vcZYTrFPC7aSIbj7sRCYo7L/Xb8Iy+pW0ng0wt2vCJv7M9HOMy0UoN3rr+IFC7hb7vXoqS+P9ktyLLLhO+LA==}
+  /ws@8.16.0:
+    resolution: {integrity: sha512-HS0c//TP7Ina87TfiPUz1rQzMhHrl/SG2guqRcTOIUYD2q8uhUdNHZYJUaQ8aTGPzCh+c6oawMKW35nFl1dxyQ==}
     engines: {node: '>=10.0.0'}
     peerDependencies:
       bufferutil: ^4.0.1
@@ -21776,6 +21803,7 @@ packages:
   /yaml@1.10.2:
     resolution: {integrity: sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==}
     engines: {node: '>= 6'}
+    dev: true
 
   /yaml@2.3.3:
     resolution: {integrity: sha512-zw0VAJxgeZ6+++/su5AFoqBbZbrEakwu+X0M5HmcwUiBL7AzcuPKjj5we4xfQLp78LkEMpD0cOnUhmgOVy3KdQ==}
@@ -21827,19 +21855,6 @@ packages:
       yargs-parser: 21.1.1
     dev: false
 
-  /yargs@17.7.1:
-    resolution: {integrity: sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==}
-    engines: {node: '>=12'}
-    dependencies:
-      cliui: 8.0.1
-      escalade: 3.1.1
-      get-caller-file: 2.0.5
-      require-directory: 2.1.1
-      string-width: 4.2.3
-      y18n: 5.0.8
-      yargs-parser: 21.1.1
-    dev: true
-
   /yargs@17.7.2:
     resolution: {integrity: sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==}
     engines: {node: '>=12'}
@@ -21851,6 +21866,7 @@ packages:
       string-width: 4.2.3
       y18n: 5.0.8
       yargs-parser: 21.1.1
+    dev: true
 
   /yauzl@2.10.0:
     resolution: {integrity: sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==}
@@ -21875,7 +21891,16 @@ packages:
   /yocto-queue@1.0.0:
     resolution: {integrity: sha512-9bnSc/HEW2uRy67wc+T8UwauLuPJVn28jb+GtJY16iiKWyvmYJRXVT4UamsAEGQfPohgr2q4Tq0sQbQlxTfi1g==}
     engines: {node: '>=12.20'}
-    dev: false
+
+  /zod-to-ts@1.2.0(typescript@5.3.3)(zod@3.22.4):
+    resolution: {integrity: sha512-x30XE43V+InwGpvTySRNz9kB7qFU8DlyEy7BsSTCHPH1R0QasMmHWZDCzYm6bVXtj/9NNJAZF3jW8rzFvH5OFA==}
+    peerDependencies:
+      typescript: ^4.9.4 || ^5.0.2
+      zod: ^3
+    dependencies:
+      typescript: 5.3.3
+      zod: 3.22.4
+    dev: true
 
   /zod@3.22.4:
     resolution: {integrity: sha512-iC+8Io04lddc+mVqQ9AZ7OQ2MrUKGN+oIQyq1vemgt46jwCwLfhq7/pwnBnNXXXZb8VTVLKwp9EDkx+ryxIWmg==}