diff --git a/messages/en.json b/messages/en.json
index 0bc7365815..1ded4a20b6 100644
--- a/messages/en.json
+++ b/messages/en.json
@@ -247,10 +247,8 @@
   "alert-add-new-key": "Select new API key type",
   "alert-cannot-delete-owner-body": "This user is the last super admin of this organization, you cannot delete it. You can either assign the super admin role to another user or delete the organization.",
   "alert-cannot-delete-owner-title": "Cannot delete the last super admin",
-  "alert-confirm-appid-limit": "Limit the API key to certain apps",
   "alert-confirm-delete": "Confirm Delete",
   "alert-confirm-invite": "Confirm invitation",
-  "alert-confirm-org-limit": "Limit the API key to certain organizations",
   "alert-confirm-regenerate": "Confirm regenerating API key",
   "alert-delete-message": "Are you sure you want to delete this",
   "alert-delete-message-plural": "Are you sure you want to delete these",
diff --git a/playwright/e2e/apikeys.spec.ts b/playwright/e2e/apikeys.spec.ts
index e56311c562..e392477d4e 100644
--- a/playwright/e2e/apikeys.spec.ts
+++ b/playwright/e2e/apikeys.spec.ts
@@ -4,7 +4,9 @@ import { expect, test } from '../support/commands'
 async function createReadApiKey(page: Page, keyName: string) {
   await page.click('[data-test="create-key"]')
   await page.locator('#dialog-v2-content input[type="text"]').fill(keyName)
-  await page.locator('#dialog-v2-content input[name="key-type"][value="read"]').check()
+  await page.locator('#dialog-v2-content label').filter({ hasText: 'Read' }).click()
+  await page.locator('#dialog-v2-content label').filter({ hasText: 'Limit the API key to selected organizations?' }).click()
+  await page.locator('#dialog-v2-content label').filter({ hasText: 'Demo org' }).click()
   await page.getByRole('button', { name: 'Create' }).click()
   await expect(page.locator('[data-test="toast"]')).toContainText('Added new API key successfully')
 }
diff --git a/read_replicate/schema_replicate.sql b/read_replicate/schema_replicate.sql
index 05f43f6738..0d74820b35 100644
--- a/read_replicate/schema_replicate.sql
+++ b/read_replicate/schema_replicate.sql
@@ -87,6 +87,40 @@ $$;
 --
 
 
+--
+-- Name: apps; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.apps (
+    created_at timestamp with time zone DEFAULT now(),
+    app_id character varying NOT NULL,
+    icon_url character varying NOT NULL,
+    user_id uuid,
+    name character varying,
+    last_version character varying,
+    updated_at timestamp with time zone,
+    id uuid DEFAULT gen_random_uuid(),
+    retention bigint DEFAULT '2592000'::bigint NOT NULL,
+    owner_org uuid NOT NULL,
+    default_upload_channel character varying DEFAULT 'production'::character varying NOT NULL,
+    transfer_history jsonb[] DEFAULT '{}'::jsonb[],
+    channel_device_count bigint DEFAULT 0 NOT NULL,
+    manifest_bundle_count bigint DEFAULT 0 NOT NULL,
+    expose_metadata boolean DEFAULT false NOT NULL,
+    allow_preview boolean DEFAULT false NOT NULL,
+    allow_device_custom_id boolean DEFAULT true NOT NULL,
+    need_onboarding boolean DEFAULT false NOT NULL,
+    existing_app boolean DEFAULT false NOT NULL,
+    ios_store_url text,
+    android_store_url text,
+    stats_updated_at timestamp without time zone,
+    stats_refresh_requested_at timestamp without time zone,
+    build_timeout_seconds bigint DEFAULT 900 NOT NULL,
+    build_timeout_updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT apps_build_timeout_seconds_check CHECK (((build_timeout_seconds >= 300) AND (build_timeout_seconds <= 21600)))
+);
+
+
 --
 -- Name: app_versions; Type: TABLE; Schema: public; Owner: -
 --
@@ -132,40 +166,6 @@ ALTER TABLE public.app_versions ALTER COLUMN id ADD GENERATED BY DEFAULT AS IDEN
 );
 
 
---
--- Name: apps; Type: TABLE; Schema: public; Owner: -
---
-
-CREATE TABLE public.apps (
-    created_at timestamp with time zone DEFAULT now(),
-    app_id character varying NOT NULL,
-    icon_url character varying NOT NULL,
-    user_id uuid,
-    name character varying,
-    last_version character varying,
-    updated_at timestamp with time zone,
-    id uuid DEFAULT gen_random_uuid(),
-    retention bigint DEFAULT '2592000'::bigint NOT NULL,
-    owner_org uuid NOT NULL,
-    default_upload_channel character varying DEFAULT 'production'::character varying NOT NULL,
-    transfer_history jsonb[] DEFAULT '{}'::jsonb[],
-    channel_device_count bigint DEFAULT 0 NOT NULL,
-    manifest_bundle_count bigint DEFAULT 0 NOT NULL,
-    expose_metadata boolean DEFAULT false NOT NULL,
-    allow_preview boolean DEFAULT false NOT NULL,
-    allow_device_custom_id boolean DEFAULT true NOT NULL,
-    need_onboarding boolean DEFAULT false NOT NULL,
-    existing_app boolean DEFAULT false NOT NULL,
-    ios_store_url text,
-    android_store_url text,
-    stats_updated_at timestamp without time zone,
-    stats_refresh_requested_at timestamp without time zone,
-    build_timeout_seconds bigint DEFAULT 900 NOT NULL,
-    build_timeout_updated_at timestamp with time zone DEFAULT now() NOT NULL,
-    CONSTRAINT apps_build_timeout_seconds_check CHECK (((build_timeout_seconds >= 300) AND (build_timeout_seconds <= 21600)))
-);
-
-
 --
 -- Name: channel_devices; Type: TABLE; Schema: public; Owner: -
 --
diff --git a/scripts/check-supabase-migration-order.sh b/scripts/check-supabase-migration-order.sh
index 305076efe3..28ce064a79 100755
--- a/scripts/check-supabase-migration-order.sh
+++ b/scripts/check-supabase-migration-order.sh
@@ -55,7 +55,18 @@ added_timestamps_file="${tmp_dir}/added_timestamps.tsv"
 trap 'rm -rf "${tmp_dir}"' EXIT
 
 echo "Checking Supabase migrations against ${base_ref}"
-git fetch --no-tags origin "${target_branch}"
+if ! git fetch --no-tags origin "${target_branch}"; then
+  if git rev-parse --verify --quiet "${base_ref}^{commit}" >/dev/null; then
+    echo "⚠️  Could not fetch ${base_ref}; using existing local ref."
+  elif git rev-parse --verify --quiet "HEAD^1^{commit}" >/dev/null \
+    && git rev-parse --verify --quiet "HEAD^2^{commit}" >/dev/null; then
+    base_ref='HEAD^1'
+    echo "⚠️  Could not fetch origin/${target_branch}; using PR merge base parent."
+  else
+    echo "❌ Could not fetch ${base_ref} and no local fallback was available."
+    exit 1
+  fi
+fi
 
 : > "${base_timestamps_file}"
 while IFS= read -r file; do
diff --git a/scripts/restore_account.ts b/scripts/restore_account.ts
index 7d7d98dcb8..5de83bf64b 100644
--- a/scripts/restore_account.ts
+++ b/scripts/restore_account.ts
@@ -22,12 +22,9 @@ interface ApiKey {
   id: number
   created_at: string
   user_id: string
-  key: string
-  mode: 'all' | 'upload' | 'read' | 'write'
+  key: string | null
   updated_at: string
   name: string
-  limited_to_orgs: string[]
-  limited_to_apps: string[]
   expires_at: string | null
   key_hash: string | null
 }
@@ -90,12 +87,21 @@ async function main() {
       console.log(`  Found ${apikeys.length} API key(s) to restore`)
 
       for (const apikey of apikeys) {
-        // Check if this apikey already exists (by key value)
-        const { data: existingKey } = await supabase
+        if (!apikey.key && !apikey.key_hash) {
+          console.log(`  Skipping API key "${apikey.name}" - no key value or hash to restore`)
+          continue
+        }
+
+        // Check if this apikey already exists by visible key or hash.
+        let existingKeyQuery = supabase
           .from('apikeys')
           .select('id')
-          .eq('key', apikey.key)
-          .single()
+
+        existingKeyQuery = apikey.key
+          ? existingKeyQuery.eq('key', apikey.key)
+          : existingKeyQuery.eq('key_hash', apikey.key_hash)
+
+        const { data: existingKey } = await existingKeyQuery.single()
 
         if (existingKey) {
           console.log(`  Skipping API key "${apikey.name}" - already exists`)
@@ -108,10 +114,8 @@ async function main() {
           .insert({
             user_id: apikey.user_id,
             key: apikey.key,
-            mode: apikey.mode,
             name: apikey.name,
-            limited_to_orgs: apikey.limited_to_orgs || [],
-            limited_to_apps: apikey.limited_to_apps || [],
+            key_hash: apikey.key_hash,
             expires_at: apikey.expires_at,
           })
 
@@ -119,7 +123,7 @@ async function main() {
           console.error(`  Error restoring API key "${apikey.name}":`, insertError)
         }
         else {
-          console.log(`  Restored API key: "${apikey.name}"`)
+          console.log(`  Restored API key: "${apikey.name}" (RBAC bindings must be reassigned)`)
         }
       }
     }
diff --git a/src/components.d.ts b/src/components.d.ts
index 9620ecc5a6..689da7ae98 100644
--- a/src/components.d.ts
+++ b/src/components.d.ts
@@ -19,7 +19,6 @@ declare module 'vue' {
     AdminOnlyModal: typeof import('./components/AdminOnlyModal.vue')['default']
     AdminStatsCard: typeof import('./components/admin/AdminStatsCard.vue')['default']
     AdminTrendChart: typeof import('./components/admin/AdminTrendChart.vue')['default']
-    ApiKeyRbacManager: typeof import('./components/organization/ApiKeyRbacManager.vue')['default']
     AppAccess: typeof import('./components/dashboard/AppAccess.vue')['default']
     AppNotFoundModal: typeof import('./components/AppNotFoundModal.vue')['default']
     AppOnboardingFlow: typeof import('./components/dashboard/AppOnboardingFlow.vue')['default']
diff --git a/src/components/dashboard/AppAccess.vue b/src/components/dashboard/AppAccess.vue
index ced4710829..fd6b45b644 100644
--- a/src/components/dashboard/AppAccess.vue
+++ b/src/components/dashboard/AppAccess.vue
@@ -4,7 +4,6 @@ import type { TableColumn } from '~/components/comp_def'
 import { computed, onMounted, ref, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { toast } from 'vue-sonner'
-import IconInformation from '~icons/heroicons/information-circle'
 import IconLock from '~icons/heroicons/lock-closed'
 import IconPlus from '~icons/heroicons/plus'
 import IconShield from '~icons/heroicons/shield-check'
@@ -60,7 +59,6 @@ const roleBindings = ref<RoleBinding[]>([])
 const availableAppRoles = ref<Role[]>([])
 const search = ref('')
 const currentPage = ref(1)
-const useNewRbac = ref(false)
 const canAssignRoles = ref(false)
 const ownerOrg = ref<string>('')
 
@@ -145,27 +143,6 @@ async function fetchAppDetails() {
   }
 }
 
-async function checkRbacEnabled() {
-  if (!ownerOrg.value)
-    return
-
-  try {
-    const { data, error } = await supabase
-      .from('orgs')
-      .select('use_new_rbac')
-      .eq('id', ownerOrg.value)
-      .single()
-
-    if (error)
-      throw error
-
-    useNewRbac.value = (data as any)?.use_new_rbac || false
-  }
-  catch (error: any) {
-    console.error('Error checking RBAC status:', error)
-  }
-}
-
 async function fetchAppRoleBindings() {
   if (!props.appId || !ownerOrg.value)
     return
@@ -454,7 +431,6 @@ async function removeRoleBinding(bindingId: string) {
 
 async function loadAppAccess() {
   await fetchAppDetails()
-  await checkRbacEnabled()
   if (props.appId) {
     try {
       canAssignRoles.value = await checkPermissions('app.update_user_roles', { appId: props.appId })
@@ -467,14 +443,12 @@ async function loadAppAccess() {
   else {
     canAssignRoles.value = false
   }
-  if (useNewRbac.value) {
-    await Promise.all([
-      fetchAppRoleBindings(),
-      fetchAvailableAppRoles(),
-      fetchAvailableMembers(),
-      fetchAvailableGroups(),
-    ])
-  }
+  await Promise.all([
+    fetchAppRoleBindings(),
+    fetchAvailableAppRoles(),
+    fetchAvailableMembers(),
+    fetchAvailableGroups(),
+  ])
 }
 
 watch(() => props.appId, async () => {
@@ -488,12 +462,6 @@ onMounted(async () => {
 
 <template>
   <div class="w-full px-3 py-2">
-    <!-- RBAC not enabled message -->
-    <div v-if="!useNewRbac" class="mb-4 alert alert-info">
-      <IconInformation class="size-5" />
-      <span>{{ t('rbac-not-enabled-for-org') }}</span>
-    </div>
-
     <!-- Header -->
     <div class="flex items-center justify-between mb-4">
       <div>
@@ -506,7 +474,7 @@ onMounted(async () => {
         </p>
       </div>
       <button
-        v-if="useNewRbac && canAssignRoles"
+        v-if="canAssignRoles"
         class="d-btn d-btn-primary"
         @click="openAssignRoleModal"
       >
@@ -516,7 +484,7 @@ onMounted(async () => {
     </div>
 
     <!-- Search -->
-    <div v-if="useNewRbac" class="mb-4">
+    <div class="mb-4">
       <SearchInput
         v-model="search"
         :placeholder="t('search-role-bindings')"
@@ -526,7 +494,6 @@ onMounted(async () => {
 
     <!-- Role bindings table -->
     <DataTable
-      v-if="useNewRbac"
       :columns="columns"
       :element-list="filteredBindings"
       :total="filteredBindings.length"
diff --git a/src/components/dashboard/AppOnboardingFlow.vue b/src/components/dashboard/AppOnboardingFlow.vue
index 592f179cbe..b8cb319a9d 100644
--- a/src/components/dashboard/AppOnboardingFlow.vue
+++ b/src/components/dashboard/AppOnboardingFlow.vue
@@ -20,7 +20,7 @@ import IconSmartphone from '~icons/lucide/smartphone'
 import IconSparkles from '~icons/lucide/sparkles'
 import IconStore from '~icons/lucide/store'
 import IconTerminal from '~icons/lucide/terminal'
-import { createDefaultApiKey } from '~/services/apikeys'
+import { createDefaultApiKey, findUsablePlainApiKey } from '~/services/apikeys'
 import { createSignedImageUrl, getImmediateImageUrl } from '~/services/storage'
 import { getLocalConfig, isLocal, useSupabase } from '~/services/supabase'
 import { useDialogV2Store } from '~/stores/dialogv2'
@@ -257,18 +257,9 @@ async function ensureApiKey() {
   if (!userId)
     return
 
-  const isLiveKey = (expiresAt: string | null) => !expiresAt || new Date(expiresAt).getTime() > Date.now()
-
-  const { data, error } = await supabase
-    .from('apikeys')
-    .select('key, expires_at')
-    .eq('user_id', userId)
-    .eq('mode', 'all')
-    .order('created_at', { ascending: false })
-
-  const validKey = !error ? data?.find(key => !!key.key && isLiveKey(key.expires_at)) : null
-  if (validKey?.key) {
-    apiKey.value = validKey.key
+  const existingKey = await findUsablePlainApiKey(supabase, userId, currentOrg.value?.gid, resumeAppId.value)
+  if (existingKey) {
+    apiKey.value = existingKey
     return
   }
 
@@ -277,18 +268,16 @@ async function ensureApiKey() {
   if (!claimsUserId)
     return
 
-  const { error: createError } = await createDefaultApiKey(supabase, 'api-key')
+  const { data, error: createError } = await createDefaultApiKey(supabase, 'api-key', {
+    orgId: currentOrg.value?.gid,
+    appId: resumeAppId.value,
+  })
   if (createError)
     throw createError
 
-  const { data: refreshedData } = await supabase
-    .from('apikeys')
-    .select('key, expires_at')
-    .eq('user_id', claimsUserId)
-    .eq('mode', 'all')
-    .order('created_at', { ascending: false })
-
-  apiKey.value = refreshedData?.find(key => !!key.key && isLiveKey(key.expires_at))?.key ?? null
+  apiKey.value = typeof data?.key === 'string'
+    ? data.key
+    : await findUsablePlainApiKey(supabase, claimsUserId, currentOrg.value?.gid, resumeAppId.value)
 }
 
 async function loadResumeApp() {
diff --git a/src/components/dashboard/InviteTeammateModal.vue b/src/components/dashboard/InviteTeammateModal.vue
index ff09f4e328..9692bd0dab 100644
--- a/src/components/dashboard/InviteTeammateModal.vue
+++ b/src/components/dashboard/InviteTeammateModal.vue
@@ -1,5 +1,4 @@
 <script setup lang="ts">
-import type { Database } from '~/types/supabase.types'
 import { computed, ref, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { toast } from 'vue-sonner'
@@ -8,7 +7,7 @@ import { useSupabase } from '~/services/supabase'
 import { sendEvent } from '~/services/tracking'
 import { useDialogV2Store } from '~/stores/dialogv2'
 import { useOrganizationStore } from '~/stores/organization'
-import { notifyExistingUserInvite, resolveInviteNewUserErrorMessage, shouldNotifyExistingUserInvite } from '~/utils/invites'
+import { notifyExistingUserInvite, resolveInviteNewUserErrorMessage } from '~/utils/invites'
 
 interface InviteSuccessPayload {
   email: string
@@ -39,9 +38,8 @@ const inviteCaptchaElement = ref<InstanceType<typeof VueTurnstile> | null>(null)
 const captchaKey = ref(import.meta.env.VITE_CAPTCHA_KEY)
 const shouldUseCaptcha = computed(() => Boolean(captchaKey.value))
 const isInviting = ref(false)
-const useRbacInvites = computed(() => organizationStore.currentOrganization?.use_new_rbac === true)
-const existingUserInviteRole = computed(() => (useRbacInvites.value ? 'org_admin' : 'invite_admin'))
-const newUserInviteRole = computed(() => (useRbacInvites.value ? 'org_admin' : 'admin'))
+const existingUserInviteRole = 'org_admin'
+const newUserInviteRole = 'org_admin'
 const emailDialogTitle = computed(() => props.inviteKind === 'technical'
   ? t('onboarding-invite-option-modal-title')
   : t('invite-teammate-modal-title'))
@@ -212,24 +210,13 @@ async function handleEmailSubmit() {
     let data: string | null = null
     let error: unknown = null
 
-    if (useRbacInvites.value) {
-      const result = await supabase.rpc('invite_user_to_org_rbac', {
-        email,
-        org_id: orgId,
-        role_name: existingUserInviteRole.value,
-      })
-      data = result.data
-      error = result.error
-    }
-    else {
-      const result = await supabase.rpc('invite_user_to_org', {
-        email,
-        org_id: orgId,
-        invite_type: existingUserInviteRole.value as Database['public']['Enums']['user_min_right'],
-      })
-      data = result.data
-      error = result.error
-    }
+    const result = await supabase.rpc('invite_user_to_org_rbac', {
+      email,
+      org_id: orgId,
+      role_name: existingUserInviteRole,
+    })
+    data = result.data
+    error = result.error
 
     if (error) {
       console.error('Error inviting user:', error)
@@ -243,12 +230,10 @@ async function handleEmailSubmit() {
     }
 
     if (data === 'OK') {
-      if (shouldNotifyExistingUserInvite(existingUserInviteRole.value, useRbacInvites.value)) {
-        const notified = await notifyExistingUserInvite(supabase, email, orgId)
-        if (!notified) {
-          console.warn('Failed to send invite email notification, but invite was created')
-          toast.warning(t('org-invite-email-notification-failed'))
-        }
+      const notified = await notifyExistingUserInvite(supabase, email, orgId)
+      if (!notified) {
+        console.warn('Failed to send invite email notification, but invite was created')
+        toast.warning(t('org-invite-email-notification-failed'))
       }
       toast.success(t('org-invited-user'))
       completeInviteSuccess({
@@ -330,7 +315,7 @@ async function handleFullDetailsSubmit() {
       body: {
         email,
         org_id: orgId,
-        invite_type: newUserInviteRole.value,
+        invite_type: newUserInviteRole,
         captcha_token: shouldUseCaptcha.value ? inviteCaptchaToken.value : undefined,
         first_name: firstName,
         last_name: lastName,
diff --git a/src/components/dashboard/StepsApp.vue b/src/components/dashboard/StepsApp.vue
index b6a9316905..746d8c556d 100644
--- a/src/components/dashboard/StepsApp.vue
+++ b/src/components/dashboard/StepsApp.vue
@@ -7,7 +7,7 @@ import IconCheck from '~icons/lucide/check'
 import IconChevronDown from '~icons/lucide/chevron-down'
 import IconLoader from '~icons/lucide/loader-2'
 import InviteTeammateModal from '~/components/dashboard/InviteTeammateModal.vue'
-import { createDefaultApiKey } from '~/services/apikeys'
+import { createDefaultApiKey, findUsablePlainApiKey } from '~/services/apikeys'
 import { pushEvent } from '~/services/posthog'
 import { getLocalConfig, isLocal, useSupabase } from '~/services/supabase'
 import { sendEvent } from '~/services/tracking'
@@ -230,33 +230,30 @@ async function addNewApiKey() {
 
   if (!userId) {
     console.log('Not logged in, cannot regenerate API key')
-    return
+    return null
   }
-  const { error } = await createDefaultApiKey(supabase, t('api-key'))
+  const { data, error } = await createDefaultApiKey(supabase, t('api-key'), {
+    orgId: organizationStore.currentOrganization?.gid,
+    appId: appId.value,
+  })
 
   if (error)
     throw error
+
+  return typeof data?.key === 'string' ? data.key : null
 }
 
 async function getKey(retry = true): Promise<void> {
   isLoading.value = true
   if (!main?.user?.id)
     return
-  const { data, error } = await supabase
-    .from('apikeys')
-    .select()
-    .eq('user_id', main?.user?.id)
-    .eq('mode', 'all')
-
-  if (typeof data !== 'undefined' && data !== null && !error) {
-    if (data.length === 0) {
-      await addNewApiKey()
-      return getKey(false)
-    }
-    apiKey.value = data[0]?.key ?? null
+
+  const existingKey = await findUsablePlainApiKey(supabase, main.user.id, organizationStore.currentOrganization?.gid, appId.value)
+  if (existingKey) {
+    apiKey.value = existingKey
   }
-  else if (retry && main?.user?.id) {
-    return getKey(false)
+  else if (retry) {
+    apiKey.value = await addNewApiKey()
   }
 
   isLoading.value = false
diff --git a/src/components/dashboard/StepsBuild.vue b/src/components/dashboard/StepsBuild.vue
index 422e2865ac..61a5aebe5e 100644
--- a/src/components/dashboard/StepsBuild.vue
+++ b/src/components/dashboard/StepsBuild.vue
@@ -13,7 +13,7 @@ import IconSettings from '~icons/lucide/settings-2'
 import IconTerminal from '~icons/lucide/terminal-square'
 import IconAndroid from '~icons/mdi/android'
 import IconApple from '~icons/mdi/apple'
-import { createDefaultApiKey } from '~/services/apikeys'
+import { createDefaultApiKey, findUsablePlainApiKey } from '~/services/apikeys'
 import { pushEvent } from '~/services/posthog'
 import { getLocalConfig, isLocal, useSupabase } from '~/services/supabase'
 import { sendEvent } from '~/services/tracking'
@@ -222,35 +222,30 @@ async function addNewApiKey() {
 
   if (!userId) {
     console.log('Not logged in, cannot regenerate API key')
-    return
+    return null
   }
-  const { error } = await createDefaultApiKey(supabase, t('api-key'))
+  const { data, error } = await createDefaultApiKey(supabase, t('api-key'), {
+    orgId: organizationStore.currentOrganization?.gid,
+    appId: props.appId,
+  })
 
   if (error)
     throw error
+
+  return typeof data?.key === 'string' ? data.key : null
 }
 
 async function getKey(retry = true): Promise<void> {
   isLoading.value = true
   if (!main?.user?.id)
     return
-  const { data, error } = await supabase
-    .from('apikeys')
-    .select()
-    .eq('user_id', main?.user?.id)
-    .eq('mode', 'all')
-    .order('created_at', { ascending: true })
-    .limit(1)
 
-  if (typeof data !== 'undefined' && data !== null && !error) {
-    if (data.length === 0) {
-      await addNewApiKey()
-      return getKey(false)
-    }
-    apiKey.value = data[0].key ?? '[APIKEY]'
+  const existingKey = await findUsablePlainApiKey(supabase, main.user.id, organizationStore.currentOrganization?.gid, props.appId)
+  if (existingKey) {
+    apiKey.value = existingKey
   }
-  else if (retry && main?.user?.id) {
-    return getKey(false)
+  else if (retry) {
+    apiKey.value = await addNewApiKey() ?? '[APIKEY]'
   }
 
   isLoading.value = false
diff --git a/src/components/dashboard/StepsBundle.vue b/src/components/dashboard/StepsBundle.vue
index cf78d28588..040f11cc6c 100644
--- a/src/components/dashboard/StepsBundle.vue
+++ b/src/components/dashboard/StepsBundle.vue
@@ -5,7 +5,7 @@ import { toast } from 'vue-sonner'
 import arrowBack from '~icons/ion/arrow-back?width=2em&height=2em'
 import IconLoader from '~icons/lucide/loader-2'
 import InviteTeammateModal from '~/components/dashboard/InviteTeammateModal.vue'
-import { createDefaultApiKey } from '~/services/apikeys'
+import { createDefaultApiKey, findUsablePlainApiKey } from '~/services/apikeys'
 import { pushEvent } from '~/services/posthog'
 import { getLocalConfig, isLocal, useSupabase } from '~/services/supabase'
 import { sendEvent } from '~/services/tracking'
@@ -143,33 +143,34 @@ async function addNewApiKey() {
 
   if (!userId) {
     console.log('Not logged in, cannot regenerate API key')
-    return
+    return null
   }
-  const { error } = await createDefaultApiKey(supabase, t('api-key'))
+  const { data, error } = await createDefaultApiKey(supabase, t('api-key'), {
+    orgId: organizationStore.currentOrganization?.gid,
+    appId: props.appId,
+  })
 
   if (error)
     throw error
+
+  return typeof data?.key === 'string' ? data.key : null
 }
 
 async function getKey(retry = true): Promise<void> {
   isLoading.value = true
   if (!main?.user?.id)
     return
-  const { data, error } = await supabase
-    .from('apikeys')
-    .select()
-    .eq('user_id', main?.user?.id)
-    .eq('mode', 'all')
 
-  if (typeof data !== 'undefined' && data !== null && !error) {
-    if (data.length === 0) {
-      await addNewApiKey()
-      return getKey(false)
-    }
-    steps.value[0].command = steps.value[0].command?.replace('[APIKEY]', data[0].key ?? '')
+  const existingKey = await findUsablePlainApiKey(supabase, main.user.id, organizationStore.currentOrganization?.gid, props.appId)
+  if (existingKey) {
+    steps.value[0].command = steps.value[0].command?.replace('[APIKEY]', existingKey)
   }
-  else if (retry && main?.user?.id) {
-    return getKey(false)
+  else if (retry) {
+    const createdKey = await addNewApiKey()
+    if (createdKey)
+      steps.value[0].command = steps.value[0].command?.replace('[APIKEY]', createdKey)
+    else
+      return getKey(false)
   }
 
   isLoading.value = false
diff --git a/src/components/organization/ApiKeyRbacManager.vue b/src/components/organization/ApiKeyRbacManager.vue
deleted file mode 100644
index 84f2f3c475..0000000000
--- a/src/components/organization/ApiKeyRbacManager.vue
+++ /dev/null
@@ -1,481 +0,0 @@
-<script setup lang="ts">
-import type { Ref } from 'vue'
-import type { TableColumn } from '~/components/comp_def'
-import { computed, ref, watch } from 'vue'
-import { useI18n } from 'vue-i18n'
-import { useRouter } from 'vue-router'
-import { toast } from 'vue-sonner'
-import IconArrowPath from '~icons/heroicons/arrow-path'
-import IconTrash from '~icons/heroicons/trash'
-import IconWrench from '~icons/heroicons/wrench'
-import DataTable from '~/components/DataTable.vue'
-import {
-  confirmApiKeyDeletion,
-  confirmApiKeyRegeneration,
-  formatApiKeyScope,
-  isApiKeyExpired,
-  showApiKeySecretModal,
-  sortApiKeyRows,
-} from '~/services/apikeys'
-import { formatDate, formatLocalDate } from '~/services/date'
-import { useSupabase } from '~/services/supabase'
-import { useDialogV2Store } from '~/stores/dialogv2'
-import { getRbacRoleI18nKey } from '~/stores/organization'
-
-interface OrgApiKey {
-  id: number
-  rbac_id: string
-  name: string
-  mode: string
-  limited_to_orgs: string[] | null
-  limited_to_apps: string[] | null
-  user_id: string
-  created_at: string | null
-  expires_at: string | null
-}
-
-interface ApiKeyRow extends OrgApiKey {
-  key_type: 'v2' | 'legacy'
-  org_role: string | null
-}
-
-interface OrgApp {
-  app_id: string
-  name: string | null
-}
-
-interface RoleBinding {
-  id: string
-  principal_id: string
-  role_name: string
-  scope_type: string
-}
-
-type ApiKeyAction = NonNullable<TableColumn['actions']>[number]
-
-const props = defineProps<{
-  orgId: string
-  orgName: string
-  canManage: boolean
-}>()
-
-const { t } = useI18n()
-const router = useRouter()
-const supabase = useSupabase()
-const dialogStore = useDialogV2Store()
-
-const isLoading = ref(false)
-const isSubmitting = ref(false)
-const apiKeys = ref<OrgApiKey[]>([])
-const roleBindings = ref<RoleBinding[]>([])
-const apps = ref<OrgApp[]>([])
-const searchV2 = ref('')
-const searchLegacy = ref('')
-const currentPageV2 = ref(1)
-const currentPageLegacy = ref(1)
-const v2Columns: Ref<TableColumn[]> = ref<TableColumn[]>([])
-const legacyColumns: Ref<TableColumn[]> = ref<TableColumn[]>([])
-const unsupportedApiKeyOrgRoles = new Set(['org_billing_admin'])
-
-const bindingsByPrincipal = computed<Map<string, RoleBinding[]>>(() => {
-  const map = new Map<string, RoleBinding[]>()
-  roleBindings.value.forEach((binding) => {
-    const existing = map.get(binding.principal_id)
-    if (existing)
-      existing.push(binding)
-    else
-      map.set(binding.principal_id, [binding])
-  })
-  return map
-})
-
-const orgBindingsByPrincipal = computed<Map<string, RoleBinding>>(() =>
-  new Map(
-    roleBindings.value
-      .filter(binding => binding.scope_type === 'org')
-      .map(binding => [binding.principal_id, binding]),
-  ),
-)
-
-const appNamesByAppId = computed<Map<string, string>>(() =>
-  new Map(
-    apps.value.map(app => [app.app_id, app.name || app.app_id]),
-  ),
-)
-
-const apiKeyRows = computed<ApiKeyRow[]>(() =>
-  apiKeys.value.map(apiKey => ({
-    ...apiKey,
-    key_type: (bindingsByPrincipal.value.get(apiKey.rbac_id)?.length ?? 0) > 0 ? 'v2' : 'legacy',
-    org_role: (() => {
-      const roleName = orgBindingsByPrincipal.value.get(apiKey.rbac_id)?.role_name ?? null
-      return roleName && !unsupportedApiKeyOrgRoles.has(roleName) ? roleName : null
-    })(),
-  })),
-)
-
-function filterApiKeys(keyType: ApiKeyRow['key_type'], query: string) {
-  const scopedKeys = apiKeyRows.value.filter(apiKey => apiKey.key_type === keyType)
-  if (!query)
-    return scopedKeys
-
-  const q = query.toLowerCase()
-  return scopedKeys.filter((apiKey) => {
-    const roleName = apiKey.org_role ? getRoleDisplayName(apiKey.org_role).toLowerCase() : ''
-    return apiKey.name.toLowerCase().includes(q)
-      || apiKey.mode.toLowerCase().includes(q)
-      || roleName.includes(q)
-      || getOrgScopeDisplay(apiKey).toLowerCase().includes(q)
-      || getAppScopeDisplay(apiKey).toLowerCase().includes(q)
-  })
-}
-
-const v2Keys = computed(() => filterApiKeys('v2', searchV2.value))
-const legacyKeys = computed(() => filterApiKeys('legacy', searchLegacy.value))
-
-const sortedV2Keys = computed(() => sortApiKeyRows(v2Keys.value, v2Columns.value))
-const sortedLegacyKeys = computed(() => sortApiKeyRows(legacyKeys.value, legacyColumns.value))
-
-function createSharedScopeColumns(): TableColumn[] {
-  return [
-    {
-      key: 'expires_at',
-      label: t('expires'),
-      mobile: true,
-      displayFunction: (apiKey: ApiKeyRow) => {
-        if (!apiKey.expires_at)
-          return t('never')
-
-        return isApiKeyExpired(apiKey.expires_at)
-          ? `${formatDate(apiKey.expires_at)} (${t('expired')})`
-          : formatDate(apiKey.expires_at)
-      },
-    },
-    {
-      key: 'created_at',
-      label: t('created'),
-      sortable: true,
-      mobile: true,
-      displayFunction: (apiKey: ApiKeyRow) => apiKey.created_at ? formatLocalDate(apiKey.created_at) : t('none'),
-    },
-    {
-      key: 'limited_to_orgs',
-      label: t('organizations'),
-      mobile: true,
-      displayFunction: (apiKey: ApiKeyRow) => getOrgScopeDisplay(apiKey),
-    },
-    {
-      key: 'limited_to_apps',
-      label: t('apps'),
-      mobile: true,
-      displayFunction: (apiKey: ApiKeyRow) => getAppScopeDisplay(apiKey),
-    },
-  ]
-}
-
-function createActionsColumn(actions: ApiKeyAction[]): TableColumn {
-  return {
-    key: 'actions',
-    label: t('actions'),
-    mobile: true,
-    actions,
-  }
-}
-
-const computedV2Columns = computed<TableColumn[]>(() => {
-  const tableColumns: TableColumn[] = [
-    {
-      key: 'name',
-      label: t('name'),
-      sortable: true,
-      mobile: true,
-      head: true,
-    },
-    {
-      key: 'org_role',
-      label: t('role'),
-      mobile: true,
-      displayFunction: (apiKey: ApiKeyRow) => apiKey.org_role ? getRoleDisplayName(apiKey.org_role) : t('none'),
-    },
-    ...createSharedScopeColumns(),
-  ]
-
-  if (props.canManage) {
-    tableColumns.push(createActionsColumn([
-      {
-        icon: IconWrench,
-        title: t('manage'),
-        onClick: (apiKey: ApiKeyRow) => router.push(`/settings/organization/api-keys/${apiKey.rbac_id}`),
-      },
-      {
-        icon: IconArrowPath,
-        title: t('button-regenerate'),
-        onClick: (apiKey: ApiKeyRow) => regenerateKey(apiKey),
-      },
-      {
-        icon: IconTrash,
-        title: t('delete'),
-        onClick: (apiKey: ApiKeyRow) => deleteKey(apiKey),
-      },
-    ]))
-  }
-
-  return tableColumns
-})
-
-const computedLegacyColumns = computed<TableColumn[]>(() => {
-  const tableColumns: TableColumn[] = [
-    {
-      key: 'name',
-      label: t('name'),
-      sortable: true,
-      mobile: true,
-      head: true,
-    },
-    {
-      key: 'mode',
-      label: t('mode'),
-      mobile: true,
-    },
-    ...createSharedScopeColumns(),
-  ]
-
-  if (props.canManage) {
-    tableColumns.push(createActionsColumn([
-      {
-        icon: IconArrowPath,
-        title: t('button-regenerate'),
-        onClick: (apiKey: ApiKeyRow) => regenerateKey(apiKey),
-      },
-      {
-        icon: IconTrash,
-        title: t('delete'),
-        onClick: (apiKey: ApiKeyRow) => deleteKey(apiKey),
-      },
-    ]))
-  }
-
-  return tableColumns
-})
-
-watch(computedV2Columns, (newColumns: TableColumn[]) => {
-  v2Columns.value = newColumns
-}, { immediate: true })
-
-watch(computedLegacyColumns, (newColumns: TableColumn[]) => {
-  legacyColumns.value = newColumns
-}, { immediate: true })
-
-watch(() => props.orgId, async (orgId) => {
-  if (!orgId) {
-    apiKeys.value = []
-    roleBindings.value = []
-    apps.value = []
-    return
-  }
-
-  searchV2.value = ''
-  searchLegacy.value = ''
-  currentPageV2.value = 1
-  currentPageLegacy.value = 1
-  await refreshData()
-}, { immediate: true })
-
-function getRoleDisplayName(roleName: string): string {
-  const normalized = roleName.replace(/^invite_/, '')
-  const i18nKey = getRbacRoleI18nKey(normalized)
-  return i18nKey ? t(i18nKey) : normalized.replaceAll('_', ' ')
-}
-
-function getOrgScopeDisplay(apiKey: OrgApiKey) {
-  return formatApiKeyScope(apiKey.limited_to_orgs, orgId => orgId === props.orgId ? props.orgName : orgId, '*')
-}
-
-function getAppScopeDisplay(apiKey: OrgApiKey) {
-  return formatApiKeyScope(apiKey.limited_to_apps, appId => appNamesByAppId.value.get(appId) || appId, '*')
-}
-
-async function refreshData() {
-  if (!props.orgId)
-    return
-
-  isLoading.value = true
-  try {
-    await Promise.all([fetchApiKeys(), fetchRoleBindings(), fetchApps()])
-  }
-  catch (error) {
-    console.error('Error loading API keys:', error)
-    toast.error(t('error-fetching-role-bindings'))
-  }
-  finally {
-    isLoading.value = false
-  }
-}
-
-async function fetchApiKeys() {
-  const { data, error } = await supabase.rpc('get_org_apikeys' as any, { p_org_id: props.orgId } as any)
-  if (error)
-    throw error
-  apiKeys.value = (Array.isArray(data) ? data : []) as OrgApiKey[]
-}
-
-async function fetchRoleBindings() {
-  const { data, error } = await supabase
-    .from('role_bindings')
-    .select('id, principal_id, scope_type, roles(name)')
-    .eq('org_id', props.orgId)
-    .eq('principal_type', 'apikey')
-
-  if (error)
-    throw error
-
-  roleBindings.value = ((data || []) as any[]).map(row => ({
-    id: row.id,
-    principal_id: row.principal_id,
-    role_name: row.roles?.name || '',
-    scope_type: row.scope_type,
-  }))
-}
-
-async function fetchApps() {
-  const { data, error } = await supabase
-    .from('apps')
-    .select('app_id, name')
-    .eq('owner_org', props.orgId)
-    .order('name', { ascending: true })
-
-  if (error)
-    throw error
-
-  apps.value = ((data || []) as OrgApp[]).filter(app => !!app.app_id)
-}
-
-function navigateToCreate() {
-  if (!props.canManage)
-    return
-  router.push('/settings/organization/api-keys/new')
-}
-
-async function deleteKey(apiKey: OrgApiKey) {
-  if (!await confirmApiKeyDeletion(dialogStore, t))
-    return
-
-  isSubmitting.value = true
-  try {
-    const { error } = await supabase.from('apikeys').delete().eq('id', apiKey.id)
-    if (error)
-      throw error
-    toast.success(t('removed-apikey'))
-    await refreshData()
-  }
-  catch (error) {
-    console.error('Error deleting API key:', error)
-    toast.error(t('error-removing-apikey'))
-  }
-  finally {
-    isSubmitting.value = false
-  }
-}
-
-async function regenerateKey(apiKey: OrgApiKey) {
-  if (!await confirmApiKeyRegeneration(dialogStore, t))
-    return
-
-  const { data, error } = await supabase.functions.invoke('apikey', {
-    method: 'PUT',
-    body: { id: apiKey.id, regenerate: true },
-  })
-  if (error || !data) {
-    toast.error(t('failed-to-regenerate-api-key'))
-    return
-  }
-
-  if (typeof data.key === 'string') {
-    await showApiKeySecretModal(dialogStore, t, data.key, () => {
-      toast.success(t('key-copied'))
-    })
-  }
-
-  toast.success(t('generated-new-apikey'))
-  await refreshData()
-}
-
-async function reload() {
-  await refreshData()
-}
-</script>
-
-<template>
-  <div>
-    <div class="flex flex-col h-full pb-8 overflow-hidden overflow-y-auto bg-white border shadow-lg md:p-8 md:pb-0 max-h-fit grow md:rounded-lg dark:bg-gray-800 border-slate-300 dark:border-slate-900">
-      <div class="flex justify-between w-full mb-5 ml-2 md:ml-0">
-        <h2 class="text-2xl font-bold dark:text-white text-slate-800">
-          {{ t('api-keys') }}
-        </h2>
-      </div>
-
-      <section class="mb-8">
-        <div class="mb-4">
-          <div class="flex items-center gap-2">
-            <h3 class="text-lg font-semibold dark:text-white text-slate-800">
-              {{ t('api-keys-v2-title') }}
-            </h3>
-            <span class="px-2 py-0.5 text-xs font-medium rounded-full bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-200">
-              {{ v2Keys.length }}
-            </span>
-          </div>
-          <p class="mt-2 text-sm text-slate-500">
-            {{ t('api-keys-v2-description') }}
-          </p>
-        </div>
-
-        <DataTable
-          v-model:columns="v2Columns"
-          v-model:current-page="currentPageV2"
-          v-model:search="searchV2"
-          :show-add="props.canManage"
-          :total="sortedV2Keys.length"
-          :element-list="sortedV2Keys"
-          :search-placeholder="t('search-api-keys')"
-          :is-loading="isLoading"
-          :auto-reload="false"
-          :mobile-fixed-pagination="false"
-          @reload="reload"
-          @reset="refreshData"
-          @add="navigateToCreate"
-        />
-      </section>
-
-      <section class="pt-8 border-t border-slate-200 dark:border-slate-700">
-        <div class="mb-4">
-          <div class="flex items-center gap-2">
-            <h3 class="text-lg font-semibold dark:text-white text-slate-800">
-              {{ t('api-keys-legacy-title') }}
-            </h3>
-            <span class="px-2 py-0.5 text-xs font-medium rounded-full bg-slate-100 text-slate-700 dark:bg-slate-900 dark:text-slate-300">
-              {{ legacyKeys.length }}
-            </span>
-          </div>
-          <p class="mt-2 text-sm text-slate-500">
-            {{ t('api-keys-legacy-description') }}
-          </p>
-        </div>
-
-        <DataTable
-          v-model:columns="legacyColumns"
-          v-model:current-page="currentPageLegacy"
-          v-model:search="searchLegacy"
-          :show-add="false"
-          :total="sortedLegacyKeys.length"
-          :element-list="sortedLegacyKeys"
-          :search-placeholder="t('search-api-keys')"
-          :is-loading="isLoading"
-          :auto-reload="false"
-          :mobile-fixed-pagination="false"
-          @reload="reload"
-          @reset="refreshData"
-        />
-      </section>
-    </div>
-  </div>
-</template>
diff --git a/src/constants/organizationTabs.ts b/src/constants/organizationTabs.ts
index c86aea0509..b0e13c42e7 100644
--- a/src/constants/organizationTabs.ts
+++ b/src/constants/organizationTabs.ts
@@ -5,7 +5,6 @@ import IconPlan from '~icons/heroicons/credit-card'
 import IconCredits from '~icons/heroicons/currency-dollar'
 import IconWebhook from '~icons/heroicons/globe-alt'
 import IconInfo from '~icons/heroicons/information-circle'
-import IconKey from '~icons/heroicons/key'
 import IconSecurity from '~icons/heroicons/shield-check'
 import IconUsers from '~icons/heroicons/users'
 
@@ -13,7 +12,6 @@ export const organizationTabs: Tab[] = [
   { label: 'general', key: '/settings/organization', icon: IconInfo },
   { label: 'members', key: '/settings/organization/members', icon: IconUsers },
   { label: 'groups', key: '/settings/organization/groups', icon: IconUsers },
-  { label: 'api-keys', key: '/settings/organization/api-keys', icon: IconKey },
   { label: 'plans', key: '/settings/organization/plans', icon: IconPlan },
   { label: 'credits', key: '/settings/organization/credits', icon: IconCredits },
   { label: 'security', key: '/settings/organization/security', icon: IconSecurity },
diff --git a/src/env.d.ts b/src/env.d.ts
index e747f8b519..11f02fe2a0 100644
--- a/src/env.d.ts
+++ b/src/env.d.ts
@@ -1,5 +1 @@
 /// <reference types="vite/client" />
-
-interface ImportMetaEnv {
-  readonly VITE_FEATURE_RBAC_SYSTEM?: string
-}
diff --git a/src/layouts/app.vue b/src/layouts/app.vue
index f2e1e1d1e9..68362cbbe7 100644
--- a/src/layouts/app.vue
+++ b/src/layouts/app.vue
@@ -1,7 +1,6 @@
 <script setup lang="ts">
 import type { Tab } from '~/components/comp_def'
-import type { Organization } from '~/stores/organization'
-import { computed, ref, watchEffect } from 'vue'
+import { computed, watchEffect } from 'vue'
 import { useRoute, useRouter } from 'vue-router'
 import PaymentRequiredModal from '~/components/PaymentRequiredModal.vue'
 import Tabs from '~/components/Tabs.vue'
@@ -21,26 +20,12 @@ const appId = computed(() => {
   return match ? match[1] : ''
 })
 
-// Get organization for the current app (not currentOrganization which may be wrong in app context)
-const appOrganization = ref<Organization | null>(null)
-
 watchEffect(async () => {
-  if (appId.value) {
+  if (appId.value)
     await organizationStore.awaitInitialLoad()
-    appOrganization.value = organizationStore.getOrgByAppId(appId.value) ?? null
-  }
 })
 
-// Compute tabs dynamically based on RBAC settings
-const appTabs = computed<Tab[]>(() => {
-  const useNewRbac = appOrganization.value?.use_new_rbac
-
-  if (useNewRbac) {
-    return baseAppTabs
-  }
-
-  return baseAppTabs.filter(t => t.label !== 'access')
-})
+const appTabs = computed<Tab[]>(() => baseAppTabs)
 
 // Check if org payment has failed - only show info tab in this case
 const isOrgUnpaid = computed(() => {
diff --git a/src/layouts/settings.vue b/src/layouts/settings.vue
index b2838bab55..28ff688d65 100644
--- a/src/layouts/settings.vue
+++ b/src/layouts/settings.vue
@@ -110,9 +110,7 @@ watchEffect(() => {
 
 watchEffect(() => {
   const billingEnabled = stripeEnabled.value
-  const hasOrgRbacEnabled = !!organizationStore.currentOrganization?.use_new_rbac
-
-  const needsGroups = hasOrgRbacEnabled
+  const needsGroups = !!organizationStore.currentOrganization?.gid
   const hasGroups = organizationTabs.value.find(tab => tab.key === '/settings/organization/groups')
   if (needsGroups && !hasGroups) {
     const base = baseOrgTabs.find(t => t.key === '/settings/organization/groups')
@@ -125,27 +123,6 @@ watchEffect(() => {
   if (!needsGroups && hasGroups)
     organizationTabs.value = organizationTabs.value.filter(tab => tab.key !== '/settings/organization/groups')
 
-  const needsApiKeys = hasOrgRbacEnabled
-  const hasApiKeys = organizationTabs.value.find(tab => tab.key === '/settings/organization/api-keys')
-  if (needsApiKeys && !hasApiKeys) {
-    const base = baseOrgTabs.find(t => t.key === '/settings/organization/api-keys')
-    const insertAfterKeys = [
-      '/settings/organization/groups',
-      '/settings/organization/members',
-      '/settings/organization',
-    ]
-    const insertAfterIndex = insertAfterKeys
-      .map(key => organizationTabs.value.findIndex(tab => tab.key === key))
-      .find(index => index >= 0) ?? -1
-
-    if (base && insertAfterIndex >= 0)
-      organizationTabs.value.splice(insertAfterIndex + 1, 0, { ...base })
-    else if (base)
-      organizationTabs.value.push({ ...base })
-  }
-  if (!needsApiKeys && hasApiKeys)
-    organizationTabs.value = organizationTabs.value.filter(tab => tab.key !== '/settings/organization/api-keys')
-
   // ensure usage/plans tabs based on permissions (keeps icons from base)
   const needsUsage = billingEnabled && canReadBilling.value
   const hasUsage = organizationTabs.value.find(tab => tab.key === '/settings/organization/usage')
diff --git a/src/pages/ApiKeys.vue b/src/pages/ApiKeys.vue
index 68bef1b707..8d87a1a2b2 100644
--- a/src/pages/ApiKeys.vue
+++ b/src/pages/ApiKeys.vue
@@ -40,6 +40,20 @@ const supabase = useSupabase()
 const keys = ref<Database['public']['Tables']['apikeys']['Row'][]>([])
 const organizationStore = useOrganizationStore()
 const columns: Ref<TableColumn[]> = ref<TableColumn[]>([])
+const roleBindings = ref<Array<{
+  principal_id: string
+  scope_type: string
+  org_id: string | null
+  app_id: string | null
+  role_name: string
+}>>([])
+
+interface ApiKeyApp {
+  id: string | null
+  app_id: string
+  name: string | null
+  owner_org: string
+}
 
 // State for change name dialog
 const newApiKeyName = ref('')
@@ -66,11 +80,11 @@ const minExpirationDate = computed(() => {
 const createAsHashed = ref(false)
 
 // Available apps for selection (populated when showing app dialog)
-const availableApps = ref<Database['public']['Tables']['apps']['Row'][]>([])
+const availableApps = ref<ApiKeyApp[]>([])
 
 // Cache for organization and app names
 const orgCache = ref(new Map<string, string>())
-const appCache = ref(new Map<string, string>())
+const appUuidCache = ref(new Map<string, string>())
 
 // Function to truncate strings (show first 5 and last 5 characters)
 function hideString(str: string | null) {
@@ -92,50 +106,26 @@ const uniqueOrgIds = computed(() => {
     return new Set<string>()
 
   const orgIds = new Set<string>()
-  keys.value.forEach((key) => {
-    if (key.limited_to_orgs && key.limited_to_orgs.length > 0) {
-      key.limited_to_orgs.forEach(orgId => orgIds.add(orgId))
-    }
+  roleBindings.value.forEach((binding) => {
+    if (binding.org_id)
+      orgIds.add(binding.org_id)
   })
 
   return orgIds
 })
 
-// Computed property to get unique app IDs from all API keys
-const uniqueAppIds = computed(() => {
-  if (!keys.value)
-    return new Set<string>()
-
-  const appIds = new Set<string>()
-  keys.value.forEach((key) => {
-    if (key.limited_to_apps && key.limited_to_apps.length > 0) {
-      key.limited_to_apps.forEach(appId => appIds.add(appId))
-    }
-  })
-
-  return appIds
-})
-
 // Helper computed property to get organization name by ID
 const getOrgName = computed(() => {
   return (orgId: string) => orgCache.value.get(orgId) || 'Unknown'
 })
 
-// Helper computed property to get app name by ID
-const getAppName = computed(() => {
-  return (appId: string) => appCache.value.get(appId) || 'Unknown'
-})
-
 // Function to fetch organization and app names in parallel
 async function fetchOrgAndAppNames() {
   if (!keys.value)
     return
 
-  // Collect unique organization and app IDs that aren't already cached
   const uncachedOrgIds = Array.from(uniqueOrgIds.value).filter(id => !orgCache.value.has(id))
-  const uncachedAppIds = Array.from(uniqueAppIds.value).filter(id => !appCache.value.has(id))
 
-  // Fetch organization names in parallel
   if (uncachedOrgIds.length > 0) {
     const orgPromises = uncachedOrgIds.map(async (orgId) => {
       try {
@@ -159,31 +149,6 @@ async function fetchOrgAndAppNames() {
 
     await Promise.all(orgPromises)
   }
-
-  // Fetch app names in parallel
-  if (uncachedAppIds.length > 0) {
-    const appPromises = uncachedAppIds.map(async (appId) => {
-      try {
-        const { data, error } = await supabase
-          .from('apps')
-          .select('app_id, name')
-          .eq('app_id', appId)
-          .single()
-
-        if (error)
-          throw error
-        if (data && data.name)
-          appCache.value.set(appId, data.name)
-        return { id: appId, name: data?.name }
-      }
-      catch (err) {
-        console.error(`Error fetching app name for ${appId}:`, err)
-        return { id: appId, name: 'Unknown' }
-      }
-    })
-
-    await Promise.all(appPromises)
-  }
 }
 
 const searchQuery = ref('')
@@ -209,29 +174,96 @@ const filteredAppsForSelectedOrgs = computed(() => {
   if (!availableApps.value || displayStore.selectedOrganizations.length === 0) {
     return []
   }
-  return (availableApps.value as any).filter((app: Database['public']['Tables']['apps']['Row']) =>
+  return availableApps.value.filter((app: ApiKeyApp) =>
     displayStore.selectedOrganizations.includes(app.owner_org),
   )
 })
 
 function pruneSelectedApps() {
   const allowedAppIds = new Set(
-    filteredAppsForSelectedOrgs.value.map((app: Database['public']['Tables']['apps']['Row']) => app.app_id),
+    filteredAppsForSelectedOrgs.value.map((app: ApiKeyApp) => app.app_id),
   )
 
   displayStore.selectedApps = (displayStore.selectedApps as any)
-    .filter((app: Database['public']['Tables']['apps']['Row']) => allowedAppIds.has(app.app_id))
+    .filter((app: ApiKeyApp) => allowedAppIds.has(app.app_id))
+}
+
+function getBindingsForKey(key: Database['public']['Tables']['apikeys']['Row']) {
+  return roleBindings.value.filter(binding => binding.principal_id === key.rbac_id)
+}
+
+function getOrgScopeForKey(key: Database['public']['Tables']['apikeys']['Row']) {
+  const orgIds = new Set<string>()
+  getBindingsForKey(key).forEach((binding) => {
+    if (binding.org_id)
+      orgIds.add(binding.org_id)
+  })
+  return Array.from(orgIds)
+}
+
+function getAppScopeForKey(key: Database['public']['Tables']['apikeys']['Row']) {
+  const appIds = new Set<string>()
+  getBindingsForKey(key).forEach((binding) => {
+    if (binding.app_id)
+      appIds.add(binding.app_id)
+  })
+  return Array.from(appIds)
+}
+
+function roleForKeyType(keyType: 'read' | 'write' | 'all' | 'upload', appScoped: boolean) {
+  if (keyType === 'all')
+    return appScoped ? 'app_admin' : 'org_admin'
+  if (keyType === 'write')
+    return 'app_developer'
+  if (keyType === 'upload')
+    return 'app_uploader'
+  return 'app_reader'
+}
+
+function buildBindings(keyType: 'read' | 'write' | 'all' | 'upload', orgIds: string[], apps: ApiKeyApp[]) {
+  const bindings: Array<{
+    role_name: string
+    scope_type: 'org' | 'app'
+    org_id: string
+    app_id?: string
+  }> = []
+
+  if (keyType === 'all' && apps.length === 0) {
+    orgIds.forEach((orgId) => {
+      bindings.push({
+        role_name: 'org_admin',
+        scope_type: 'org',
+        org_id: orgId,
+      })
+    })
+    return bindings
+  }
+
+  const orgsWithAppBindings = new Set<string>()
+  apps.forEach((app) => {
+    if (!app.id || !app.owner_org)
+      return
+    bindings.push({
+      role_name: roleForKeyType(keyType, true),
+      scope_type: 'app',
+      org_id: app.owner_org,
+      app_id: app.id,
+    })
+    orgsWithAppBindings.add(app.owner_org)
+  })
+
+  orgIds.forEach((orgId) => {
+    bindings.push({
+      role_name: keyType === 'all' && !orgsWithAppBindings.has(orgId) ? 'org_admin' : 'org_member',
+      scope_type: 'org',
+      org_id: orgId,
+    })
+  })
+
+  return bindings
 }
 
 columns.value = [
-  {
-    key: 'mode',
-    label: t('type'),
-    sortable: true,
-    displayFunction: (row: Database['public']['Tables']['apikeys']['Row']) => {
-      return row.mode ? row.mode.toUpperCase() : 'RBAC'
-    },
-  },
   {
     key: 'key',
     label: t('api-key'),
@@ -272,17 +304,17 @@ columns.value = [
     },
   },
   {
-    key: 'limited_to_orgs',
+    key: 'org_scope',
     label: t('organizations'),
     displayFunction: (row: Database['public']['Tables']['apikeys']['Row']) => {
-      return formatApiKeyScope(row.limited_to_orgs, orgId => getOrgName.value(orgId))
+      return formatApiKeyScope(getOrgScopeForKey(row), orgId => getOrgName.value(orgId), '*')
     },
   },
   {
-    key: 'limited_to_apps',
+    key: 'app_scope',
     label: t('apps'),
     displayFunction: (row: Database['public']['Tables']['apikeys']['Row']) => {
-      return formatApiKeyScope(row.limited_to_apps, appId => getAppName.value(appId))
+      return formatApiKeyScope(getAppScopeForKey(row), appId => appUuidCache.value.get(appId) || appId)
     },
   },
   {
@@ -332,8 +364,9 @@ async function getKeys(retry = true): Promise<void> {
     .from('apikeys')
     .select()
     .eq('user_id', main.user?.id ?? '')
-  if (data && data.length) {
+  if (data) {
     keys.value = data
+    await fetchRoleBindings()
     // Fetch organization and app names after getting API keys
     await fetchOrgAndAppNames()
   }
@@ -344,6 +377,50 @@ async function getKeys(retry = true): Promise<void> {
   isLoading.value = false
 }
 
+async function fetchRoleBindings() {
+  const principalIds = keys.value.map(key => key.rbac_id).filter((rbacId): rbacId is string => !!rbacId)
+  if (principalIds.length === 0) {
+    roleBindings.value = []
+    return
+  }
+
+  const { data, error } = await supabase
+    .from('role_bindings')
+    .select('principal_id, scope_type, org_id, app_id, roles(name)')
+    .eq('principal_type', 'apikey')
+    .in('principal_id', principalIds)
+
+  if (error) {
+    console.error('Cannot load API key role bindings:', error)
+    roleBindings.value = []
+    return
+  }
+
+  roleBindings.value = ((data || []) as any[]).map(binding => ({
+    principal_id: binding.principal_id,
+    scope_type: binding.scope_type,
+    org_id: binding.org_id,
+    app_id: binding.app_id,
+    role_name: binding.roles?.name || '',
+  }))
+
+  const appUuids = [...new Set(roleBindings.value.map(binding => binding.app_id).filter((appId): appId is string => !!appId))]
+  const uncachedAppUuids = appUuids.filter(appId => !appUuidCache.value.has(appId))
+  if (uncachedAppUuids.length > 0) {
+    const { data: apps, error: appsError } = await supabase
+      .from('apps')
+      .select('id, app_id, name')
+      .in('id', uncachedAppUuids)
+
+    if (!appsError && apps) {
+      apps.forEach((app) => {
+        if (app.id)
+          appUuidCache.value.set(app.id, app.name || app.app_id)
+      })
+    }
+  }
+}
+
 async function loadAllApps() {
   try {
     const orgIds = organizationStore.organizations.map(org => org.gid)
@@ -359,7 +436,12 @@ async function loadAllApps() {
       console.error('Cannot load apps:', error)
       return
     }
-    availableApps.value = apps || []
+    availableApps.value = ((apps || []) as ApiKeyApp[]).filter(app => !!app.owner_org)
+    appUuidCache.value = new Map(
+      availableApps.value
+        .filter((app): app is ApiKeyApp & { id: string } => !!app.id)
+        .map(app => [app.id, app.name || app.app_id]),
+    )
   }
   catch (err) {
     console.error('Error loading apps:', err)
@@ -384,7 +466,7 @@ async function createApiKey(keyType: 'read' | 'write' | 'all' | 'upload') {
     }
   }
 
-  let finalSelectedApps: Database['public']['Tables']['apps']['Row'][] = []
+  let finalSelectedApps: ApiKeyApp[] = []
   if (limitToApp) {
     finalSelectedApps = Array.from(displayStore.selectedApps) as any
     if (finalSelectedApps.length === 0) {
@@ -411,16 +493,36 @@ async function createApiKey(keyType: 'read' | 'write' | 'all' | 'upload') {
 
     let plainKeyForDisplay: string | null = null
 
-    // Use the backend API to generate the key server-side
+    const targetOrganizations = limitToOrg
+      ? finalSelectedOrganizations
+      : organizationStore.organizations.map(org => org.gid)
+    if (targetOrganizations.length === 0) {
+      toast.error(t('alert-no-org-selected'))
+      return false
+    }
+
+    const targetApps: ApiKeyApp[] = limitToApp
+      ? finalSelectedApps
+      : keyType === 'all'
+        ? []
+        : availableApps.value.filter(app => !!app.owner_org && targetOrganizations.includes(app.owner_org))
+    const bindingOrganizations = limitToApp
+      ? [...new Set(targetApps.map(app => app.owner_org).filter(Boolean))]
+      : targetOrganizations
+    const bindings = buildBindings(keyType, bindingOrganizations, targetApps)
+    if (bindings.length === 0) {
+      toast.error(t('select-at-least-one-role'))
+      return false
+    }
+
+    // Use the backend API to generate the V2 key server-side
     const { data, error } = await supabase.functions.invoke('apikey', {
       method: 'POST',
       body: {
-        mode: keyType,
         name: newApiKeyName.value.trim(),
-        limited_to_orgs: finalSelectedOrganizations.length > 0 ? finalSelectedOrganizations : [],
-        limited_to_apps: finalSelectedApps.length > 0 ? finalSelectedApps.map(app => app.app_id) : [],
         expires_at: expiresAt,
         hashed: isHashed,
+        bindings,
       },
     })
 
@@ -441,6 +543,7 @@ async function createApiKey(keyType: 'read' | 'write' | 'all' | 'upload') {
     }
     keys.value?.push(createdKey)
     // Fetch org and app names for the new key
+    await fetchRoleBindings()
     await fetchOrgAndAppNames()
 
     // For hashed keys, show the key one time in a modal
@@ -642,14 +745,14 @@ function handleOrgSelection(orgId: string, checked: boolean) {
   }
 }
 
-function handleAppSelection(app: Database['public']['Tables']['apps']['Row'], checked: boolean) {
+function handleAppSelection(app: ApiKeyApp, checked: boolean) {
   if (checked) {
-    if (!(displayStore.selectedApps as any).find((a: Database['public']['Tables']['apps']['Row']) => a.app_id === app.app_id)) {
+    if (!(displayStore.selectedApps as any).find((a: ApiKeyApp) => a.app_id === app.app_id)) {
       displayStore.selectedApps.push(app as any)
     }
   }
   else {
-    displayStore.selectedApps = (displayStore.selectedApps as any).filter((a: Database['public']['Tables']['apps']['Row']) => a.app_id !== app.app_id)
+    displayStore.selectedApps = (displayStore.selectedApps as any).filter((a: ApiKeyApp) => a.app_id !== app.app_id)
   }
 }
 
@@ -969,57 +1072,6 @@ getKeys()
           />
         </div>
       </Teleport>
-
-      <!-- Teleport Content for Organization Selection Modal -->
-      <Teleport v-if="dialogStore.showDialog && dialogStore.dialogOptions?.title === t('alert-confirm-org-limit')" defer to="#dialog-v2-content">
-        <div class="space-y-4">
-          <div class="p-2 overflow-y-auto border rounded-lg max-h-64">
-            <div v-for="org in organizationStore.organizations" :key="org.gid" class="flex items-center gap-2 p-2">
-              <input
-                :id="`org-select-${org.gid}`"
-                :value="org.gid"
-                type="checkbox"
-                class="checkbox"
-                @change="handleOrgSelection(org.gid, ($event.target as HTMLInputElement).checked)"
-              >
-              <label :for="`org-select-${org.gid}`" class="text-sm">
-                {{ org.name }}
-              </label>
-            </div>
-          </div>
-          <div class="flex items-center gap-2 mt-4">
-            <input
-              id="limit-to-app-org"
-              v-model="limitToOrgCheckbox"
-              type="checkbox"
-              class="checkbox"
-            >
-            <label for="limit-to-app-org" class="text-sm">
-              {{ t('limit-to-app') }}
-            </label>
-          </div>
-        </div>
-      </Teleport>
-
-      <!-- Teleport Content for App Selection Modal -->
-      <Teleport v-if="dialogStore.showDialog && dialogStore.dialogOptions?.title === t('alert-confirm-appid-limit')" defer to="#dialog-v2-content">
-        <div class="space-y-4">
-          <div class="p-2 overflow-y-auto border rounded-lg max-h-64">
-            <div v-for="app in availableApps" :key="app.app_id" class="flex items-center gap-2 p-2">
-              <input
-                :id="`app-${app.app_id}`"
-                :value="app"
-                type="checkbox"
-                class="checkbox"
-                @change="handleAppSelection(app as any, ($event.target as HTMLInputElement).checked)"
-              >
-              <label :for="`app-${app.app_id}`" class="text-sm">
-                {{ app.name }}
-              </label>
-            </div>
-          </div>
-        </div>
-      </Teleport>
     </div>
   </div>
 </template>
diff --git a/src/pages/settings/account/index.vue b/src/pages/settings/account/index.vue
index 8258bf8395..19192361b8 100644
--- a/src/pages/settings/account/index.vue
+++ b/src/pages/settings/account/index.vue
@@ -90,34 +90,17 @@ async function checkOrganizationImpact() {
   // Check each organization to see if user is the only super_admin
   for (const org of superAdminOrgs) {
     try {
-      const useNewRbac = org.use_new_rbac === true
-      let superAdminCount = 0
+      const { data: members, error } = await supabase
+        .rpc('get_org_members_rbac', { p_org_id: org.gid })
 
-      if (useNewRbac) {
-        const { data: members, error } = await supabase
-          .rpc('get_org_members_rbac', { p_org_id: org.gid })
-
-        if (error) {
-          console.error('Error getting RBAC org members:', error)
-          continue
-        }
-
-        superAdminCount = members.filter(member =>
-          !member.is_invite && !member.is_tmp && isSuperAdminRole(member.role_name),
-        ).length
+      if (error) {
+        console.error('Error getting RBAC org members:', error)
+        continue
       }
-      else {
-        const { data: members, error } = await supabase
-          .rpc('get_org_members', { guild_id: org.gid })
 
-        if (error) {
-          console.error('Error getting org members:', error)
-          continue
-        }
-
-        // Count super_admins (excluding temporary users)
-        superAdminCount = members.filter(member => isSuperAdminRole(member.role) && !member.is_tmp).length
-      }
+      const superAdminCount = members.filter(member =>
+        !member.is_invite && !member.is_tmp && isSuperAdminRole(member.role_name),
+      ).length
 
       // If user is the only super_admin, this org will be deleted
       if (superAdminCount === 1) {
diff --git a/src/pages/settings/organization/ApiKeys.[id].vue b/src/pages/settings/organization/ApiKeys.[id].vue
index ce21f1b623..d3cdc5c9d6 100644
--- a/src/pages/settings/organization/ApiKeys.[id].vue
+++ b/src/pages/settings/organization/ApiKeys.[id].vue
@@ -1,1029 +1,16 @@
 <script setup lang="ts">
-import { VueDatePicker } from '@vuepic/vue-datepicker'
-import { computedAsync, useDark } from '@vueuse/core'
-import dayjs from 'dayjs'
-import { storeToRefs } from 'pinia'
-import { computed, onMounted, ref, watch } from 'vue'
-import { useI18n } from 'vue-i18n'
-import { useRoute, useRouter } from 'vue-router'
-import { toast } from 'vue-sonner'
-import IconCalendar from '~icons/heroicons/calendar'
-import IconClipboard from '~icons/heroicons/clipboard-document'
-import IconTrash from '~icons/heroicons/trash'
-import { checkPermissions } from '~/services/permissions'
-import { useSupabase } from '~/services/supabase'
-import { useDialogV2Store } from '~/stores/dialogv2'
-import { useDisplayStore } from '~/stores/display'
-import { getRbacRoleI18nKey, useOrganizationStore } from '~/stores/organization'
-import '@vuepic/vue-datepicker/dist/main.css'
+import { onMounted } from 'vue'
+import { useRouter } from 'vue-router'
 
-interface OrgApiKey {
-  id: number
-  rbac_id: string
-  name: string
-  mode: string | null
-  limited_to_orgs: string[] | null
-  limited_to_apps: string[] | null
-  user_id: string
-  owner_email: string
-  created_at: string | null
-  expires_at: string | null
-}
-
-interface Role {
-  id: string
-  name: string
-  scope_type: string
-  description: string | null
-  priority_rank: number
-}
-
-interface RoleBinding {
-  id: string
-  principal_type: string
-  principal_id: string
-  role_name: string
-  scope_type: string
-  app_id: string | null
-}
-
-interface OrgApp {
-  id: string
-  app_id: string
-  name: string | null
-}
-
-interface CreatedApiKeyResult {
-  id: number | string | null
-  key: string | null
-  rbacId: string
-}
-
-const route = useRoute()
 const router = useRouter()
-const { t } = useI18n()
-const isDark = useDark()
-const supabase = useSupabase()
-const dialogStore = useDialogV2Store()
-const organizationStore = useOrganizationStore()
-const { currentOrganization } = storeToRefs(organizationStore)
-const displayStore = useDisplayStore()
-
-const rbacId = computed(() => (route.params as { id: string }).id)
-const isCreateMode = computed(() => rbacId.value === 'new')
-const resolvedUseNewRbac = ref(false)
-
-const canShow = computed(() =>
-  resolvedUseNewRbac.value && !!currentOrganization.value?.gid,
-)
-
-const isPermissionLoading = ref(false)
-const isOrgLoading = ref(true)
-const canManage = computedAsync(async () => {
-  if (!currentOrganization.value?.gid)
-    return false
-  return await checkPermissions('org.update_user_roles', { orgId: currentOrganization.value.gid })
-}, false, { evaluating: isPermissionLoading })
-
-const isLoading = ref(false)
-const isSubmitting = ref(false)
-const showAppDropdown = ref(false)
-const createdPlainKey = ref('')
-const createdKeyDialogMode = ref<'success' | 'partial-failure-plain' | 'partial-failure-hashed'>('success')
-
-// Key data
-const apiKey = ref<OrgApiKey | null>(null)
-const editName = ref('')
-const createAsHashed = ref(false)
-const setExpiration = ref(false)
-const expirationDate = ref<Date | null>(null)
-
-// RBAC
-const roles = ref<Role[]>([])
-const roleBindings = ref<RoleBinding[]>([])
-const apps = ref<OrgApp[]>([])
-const selectedOrgRole = ref('')
-const originalUnsupportedOrgRole = ref('')
-const pendingAppBindings = ref<Record<string, string>>({})
-const unsupportedApiKeyOrgRoles = new Set(['org_billing_admin'])
-
-const minExpirationDate = computed(() => dayjs().add(1, 'day').toDate())
-const callerOrgPriorityRank = computed(() => {
-  const orgId = currentOrganization.value?.gid
-  if (!orgId)
-    return 0
-
-  if (organizationStore.hasPermissionsInRole('super_admin', ['org_super_admin'], orgId))
-    return Number.POSITIVE_INFINITY
-
-  const currentRoleName = currentOrganization.value?.role
-  const currentRole = roles.value.find(role => role.scope_type === 'org' && role.name === currentRoleName)
-  return currentRole?.priority_rank ?? 0
-})
-
-const orgRoles = computed(() => roles.value.filter(r => r.scope_type === 'org' && !unsupportedApiKeyOrgRoles.has(r.name)))
-const appRoles = computed(() => roles.value.filter(r => r.scope_type === 'app'))
-
-const appById = computed(() => new Map(apps.value.map(app => [app.id, app])))
-
-const keyBindings = computed(() =>
-  roleBindings.value.filter(b => b.principal_type === 'apikey' && b.principal_id === rbacId.value),
-)
-
-const keyOrgBinding = computed(() =>
-  keyBindings.value.find(b => b.scope_type === 'org'),
-)
-
-const keyAppBindings = computed(() =>
-  keyBindings.value.filter(b => b.scope_type === 'app' && !!b.app_id),
-)
-
-const orgRoleOptions = computed(() =>
-  orgRoles.value
-    .filter(r => r.name !== 'org_super_admin')
-    .filter(r => r.priority_rank <= callerOrgPriorityRank.value)
-    .map(r => ({ id: r.id, name: r.name, description: getRoleDisplayName(r.name) })),
-)
-
-const appRoleOptions = computed(() =>
-  appRoles.value.map(r => ({ id: r.id, name: r.name, description: getRoleDisplayName(r.name) })),
-)
-
-const rolesWithInheritedAppAccess = new Set(['org_admin', 'org_super_admin'])
-const showAppAccessForm = computed(() =>
-  !!selectedOrgRole.value && !rolesWithInheritedAppAccess.has(selectedOrgRole.value),
-)
-
-const selectedAppIds = computed(() => Object.keys(pendingAppBindings.value))
-const configuredAppIds = computed(() =>
-  Object.entries(pendingAppBindings.value)
-    .filter(([, roleName]) => !!roleName)
-    .map(([appId]) => appId),
-)
-const configuredLimitedAppIds = computed(() =>
-  configuredAppIds.value
-    .map(appId => appById.value.get(appId)?.app_id)
-    .filter((appId): appId is string => !!appId),
-)
-
-const UUID_REGEX = /^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/i
-
-async function refreshCurrentOrganizationState(forceFetchOrganizations = false) {
-  isOrgLoading.value = true
-
-  if (forceFetchOrganizations)
-    await organizationStore.fetchOrganizations()
-
-  await organizationStore.awaitInitialLoad()
-
-  const orgId = currentOrganization.value?.gid
-  if (!orgId) {
-    resolvedUseNewRbac.value = false
-    isOrgLoading.value = false
-    return
-  }
-
-  const { data, error } = await supabase
-    .from('orgs')
-    .select('use_new_rbac')
-    .eq('id', orgId)
-    .single()
 
-  resolvedUseNewRbac.value = error ? !!currentOrganization.value?.use_new_rbac : data?.use_new_rbac === true
-  isOrgLoading.value = false
-}
-
-watch([rbacId, () => currentOrganization.value?.gid], async ([id, orgId]) => {
-  if (!id || !orgId)
-    return
-
-  displayStore.defaultBack = '/settings/organization/api-keys'
-
-  if (id === 'new') {
-    apiKey.value = null
-    editName.value = ''
-    selectedOrgRole.value = ''
-    originalUnsupportedOrgRole.value = ''
-    pendingAppBindings.value = {}
-    createAsHashed.value = false
-    setExpiration.value = false
-    expirationDate.value = null
-    displayStore.NavTitle = t('create-api-key')
-    await Promise.all([fetchRoles(), fetchApps(orgId)])
-  }
-  else if (UUID_REGEX.test(id)) {
-    await loadAll()
-  }
-  else {
-    toast.error(t('invalid-api-key-id'))
-    router.replace('/settings/organization/api-keys')
-  }
-}, { immediate: true })
-
-onMounted(async () => {
-  await refreshCurrentOrganizationState(true)
+onMounted(() => {
+  router.replace('/apikeys')
 })
-
-watch(() => currentOrganization.value?.gid, async (orgId, previousOrgId) => {
-  if (!orgId || orgId === previousOrgId)
-    return
-  await refreshCurrentOrganizationState()
-})
-
-async function loadAll() {
-  isLoading.value = true
-  try {
-    await Promise.all([fetchApiKey(), fetchRoles(), fetchApps()])
-    await fetchRoleBindings()
-  }
-  catch (error) {
-    console.error('Error loading API key data:', error)
-    toast.error(t('error-loading-data'))
-  }
-  finally {
-    isLoading.value = false
-  }
-}
-
-async function fetchApiKey() {
-  const orgId = currentOrganization.value?.gid
-  if (!orgId)
-    return
-  const { data, error } = await supabase.rpc('get_org_apikeys' as any, { p_org_id: orgId } as any)
-  if (error)
-    throw error
-  const keys = (Array.isArray(data) ? data : []) as OrgApiKey[]
-  const found = keys.find(k => k.rbac_id === rbacId.value)
-  if (!found) {
-    toast.error(t('api-key-not-found'))
-    router.replace('/settings/organization/api-keys')
-    return
-  }
-  apiKey.value = found
-  editName.value = found.name
-  displayStore.NavTitle = found.name
-  if (found.expires_at) {
-    setExpiration.value = true
-    expirationDate.value = new Date(found.expires_at)
-  }
-}
-
-async function fetchRoles() {
-  const { data, error } = await supabase
-    .from('roles')
-    .select('id, name, scope_type, description, priority_rank')
-    .eq('is_assignable', true)
-    .in('scope_type', ['org', 'app'])
-    .order('priority_rank', { ascending: false })
-  if (error)
-    throw error
-  roles.value = (data || []) as Role[]
-}
-
-async function fetchRoleBindings() {
-  const orgId = currentOrganization.value?.gid
-  if (!orgId)
-    return
-  const { data, error } = await supabase
-    .from('role_bindings')
-    .select('id, principal_type, principal_id, scope_type, app_id, role_id, roles(name)')
-    .eq('org_id', orgId)
-    .eq('principal_type', 'apikey')
-    .eq('principal_id', rbacId.value)
-  if (error)
-    throw error
-  roleBindings.value = ((data || []) as any[]).map(row => ({
-    id: row.id,
-    principal_type: row.principal_type,
-    principal_id: row.principal_id,
-    scope_type: row.scope_type,
-    app_id: row.app_id,
-    role_name: row.roles?.name || '',
-  }))
-  const currentOrgRoleName = keyOrgBinding.value?.role_name ?? ''
-  originalUnsupportedOrgRole.value = unsupportedApiKeyOrgRoles.has(currentOrgRoleName)
-    ? currentOrgRoleName
-    : ''
-  selectedOrgRole.value = originalUnsupportedOrgRole.value
-    ? ''
-    : currentOrgRoleName
-  const map: Record<string, string> = {}
-  keyAppBindings.value.forEach((b) => {
-    if (b.app_id)
-      map[b.app_id] = b.role_name
-  })
-  pendingAppBindings.value = map
-}
-
-async function fetchApps(orgId = currentOrganization.value?.gid) {
-  if (!orgId)
-    return
-  const { data, error } = await supabase
-    .from('apps')
-    .select('id, app_id, name')
-    .eq('owner_org', orgId)
-    .order('name', { ascending: true })
-  if (error)
-    throw error
-
-  const visibleApps = (data || []).filter((app): app is OrgApp => !!app.id && !!app.app_id)
-  const appAccessChecks = await Promise.all(visibleApps.map(async (app) => {
-    const canManageAppRoles = await checkPermissions('app.update_user_roles', {
-      orgId,
-      appId: app.app_id,
-    })
-
-    return canManageAppRoles ? app : null
-  }))
-
-  apps.value = appAccessChecks.filter((app): app is OrgApp => !!app)
-}
-
-function getRoleDisplayName(roleName: string): string {
-  const normalized = roleName.replace(/^invite_/, '')
-  const i18nKey = getRbacRoleI18nKey(normalized)
-  return i18nKey ? t(i18nKey) : normalized.replaceAll('_', ' ')
-}
-
-function getAppName(appId: string) {
-  const app = appById.value.get(appId)
-  return app ? (app.name || app.app_id) : appId
-}
-
-function toggleApp(appId: string) {
-  if (appId in pendingAppBindings.value) {
-    const updated = { ...pendingAppBindings.value }
-    delete updated[appId]
-    pendingAppBindings.value = updated
-  }
-  else {
-    pendingAppBindings.value = { ...pendingAppBindings.value, [appId]: '' }
-  }
-}
-
-function onAppRoleChange(appId: string, event: Event) {
-  pendingAppBindings.value = { ...pendingAppBindings.value, [appId]: (event.target as HTMLSelectElement).value }
-}
-
-function hasIncompleteAppBindings() {
-  return Object.values(pendingAppBindings.value).some(roleName => !roleName)
-}
-
-async function showOneTimeKeyModal(plainKey: string) {
-  createdKeyDialogMode.value = 'success'
-  createdPlainKey.value = plainKey
-  dialogStore.openDialog({
-    id: 'org-apikey-created',
-    title: t('secure-key-created'),
-    size: 'lg',
-    preventAccidentalClose: true,
-    buttons: [
-      {
-        text: t('ok'),
-        role: 'primary',
-      },
-    ],
-  })
-
-  await dialogStore.onDialogDismiss()
-  createdPlainKey.value = ''
-  createdKeyDialogMode.value = 'success'
-}
-
-async function copyCreatedKey() {
-  if (!createdPlainKey.value)
-    return
-
-  try {
-    await navigator.clipboard.writeText(createdPlainKey.value)
-    toast.success(t('key-copied'))
-  }
-  catch (error) {
-    console.error('Failed to copy created API key:', error)
-    toast.error(t('cannot-copy-key'))
-  }
-}
-
-function validateApiKeyForm() {
-  if (!editName.value.trim()) {
-    toast.error(t('please-enter-api-key-name'))
-    return false
-  }
-
-  if (hasIncompleteAppBindings()) {
-    toast.error(t('select-role-for-each-app'))
-    return false
-  }
-
-  // In create mode, at least one binding (org role or app binding) is required
-  if (isCreateMode.value) {
-    const hasOrgRole = !!selectedOrgRole.value
-    const hasAppBindings = configuredAppIds.value.length > 0
-    if (!hasOrgRole && !hasAppBindings) {
-      toast.error(t('select-at-least-one-role'))
-      return false
-    }
-  }
-
-  return true
-}
-
-function getApiKeyExpirationValue() {
-  return setExpiration.value && expirationDate.value
-    ? dayjs(expirationDate.value).toISOString()
-    : null
-}
-
-function parseCreatedApiKeyResult(data: unknown): CreatedApiKeyResult | null {
-  if (!data || typeof data !== 'object')
-    return null
-
-  const createdApiKey = data as { id?: number | string, key?: string, rbac_id?: string }
-  if (typeof createdApiKey.rbac_id !== 'string' || !createdApiKey.rbac_id)
-    return null
-
-  return {
-    id: typeof createdApiKey.id === 'number' || typeof createdApiKey.id === 'string'
-      ? createdApiKey.id
-      : null,
-    key: typeof createdApiKey.key === 'string' && createdApiKey.key.length > 0
-      ? createdApiKey.key
-      : null,
-    rbacId: createdApiKey.rbac_id,
-  }
-}
-
-async function deleteRoleBinding(bindingId: string) {
-  const { error } = await supabase.functions.invoke(`private/role_bindings/${bindingId}`, { method: 'DELETE' })
-  if (error)
-    throw error
-}
-
-async function updateRoleBindingRole(bindingId: string, roleName: string) {
-  const { error } = await supabase.functions.invoke(`private/role_bindings/${bindingId}`, {
-    method: 'PATCH',
-    body: { role_name: roleName },
-  })
-  if (error)
-    throw error
-}
-
-async function createRoleBinding(roleBinding: Record<string, unknown>) {
-  const { error } = await supabase.functions.invoke('private/role_bindings', {
-    method: 'POST',
-    body: roleBinding,
-  })
-  if (error)
-    throw error
-}
-
-async function createOrgRoleBinding(principalId: string, orgId: string, roleName: string) {
-  await createRoleBinding({
-    principal_type: 'apikey',
-    principal_id: principalId,
-    role_name: roleName,
-    scope_type: 'org',
-    org_id: orgId,
-  })
-}
-
-async function createAppRoleBinding(principalId: string, orgId: string, appId: string, roleName: string) {
-  await createRoleBinding({
-    principal_type: 'apikey',
-    principal_id: principalId,
-    role_name: roleName,
-    scope_type: 'app',
-    org_id: orgId,
-    app_id: appId,
-  })
-}
-
-async function createApiKeyRecord(orgId: string) {
-  // Build bindings array for the atomic API call
-  const bindings: Array<{
-    role_name: string
-    scope_type: 'org' | 'app'
-    org_id: string
-    app_id?: string
-  }> = []
-
-  if (selectedOrgRole.value) {
-    bindings.push({
-      role_name: selectedOrgRole.value,
-      scope_type: 'org',
-      org_id: orgId,
-    })
-  }
-
-  for (const [appId, roleName] of Object.entries(pendingAppBindings.value)) {
-    if (!roleName)
-      continue
-    bindings.push({
-      role_name: roleName,
-      scope_type: 'app',
-      org_id: orgId,
-      app_id: appId,
-    })
-  }
-
-  const { data, error } = await supabase.functions.invoke('apikey', {
-    method: 'POST',
-    body: {
-      name: editName.value.trim(),
-      limited_to_orgs: [orgId],
-      limited_to_apps: configuredLimitedAppIds.value,
-      expires_at: getApiKeyExpirationValue(),
-      hashed: createAsHashed.value,
-      bindings,
-    },
-  })
-
-  if (error)
-    throw error
-
-  const createdApiKey = parseCreatedApiKeyResult(data)
-  if (!createdApiKey)
-    throw new Error(t('failed-to-create-api-key'))
-
-  return createdApiKey
-}
-
-async function finalizeCreatedApiKey(createdPlainKey: string | null) {
-  if (createdPlainKey)
-    await showOneTimeKeyModal(createdPlainKey)
-  else
-    toast.success(t('add-api-key'))
-
-  await router.replace('/settings/organization/api-keys')
-}
-
-function shouldKeepUnsupportedOrgRole(existingRoleName: string | undefined, targetRoleName: string) {
-  return !targetRoleName
-    && !!originalUnsupportedOrgRole.value
-    && existingRoleName === originalUnsupportedOrgRole.value
-}
-
-async function persistOrgRoleBinding(existingBinding: RoleBinding | undefined, orgId: string, targetRoleName: string) {
-  if (existingBinding)
-    await updateRoleBindingRole(existingBinding.id, targetRoleName)
-  else
-    await createOrgRoleBinding(rbacId.value, orgId, targetRoleName)
-}
-
-async function deleteRemovedAppBindings(existingBindings: RoleBinding[], pendingBindings: Record<string, string>) {
-  for (const binding of existingBindings) {
-    if (!binding.app_id || !(binding.app_id in pendingBindings))
-      await deleteRoleBinding(binding.id)
-  }
-}
-
-async function upsertPendingAppBindings(existingBindings: RoleBinding[], pendingBindings: Record<string, string>, orgId: string) {
-  for (const [appId, roleName] of Object.entries(pendingBindings)) {
-    if (!roleName)
-      continue
-
-    const existingBinding = existingBindings.find(binding => binding.app_id === appId)
-    if (existingBinding) {
-      if (existingBinding.role_name !== roleName)
-        await updateRoleBindingRole(existingBinding.id, roleName)
-      continue
-    }
-
-    await createAppRoleBinding(rbacId.value, orgId, appId, roleName)
-  }
-}
-
-async function getUserFacingErrorMessage(error: unknown, fallbackMessage: string) {
-  if (error && typeof error === 'object' && 'context' in error && error.context instanceof Response) {
-    try {
-      const payload = await error.context.clone().json() as { message?: string, error_description?: string }
-      if (typeof payload.message === 'string' && payload.message)
-        return payload.message
-      if (typeof payload.error_description === 'string' && payload.error_description)
-        return payload.error_description
-    }
-    catch {
-    }
-  }
-
-  if (error instanceof Error && error.message)
-    return error.message
-
-  return fallbackMessage
-}
-
-async function createKey() {
-  if (!validateApiKeyForm())
-    return
-
-  const orgId = currentOrganization.value?.gid
-  if (!orgId)
-    return
-
-  isSubmitting.value = true
-  try {
-    // Single atomic call: creates key + bindings in one request
-    const createdApiKey = await createApiKeyRecord(orgId)
-    await finalizeCreatedApiKey(createdApiKey.key)
-  }
-  catch (err) {
-    console.error('Error creating API key:', err)
-    toast.error(await getUserFacingErrorMessage(err, t('failed-to-create-api-key')))
-  }
-  finally {
-    isSubmitting.value = false
-  }
-}
-
-async function saveKey() {
-  if (!apiKey.value || !validateApiKeyForm())
-    return
-
-  isSubmitting.value = true
-  try {
-    const { error } = await supabase
-      .from('apikeys')
-      .update({
-        name: editName.value.trim(),
-        limited_to_orgs: [currentOrganization.value!.gid],
-        limited_to_apps: configuredLimitedAppIds.value,
-      })
-      .eq('id', apiKey.value.id)
-    if (error)
-      throw error
-
-    apiKey.value.name = editName.value.trim()
-    apiKey.value.limited_to_orgs = [currentOrganization.value!.gid]
-    apiKey.value.limited_to_apps = configuredLimitedAppIds.value
-    displayStore.NavTitle = editName.value.trim()
-
-    await saveOrgRole()
-    await syncAppBindings()
-
-    toast.success(t('api-key-updated'))
-  }
-  catch (err) {
-    console.error('Error saving API key:', err)
-    toast.error(t('error-updating-api-key'))
-  }
-  finally {
-    isSubmitting.value = false
-  }
-}
-
-async function saveOrgRole() {
-  const existing = keyOrgBinding.value
-  const target = selectedOrgRole.value
-  const orgId = currentOrganization.value?.gid
-
-  if (shouldKeepUnsupportedOrgRole(existing?.role_name, target))
-    return
-
-  if (!target) {
-    if (existing)
-      await deleteRoleBinding(existing.id)
-    return
-  }
-
-  if (!orgId || existing?.role_name === target)
-    return
-
-  await persistOrgRoleBinding(existing, orgId, target)
-  await fetchRoleBindings()
-}
-
-async function syncAppBindings() {
-  const existing = keyAppBindings.value
-  const pending = pendingAppBindings.value
-  const orgId = currentOrganization.value?.gid
-
-  if (!orgId)
-    return
-
-  await deleteRemovedAppBindings(existing, pending)
-  await upsertPendingAppBindings(existing, pending, orgId)
-
-  await fetchRoleBindings()
-}
 </script>
 
 <template>
-  <div>
-    <div v-if="isOrgLoading || isPermissionLoading" class="flex items-center justify-center py-12">
-      <span class="d-loading d-loading-spinner d-loading-lg" />
-    </div>
-
-    <div
-      v-else-if="!canShow || !canManage"
-      class="flex flex-col bg-white border shadow-lg md:p-6 md:rounded-lg dark:bg-gray-800 border-slate-300 dark:border-slate-900"
-    >
-      <h2 class="text-2xl font-bold dark:text-white text-slate-800">
-        {{ t('api-keys') }}
-      </h2>
-      <p class="mt-2 text-sm text-slate-500">
-        {{ t('api-keys-unavailable') }}
-      </p>
-    </div>
-
-    <div v-else>
-      <div class="flex flex-col bg-white border shadow-lg md:p-8 md:rounded-lg dark:bg-gray-800 border-slate-300 dark:border-slate-900">
-        <!-- Back -->
-        <div class="mb-6">
-          <RouterLink
-            to="/settings/organization/api-keys"
-            class="inline-flex items-center gap-1 text-sm text-slate-500 hover:text-slate-700 dark:hover:text-slate-300"
-          >
-            <span>←</span>
-            <span>{{ t('api-keys') }}</span>
-          </RouterLink>
-        </div>
-
-        <div v-if="isLoading" class="flex items-center justify-center py-12">
-          <span class="d-loading d-loading-spinner d-loading-lg" />
-        </div>
-
-        <template v-else-if="isCreateMode || apiKey">
-          <h1 class="mb-6 text-2xl font-bold dark:text-white text-slate-800">
-            {{ isCreateMode ? t('create-api-key') : apiKey!.name }}
-          </h1>
-
-          <!-- Key info -->
-          <section class="mb-8">
-            <h2 class="mb-4 text-sm font-semibold uppercase text-slate-500">
-              {{ t('key-information') }}
-            </h2>
-            <div class="space-y-4 max-w-lg">
-              <div>
-                <label for="apikey-name" class="block mb-1 text-sm font-medium dark:text-white text-slate-800">
-                  {{ t('name') }} *
-                </label>
-                <input
-                  id="apikey-name"
-                  v-model="editName"
-                  type="text"
-                  class="w-full d-input d-input-bordered"
-                  :placeholder="t('type-new-name')"
-                  :disabled="isSubmitting"
-                >
-              </div>
-
-              <template v-if="isCreateMode">
-                <!-- Secure key -->
-                <div class="p-4 border border-blue-200 rounded-lg bg-blue-50 dark:bg-blue-900/20 dark:border-blue-700">
-                  <div class="flex items-start gap-3">
-                    <input
-                      id="apikey-hashed"
-                      v-model="createAsHashed"
-                      type="checkbox"
-                      class="mt-1 checkbox checkbox-primary"
-                    >
-                    <div>
-                      <label for="apikey-hashed" class="font-medium text-blue-800 cursor-pointer dark:text-blue-200">
-                        {{ t('create-secure-key') }}
-                      </label>
-                      <p class="mt-1 text-sm text-blue-600 dark:text-blue-300">
-                        {{ t('create-secure-key-description') }}
-                      </p>
-                    </div>
-                  </div>
-                </div>
-
-                <!-- Expiration -->
-                <div>
-                  <div class="flex items-center gap-2 mb-2">
-                    <input
-                      id="apikey-expiration"
-                      v-model="setExpiration"
-                      type="checkbox"
-                      class="checkbox"
-                    >
-                    <label for="apikey-expiration" class="text-sm">{{ t('set-expiration-date') }}</label>
-                  </div>
-                  <div v-if="setExpiration">
-                    <VueDatePicker
-                      v-model="expirationDate"
-                      :min-date="minExpirationDate"
-                      :enable-time-picker="false"
-                      :dark="isDark"
-                      teleport="body"
-                      :auto-apply="true"
-                      hide-input-icon
-                      :action-row="{ showCancel: false, showSelect: false, showNow: false, showPreview: false }"
-                      :placeholder="t('select-expiration-date')"
-                    >
-                      <template #trigger>
-                        <button
-                          type="button"
-                          class="flex items-center gap-2 px-3 py-2 text-sm text-left bg-white border border-gray-300 rounded-md dark:text-white dark:bg-gray-800 dark:border-gray-600 hover:bg-gray-50 dark:hover:bg-gray-700"
-                        >
-                          <IconCalendar class="w-4 h-4 text-gray-500" />
-                          <span :class="expirationDate ? 'text-gray-900 dark:text-white' : 'text-gray-500'">
-                            {{ expirationDate ? dayjs(expirationDate).format('YYYY-MM-DD') : t('select-expiration-date') }}
-                          </span>
-                        </button>
-                      </template>
-                    </VueDatePicker>
-                  </div>
-                </div>
-              </template>
-
-              <template v-else-if="apiKey">
-                <div class="text-sm text-slate-500 space-y-1">
-                  <div>{{ t('email') }}: <span class="text-slate-700 dark:text-slate-300">{{ apiKey.owner_email }}</span></div>
-                  <div v-if="apiKey.expires_at">
-                    {{ t('expires') }}: <span class="text-slate-700 dark:text-slate-300">{{ dayjs(apiKey.expires_at).format('YYYY-MM-DD') }}</span>
-                  </div>
-                </div>
-              </template>
-            </div>
-          </section>
-
-          <!-- Org role -->
-          <section class="mb-8">
-            <h2 class="mb-2 text-sm font-semibold uppercase text-slate-500">
-              {{ t('organization') }}
-            </h2>
-            <p class="mb-3 text-sm text-slate-500">
-              {{ t('select-user-role') }}
-            </p>
-            <div class="space-y-2">
-              <label class="flex items-center gap-3 cursor-pointer">
-                <input
-                  v-model="selectedOrgRole"
-                  type="radio"
-                  class="d-radio d-radio-primary d-radio-sm"
-                  name="apikey-org-role"
-                  value=""
-                  :disabled="isSubmitting"
-                >
-                <span class="text-sm text-slate-600 dark:text-slate-400">{{ t('none') }}</span>
-              </label>
-              <label
-                v-for="role in orgRoleOptions"
-                :key="role.id"
-                class="flex items-center gap-3 cursor-pointer"
-              >
-                <input
-                  v-model="selectedOrgRole"
-                  type="radio"
-                  class="d-radio d-radio-primary d-radio-sm"
-                  name="apikey-org-role"
-                  :value="role.name"
-                  :disabled="isSubmitting"
-                >
-                <span class="text-sm font-medium dark:text-white text-slate-800">{{ role.description }}</span>
-              </label>
-            </div>
-          </section>
-
-          <!-- App access -->
-          <section class="mb-8">
-            <h2 class="mb-4 text-sm font-semibold uppercase text-slate-500">
-              {{ t('app-access-control') }}
-            </h2>
-
-            <div v-if="!showAppAccessForm" class="py-4 text-sm text-slate-500">
-              {{ t('app-access-member-only') }}
-            </div>
-
-            <template v-else>
-              <div class="flex justify-end mb-4">
-                <div class="relative">
-                  <button
-                    class="d-btn d-btn-sm d-btn-outline gap-2"
-                    :disabled="isSubmitting"
-                    @click="showAppDropdown = !showAppDropdown"
-                  >
-                    <svg class="w-4 h-4" viewBox="0 0 20 20" fill="currentColor">
-                      <path d="M10.75 4.75a.75.75 0 00-1.5 0v4.5h-4.5a.75.75 0 000 1.5h4.5v4.5a.75.75 0 001.5 0v-4.5h4.5a.75.75 0 000-1.5h-4.5v-4.5z" />
-                    </svg>
-                    {{ t('add-app') }}
-                  </button>
-                  <div v-if="showAppDropdown" class="fixed inset-0 z-10" @click="showAppDropdown = false" />
-                  <div
-                    v-if="showAppDropdown"
-                    class="absolute right-0 top-full mt-1 z-20 bg-white dark:bg-gray-800 border border-slate-200 dark:border-slate-700 rounded-lg shadow-lg min-w-[240px] max-h-60 overflow-y-auto"
-                  >
-                    <div v-if="apps.length === 0" class="px-4 py-3 text-sm text-slate-500">
-                      {{ t('no-apps') }}
-                    </div>
-                    <label
-                      v-for="app in apps"
-                      :key="app.id"
-                      class="flex items-center gap-3 px-4 py-2.5 cursor-pointer hover:bg-slate-50 dark:hover:bg-slate-700 transition-colors"
-                    >
-                      <input
-                        type="checkbox"
-                        class="d-checkbox d-checkbox-sm d-checkbox-primary"
-                        :checked="app.id in pendingAppBindings"
-                        @change="toggleApp(app.id)"
-                      >
-                      <div>
-                        <div class="text-sm font-medium dark:text-white text-slate-800">
-                          {{ app.name || app.app_id }}
-                        </div>
-                        <div v-if="app.name" class="text-xs text-slate-500">
-                          {{ app.app_id }}
-                        </div>
-                      </div>
-                    </label>
-                  </div>
-                </div>
-              </div>
-
-              <div v-if="selectedAppIds.length === 0" class="py-4 text-sm text-slate-500">
-                {{ t('app-access-none') }}
-              </div>
-              <div v-else class="border rounded-lg border-slate-200 dark:border-slate-700 overflow-hidden">
-                <div
-                  v-for="appId in selectedAppIds"
-                  :key="appId"
-                  class="flex items-center gap-4 px-4 py-2.5 border-b last:border-0 border-slate-100 dark:border-slate-700 hover:bg-slate-50/50 dark:hover:bg-slate-700/20"
-                >
-                  <span class="flex-1 text-sm font-medium dark:text-white text-slate-800 truncate">
-                    {{ getAppName(appId) }}
-                  </span>
-                  <select
-                    class="d-select d-select-sm d-select-bordered"
-                    :value="pendingAppBindings[appId] || ''"
-                    :disabled="isSubmitting"
-                    @change="onAppRoleChange(appId, $event)"
-                  >
-                    <option value="">
-                      {{ t('select-role') }}
-                    </option>
-                    <option v-for="role in appRoleOptions" :key="role.id" :value="role.name">
-                      {{ role.description }}
-                    </option>
-                  </select>
-                  <button
-                    class="d-btn d-btn-xs d-btn-ghost text-red-500 shrink-0"
-                    :disabled="isSubmitting"
-                    @click="toggleApp(appId)"
-                  >
-                    <IconTrash class="w-4 h-4" />
-                  </button>
-                </div>
-              </div>
-            </template>
-          </section>
-
-          <!-- Save -->
-          <div class="flex justify-end pt-4 border-t border-slate-200 dark:border-slate-700">
-            <button
-              class="d-btn d-btn-primary"
-              :disabled="isSubmitting || !editName.trim()"
-              @click="isCreateMode ? createKey() : saveKey()"
-            >
-              <span v-if="isSubmitting" class="d-loading d-loading-spinner d-loading-xs" />
-              {{ isCreateMode ? t('create') : t('save-changes') }}
-            </button>
-          </div>
-        </template>
-
-        <div v-else class="py-12 text-center text-slate-500">
-          {{ t('api-key-not-found') }}
-        </div>
-      </div>
-    </div>
-
-    <Teleport
-      v-if="dialogStore.showDialog && dialogStore.dialogOptions?.id === 'org-apikey-created'"
-      to="#dialog-v2-content"
-      defer
-    >
-      <div class="space-y-4">
-        <p class="text-sm text-slate-600">
-          {{
-            createdKeyDialogMode === 'partial-failure-hashed'
-              ? t('api-key-create-partial-failure-warning-hashed')
-              : createdKeyDialogMode === 'partial-failure-plain'
-                ? t('api-key-create-partial-failure-warning-plain')
-                : t('secure-key-warning')
-          }}
-        </p>
-
-        <div class="p-4 border rounded-lg border-blue-200 bg-blue-50">
-          <p class="mb-2 text-sm font-semibold text-blue-800">
-            {{ t('your-api-key') }}
-          </p>
-
-          <div class="flex flex-col gap-3 p-3 border rounded-lg border-blue-200 bg-white sm:flex-row sm:items-start sm:justify-between">
-            <code class="flex-1 text-sm break-all whitespace-pre-wrap text-slate-800">{{ createdPlainKey }}</code>
-
-            <button
-              type="button"
-              class="d-btn d-btn-sm d-btn-outline border-blue-300 text-blue-700 hover:bg-blue-100"
-              @click="copyCreatedKey"
-            >
-              <IconClipboard class="w-4 h-4" />
-              {{ t('copy') }}
-            </button>
-          </div>
-        </div>
-      </div>
-    </Teleport>
-  </div>
+  <div />
 </template>
 
 <route lang="yaml">
diff --git a/src/pages/settings/organization/ApiKeys.vue b/src/pages/settings/organization/ApiKeys.vue
index b1c9d738c2..f3196bdf75 100644
--- a/src/pages/settings/organization/ApiKeys.vue
+++ b/src/pages/settings/organization/ApiKeys.vue
@@ -1,53 +1,16 @@
 <script setup lang="ts">
-import { computedAsync } from '@vueuse/core'
-import { storeToRefs } from 'pinia'
-import { computed, ref } from 'vue'
-import { useI18n } from 'vue-i18n'
-import ApiKeyRbacManager from '~/components/organization/ApiKeyRbacManager.vue'
-import { checkPermissions } from '~/services/permissions'
-import { useDisplayStore } from '~/stores/display'
-import { useOrganizationStore } from '~/stores/organization'
+import { onMounted } from 'vue'
+import { useRouter } from 'vue-router'
 
-const { t } = useI18n()
-const organizationStore = useOrganizationStore()
-const { currentOrganization } = storeToRefs(organizationStore)
-const displayStore = useDisplayStore()
+const router = useRouter()
 
-displayStore.NavTitle = t('api-keys')
-
-const isPermissionLoading = ref(false)
-const canManage = computedAsync(async () => {
-  if (!currentOrganization.value?.gid)
-    return false
-  return await checkPermissions('org.update_user_roles', { orgId: currentOrganization.value.gid })
-}, false, { evaluating: isPermissionLoading })
-
-const canShow = computed(() =>
-  !!currentOrganization.value?.use_new_rbac && !!currentOrganization.value?.gid,
-)
+onMounted(() => {
+  router.replace('/apikeys')
+})
 </script>
 
 <template>
-  <div>
-    <ApiKeyRbacManager
-      v-if="canShow"
-      :org-id="currentOrganization!.gid"
-      :org-name="currentOrganization!.name || currentOrganization!.gid"
-      :can-manage="canManage"
-    />
-
-    <div
-      v-else-if="!isPermissionLoading"
-      class="flex flex-col bg-white border shadow-lg md:p-6 md:rounded-lg dark:bg-gray-800 border-slate-300 dark:border-slate-900"
-    >
-      <h2 class="text-2xl font-bold dark:text-white text-slate-800">
-        {{ t('api-keys') }}
-      </h2>
-      <p class="mt-2 text-sm text-slate-500">
-        {{ t('api-keys-unavailable') }}
-      </p>
-    </div>
-  </div>
+  <div />
 </template>
 
 <route lang="yaml">
diff --git a/src/pages/settings/organization/Groups.[id].vue b/src/pages/settings/organization/Groups.[id].vue
index 15b99c3d60..5b7a1302ec 100644
--- a/src/pages/settings/organization/Groups.[id].vue
+++ b/src/pages/settings/organization/Groups.[id].vue
@@ -82,7 +82,7 @@ const groupId = computed(() => (route.params as { id: string }).id)
 const isCreateMode = computed(() => groupId.value === 'new')
 
 const canShow = computed(() =>
-  !!currentOrganization.value?.use_new_rbac && !!currentOrganization.value?.gid,
+  !!currentOrganization.value?.gid,
 )
 
 const isPermissionLoading = ref(false)
diff --git a/src/pages/settings/organization/Groups.vue b/src/pages/settings/organization/Groups.vue
index 7795d8de8a..370e35ac00 100644
--- a/src/pages/settings/organization/Groups.vue
+++ b/src/pages/settings/organization/Groups.vue
@@ -22,7 +22,7 @@ const canManage = computedAsync(async () => {
 }, false, { evaluating: isPermissionLoading })
 
 const canShow = computed(() =>
-  !!currentOrganization.value?.use_new_rbac && !!currentOrganization.value?.gid,
+  !!currentOrganization.value?.gid,
 )
 </script>
 
diff --git a/src/pages/settings/organization/Members.vue b/src/pages/settings/organization/Members.vue
index f5c7a31019..a25b0d4a9b 100644
--- a/src/pages/settings/organization/Members.vue
+++ b/src/pages/settings/organization/Members.vue
@@ -35,12 +35,10 @@ const search = ref('')
 const columns: Ref<TableColumn[]> = ref<TableColumn[]>([])
 const isLoading = ref(false)
 const currentPage = ref(1)
-const rbacSystemEnabled = import.meta.env.VITE_FEATURE_RBAC_SYSTEM === 'true'
 const dialogStore = useDialogV2Store()
 const emailInput = ref('')
 const displayStore = useDisplayStore()
 displayStore.NavTitle = t('members')
-const useNewRbac = ref(false)
 
 type OrganizationMemberRow = ExtendedOrganizationMember & { is_invite?: boolean }
 type OrganizationMemberRows = OrganizationMemberRow[]
@@ -183,12 +181,9 @@ function isInviteMember(member: OrganizationMemberRow) {
 }
 
 function getMemberRoleLabel(member: OrganizationMemberRow) {
-  if (useNewRbac.value) {
-    const normalizedRole = member.role.replace(/^invite_/, '')
-    const i18nKey = getRbacRoleI18nKey(normalizedRole)
-    return i18nKey ? t(i18nKey) : normalizedRole.replaceAll('_', ' ')
-  }
-  return member.role.replaceAll('_', ' ')
+  const normalizedRole = member.role.replace(/^invite_/, '')
+  const i18nKey = getRbacRoleI18nKey(normalizedRole)
+  return i18nKey ? t(i18nKey) : normalizedRole.replaceAll('_', ' ')
 }
 
 function renderRoleCell(member: OrganizationMemberRow) {
@@ -208,29 +203,6 @@ function renderRoleCell(member: OrganizationMemberRow) {
   return h('div', { class: 'flex flex-wrap items-center gap-2 min-w-0 whitespace-normal' }, content)
 }
 
-async function checkRbacEnabled() {
-  useNewRbac.value = false
-  if (!currentOrganization.value)
-    return
-
-  try {
-    const { data, error } = await supabase
-      .from('orgs')
-      .select('use_new_rbac')
-      .eq('id', currentOrganization.value.gid)
-      .single()
-
-    if (error)
-      throw error
-
-    useNewRbac.value = (data as any)?.use_new_rbac || false
-  }
-  catch (error: any) {
-    useNewRbac.value = false
-    console.error('Error checking RBAC status:', error)
-  }
-}
-
 const isInviteNewUserDialogOpen = ref(false)
 
 function resetInviteCaptcha() {
@@ -266,35 +238,17 @@ const filteredMembers = computed(() => {
 })
 
 const permissionOptions = computed(() => {
-  if (useNewRbac.value) {
-    // Options RBAC
-    const options = [
-      { label: t('role-org-member'), value: 'org_member' },
-      { label: t('role-org-billing-admin'), value: 'org_billing_admin' },
-      { label: t('role-org-admin'), value: 'org_admin' },
-    ]
-
-    if (canUpdateUserRoles.value) {
-      options.push({ label: t('role-org-super-admin'), value: 'org_super_admin' })
-    }
+  const options = [
+    { label: t('role-org-member'), value: 'org_member' },
+    { label: t('role-org-billing-admin'), value: 'org_billing_admin' },
+    { label: t('role-org-admin'), value: 'org_admin' },
+  ]
 
-    return options
+  if (canUpdateUserRoles.value) {
+    options.push({ label: t('role-org-super-admin'), value: 'org_super_admin' })
   }
-  else {
-    // Options legacy
-    const options = [
-      { label: t('key-read'), value: 'read' },
-      { label: t('key-upload'), value: 'upload' },
-      { label: t('key-write'), value: 'write' },
-      { label: t('key-admin'), value: 'admin' },
-    ]
-
-    if (canUpdateUserRoles.value) {
-      options.push({ label: t('key-super-admin'), value: 'super_admin' })
-    }
 
-    return options
-  }
+  return options
 })
 
 const filteredAppAccessApps = computed(() => {
@@ -417,7 +371,7 @@ columns.value = [
     actions: computed(() => [
       {
         icon: IconWrench,
-        title: rbacSystemEnabled ? t('edit-role') : t('actions'),
+        title: t('edit-role'),
         visible: (member: OrganizationMemberRow) => canUpdateUserRoles.value && member.uid !== currentOrganization?.value?.created_by,
         onClick: (member: OrganizationMemberRow) => {
           changeMemberPermission(member)
@@ -427,7 +381,7 @@ columns.value = [
         icon: IconShield,
         title: t('app-access-control'),
         visible: (member: OrganizationMemberRow) => {
-          if (!useNewRbac.value || !canUpdateUserRoles.value || isInviteMember(member))
+          if (!canUpdateUserRoles.value || isInviteMember(member))
             return false
           const normalizedRole = member.role.replace(/^invite_/, '')
           return !['org_super_admin', 'org_admin'].includes(normalizedRole)
@@ -451,53 +405,41 @@ async function reloadData() {
   isLoading.value = true
   const imageLoadRun = ++memberImageLoadRun
   try {
-    await checkRbacEnabled()
-
-    if (useNewRbac.value && currentOrganization.value) {
-      // Utiliser la RPC RBAC pour récupérer les membres
-      const { data: rbacMembers, error: rbError } = await supabase
-        .rpc('get_org_members_rbac', {
-          p_org_id: currentOrganization.value.gid,
-        })
-
-      if (rbError) {
-        console.error('Error fetching RBAC members:', rbError)
-        toast.error(t('error-fetching-members'))
-        return
-      }
+    if (!currentOrganization.value)
+      return
 
-      const memberImageSources: MemberImageSource[] = []
-      // Mapper les données RBAC vers le format attendu par la table
-      members.value = (rbacMembers || []).map((member: any) => {
-        const isInvite = member.is_invite === true
-        const isTmp = member.is_tmp === true
-        const orgUserId = member.org_user_id
-        const hasOrgUserInvite = isInvite && !isTmp && orgUserId != null && orgUserId !== ''
-        const memberKey = String(member.user_id ?? member.email ?? '')
-        memberImageSources.push({ key: memberKey, imageUrl: member.image_url })
-
-        return {
-          id: member.user_id,
-          aid: hasOrgUserInvite ? Number(orgUserId) : -1,
-          uid: member.user_id,
-          email: member.email,
-          image_url: getImmediateImageUrl(member.image_url) || '',
-          role: member.role_name,
-          is_tmp: isTmp,
-          is_invite: isInvite,
-        }
+    const { data: rbacMembers, error: rbError } = await supabase
+      .rpc('get_org_members_rbac', {
+        p_org_id: currentOrganization.value.gid,
       })
-      void loadMemberImages(memberImageSources, imageLoadRun)
-    }
-    else {
-      // Utiliser l'ancienne méthode pour les orgs sans RBAC
-      members.value = await organizationStore.getMembers((signedImages) => {
-        if (imageLoadRun !== memberImageLoadRun)
-          return
 
-        applySignedMemberImages(signedImages)
-      })
+    if (rbError) {
+      console.error('Error fetching RBAC members:', rbError)
+      toast.error(t('error-fetching-members'))
+      return
     }
+
+    const memberImageSources: MemberImageSource[] = []
+    members.value = (rbacMembers || []).map((member: any) => {
+      const isInvite = member.is_invite === true
+      const isTmp = member.is_tmp === true
+      const orgUserId = member.org_user_id
+      const hasOrgUserInvite = isInvite && !isTmp && orgUserId != null && orgUserId !== ''
+      const memberKey = String(member.user_id ?? member.email ?? '')
+      memberImageSources.push({ key: memberKey, imageUrl: member.image_url })
+
+      return {
+        id: member.user_id,
+        aid: hasOrgUserInvite ? Number(orgUserId) : -1,
+        uid: member.user_id,
+        email: member.email,
+        image_url: getImmediateImageUrl(member.image_url) || '',
+        role: member.role_name,
+        is_tmp: isTmp,
+        is_invite: isInvite,
+      }
+    })
+    void loadMemberImages(memberImageSources, imageLoadRun)
   }
   catch (error) {
     console.error('Error reloading members:', error)
@@ -554,9 +496,7 @@ function validateEmail(email: string) {
 
 async function showPermModal(invite: boolean, onConfirm?: (permission: Database['public']['Enums']['user_min_right'] | string) => Promise<boolean>, currentRole?: string): Promise<Database['public']['Enums']['user_min_right'] | string | undefined> {
   const normalizedRole = currentRole?.replace(/^invite_/, '')
-  const initialRole = useNewRbac.value
-    ? (normalizedRole ? normalizedRole.trim().toLowerCase().replace(/\s+/g, '_') : '')
-    : (currentRole ?? '')
+  const initialRole = normalizedRole ? normalizedRole.trim().toLowerCase().replace(/\s+/g, '_') : ''
   selectedPermission.value = initialRole
     ? initialRole as Database['public']['Enums']['user_min_right']
     : undefined
@@ -577,10 +517,8 @@ async function showPermModal(invite: boolean, onConfirm?: (permission: Database[
   }
 
   dialogStore.openDialog({
-    title: useNewRbac.value ? t('select-user-role') : t('select-user-perms'),
-    description: useNewRbac.value
-      ? t('select-user-role-expanded')
-      : t('select-user-perms-expanded'),
+    title: t('select-user-role'),
+    description: t('select-user-role-expanded'),
     size: 'lg',
     preventAccidentalClose: !!onConfirm,
     buttons: [
@@ -687,17 +625,11 @@ async function sendInvitation(email: string, type: Database['public']['Enums']['
 
   isLoading.value = true
   try {
-    const { data, error } = useNewRbac.value
-      ? await supabase.rpc('invite_user_to_org_rbac', {
-          email,
-          org_id: orgId,
-          role_name: type,
-        })
-      : await supabase.rpc('invite_user_to_org', {
-          email,
-          org_id: orgId,
-          invite_type: type as Database['public']['Enums']['user_min_right'],
-        })
+    const { data, error } = await supabase.rpc('invite_user_to_org_rbac', {
+      email,
+      org_id: orgId,
+      role_name: type,
+    })
 
     if (error) {
       console.error('Error inviting user:', error)
@@ -730,7 +662,7 @@ async function handleSendInvitationOutput(output: string, email: string, type: D
   const existingMember = members.value.find(member => member.email.toLowerCase() === email.toLowerCase())
   const hasPendingInvite = existingMember ? isInviteMember(existingMember) : false
 
-  if (orgId && shouldAttemptExistingUserInviteNotification(output, type, useNewRbac.value, hasPendingInvite)) {
+  if (orgId && shouldAttemptExistingUserInviteNotification(output, hasPendingInvite)) {
     const notified = await notifyExistingUserInvite(supabase, email, orgId)
     if (!notified) {
       console.warn('Failed to send invite email notification')
@@ -875,7 +807,7 @@ async function cannotDeleteOwner() {
                   // get member from id
                   const selectedUser = members.value.filter(m => m.id === selectedUserToDelegateAdmin.value)[0]
                   // set user to super admin
-                  _changeMemberPermission(selectedUser, useNewRbac.value ? 'org_super_admin' : 'super_admin')
+                  _changeMemberPermission(selectedUser, 'org_super_admin')
                   selectedUserToDelegateAdmin.value = null
                   // get current member
                   const currentMember = members.value.filter(m => m.uid === main.user?.id)[0]
@@ -1095,64 +1027,20 @@ async function updateRbacInviteRole(member: OrganizationMemberRow, perm: string)
   }
 }
 
-async function updateTmpMemberRole(member: OrganizationMemberRow, perm: Database['public']['Enums']['user_min_right']) {
-  const { data, error } = await supabase.rpc('modify_permissions_tmp', {
-    email: member.email,
-    org_id: currentOrganization.value?.gid ?? '',
-    new_role: perm,
-  })
-
-  if (error) {
-    console.error('Error changing permission for invitation: ', error)
-    toast.error(`${t('cannot-change-permission')}: ${error.message}`)
-    return
-  }
-
-  if (data === 'OK') {
-    toast.success(t('permission-changed'))
-  }
-  else {
-    toast.warning(`${t('unexpected-response')}: ${data}`)
-  }
-
-  await reloadData()
-}
-
-async function updateLegacyMemberRole(member: OrganizationMemberRow, perm: Database['public']['Enums']['user_min_right']) {
-  const { error } = await supabase
-    .from('org_users')
-    .update({ user_right: perm })
-    .eq('id', member.aid)
-
-  if (error) {
-    console.error('Error changing permission: ', error)
-    toast.error(`${t('cannot-change-permission')}: ${error.message}`)
-    return
-  }
-
-  toast.success(t('permission-changed'))
-  await reloadData()
-}
-
 async function _changeMemberPermission(member: OrganizationMemberRow, perm: Database['public']['Enums']['user_min_right'] | string) {
   isLoading.value = true
   try {
-    if (useNewRbac.value && currentOrganization.value) {
-      if (isInviteMember(member)) {
-        await updateRbacInviteRole(member, perm as string)
-      }
-      else {
-        await updateRbacMemberRole(member, perm as string)
-      }
+    if (!currentOrganization.value) {
+      toast.error(t('no-permission'))
       return
     }
 
-    if (member.is_tmp) {
-      await updateTmpMemberRole(member, perm as Database['public']['Enums']['user_min_right'])
-      return
+    if (isInviteMember(member)) {
+      await updateRbacInviteRole(member, perm as string)
+    }
+    else {
+      await updateRbacMemberRole(member, perm as string)
     }
-
-    await updateLegacyMemberRole(member, perm as Database['public']['Enums']['user_min_right'])
   }
   catch (error) {
     console.error('Permission change failed:', error)
@@ -1164,7 +1052,7 @@ async function _changeMemberPermission(member: OrganizationMemberRow, perm: Data
 }
 
 async function changeMemberPermission(member: OrganizationMemberRow) {
-  const isInvite = useNewRbac.value ? isInviteMember(member) : member.role.includes('invite')
+  const isInvite = isInviteMember(member)
   const perm = await showPermModal(isInvite, undefined, member.role)
 
   if (!perm) {
@@ -1214,35 +1102,8 @@ function canDelete(member: OrganizationMemberRow) {
   return currentUserIsAdmin
 }
 
-function handlePermissionSelection(permission: Database['public']['Enums']['user_min_right'] | string, invite: boolean) {
-  if (useNewRbac.value) {
-    // Pour RBAC, on utilise directement le nom du rôle (org_super_admin, org_admin, etc.)
-    // Les invitations RBAC ne nécessitent pas de préfixe 'invite_'
-    selectedPermission.value = permission as any
-  }
-  else if (invite) {
-    // Legacy: ajouter le préfixe invite_ pour les invitations
-    switch (permission) {
-      case 'read':
-        selectedPermission.value = 'invite_read'
-        break
-      case 'upload':
-        selectedPermission.value = 'invite_upload'
-        break
-      case 'write':
-        selectedPermission.value = 'invite_write'
-        break
-      case 'admin':
-        selectedPermission.value = 'invite_admin'
-        break
-      case 'super_admin':
-        selectedPermission.value = 'invite_super_admin'
-        break
-    }
-  }
-  else {
-    selectedPermission.value = permission as any
-  }
+function handlePermissionSelection(permission: Database['public']['Enums']['user_min_right'] | string, _invite: boolean) {
+  selectedPermission.value = permission as any
 }
 
 function handleFormKitPermissionSelection(value: string | undefined) {
@@ -1385,7 +1246,7 @@ function updateAppAccessSaveButton() {
 }
 
 async function openAppAccessModal(member: OrganizationMemberRow) {
-  if (!currentOrganization.value || !useNewRbac.value) {
+  if (!currentOrganization.value) {
     toast.error(t('no-permission'))
     return
   }
@@ -1589,17 +1450,6 @@ async function handleInviteNewUserSubmit() {
           {{ t('members') }}
         </h2>
       </div>
-      <div v-if="rbacSystemEnabled && useNewRbac" class="items-start gap-3 mb-4 d-alert d-alert-info">
-        <IconInformation class="w-6 h-6 text-sky-400 shrink-0" />
-        <div class="text-sm text-slate-100">
-          <p class="font-semibold">
-            {{ t('rbac-system-enabled') }}
-          </p>
-          <p class="text-slate-200">
-            {{ t('rbac-system-enabled-body') }}
-          </p>
-        </div>
-      </div>
       <DataTable
         v-model:columns="columns"
         v-model:current-page="currentPage"
diff --git a/src/services/apikeys.ts b/src/services/apikeys.ts
index db4680fa18..a4b49ea8d5 100644
--- a/src/services/apikeys.ts
+++ b/src/services/apikeys.ts
@@ -6,19 +6,149 @@ import type { Database } from '~/types/supabase.types'
 export async function createDefaultApiKey(
   supabase: SupabaseClient<Database>,
   name: string,
+  options: {
+    orgId?: string | null
+    appId?: string | null
+    hashed?: boolean
+  } = {},
 ) {
+  let orgId = options.orgId ?? null
+  let appUuid: string | null = null
+
+  if (options.appId) {
+    const { data: app, error } = await supabase
+      .from('apps')
+      .select('id, owner_org')
+      .eq('app_id', options.appId)
+      .single()
+
+    if (error)
+      throw error
+
+    if (orgId && app?.owner_org && orgId !== app.owner_org) {
+      throw new Error('appId does not belong to orgId')
+    }
+
+    appUuid = app?.id ?? null
+    orgId = orgId ?? app?.owner_org ?? null
+  }
+
+  if (!orgId) {
+    throw new Error('Cannot create a default API key without an organization')
+  }
+
+  const bindings: Array<{
+    role_name: string
+    scope_type: 'org' | 'app'
+    org_id: string
+    app_id?: string
+  }> = appUuid && !options.orgId
+    ? [
+        {
+          role_name: 'org_member',
+          scope_type: 'org',
+          org_id: orgId,
+        },
+        {
+          role_name: 'app_admin',
+          scope_type: 'app',
+          org_id: orgId,
+          app_id: appUuid,
+        },
+      ]
+    : [
+        {
+          role_name: 'org_admin',
+          scope_type: 'org',
+          org_id: orgId,
+        },
+      ]
+
   return supabase.functions.invoke('apikey', {
     method: 'POST',
     body: {
       name,
-      mode: 'all',
+      hashed: options.hashed === true,
+      bindings,
     },
   })
 }
 
+export async function findUsablePlainApiKey(
+  supabase: SupabaseClient<Database>,
+  userId: string,
+  orgId?: string | null,
+  appId?: string | null,
+): Promise<string | null> {
+  const isLiveKey = (expiresAt: string | null) => !expiresAt || new Date(expiresAt).getTime() > Date.now()
+  let appUuid: string | null = null
+
+  const { data: keys, error } = await supabase
+    .from('apikeys')
+    .select('key, expires_at, rbac_id, created_at')
+    .eq('user_id', userId)
+    .not('key', 'is', null)
+    .order('created_at', { ascending: false })
+
+  if (error || !keys?.length)
+    return null
+
+  const liveKeys = keys.filter(key => key.key && isLiveKey(key.expires_at))
+  if (!liveKeys.length)
+    return null
+
+  if (!orgId)
+    return liveKeys[0].key ?? null
+
+  if (appId) {
+    const { data: app, error: appError } = await supabase
+      .from('apps')
+      .select('id, owner_org')
+      .eq('app_id', appId)
+      .single()
+
+    if (appError || !app?.id || !app.owner_org)
+      return null
+
+    if (app.owner_org !== orgId)
+      return null
+
+    appUuid = app.id
+  }
+
+  const rbacIds = liveKeys.map(key => key.rbac_id).filter((rbacId): rbacId is string => !!rbacId)
+  if (!rbacIds.length)
+    return null
+
+  const { data: bindings, error: bindingsError } = await supabase
+    .from('role_bindings')
+    .select('principal_id, scope_type, app_id, roles(name)')
+    .eq('principal_type', 'apikey')
+    .eq('org_id', orgId)
+    .in('principal_id', rbacIds)
+
+  if (bindingsError || !bindings?.length)
+    return null
+
+  const orgAdminRoles = new Set(['org_super_admin', 'org_admin'])
+  const scopedKeyIds = new Set(((bindings ?? []) as any[])
+    .filter((binding) => {
+      const roleName = Array.isArray(binding.roles) ? binding.roles[0]?.name : binding.roles?.name
+      if (binding.scope_type === 'org' && orgAdminRoles.has(roleName))
+        return true
+      return !!appUuid && binding.scope_type === 'app' && binding.app_id === appUuid
+    })
+    .map(binding => binding.principal_id)
+    .filter((principalId): principalId is string => typeof principalId === 'string'))
+
+  if (!scopedKeyIds.size)
+    return null
+
+  return liveKeys.find(key => scopedKeyIds.has(key.rbac_id))?.key ?? null
+}
+
 interface ApiKeyListRow {
   name?: string | null
-  mode: string | null
   created_at: string | null
 }
 
@@ -79,10 +209,6 @@ export function sortApiKeyRows<T extends ApiKeyListRow>(
           aValue = a.name?.toLowerCase() || ''
           bValue = b.name?.toLowerCase() || ''
           break
-        case 'mode':
-          aValue = (a.mode ?? '').toLowerCase()
-          bValue = (b.mode ?? '').toLowerCase()
-          break
         case 'created_at':
           aValue = a.created_at ? new Date(a.created_at).getTime() : 0
           bValue = b.created_at ? new Date(b.created_at).getTime() : 0
diff --git a/src/services/permissions.ts b/src/services/permissions.ts
index 675e2ac3d5..0d0551adbe 100644
--- a/src/services/permissions.ts
+++ b/src/services/permissions.ts
@@ -2,9 +2,7 @@
  * RBAC Permission System - Frontend
  *
  * This module provides the frontend interface to the backend RBAC permission system.
- * It calls the SQL function rbac_check_permission() which automatically routes
- * between legacy (org_users) and new RBAC (role_bindings) systems based on the org's
- * use_new_rbac flag.
+ * It calls the SQL function rbac_check_permission(), backed by role_bindings.
  *
  * Usage:
  *   import { checkPermissions } from '~/services/permissions'
@@ -125,15 +123,11 @@ export async function hasPermission(
 /**
  * Main permission check function.
  *
- * Calls the SQL function rbac_check_permission() which automatically
- * routes between legacy (check_min_rights) and RBAC systems based on the org's
- * feature flag.
+ * Calls the SQL function rbac_check_permission(), backed by role_bindings.
  *
  * The backend will:
  * 1. Auto-derive parent scopes (orgId from appId, appId from channelId) if needed
- * 2. Detect if the org has use_new_rbac enabled
- * 3. If RBAC: check role_bindings → roles → role_permissions → permissions
- * 4. If legacy: map permission to min_right and check org_users table
+ * 2. Check role_bindings → roles → role_permissions → permissions
  *
  * @param permissions - A permission key or a list of permission keys
  * @param scope - Scope identifiers. Parent scopes are auto-derived by the backend.
diff --git a/src/stores/organization.ts b/src/stores/organization.ts
index 0ae29de5e0..88f68c32f8 100644
--- a/src/stores/organization.ts
+++ b/src/stores/organization.ts
@@ -599,7 +599,7 @@ export const useOrganizationStore = defineStore('organization', () => {
     if (!role)
       return false
 
-    if (org?.use_new_rbac && requiredRoles.length > 0) {
+    if (requiredRoles.length > 0) {
       if (requiredRoles.some(required => matchesRbacRole(role, required)))
         return true
     }
diff --git a/src/types/supabase.types.ts b/src/types/supabase.types.ts
index 8aaf3abd80..cef6aea856 100644
--- a/src/types/supabase.types.ts
+++ b/src/types/supabase.types.ts
@@ -12,6 +12,31 @@ export type Database = {
   __InternalSupabase: {
     PostgrestVersion: "14.5"
   }
+  graphql_public: {
+    Tables: {
+      [_ in never]: never
+    }
+    Views: {
+      [_ in never]: never
+    }
+    Functions: {
+      graphql: {
+        Args: {
+          extensions?: Json
+          operationName?: string
+          query?: string
+          variables?: Json
+        }
+        Returns: Json
+      }
+    }
+    Enums: {
+      [_ in never]: never
+    }
+    CompositeTypes: {
+      [_ in never]: never
+    }
+  }
   public: {
     Tables: {
       apikeys: {
@@ -21,9 +46,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -35,9 +57,6 @@ export type Database = {
           id?: number
           key?: string | null
           key_hash?: string | null
-          limited_to_apps?: string[] | null
-          limited_to_orgs?: string[] | null
-          mode?: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id?: string
           updated_at?: string | null
@@ -49,9 +68,6 @@ export type Database = {
           id?: number
           key?: string | null
           key_hash?: string | null
-          limited_to_apps?: string[] | null
-          limited_to_orgs?: string[] | null
-          mode?: Database["public"]["Enums"]["key_mode"] | null
           name?: string
           rbac_id?: string
           updated_at?: string | null
@@ -469,13 +485,6 @@ export type Database = {
             referencedRelation: "apps"
             referencedColumns: ["app_id"]
           },
-          {
-            foreignKeyName: "build_logs_org_id_fkey"
-            columns: ["org_id"]
-            isOneToOne: false
-            referencedRelation: "orgs"
-            referencedColumns: ["id"]
-          },
         ]
       }
       build_requests: {
@@ -1278,7 +1287,7 @@ export type Database = {
           paying: number | null
           paying_monthly: number | null
           paying_yearly: number | null
-          plan_enterprise: number | null
+          plan_enterprise: number
           plan_enterprise_conversion_rate: number
           plan_enterprise_monthly: number
           plan_enterprise_yearly: number
@@ -1362,7 +1371,7 @@ export type Database = {
           paying?: number | null
           paying_monthly?: number | null
           paying_yearly?: number | null
-          plan_enterprise?: number | null
+          plan_enterprise?: number
           plan_enterprise_conversion_rate?: number
           plan_enterprise_monthly?: number
           plan_enterprise_yearly?: number
@@ -1446,7 +1455,7 @@ export type Database = {
           paying?: number | null
           paying_monthly?: number | null
           paying_yearly?: number | null
-          plan_enterprise?: number | null
+          plan_enterprise?: number
           plan_enterprise_conversion_rate?: number
           plan_enterprise_monthly?: number
           plan_enterprise_yearly?: number
@@ -2946,6 +2955,13 @@ export type Database = {
     }
     Functions: {
       accept_invitation_to_org: { Args: { org_id: string }; Returns: string }
+      apikey_permission_for_keymode: {
+        Args: {
+          keymode: Database["public"]["Enums"]["key_mode"][]
+          scope_type: string
+        }
+        Returns: string
+      }
       app_versions_readable_app_ids: { Args: never; Returns: string[] }
       apply_usage_overage: {
         Args: {
@@ -3137,65 +3153,6 @@ export type Database = {
           wrong_key_count: number
         }[]
       }
-      create_hashed_apikey: {
-        Args: {
-          p_expires_at?: string
-          p_limited_to_apps?: string[]
-          p_limited_to_orgs?: string[]
-          p_mode?: Database["public"]["Enums"]["key_mode"]
-          p_name?: string
-        }
-        Returns: {
-          created_at: string | null
-          expires_at: string | null
-          id: number
-          key: string | null
-          key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
-          name: string
-          rbac_id: string
-          updated_at: string | null
-          user_id: string
-        }
-        SetofOptions: {
-          from: "*"
-          to: "apikeys"
-          isOneToOne: true
-          isSetofReturn: false
-        }
-      }
-      create_hashed_apikey_for_user: {
-        Args: {
-          p_expires_at?: string
-          p_limited_to_apps?: string[]
-          p_limited_to_orgs?: string[]
-          p_mode?: Database["public"]["Enums"]["key_mode"]
-          p_name?: string
-          p_user_id: string
-        }
-        Returns: {
-          created_at: string | null
-          expires_at: string | null
-          id: number
-          key: string | null
-          key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
-          name: string
-          rbac_id: string
-          updated_at: string | null
-          user_id: string
-        }
-        SetofOptions: {
-          from: "*"
-          to: "apikeys"
-          isOneToOne: true
-          isSetofReturn: false
-        }
-      }
       current_request_role: { Args: never; Returns: string }
       delete_accounts_marked_for_deletion: {
         Args: never
@@ -3236,9 +3193,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -3493,9 +3447,6 @@ export type Database = {
           created_at: string
           expires_at: string
           id: number
-          limited_to_apps: string[]
-          limited_to_orgs: string[]
-          mode: Database["public"]["Enums"]["key_mode"]
           name: string
           owner_email: string
           rbac_id: string
@@ -3593,18 +3544,24 @@ export type Database = {
               app_count: number
               can_use_more: boolean
               created_by: string
+              credit_available: number
+              credit_next_expiration: string
+              credit_total: number
               gid: string
               is_canceled: boolean
               is_yearly: boolean
               logo: string
               management_email: string
+              max_apikey_expiration_days: number
               name: string
+              next_stats_update_at: string
               paying: boolean
+              require_apikey_expiration: boolean
               role: string
+              stats_updated_at: string
               subscription_end: string
               subscription_start: string
               trial_left: number
-              use_new_rbac: boolean
             }[]
           }
         | {
@@ -3613,18 +3570,24 @@ export type Database = {
               app_count: number
               can_use_more: boolean
               created_by: string
+              credit_available: number
+              credit_next_expiration: string
+              credit_total: number
               gid: string
               is_canceled: boolean
               is_yearly: boolean
               logo: string
               management_email: string
+              max_apikey_expiration_days: number
               name: string
+              next_stats_update_at: string
               paying: boolean
+              require_apikey_expiration: boolean
               role: string
+              stats_updated_at: string
               subscription_end: string
               subscription_start: string
               trial_left: number
-              use_new_rbac: boolean
             }[]
           }
       get_orgs_v7:
@@ -3988,7 +3951,7 @@ export type Database = {
         | { Args: { userid: string }; Returns: boolean }
       is_rbac_enabled_globally: { Args: never; Returns: boolean }
       is_recent_email_otp_verified: {
-        Args: { user_id: string }
+        Args: { p_user_id: string }
         Returns: boolean
       }
       is_storage_exceeded_by_org: { Args: { org_id: string }; Returns: boolean }
@@ -4335,9 +4298,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -4358,9 +4318,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -4421,6 +4378,25 @@ export type Database = {
         Args: { email: string; org_id: string }
         Returns: string
       }
+      reset_and_seed_app_data: {
+        Args: {
+          p_admin_user_id?: string
+          p_app_id: string
+          p_org_id?: string
+          p_plan_product_id?: string
+          p_stripe_customer_id?: string
+          p_user_id?: string
+        }
+        Returns: undefined
+      }
+      reset_and_seed_app_stats_data: {
+        Args: { p_app_id: string }
+        Returns: undefined
+      }
+      reset_and_seed_data: { Args: never; Returns: undefined }
+      reset_and_seed_stats_data: { Args: never; Returns: undefined }
+      reset_app_data: { Args: { p_app_id: string }; Returns: undefined }
+      reset_app_stats_data: { Args: { p_app_id: string }; Returns: undefined }
       restore_deleted_account: { Args: never; Returns: undefined }
       resync_org_user_role_bindings: {
         Args: { p_org_id: string; p_user_id: string }
@@ -4591,7 +4567,9 @@ export type Database = {
         | "disableAutoUpdateMetadata"
         | "disableAutoUpdateUnderNative"
         | "disableDevBuild"
+        | "disableProdBuild"
         | "disableEmulator"
+        | "disableDevice"
         | "cannotGetBundle"
         | "checksum_fail"
         | "NoChannelOrOverride"
@@ -4612,8 +4590,6 @@ export type Database = {
         | "download_manifest_brotli_fail"
         | "backend_refusal"
         | "download_0"
-        | "disableProdBuild"
-        | "disableDevice"
         | "disablePlatformElectron"
         | "customIdBlocked"
         | "app_crash"
@@ -4804,6 +4780,9 @@ export type CompositeTypes<
     : never
 
 export const Constants = {
+  graphql_public: {
+    Enums: {},
+  },
   public: {
     Enums: {
       action_type: ["mau", "storage", "bandwidth", "build_time"],
@@ -4860,7 +4839,9 @@ export const Constants = {
         "disableAutoUpdateMetadata",
         "disableAutoUpdateUnderNative",
         "disableDevBuild",
+        "disableProdBuild",
         "disableEmulator",
+        "disableDevice",
         "cannotGetBundle",
         "checksum_fail",
         "NoChannelOrOverride",
@@ -4881,8 +4862,6 @@ export const Constants = {
         "download_manifest_brotli_fail",
         "backend_refusal",
         "download_0",
-        "disableProdBuild",
-        "disableDevice",
         "disablePlatformElectron",
         "customIdBlocked",
         "app_crash",
diff --git a/src/utils/invites.ts b/src/utils/invites.ts
index 2c3db8c789..fa790efaa0 100644
--- a/src/utils/invites.ts
+++ b/src/utils/invites.ts
@@ -55,24 +55,15 @@ export async function notifyExistingUserInvite(
   return true
 }
 
-export function shouldNotifyExistingUserInvite(role: string, useNewRbac: boolean) {
-  if (useNewRbac)
-    return true
-
-  return role.startsWith('invite_')
-}
-
 export function shouldAttemptExistingUserInviteNotification(
   output: string,
-  role: string,
-  useNewRbac: boolean,
   hasPendingInvite = false,
 ) {
   if (output === 'ALREADY_INVITED')
-    return hasPendingInvite && shouldNotifyExistingUserInvite(role, useNewRbac)
+    return hasPendingInvite
 
   if (output !== 'OK')
     return false
 
-  return shouldNotifyExistingUserInvite(role, useNewRbac)
+  return true
 }
diff --git a/supabase/functions/_backend/private/accept_invitation.ts b/supabase/functions/_backend/private/accept_invitation.ts
index 642fd94eed..0fad67709a 100644
--- a/supabase/functions/_backend/private/accept_invitation.ts
+++ b/supabase/functions/_backend/private/accept_invitation.ts
@@ -31,6 +31,19 @@ const rbacRoleToLegacy: Record<string, 'read' | 'admin' | 'super_admin'> = {
   org_super_admin: 'super_admin',
 }
 
+const legacyInviteToRbac: Record<string, string> = {
+  read: 'org_member',
+  upload: 'org_member',
+  write: 'org_member',
+  admin: 'org_admin',
+  super_admin: 'org_super_admin',
+  invite_read: 'org_member',
+  invite_upload: 'org_member',
+  invite_write: 'org_member',
+  invite_admin: 'org_admin',
+  invite_super_admin: 'org_super_admin',
+}
+
 // Default password policy (when org has no policy set)
 const DEFAULT_PASSWORD_POLICY: PasswordPolicy = {
   enabled: true,
@@ -157,36 +170,29 @@ async function ensureOrgMembership(
   supabaseAdmin: ReturnType<typeof useSupabaseAdmin>,
   userId: string,
   invitation: any,
-  org: any,
 ) {
-  const rbacRoleName = invitation.rbac_role_name
-  const useRbacInvite = org?.use_new_rbac === true
+  const rbacRoleName = invitation.rbac_role_name ?? legacyInviteToRbac[invitation.role as keyof typeof legacyInviteToRbac]
 
-  if (useRbacInvite && !rbacRoleName) {
+  if (!rbacRoleName) {
     return quickError(500, 'failed_to_accept_invitation', 'Failed to resolve RBAC role', { error: 'Missing RBAC role name' })
   }
 
-  const rbacRoleNameValue = rbacRoleName ?? ''
-  const legacyRight = useRbacInvite
-    ? rbacRoleToLegacy[rbacRoleNameValue] ?? 'read'
-    : invitation.role
+  const legacyRight = rbacRoleToLegacy[rbacRoleName] ?? 'read'
   let rbacRoleId: string | null = null
 
-  if (useRbacInvite) {
-    const { data: role, error: roleError } = await supabaseAdmin
-      .from('roles')
-      .select('id')
-      .eq('name', rbacRoleNameValue)
-      .eq('scope_type', 'org')
-      .single()
-
-    if (roleError || !role) {
-      return quickError(500, 'failed_to_accept_invitation', 'Failed to resolve RBAC role', { error: roleError?.message ?? 'Role not found' })
-    }
+  const { data: role, error: roleError } = await supabaseAdmin
+    .from('roles')
+    .select('id')
+    .eq('name', rbacRoleName)
+    .eq('scope_type', 'org')
+    .single()
 
-    rbacRoleId = role.id
+  if (roleError || !role) {
+    return quickError(500, 'failed_to_accept_invitation', 'Failed to resolve RBAC role', { error: roleError?.message ?? 'Role not found' })
   }
 
+  rbacRoleId = role.id
+
   // Avoid creating duplicates: org_users does not have a unique constraint on (org_id, user_id).
   const { data: existingMembershipRows, error: existingMembershipError } = await supabaseAdmin
     .from('org_users')
@@ -205,7 +211,7 @@ async function ensureOrgMembership(
       .from('org_users')
       .update({
         user_right: legacyRight,
-        rbac_role_name: useRbacInvite ? rbacRoleName : null,
+        rbac_role_name: rbacRoleName,
       })
       .eq('user_id', userId)
       .eq('org_id', invitation.org_id)
@@ -221,7 +227,7 @@ async function ensureOrgMembership(
       user_id: userId,
       org_id: invitation.org_id,
       user_right: legacyRight,
-      rbac_role_name: useRbacInvite ? rbacRoleName : null,
+      rbac_role_name: rbacRoleName,
     })
 
     if (insertIntoMainTableError) {
@@ -229,36 +235,34 @@ async function ensureOrgMembership(
     }
   }
 
-  if (useRbacInvite) {
-    const { error: deleteBindingError } = await supabaseAdmin
-      .from('role_bindings')
-      .delete()
-      .eq('principal_type', 'user')
-      .eq('principal_id', userId)
-      .eq('scope_type', 'org')
-      .eq('org_id', invitation.org_id)
+  const { error: deleteBindingError } = await supabaseAdmin
+    .from('role_bindings')
+    .delete()
+    .eq('principal_type', 'user')
+    .eq('principal_id', userId)
+    .eq('scope_type', 'org')
+    .eq('org_id', invitation.org_id)
 
-    if (deleteBindingError) {
-      return quickError(500, 'failed_to_accept_invitation', 'Failed to clear existing RBAC role bindings', { error: deleteBindingError.message })
-    }
+  if (deleteBindingError) {
+    return quickError(500, 'failed_to_accept_invitation', 'Failed to clear existing RBAC role bindings', { error: deleteBindingError.message })
+  }
 
-    const { error: insertBindingError } = await supabaseAdmin
-      .from('role_bindings')
-      .insert({
-        principal_type: 'user',
-        principal_id: userId,
-        role_id: rbacRoleId as string,
-        scope_type: 'org',
-        org_id: invitation.org_id,
-        granted_by: userId,
-        granted_at: new Date().toISOString(),
-        reason: 'Accepted invitation',
-        is_direct: true,
-      })
+  const { error: insertBindingError } = await supabaseAdmin
+    .from('role_bindings')
+    .insert({
+      principal_type: 'user',
+      principal_id: userId,
+      role_id: rbacRoleId as string,
+      scope_type: 'org',
+      org_id: invitation.org_id,
+      granted_by: userId,
+      granted_at: new Date().toISOString(),
+      reason: 'Accepted invitation',
+      is_direct: true,
+    })
 
-    if (insertBindingError) {
-      return quickError(500, 'failed_to_accept_invitation', 'Failed to create RBAC role binding', { error: insertBindingError.message })
-    }
+  if (insertBindingError) {
+    return quickError(500, 'failed_to_accept_invitation', 'Failed to create RBAC role binding', { error: insertBindingError.message })
   }
 }
 
@@ -297,7 +301,7 @@ app.post('/', async (c) => {
 
   // Get the org's password policy
   const { data: org, error: orgError } = await supabaseAdmin.from('orgs')
-    .select('password_policy_config, use_new_rbac')
+    .select('password_policy_config')
     .eq('id', invitation.org_id)
     .single()
 
@@ -333,7 +337,7 @@ app.post('/', async (c) => {
     }
 
     const userId = session.user?.id ?? existingUser.id
-    await ensureOrgMembership(supabaseAdmin, userId, invitation, org)
+    await ensureOrgMembership(supabaseAdmin, userId, invitation)
 
     // Remove the invite only after the org membership is created successfully.
     const { error: tmpUserDeleteError } = await supabaseAdmin.from('tmp_users').delete().eq('invite_magic_string', baseBody.magic_invite_string)
@@ -398,7 +402,7 @@ app.post('/', async (c) => {
 
       if (!sessionError && session.user?.id) {
         await ensurePublicUserRowExists(c, supabaseAdmin, session.user.id, invitation, body.opt_for_newsletters)
-        await ensureOrgMembership(supabaseAdmin, session.user.id, invitation, org)
+        await ensureOrgMembership(supabaseAdmin, session.user.id, invitation)
 
         const { error: tmpUserDeleteError } = await supabaseAdmin.from('tmp_users').delete().eq('invite_magic_string', body.magic_invite_string)
         if (tmpUserDeleteError) {
@@ -481,7 +485,7 @@ app.post('/', async (c) => {
       return quickError(400, 'sign_in_failed', 'Sign in failed, please retry', { error: sessionError.message })
     }
 
-    await ensureOrgMembership(supabaseAdmin, user.user.id, invitation, org)
+    await ensureOrgMembership(supabaseAdmin, user.user.id, invitation)
 
     // Remove the invite only after the account + org membership are created successfully.
     const { error: tmpUserDeleteError } = await supabaseAdmin.from('tmp_users').delete().eq('invite_magic_string', body.magic_invite_string)
diff --git a/supabase/functions/_backend/private/delete_failed_version.ts b/supabase/functions/_backend/private/delete_failed_version.ts
index a263e9b98a..e0f5384c20 100644
--- a/supabase/functions/_backend/private/delete_failed_version.ts
+++ b/supabase/functions/_backend/private/delete_failed_version.ts
@@ -26,7 +26,6 @@ app.delete('/', middlewareKey(['all', 'write', 'upload']), async (c) => {
       message: 'apikey context',
       apikeyId: (apikey as { id?: number }).id,
       userId: (apikey as { user_id?: string }).user_id,
-      mode: (apikey as { mode?: string }).mode,
     })
   }
   // Auth context is already set by middlewareKey
diff --git a/supabase/functions/_backend/private/groups.ts b/supabase/functions/_backend/private/groups.ts
index 3f391d9c3a..ab79caf025 100644
--- a/supabase/functions/_backend/private/groups.ts
+++ b/supabase/functions/_backend/private/groups.ts
@@ -387,20 +387,7 @@ app.post(
         .limit(1)
 
       if (!targetRbacAccess.length) {
-        const targetLegacyAccess = await drizzle
-          .select({ id: schema.org_users.id })
-          .from(schema.org_users)
-          .where(
-            and(
-              eq(schema.org_users.user_id, targetUserId),
-              eq(schema.org_users.org_id, group.org_id),
-            ),
-          )
-          .limit(1)
-
-        if (!targetLegacyAccess.length) {
-          return c.json({ error: 'User is not a member of this org' }, 400)
-        }
+        return c.json({ error: 'User is not a member of this org' }, 400)
       }
 
       // Add member (ON CONFLICT DO NOTHING for idempotency)
diff --git a/supabase/functions/_backend/private/invite_existing_user_to_org.ts b/supabase/functions/_backend/private/invite_existing_user_to_org.ts
index 0bcb1d4c47..2d3aff0379 100644
--- a/supabase/functions/_backend/private/invite_existing_user_to_org.ts
+++ b/supabase/functions/_backend/private/invite_existing_user_to_org.ts
@@ -1,5 +1,5 @@
 import type { Context } from 'hono'
-import type { MiddlewareKeyVariables } from '../utils/hono.ts'
+import type { AuthInfo, MiddlewareKeyVariables } from '../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../utils/ark_validation.ts'
 import { trackBentoEvent } from '../utils/bento.ts'
@@ -55,6 +55,81 @@ export function getInviteResendRequiredPermission(
   return canInviteUser ? null : 'org.invite_user'
 }
 
+function getInviteTargetRoleName(userRight: string, rbacRoleName?: string | null) {
+  if (rbacRoleName?.trim())
+    return rbacRoleName.trim()
+
+  switch (userRight) {
+    case 'invite_super_admin':
+      return 'org_super_admin'
+    case 'invite_admin':
+      return 'org_admin'
+    case 'invite_read':
+    case 'invite_upload':
+    case 'invite_write':
+      return 'org_member'
+    default:
+      return null
+  }
+}
+
+async function canCallerResendInviteRole(
+  c: AppContext,
+  auth: AuthInfo,
+  orgId: string,
+  userRight: string,
+  rbacRoleName?: string | null,
+) {
+  const targetRoleName = getInviteTargetRoleName(userRight, rbacRoleName)
+  if (!targetRoleName)
+    return false
+
+  let principalType = 'user'
+  let principalId = auth.userId
+  if (auth.authType === 'apikey' && auth.apikey?.rbac_id) {
+    principalType = 'apikey'
+    principalId = auth.apikey.rbac_id
+  }
+  if (!principalId)
+    return false
+
+  const pgClient = getPgClient(c)
+  try {
+    const result = await pgClient.query<{ allowed: boolean }>(`
+      WITH target_role AS (
+        SELECT r.priority_rank
+        FROM public.roles r
+        WHERE r.name = $4
+          AND r.scope_type = public.rbac_scope_org()
+          AND r.is_assignable = true
+        LIMIT 1
+      ),
+      caller_priority AS (
+        SELECT COALESCE(MAX(r.priority_rank), 0) AS max_priority
+        FROM public.role_bindings rb
+        JOIN public.roles r
+          ON r.id = rb.role_id
+          AND r.scope_type = rb.scope_type
+        WHERE rb.principal_type = $1
+          AND rb.principal_id = $2::uuid
+          AND rb.scope_type = public.rbac_scope_org()
+          AND rb.org_id = $3::uuid
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      )
+      SELECT
+        (SELECT max_priority FROM caller_priority) >= COALESCE(
+          (SELECT priority_rank FROM target_role),
+          2147483647
+        ) AS allowed
+    `, [principalType, principalId, orgId, targetRoleName])
+
+    return result.rows[0]?.allowed === true
+  }
+  finally {
+    closeClient(c, pgClient)
+  }
+}
+
 async function lockInviteNotification(c: AppContext, orgId: string, userId: string) {
   const pgClient = getPgClient(c)
   const inviteNotificationLockKey = getInviteNotificationLockKey(orgId, userId)
@@ -203,7 +278,7 @@ app.post('/', middlewareAuth, async (c) => {
   })
   const { data: membership, error: membershipError } = await supabaseAdminClient
     .from('org_users')
-    .select('id, user_right')
+    .select('id, user_right, rbac_role_name')
     .eq('org_id', body.org_id)
     .eq('user_id', invitedUser.id)
     .maybeSingle()
@@ -233,6 +308,20 @@ app.post('/', middlewareAuth, async (c) => {
     })
   }
 
+  const canManageInviteRole = await canCallerResendInviteRole(
+    c,
+    authContext,
+    body.org_id,
+    membership.user_right,
+    membership.rbac_role_name,
+  )
+  if (!canManageInviteRole) {
+    return quickError(403, 'not_authorized', 'Not authorized', {
+      requiredPermission: 'org.update_user_roles',
+      orgId: body.org_id,
+    })
+  }
+
   const inviteCooldownStorageKey = getInviteNotificationCooldownKey(body.org_id, invitedUser.id)
   const inviteCooldownKey = cooldownCache.buildRequest('/private/invite_existing_user_to_org/cooldown', {
     org_id: body.org_id,
diff --git a/supabase/functions/_backend/private/invite_new_user_to_org.ts b/supabase/functions/_backend/private/invite_new_user_to_org.ts
index 786f8165ae..878e6a34a0 100644
--- a/supabase/functions/_backend/private/invite_new_user_to_org.ts
+++ b/supabase/functions/_backend/private/invite_new_user_to_org.ts
@@ -52,14 +52,7 @@ function generateInviteMagicString() {
   return Array.from(bytes, byte => byte.toString(16).padStart(2, '0')).join('')
 }
 
-function resolveInviteRoles(inviteType: string, useNewRbac: boolean) {
-  if (!useNewRbac) {
-    if (rbacInviteRoles.includes(inviteType as RbacInviteRole)) {
-      throw simpleError('invalid_request', 'Invalid invite type')
-    }
-    return { legacyInviteType: inviteType as Database['public']['Enums']['user_min_right'], rbacRoleName: null }
-  }
-
+function resolveInviteRoles(inviteType: string) {
   if (rbacInviteRoles.includes(inviteType as RbacInviteRole)) {
     const rbacRoleName = inviteType as RbacInviteRole
     return { legacyInviteType: rbacRoleToLegacy[rbacRoleName], rbacRoleName }
@@ -137,8 +130,7 @@ async function validateInvite(c: Context, rawBody: any) {
     return { message: 'Failed to invite user', error: orgError?.message ?? 'Organization not found', status: 500 }
   }
 
-  const useNewRbac = org.use_new_rbac === true
-  const { legacyInviteType, rbacRoleName } = resolveInviteRoles(body.invite_type, useNewRbac)
+  const { legacyInviteType, rbacRoleName } = resolveInviteRoles(body.invite_type)
 
   // Get current user ID from JWT
   const authContext = c.get('auth')
diff --git a/supabase/functions/_backend/private/role_bindings.ts b/supabase/functions/_backend/private/role_bindings.ts
index e9169502ff..ba55dc6d45 100644
--- a/supabase/functions/_backend/private/role_bindings.ts
+++ b/supabase/functions/_backend/private/role_bindings.ts
@@ -1,6 +1,5 @@
 import type { Context } from 'hono'
 import type { MiddlewareKeyVariables } from '../utils/hono.ts'
-import type { Database } from '../utils/supabase.types.ts'
 import { sValidator } from '@hono/standard-validator'
 import { and, eq, sql } from 'drizzle-orm'
 import { createHono, useCors } from '../utils/hono.ts'
@@ -41,6 +40,7 @@ type RouteValidationResult<T> = { ok: true, data: T } | { ok: false, response: R
 type RoleBindingRecord = typeof schema.role_bindings.$inferSelect
 type RoleRecord = typeof schema.roles.$inferSelect
 const INVALID_APIKEY_ACCESS_ERROR = 'Invalid API key or access'
+const APIKEY_ORG_READER_ROLE = 'apikey_org_reader'
 
 export const app = createHono('', version)
 
@@ -53,13 +53,11 @@ async function requireAuthAndGuardLimitedKeys(c: Context<MiddlewareKeyVariables>
     return c.json({ error: 'Unauthorized' }, 401)
   }
 
-  // Prevent limited-scope API keys from managing role bindings
+  // API keys must not manage role bindings. V2 API-key permissions are scoped
+  // by these bindings, so allowing keys to mutate them would let a key widen
+  // its own access or mint another broad key.
   if (auth.authType === 'apikey') {
-    const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row'] | undefined
-    const hasLimitedScope = (apikey?.limited_to_orgs?.length ?? 0) > 0 || (apikey?.limited_to_apps?.length ?? 0) > 0
-    if (hasLimitedScope) {
-      return c.json({ error: 'Limited-scope API keys cannot manage role bindings' }, 403)
-    }
+    return c.json({ error: 'API keys cannot manage role bindings' }, 403)
   }
 
   await next()
@@ -169,19 +167,24 @@ async function validateUserPrincipalAccess(
   principalId: string,
   orgId: string,
 ): Promise<ValidationResult<null>> {
-  const activeMembership = await drizzle
-    .select({ user_right: schema.org_users.user_right })
-    .from(schema.org_users)
+  const targetRbacAccess = await drizzle
+    .select({ id: schema.role_bindings.id })
+    .from(schema.role_bindings)
+    .innerJoin(schema.roles, and(
+      eq(schema.role_bindings.role_id, schema.roles.id),
+      eq(schema.role_bindings.scope_type, schema.roles.scope_type),
+    ))
     .where(
       and(
-        eq(schema.org_users.user_id, principalId),
-        eq(schema.org_users.org_id, orgId),
-        sql`(${schema.org_users.user_right} IS NULL OR ${schema.org_users.user_right}::text NOT LIKE 'invite_%')`,
+        eq(schema.role_bindings.principal_type, 'user'),
+        eq(schema.role_bindings.principal_id, principalId),
+        eq(schema.role_bindings.org_id, orgId),
+        sql`(${schema.role_bindings.expires_at} IS NULL OR ${schema.role_bindings.expires_at} > now())`,
       ),
     )
     .limit(1)
 
-  if (activeMembership.length) {
+  if (targetRbacAccess.length) {
     return { ok: true, data: null }
   }
 
@@ -201,28 +204,7 @@ async function validateUserPrincipalAccess(
     return { ok: false, status: 400, error: 'User has not accepted the org invitation yet' }
   }
 
-  const targetRbacAccess = await drizzle
-    .select({ id: schema.role_bindings.id })
-    .from(schema.role_bindings)
-    .innerJoin(schema.roles, and(
-      eq(schema.role_bindings.role_id, schema.roles.id),
-      eq(schema.role_bindings.scope_type, schema.roles.scope_type),
-    ))
-    .where(
-      and(
-        eq(schema.role_bindings.principal_type, 'user'),
-        eq(schema.role_bindings.principal_id, principalId),
-        eq(schema.role_bindings.org_id, orgId),
-        sql`(${schema.role_bindings.expires_at} IS NULL OR ${schema.role_bindings.expires_at} > now())`,
-      ),
-    )
-    .limit(1)
-
-  if (!targetRbacAccess.length) {
-    return { ok: false, status: 400, error: 'User is not a member of this org' }
-  }
-
-  return { ok: true, data: null }
+  return { ok: false, status: 400, error: 'User is not a member of this org' }
 }
 
 async function validateGroupPrincipalAccess(
@@ -256,7 +238,6 @@ async function validateApiKeyPrincipalAccess(
   const [apiKey] = await drizzle
     .select({
       user_id: schema.apikeys.user_id,
-      limited_to_orgs: schema.apikeys.limited_to_orgs,
     })
     .from(schema.apikeys)
     .where(eq(schema.apikeys.rbac_id, principalId))
@@ -271,34 +252,23 @@ async function validateApiKeyPrincipalAccess(
     return { ok: false, status: 400, error: INVALID_APIKEY_ACCESS_ERROR }
   }
 
-  if (apiKey.limited_to_orgs?.length && !apiKey.limited_to_orgs.includes(orgId)) {
-    cloudlogErr({
-      message: 'validatePrincipalAccess: apiKey limited_to_orgs scope excludes target org',
-      principalId,
-      orgId,
-      apiKeyUserId: apiKey.user_id,
-    })
-    return { ok: false, status: 400, error: INVALID_APIKEY_ACCESS_ERROR }
-  }
-
-  // Mirror the user-principal checks: only accept active (non-invite) memberships
-  const [activeMembership] = await drizzle
-    .select({ id: schema.org_users.id })
-    .from(schema.org_users)
+  const [ownerRbacAccess] = await drizzle
+    .select({ id: schema.role_bindings.id })
+    .from(schema.role_bindings)
     .where(
       and(
-        eq(schema.org_users.user_id, apiKey.user_id),
-        eq(schema.org_users.org_id, orgId),
-        sql`(${schema.org_users.user_right} IS NULL OR ${schema.org_users.user_right}::text NOT LIKE 'invite_%')`,
+        eq(schema.role_bindings.principal_type, 'user'),
+        eq(schema.role_bindings.principal_id, apiKey.user_id),
+        eq(schema.role_bindings.org_id, orgId),
+        sql`(${schema.role_bindings.expires_at} IS NULL OR ${schema.role_bindings.expires_at} > now())`,
       ),
     )
     .limit(1)
 
-  if (activeMembership) {
+  if (ownerRbacAccess) {
     return { ok: true, data: null }
   }
 
-  // Check if the owner has a pending invite (same as user-principal validation)
   const [pendingInvite] = await drizzle
     .select({ id: schema.org_users.id })
     .from(schema.org_users)
@@ -322,35 +292,12 @@ async function validateApiKeyPrincipalAccess(
   }
 
   cloudlogErr({
-    message: 'validatePrincipalAccess: apiKey owner legacy membership not found',
+    message: 'validatePrincipalAccess: apiKey owner RBAC access not found',
     principalId,
     orgId,
     apiKeyUserId: apiKey.user_id,
   })
-
-  const [ownerRbacAccess] = await drizzle
-    .select({ id: schema.role_bindings.id })
-    .from(schema.role_bindings)
-    .where(
-      and(
-        eq(schema.role_bindings.principal_type, 'user'),
-        eq(schema.role_bindings.principal_id, apiKey.user_id),
-        eq(schema.role_bindings.org_id, orgId),
-      ),
-    )
-    .limit(1)
-
-  if (!ownerRbacAccess) {
-    cloudlogErr({
-      message: 'validatePrincipalAccess: apiKey owner RBAC access not found',
-      principalId,
-      orgId,
-      apiKeyUserId: apiKey.user_id,
-    })
-    return { ok: false, status: 400, error: INVALID_APIKEY_ACCESS_ERROR }
-  }
-
-  return { ok: true, data: null }
+  return { ok: false, status: 400, error: INVALID_APIKEY_ACCESS_ERROR }
 }
 
 export async function validatePrincipalAccess(
@@ -396,15 +343,6 @@ async function loadManagedBinding(
   return { ok: true, data: binding }
 }
 
-// Maps legacy org_users.user_right values to their equivalent RBAC role names.
-// Only admin-level rights are mapped because lower rights (write/upload/read)
-// cannot pass the checkPermission('org.update_user_roles') gate that precedes
-// every anti-escalation check.
-const LEGACY_RIGHT_TO_ROLE_NAME: Record<string, string> = {
-  super_admin: 'org_super_admin',
-  admin: 'org_admin',
-}
-
 async function loadAssignableRoleForBinding(
   c: Context<MiddlewareKeyVariables>,
   drizzle: ReturnType<typeof getDrizzleClient>,
@@ -463,42 +401,7 @@ async function getCallerMaxPriorityRank(
     )
     .limit(1)
 
-  let maxRank = result[0]?.max_rank ?? 0
-
-  // For JWT callers, also consider legacy org_users.user_right so that admins
-  // who passed checkPermission via check_min_rights (legacy path) are not
-  // blocked by the anti-escalation check when they have no RBAC bindings yet.
-  if (authType === 'jwt') {
-    const [membership] = await drizzle
-      .select({ user_right: schema.org_users.user_right })
-      .from(schema.org_users)
-      .where(
-        and(
-          eq(schema.org_users.user_id, principalId),
-          eq(schema.org_users.org_id, orgId),
-          sql`${schema.org_users.user_right}::text NOT LIKE 'invite_%'`,
-        ),
-      )
-      .limit(1)
-
-    const mappedRoleName = membership?.user_right
-      ? LEGACY_RIGHT_TO_ROLE_NAME[membership.user_right]
-      : undefined
-
-    if (mappedRoleName) {
-      const [role] = await drizzle
-        .select({ priority_rank: schema.roles.priority_rank })
-        .from(schema.roles)
-        .where(eq(schema.roles.name, mappedRoleName))
-        .limit(1)
-
-      if (role && role.priority_rank > maxRank) {
-        maxRank = role.priority_rank
-      }
-    }
-  }
-
-  return maxRank
+  return result[0]?.max_rank ?? 0
 }
 
 // Reusable binding creation logic - used by both the POST route and apikey/post.ts
@@ -511,6 +414,7 @@ export interface CreateBindingParams {
   app_id?: string | null
   channel_id?: string | number | null
   reason?: string
+  allowSystemRole?: boolean
 }
 
 export type CreateBindingResult = {
@@ -538,6 +442,7 @@ export async function createRoleBindingForPrincipal(
     app_id,
     channel_id,
     reason,
+    allowSystemRole = false,
   } = params
 
   // 1. Resolve role by name
@@ -551,7 +456,11 @@ export async function createRoleBindingForPrincipal(
     return { ok: false, status: 404, error: 'Role not found' }
   }
 
-  if (!role.is_assignable) {
+  const canUseSystemRole = allowSystemRole
+    && principal_type === 'apikey'
+    && role_name === APIKEY_ORG_READER_ROLE
+
+  if (!role.is_assignable && !canUseSystemRole) {
     return { ok: false, status: 403, error: 'Role is not assignable' }
   }
 
diff --git a/supabase/functions/_backend/private/sso/check-enforcement.ts b/supabase/functions/_backend/private/sso/check-enforcement.ts
index 4283881cfc..41a13f0213 100644
--- a/supabase/functions/_backend/private/sso/check-enforcement.ts
+++ b/supabase/functions/_backend/private/sso/check-enforcement.ts
@@ -88,22 +88,17 @@ app.post('/', middlewareAuth, async (c) => {
       return c.json({ allowed: true })
     }
 
-    // SSO is enforced - check if user is super_admin (break-glass bypass)
-    const { data: roleData, error: roleError } = await (supabase.from as any)('org_users')
-      .select('user_right')
-      .eq('org_id', orgId)
-      .eq('user_id', userId)
-      .single()
-
-    if (roleError && roleError.code !== 'PGRST116') {
-      // PGRST116 = no rows found (user not in org), which is expected
+    // SSO is enforced - check RBAC super-admin-only permission for break-glass bypass
+    const { data: isSuperAdmin, error: roleError } = await (supabase.rpc as any)('rbac_check_permission', {
+      p_permission_key: 'org.update_billing',
+      p_org_id: orgId,
+    })
+
+    if (roleError) {
       cloudlog({ requestId, context: 'check_enforcement - role query error', error: roleError.message, orgId, userId })
       return quickError(500, 'query_error', 'Failed to check user role')
     }
 
-    // Check if user has super_admin right (break-glass: super admins bypass SSO enforcement)
-    const isSuperAdmin = roleData?.user_right === 'super_admin'
-
     if (isSuperAdmin) {
       cloudlog({ requestId, context: 'check_enforcement - super admin bypass', email, orgId })
       return c.json({ allowed: true })
diff --git a/supabase/functions/_backend/private/upload_link.ts b/supabase/functions/_backend/private/upload_link.ts
index 56e41206e5..ed41b00fac 100644
--- a/supabase/functions/_backend/private/upload_link.ts
+++ b/supabase/functions/_backend/private/upload_link.ts
@@ -27,7 +27,6 @@ app.post('/', middlewareKey(['all', 'write', 'upload']), async (c) => {
     message: 'apikey context',
     apikeyId: apikey.id,
     userId: apikey.user_id,
-    mode: apikey.mode,
   })
   // Auth context is already set by middlewareKey
   if (!(await checkPermission(c, 'app.upload_bundle', { appId: body.app_id }))) {
diff --git a/supabase/functions/_backend/public/apikey/delete.ts b/supabase/functions/_backend/public/apikey/delete.ts
index bbffdb4ef9..707725d553 100644
--- a/supabase/functions/_backend/public/apikey/delete.ts
+++ b/supabase/functions/_backend/public/apikey/delete.ts
@@ -3,6 +3,7 @@ import type { Database } from '../../utils/supabase.types.ts'
 import { BRES, honoFactory, quickError, simpleError } from '../../utils/hono.ts'
 import { middlewareV2 } from '../../utils/hono_middleware.ts'
 import { supabaseWithAuth } from '../../utils/supabase.ts'
+import { apiKeyHasLimitedScope } from './scope.ts'
 
 const app = honoFactory.createApp()
 
@@ -18,9 +19,7 @@ app.delete('/:id', middlewareV2(['all']), async (c) => {
   const auth = c.get('auth') as AuthInfo
   const authApikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row'] | undefined
 
-  const callerHasLimitedScope = (authApikey?.limited_to_orgs?.length ?? 0) > 0
-    || (authApikey?.limited_to_apps?.length ?? 0) > 0
-  if (auth.authType === 'apikey' && callerHasLimitedScope) {
+  if (auth.authType === 'apikey' && await apiKeyHasLimitedScope(c, authApikey)) {
     throw quickError(401, 'cannot_delete_apikey', 'You cannot do that as a limited API key', { apikeyId: authApikey?.id })
   }
 
@@ -37,17 +36,31 @@ app.delete('/:id', middlewareV2(['all']), async (c) => {
   // Use supabaseWithAuth which handles both JWT and API key authentication
   const supabase = supabaseWithAuth(c, auth)
 
-  const { data: apikey, error: apikeyError } = await supabase.from('apikeys').select('*').or(`key.eq.${id},id.eq.${id}`).eq('user_id', auth.userId).single()
+  const baseQuery = supabase
+    .from('apikeys')
+    .select('*')
+    .eq('user_id', auth.userId)
+
+  const apikeyQuery = /^\d+$/.test(id)
+    ? baseQuery.eq('id', Number(id))
+    : baseQuery.eq('key', id)
+
+  const { data: apikey, error: apikeyError } = await apikeyQuery.single()
   if (!apikey || apikeyError) {
     throw quickError(404, 'api_key_not_found', 'API key not found', { supabaseError: apikeyError })
   }
 
-  const { error } = await supabase
+  const deleteBaseQuery = supabase
     .from('apikeys')
     .delete()
-    .or(`key.eq.${id},id.eq.${id}`)
     .eq('user_id', auth.userId)
 
+  const deleteQuery = /^\d+$/.test(id)
+    ? deleteBaseQuery.eq('id', Number(id))
+    : deleteBaseQuery.eq('key', id)
+
+  const { error } = await deleteQuery
+
   if (error) {
     throw quickError(500, 'failed_to_delete_apikey', 'Failed to delete API key', { supabaseError: error })
   }
diff --git a/supabase/functions/_backend/public/apikey/get.ts b/supabase/functions/_backend/public/apikey/get.ts
index d2f2b04b7f..45b1fc956f 100644
--- a/supabase/functions/_backend/public/apikey/get.ts
+++ b/supabase/functions/_backend/public/apikey/get.ts
@@ -3,6 +3,7 @@ import type { Database } from '../../utils/supabase.types.ts'
 import { honoFactory, quickError, simpleError } from '../../utils/hono.ts'
 import { middlewareV2 } from '../../utils/hono_middleware.ts'
 import { supabaseWithAuth } from '../../utils/supabase.ts'
+import { apiKeyHasLimitedScope } from './scope.ts'
 
 const app = honoFactory.createApp()
 
@@ -18,9 +19,7 @@ app.get('/', middlewareV2(['all']), async (c) => {
   const auth = c.get('auth') as AuthInfo
   const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row'] | undefined
 
-  const callerHasLimitedScope = (apikey?.limited_to_orgs?.length ?? 0) > 0
-    || (apikey?.limited_to_apps?.length ?? 0) > 0
-  if (auth.authType === 'apikey' && callerHasLimitedScope) {
+  if (auth.authType === 'apikey' && await apiKeyHasLimitedScope(c, apikey)) {
     throw quickError(401, 'cannot_list_apikeys', 'You cannot do that as a limited API key', { apikeyId: apikey?.id })
   }
 
@@ -43,9 +42,7 @@ app.get('/:id', middlewareV2(['all']), async (c) => {
   const auth = c.get('auth') as AuthInfo
   const authApikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row'] | undefined
 
-  const callerHasLimitedScope = (authApikey?.limited_to_orgs?.length ?? 0) > 0
-    || (authApikey?.limited_to_apps?.length ?? 0) > 0
-  if (auth.authType === 'apikey' && callerHasLimitedScope) {
+  if (auth.authType === 'apikey' && await apiKeyHasLimitedScope(c, authApikey)) {
     throw quickError(401, 'cannot_get_apikey', 'You cannot do that as a limited API key', { apikeyId: authApikey?.id })
   }
 
@@ -61,11 +58,16 @@ app.get('/:id', middlewareV2(['all']), async (c) => {
 
   // Use supabaseWithAuth which handles both JWT and API key authentication
   const supabase = supabaseWithAuth(c, auth)
-  const { data: fetchedApikey, error } = await supabase
+  const baseQuery = supabase
     .from('apikeys')
     .select('*')
-    .or(`key.eq.${id},id.eq.${id}`)
     .eq('user_id', auth.userId)
+
+  const apikeyQuery = /^\d+$/.test(id)
+    ? baseQuery.eq('id', Number(id))
+    : baseQuery.eq('key', id)
+
+  const { data: fetchedApikey, error } = await apikeyQuery
     .single()
   if (error) {
     throw quickError(404, 'failed_to_get_apikey', 'Failed to get API key', { supabaseError: error })
diff --git a/supabase/functions/_backend/public/apikey/post.ts b/supabase/functions/_backend/public/apikey/post.ts
index 695b2003bb..51c4be014a 100644
--- a/supabase/functions/_backend/public/apikey/post.ts
+++ b/supabase/functions/_backend/public/apikey/post.ts
@@ -8,8 +8,7 @@ import { middlewareV2 } from '../../utils/hono_middleware.ts'
 import { cloudlog, cloudlogErr } from '../../utils/logging.ts'
 import { closeClient, getDrizzleClient, getPgClient } from '../../utils/pg.ts'
 import { checkPermission } from '../../utils/rbac.ts'
-import { resolveApikeyPolicyOrgIds, supabaseAdmin, supabaseWithAuth, validateExpirationAgainstOrgPolicies, validateExpirationDate } from '../../utils/supabase.ts'
-import { Constants } from '../../utils/supabase.types.ts'
+import { supabaseWithAuth, validateExpirationAgainstOrgPolicies, validateExpirationDate } from '../../utils/supabase.ts'
 
 interface BindingInput {
   role_name: string
@@ -20,39 +19,20 @@ interface BindingInput {
   reason?: string
 }
 
+type EnrichedBindingInput = BindingInput & { allowSystemRole?: boolean }
 type ApiKeyRow = Database['public']['Tables']['apikeys']['Row']
 
 type DrizzleExecutor = Pick<ReturnType<typeof getDrizzleClient>, 'execute'>
 
 interface CreateApiKeyRecordParams {
   userId: string
-  mode: Database['public']['Enums']['key_mode'] | null
   name: string
-  limitedToOrgs: string[]
-  limitedToApps: string[]
   expiresAt: string | null
   isHashed: boolean
 }
 
 const app = honoFactory.createApp()
-
-function apiKeyHasLimitedScope(apikey: ApiKeyRow | undefined) {
-  return (apikey?.limited_to_orgs?.length ?? 0) > 0 || (apikey?.limited_to_apps?.length ?? 0) > 0
-}
-
-function uuidSqlArray(values: string[]) {
-  if (!values.length)
-    return sql`ARRAY[]::uuid[]`
-
-  return sql`ARRAY[${sql.join(values.map(value => sql`${value}::uuid`), sql`, `)}]::uuid[]`
-}
-
-function textSqlArray(values: string[]) {
-  if (!values.length)
-    return sql`ARRAY[]::text[]`
-
-  return sql`ARRAY[${sql.join(values.map(value => sql`${value}::text`), sql`, `)}]::text[]`
-}
+const APIKEY_ORG_READER_ROLE = 'apikey_org_reader'
 
 async function createApiKeyRecord(
   db: DrizzleExecutor,
@@ -63,20 +43,14 @@ async function createApiKeyRecord(
       user_id,
       key,
       key_hash,
-      mode,
       name,
-      limited_to_orgs,
-      limited_to_apps,
       expires_at
     )
     VALUES (
       ${params.userId}::uuid,
       CASE WHEN ${params.isHashed}::boolean THEN NULL ELSE ${plainKey}::text END,
       CASE WHEN ${params.isHashed}::boolean THEN encode(extensions.digest(${plainKey}::text, 'sha256'), 'hex') ELSE NULL END,
-      ${params.mode}::public.key_mode,
       ${params.name}::text,
-      ${uuidSqlArray(params.limitedToOrgs)},
-      ${textSqlArray(params.limitedToApps)},
       ${params.expiresAt}::timestamptz
     )
     RETURNING *`)
@@ -86,38 +60,23 @@ async function createApiKeyRecord(
     throw new Error('API key insert returned no rows')
   }
 
+  apiKey.id = Number(apiKey.id)
   apiKey.key = plainKey
   return apiKey
 }
 
 app.post('/', middlewareV2(['all']), async (c) => {
   const auth = c.get('auth') as AuthInfo
-  const apikey = c.get('apikey') as ApiKeyRow | undefined
 
   const body = await parseBody<any>(c)
 
-  const orgId = body.org_id
-  const appId = body.app_id
   const name = body.name ?? ''
-  if (body.limited_to_apps !== undefined && !Array.isArray(body.limited_to_apps)) {
-    throw simpleError('invalid_limited_to_apps', 'limited_to_apps must be an array of app ids')
-  }
-  if (body.limited_to_orgs !== undefined && !Array.isArray(body.limited_to_orgs)) {
-    throw simpleError('invalid_limited_to_orgs', 'limited_to_orgs must be an array of org ids')
-  }
-  const limitedToApps: string[] = Array.isArray(body.limited_to_apps) ? [...body.limited_to_apps] : []
-  const limitedToOrgs: string[] = Array.isArray(body.limited_to_orgs) ? [...body.limited_to_orgs] : []
-  if (!limitedToApps.every(item => typeof item === 'string')) {
-    throw simpleError('invalid_limited_to_apps', 'limited_to_apps must be an array of app ids')
-  }
-  if (!limitedToOrgs.every(item => typeof item === 'string')) {
-    throw simpleError('invalid_limited_to_orgs', 'limited_to_orgs must be an array of org ids')
-  }
 
-  // API key callers must be full legacy keys. Limited keys, write keys, and
-  // RBAC-managed keys must not be able to mint broader credentials.
-  if (auth.authType === 'apikey' && (apikey?.mode !== 'all' || apiKeyHasLimitedScope(apikey))) {
-    throw simpleError('cannot_create_apikey', 'You cannot create API keys with this API key', { keyId: apikey?.id })
+  if (auth.authType !== 'jwt' || !auth.userId) {
+    if (auth.authType === 'apikey') {
+      throw simpleError('cannot_create_apikey', 'API keys cannot create other API keys')
+    }
+    throw simpleError('not_authorized', 'Only user sessions can create API keys')
   }
   const expiresAt = body.expires_at ?? null
   const isHashed = body.hashed === true
@@ -144,19 +103,11 @@ app.post('/', middlewareV2(['all']), async (c) => {
 
   const hasBindings = bindings.length > 0
 
-  // mode is required when no bindings are provided, optional (null) otherwise
-  const mode = body.mode ?? null
   if (!name) {
     throw simpleError('name_is_required', 'Name is required')
   }
-  if (!hasBindings && !mode) {
-    throw simpleError('mode_is_required', 'Mode is required when no bindings are provided')
-  }
-  if (mode !== null) {
-    const validModes = Constants.public.Enums.key_mode
-    if (!validModes.includes(mode)) {
-      throw simpleError('invalid_mode', 'Invalid mode')
-    }
+  if (!hasBindings) {
+    throw simpleError('bindings_required', 'API key bindings are required')
   }
 
   // Validate expiration date format (throws if invalid)
@@ -164,168 +115,116 @@ app.post('/', middlewareV2(['all']), async (c) => {
 
   // Use supabaseWithAuth which handles both JWT and API key authentication
   const supabase = supabaseWithAuth(c, auth)
-  const policyLookupSupabase = supabaseAdmin(c)
 
-  if (orgId) {
-    const { data: org, error } = await supabase.from('orgs').select('*').eq('id', orgId).single()
-    if (!org || error) {
-      throw quickError(404, 'org_not_found', 'Org not found', { supabaseError: error })
-    }
-    limitedToOrgs.splice(0, limitedToOrgs.length, org.id)
-  }
-  if (appId) {
-    const { data: app, error } = await supabase.from('apps').select('*').eq('id', appId).single()
-    if (!app || error) {
-      throw quickError(404, 'app_not_found', 'App not found', { supabaseError: error })
-    }
-    limitedToApps.splice(0, limitedToApps.length, app.app_id)
-  }
+  const resolvedBindings = bindings
 
   // Validate expiration against org policies (throws if invalid)
-  const allOrgIds = await resolveApikeyPolicyOrgIds(supabase, {
-    limitedToApps,
-    limitedToOrgs,
-    policyLookupSupabase,
-  })
+  const allOrgIds = [...new Set(resolvedBindings.map(binding => binding.org_id))]
   await validateExpirationAgainstOrgPolicies(allOrgIds, expiresAt, supabase)
 
   let apikeyData: ApiKeyRow | null = null
 
-  if (hasBindings) {
-    let pgClient: ReturnType<typeof getPgClient> | undefined
-    try {
-      // Check RBAC permission for each unique org in the bindings before creating anything.
-      const bindingOrgIds = [...new Set(bindings.map(b => b.org_id))]
-      for (const bindingOrgId of bindingOrgIds) {
-        if (!(await checkPermission(c, 'org.update_user_roles', { orgId: bindingOrgId }))) {
-          throw quickError(403, 'forbidden_binding', `Forbidden - Admin rights required for org ${bindingOrgId}`)
+  let pgClient: ReturnType<typeof getPgClient> | undefined
+  try {
+    // Check RBAC permission for each unique org in the bindings before creating anything.
+    for (const bindingOrgId of allOrgIds) {
+      if (!(await checkPermission(c, 'org.update_user_roles', { orgId: bindingOrgId }))) {
+        throw quickError(403, 'forbidden_binding', `Forbidden - Admin rights required for org ${bindingOrgId}`)
+      }
+    }
+
+    pgClient = getPgClient(c)
+    const drizzle = getDrizzleClient(pgClient)
+    const createdBindings: unknown[] = []
+    const callerPrincipalId = auth.userId
+
+    await drizzle.transaction(async (tx) => {
+      apikeyData = await createApiKeyRecord(tx, {
+        userId: auth.userId,
+        name,
+        expiresAt,
+        isHashed,
+      })
+
+      if (!apikeyData.rbac_id) {
+        throw new Error('Created API key is missing rbac_id')
+      }
+
+      // App-scoped keys still need org.read for CLI warning compatibility, but
+      // must not gain org-wide app reads through org_member.
+      const enrichedBindings: EnrichedBindingInput[] = [...resolvedBindings]
+      const orgsWithOrgBinding = new Set(
+        resolvedBindings.filter(b => b.scope_type === 'org').map(b => b.org_id),
+      )
+      for (const b of resolvedBindings) {
+        if (b.scope_type === 'app' && !orgsWithOrgBinding.has(b.org_id)) {
+          enrichedBindings.push({
+            role_name: APIKEY_ORG_READER_ROLE,
+            scope_type: 'org',
+            org_id: b.org_id,
+            reason: 'API key app-scope org read compatibility',
+            allowSystemRole: true,
+          })
+          orgsWithOrgBinding.add(b.org_id)
         }
       }
 
-      pgClient = getPgClient(c)
-      const drizzle = getDrizzleClient(pgClient)
-      const createdBindings: unknown[] = []
-      const callerPrincipalId = auth.authType === 'apikey' ? auth.apikey!.rbac_id : auth.userId
-
-      await drizzle.transaction(async (tx) => {
-        apikeyData = await createApiKeyRecord(tx, {
-          userId: auth.userId,
-          mode,
-          name,
-          limitedToOrgs,
-          limitedToApps,
-          expiresAt,
-          isHashed,
-        })
-
-        if (!apikeyData.rbac_id) {
-          throw new Error('Created API key is missing rbac_id')
+      for (const binding of enrichedBindings) {
+        const bindingParams: CreateBindingParams = {
+          principal_type: 'apikey',
+          principal_id: apikeyData.rbac_id,
+          role_name: binding.role_name,
+          scope_type: binding.scope_type,
+          org_id: binding.org_id,
+          app_id: binding.app_id,
+          channel_id: binding.channel_id,
+          reason: binding.reason,
+          allowSystemRole: binding.allowSystemRole === true,
         }
 
-        // Mirror the user-binding invariant: every org that has app-level bindings
-        // must also have an org-level binding (at minimum org_member) so that the
-        // API key carries org.read — required by get_organization_cli_warnings and
-        // other org-scoped checks.
-        const enrichedBindings: BindingInput[] = [...bindings]
-        const orgsWithOrgBinding = new Set(
-          bindings.filter(b => b.scope_type === 'org').map(b => b.org_id),
+        const result = await createRoleBindingForPrincipal(
+          tx as unknown as ReturnType<typeof getDrizzleClient>,
+          bindingParams,
+          auth.userId,
+          'jwt',
+          callerPrincipalId,
         )
-        for (const b of bindings) {
-          if (b.scope_type === 'app' && !orgsWithOrgBinding.has(b.org_id)) {
-            enrichedBindings.push({ role_name: 'org_member', scope_type: 'org', org_id: b.org_id })
-            orgsWithOrgBinding.add(b.org_id)
-          }
-        }
 
-        for (const binding of enrichedBindings) {
-          const bindingParams: CreateBindingParams = {
-            principal_type: 'apikey',
-            principal_id: apikeyData.rbac_id,
-            role_name: binding.role_name,
-            scope_type: binding.scope_type,
-            org_id: binding.org_id,
-            app_id: binding.app_id,
-            channel_id: binding.channel_id,
-            reason: binding.reason,
-          }
-
-          const result = await createRoleBindingForPrincipal(
-            tx as unknown as ReturnType<typeof getDrizzleClient>,
-            bindingParams,
-            auth.userId,
-            auth.authType as 'jwt' | 'apikey',
-            callerPrincipalId,
-          )
-
-          if (!result.ok) {
-            cloudlogErr({
-              requestId: c.get('requestId'),
-              message: 'apikey_binding_failed',
-              binding,
-              error: result.error,
-            })
-            throw quickError(result.status as any, 'binding_failed', result.error)
-          }
-
-          createdBindings.push(result.data)
+        if (!result.ok) {
+          cloudlogErr({
+            requestId: c.get('requestId'),
+            message: 'apikey_binding_failed',
+            binding,
+            error: result.error,
+          })
+          throw quickError(result.status as any, 'binding_failed', result.error)
         }
-      })
 
-      cloudlog({
-        requestId: c.get('requestId'),
-        message: 'apikey_bindings_created',
-        apikeyId: (apikeyData as ApiKeyRow | null)?.id,
-        bindingsCount: createdBindings.length,
-      })
-    }
-    catch (error: any) {
-      if (error?.status) {
-        throw error
+        createdBindings.push(result.data)
       }
-      cloudlogErr({
-        requestId: c.get('requestId'),
-        message: 'apikey_bindings_unexpected_error',
-        error,
-      })
-      throw simpleError('binding_creation_failed', 'Failed to create role bindings for the API key')
-    }
-    finally {
-      if (pgClient) {
-        await closeClient(c, pgClient)
-      }
-    }
-  }
-  else if (isHashed) {
-    const { data, error } = await supabase.rpc('create_hashed_apikey', {
-      p_mode: mode,
-      p_name: name,
-      p_limited_to_orgs: limitedToOrgs,
-      p_limited_to_apps: limitedToApps,
-      p_expires_at: expiresAt,
     })
-    apikeyData = data
-    if (error || !apikeyData) {
-      throw simpleError('failed_to_create_apikey', 'Failed to create API key', { supabaseError: error })
+
+    cloudlog({
+      requestId: c.get('requestId'),
+      message: 'apikey_bindings_created',
+      apikeyId: (apikeyData as ApiKeyRow | null)?.id,
+      bindingsCount: createdBindings.length,
+    })
+  }
+  catch (error: any) {
+    if (error?.status) {
+      throw error
     }
+    cloudlogErr({
+      requestId: c.get('requestId'),
+      message: 'apikey_bindings_unexpected_error',
+      error,
+    })
+    throw simpleError('binding_creation_failed', 'Failed to create role bindings for the API key')
   }
-  else {
-    const { data, error } = await supabase
-      .from('apikeys')
-      .insert({
-        user_id: auth.userId,
-        key: null,
-        key_hash: null,
-        mode,
-        name,
-        limited_to_apps: limitedToApps,
-        limited_to_orgs: limitedToOrgs,
-        expires_at: expiresAt,
-      })
-      .select()
-      .single()
-    apikeyData = data
-    if (error || !apikeyData) {
-      throw simpleError('failed_to_create_apikey', 'Failed to create API key', { supabaseError: error })
+  finally {
+    if (pgClient) {
+      await closeClient(c, pgClient)
     }
   }
 
diff --git a/supabase/functions/_backend/public/apikey/put.ts b/supabase/functions/_backend/public/apikey/put.ts
index 91a94382f6..f8fa2651cf 100644
--- a/supabase/functions/_backend/public/apikey/put.ts
+++ b/supabase/functions/_backend/public/apikey/put.ts
@@ -3,8 +3,8 @@ import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import type { Database } from '../../utils/supabase.types.ts'
 import { honoFactory, parseBody, quickError, simpleError } from '../../utils/hono.ts'
 import { middlewareV2 } from '../../utils/hono_middleware.ts'
-import { resolveApikeyPolicyOrgIds, supabaseAdmin, supabaseWithAuth, validateExpirationAgainstOrgPolicies, validateExpirationDate } from '../../utils/supabase.ts'
-import { Constants } from '../../utils/supabase.types.ts'
+import { supabaseAdmin, supabaseWithAuth, validateExpirationAgainstOrgPolicies, validateExpirationDate } from '../../utils/supabase.ts'
+import { apiKeyHasLimitedScope } from './scope.ts'
 
 const app = honoFactory.createApp()
 
@@ -19,9 +19,6 @@ function isValidIdFormat(id: string): boolean {
 interface ApiKeyPut {
   id?: string | number
   name?: string
-  mode?: 'read' | 'write' | 'all' | 'upload'
-  limited_to_apps?: string[]
-  limited_to_orgs?: string[]
   expires_at?: string | null
   regenerate?: boolean
 }
@@ -32,14 +29,12 @@ async function handlePut(c: Context<MiddlewareKeyVariables>, idParam?: string) {
   const authApikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row'] | undefined
 
   // Block any constrained API key from mutating other keys owned by the same user.
-  const callerHasLimitedScope = (authApikey?.limited_to_orgs?.length ?? 0) > 0
-    || (authApikey?.limited_to_apps?.length ?? 0) > 0
-  if (auth.authType === 'apikey' && callerHasLimitedScope) {
+  if (auth.authType === 'apikey' && await apiKeyHasLimitedScope(c, authApikey)) {
     throw quickError(401, 'cannot_update_apikey', 'You cannot do that as a limited API key', { requestId, apikeyId: authApikey?.id })
   }
 
   const body = await parseBody<ApiKeyPut>(c)
-  const { id, name, mode, limited_to_apps, limited_to_orgs, expires_at, regenerate } = body
+  const { id, name, expires_at, regenerate } = body
 
   const resolvedId = typeof idParam === 'string' && idParam.length > 0 ? idParam : (id !== undefined ? String(id) : '')
   if (!resolvedId) {
@@ -60,15 +55,6 @@ async function handlePut(c: Context<MiddlewareKeyVariables>, idParam?: string) {
   if (name !== undefined) {
     updateData.name = name
   }
-  if (mode !== undefined) {
-    updateData.mode = mode
-  }
-  if (limited_to_apps !== undefined) {
-    updateData.limited_to_apps = limited_to_apps
-  }
-  if (limited_to_orgs !== undefined) {
-    updateData.limited_to_orgs = limited_to_orgs
-  }
   // Handle expires_at: null means remove expiration, undefined means don't update.
   if (expires_at !== undefined) {
     updateData.expires_at = expires_at
@@ -80,25 +66,12 @@ async function handlePut(c: Context<MiddlewareKeyVariables>, idParam?: string) {
     throw simpleError('name_must_be_a_string', 'Name must be a string', { requestId })
   }
 
-  const validModes = Constants.public.Enums.key_mode
-  if (mode !== undefined && (typeof mode !== 'string' || !validModes.includes(mode as any))) {
-    throw simpleError('invalid_mode', `Invalid mode. Must be one of: ${validModes.join(', ')}`, { requestId })
-  }
-
-  if (limited_to_apps !== undefined && (!Array.isArray(limited_to_apps) || !limited_to_apps.every(item => typeof item === 'string'))) {
-    throw simpleError('limited_to_apps_must_be_an_array_of_strings', 'limited_to_apps must be an array of strings', { requestId })
-  }
-
-  if (limited_to_orgs !== undefined && (!Array.isArray(limited_to_orgs) || !limited_to_orgs.every(item => typeof item === 'string'))) {
-    throw simpleError('limited_to_orgs_must_be_an_array_of_strings', 'limited_to_orgs must be an array of strings', { requestId })
-  }
-
   if (regenerate !== undefined && typeof regenerate !== 'boolean') {
     throw simpleError('regenerate_must_be_boolean', 'regenerate must be a boolean', { requestId })
   }
 
   if (!hasUpdates && !regenerate) {
-    throw simpleError('no_valid_fields_provided_for_update', 'No valid fields provided for update. Provide name, mode, limited_to_apps, limited_to_orgs, or expires_at.', { requestId })
+    throw simpleError('no_valid_fields_provided_for_update', 'No valid fields provided for update. Provide name, expires_at, or regenerate.', { requestId })
   }
 
   // Use supabaseWithAuth which handles both JWT and API key authentication
@@ -108,7 +81,7 @@ async function handlePut(c: Context<MiddlewareKeyVariables>, idParam?: string) {
   // Check if the apikey to update exists (RLS handles ownership)
   const baseQuery = supabase
     .from('apikeys')
-    .select('id, limited_to_orgs, limited_to_apps, expires_at, key, key_hash') // Also fetch scope + expires_at for policy validation
+    .select('id, rbac_id, expires_at, key, key_hash')
     .eq('user_id', auth.userId)
 
   // Avoid PostgREST cast errors by querying only the relevant column:
@@ -127,20 +100,24 @@ async function handlePut(c: Context<MiddlewareKeyVariables>, idParam?: string) {
   if (!existingApikey) {
     throw quickError(404, 'api_key_not_found_or_access_denied', 'API key not found or access denied', { requestId })
   }
-
-  const nextLimitedToOrgs = limited_to_orgs !== undefined ? limited_to_orgs : (existingApikey.limited_to_orgs || [])
-  const nextLimitedToApps = limited_to_apps !== undefined ? limited_to_apps : (existingApikey.limited_to_apps || [])
+  if (!existingApikey.rbac_id) {
+    throw quickError(409, 'apikey_missing_rbac_bindings', 'API key is missing RBAC bindings and cannot be updated', { requestId, apikeyId: existingApikey.id })
+  }
 
   // Validate expiration against org policies (only if expiration or scopes are changing)
-  if (expires_at !== undefined || limited_to_orgs !== undefined || limited_to_apps !== undefined) {
-    // Use new expires_at if provided, otherwise fall back to existing
-    const expirationToValidate = expires_at !== undefined ? expires_at : (existingApikey.expires_at ?? null)
-    const orgsToValidate = await resolveApikeyPolicyOrgIds(supabase, {
-      limitedToApps: nextLimitedToApps,
-      limitedToOrgs: nextLimitedToOrgs,
-      policyLookupSupabase,
-    })
-    await validateExpirationAgainstOrgPolicies(orgsToValidate, expirationToValidate, supabase)
+  if (expires_at !== undefined) {
+    const { data: bindings, error: bindingError } = await policyLookupSupabase
+      .from('role_bindings')
+      .select('org_id')
+      .eq('principal_type', 'apikey')
+      .eq('principal_id', existingApikey.rbac_id)
+
+    if (bindingError) {
+      throw quickError(500, 'failed_to_load_apikey_bindings', 'Failed to load API key bindings', { requestId, supabaseError: bindingError })
+    }
+
+    const orgsToValidate = [...new Set((bindings || []).map(binding => binding.org_id).filter((orgId): orgId is string => !!orgId))]
+    await validateExpirationAgainstOrgPolicies(orgsToValidate, expires_at, supabase)
   }
 
   const isHashedKey = existingApikey.key_hash !== null
diff --git a/supabase/functions/_backend/public/apikey/scope.ts b/supabase/functions/_backend/public/apikey/scope.ts
new file mode 100644
index 0000000000..d2f0b22e1f
--- /dev/null
+++ b/supabase/functions/_backend/public/apikey/scope.ts
@@ -0,0 +1,81 @@
+import type { Context } from 'hono'
+import type { MiddlewareKeyVariables } from '../../utils/hono.ts'
+import type { Database } from '../../utils/supabase.types.ts'
+import { closeClient, getPgClient } from '../../utils/pg.ts'
+
+type ApiKeyRow = Database['public']['Tables']['apikeys']['Row']
+
+export async function apiKeyHasLimitedScope(c: Context<MiddlewareKeyVariables>, apikey: ApiKeyRow | undefined) {
+  if (!apikey)
+    return false
+
+  if (!apikey.rbac_id)
+    return false
+
+  const pgClient = getPgClient(c)
+  try {
+    const result = await pgClient.query<{ is_limited: boolean }>(
+      `
+      WITH user_orgs AS (
+        SELECT rb.org_id
+        FROM public.role_bindings rb
+        WHERE rb.principal_type = public.rbac_principal_user()
+          AND rb.principal_id = $1::uuid
+          AND rb.org_id IS NOT NULL
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+        UNION
+
+        SELECT g.org_id
+        FROM public.group_members gm
+        INNER JOIN public.groups g ON g.id = gm.group_id
+        INNER JOIN public.role_bindings rb
+          ON rb.principal_type = public.rbac_principal_group()
+          AND rb.principal_id = gm.group_id
+          AND rb.org_id = g.org_id
+        WHERE gm.user_id = $1::uuid
+          AND rb.org_id IS NOT NULL
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      ),
+      active_bindings AS (
+        SELECT rb.scope_type, rb.org_id, r.name AS role_name
+        FROM public.role_bindings rb
+        INNER JOIN public.roles r ON r.id = rb.role_id
+        WHERE rb.principal_type = public.rbac_principal_apikey()
+          AND rb.principal_id = $2::uuid
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      )
+      SELECT (
+        EXISTS (
+          SELECT 1
+          FROM active_bindings
+          WHERE scope_type <> public.rbac_scope_org()
+        )
+        OR EXISTS (
+          SELECT 1
+          FROM user_orgs u
+          WHERE NOT EXISTS (
+            SELECT 1
+            FROM active_bindings b
+            WHERE b.scope_type = public.rbac_scope_org()
+              AND b.org_id = u.org_id
+              AND b.role_name IN (public.rbac_role_org_super_admin(), public.rbac_role_org_admin())
+          )
+        )
+        OR NOT EXISTS (
+          SELECT 1
+          FROM active_bindings b
+          WHERE b.scope_type = public.rbac_scope_org()
+            AND b.role_name IN (public.rbac_role_org_super_admin(), public.rbac_role_org_admin())
+        )
+      ) AS is_limited
+      `,
+      [apikey.user_id, apikey.rbac_id],
+    )
+
+    return result.rows[0]?.is_limited ?? true
+  }
+  finally {
+    await closeClient(c, pgClient)
+  }
+}
diff --git a/supabase/functions/_backend/public/app/get.ts b/supabase/functions/_backend/public/app/get.ts
index 87f0cb38c6..4258760219 100644
--- a/supabase/functions/_backend/public/app/get.ts
+++ b/supabase/functions/_backend/public/app/get.ts
@@ -18,9 +18,6 @@ export async function get(c: Context<MiddlewareKeyVariables>, appId: string, api
   if (!(await checkPermission(c, 'app.read', { appId }))) {
     throw quickError(401, 'cannot_access_app', 'You can\'t access this app', { app_id: appId })
   }
-  if (apikey.limited_to_apps && apikey.limited_to_apps.length > 0 && !apikey.limited_to_apps.includes(appId)) {
-    throw quickError(401, 'cannot_access_app', 'You can\'t access this app', { app_id: appId })
-  }
 
   const { data, error: dbError } = await supabaseApikey(c, apikey.key)
     .from('apps')
@@ -66,17 +63,8 @@ export async function getAll(c: Context, apikey: Database['public']['Tables']['a
 
     query = query.eq('owner_org', orgId)
   }
-  // If the user has limited access to specific apps, filter by those
-  else if (apikey.limited_to_apps && apikey.limited_to_apps.length > 0) {
-    query = query.in('app_id', apikey.limited_to_apps)
-  }
-  // If the user has limited access to specific orgs, filter by those
-  else if (apikey.limited_to_orgs && apikey.limited_to_orgs.length > 0) {
-    query = query.in('owner_org', apikey.limited_to_orgs)
-  }
-  // Otherwise, get all organizations the user is a member of and filter by those
   else {
-    // Get list of orgs the user is a member of via RPC (avoids direct org_users select).
+    // Get list of orgs this key can read via RPC (avoids direct org_users select).
     const { data: userOrgs, error: orgsError } = await supabaseApikey(c, apikey.key)
       .rpc('get_orgs_v6')
 
diff --git a/supabase/functions/_backend/public/device/index.ts b/supabase/functions/_backend/public/device/index.ts
index 8a90a927a3..61423e4480 100644
--- a/supabase/functions/_backend/public/device/index.ts
+++ b/supabase/functions/_backend/public/device/index.ts
@@ -23,7 +23,6 @@ function logDeviceRequestContext(
     message: `device ${operation} apikey context`,
     apikeyId: apikey.id,
     userId: apikey.user_id,
-    mode: apikey.mode,
   })
 }
 
diff --git a/supabase/functions/_backend/public/organization/members/post.ts b/supabase/functions/_backend/public/organization/members/post.ts
index 0f3c751c23..6659c903e7 100644
--- a/supabase/functions/_backend/public/organization/members/post.ts
+++ b/supabase/functions/_backend/public/organization/members/post.ts
@@ -42,50 +42,20 @@ export async function post(c: Context<MiddlewareKeyVariables>, bodyRaw: any, _ap
 
   const supabase = supabaseApikey(c, _apikey?.key)
 
-  const { data: org, error: orgError } = await supabase
-    .from('orgs')
-    .select('use_new_rbac')
-    .eq('id', body.orgId)
-    .single()
-
-  if (orgError) {
-    throw simpleError('cannot_access_organization', 'You can\'t access this organization', { error: orgError.message })
-  }
-
-  const useNewRbac = org?.use_new_rbac === true
   const isRbacRole = rbacInviteRoles.includes(body.invite_type as RbacInviteRole)
   const legacyInviteType = body.invite_type as LegacyInviteRole
   const rbacRoleName = isRbacRole
     ? (body.invite_type as RbacInviteRole)
     : legacyToRbac[legacyInviteType]
 
-  if (!useNewRbac && isRbacRole) {
+  if (!rbacRoleName)
     throw simpleError('invalid_body', 'Invalid invite type', { invite_type: body.invite_type })
-  }
 
-  let data: string | null = null
-  let error: unknown = null
-
-  if (useNewRbac) {
-    const result = await supabase.rpc('invite_user_to_org_rbac', {
-      email: body.email,
-      org_id: body.orgId,
-      role_name: rbacRoleName ?? 'org_member',
-    })
-    data = result.data
-    error = result.error
-  }
-  else {
-    const legacyInviteType = body.invite_type as LegacyInviteRole
-    const inviteType = `invite_${legacyInviteType}` as Database['public']['Enums']['user_min_right']
-    const result = await supabase.rpc('invite_user_to_org', {
-      email: body.email,
-      org_id: body.orgId,
-      invite_type: inviteType,
-    })
-    data = result.data
-    error = result.error
-  }
+  const { data, error } = await supabase.rpc('invite_user_to_org_rbac', {
+    email: body.email,
+    org_id: body.orgId,
+    role_name: rbacRoleName,
+  })
 
   if (error) {
     throw simpleError('error_inviting_user_to_organization', 'Error inviting user to organization', { error })
diff --git a/supabase/functions/_backend/public/organization/post.ts b/supabase/functions/_backend/public/organization/post.ts
index d121f96c82..5741092446 100644
--- a/supabase/functions/_backend/public/organization/post.ts
+++ b/supabase/functions/_backend/public/organization/post.ts
@@ -3,7 +3,7 @@ import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import type { Database } from '../../utils/supabase.types.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
-import { simpleError } from '../../utils/hono.ts'
+import { quickError, simpleError } from '../../utils/hono.ts'
 import { supabaseAdmin, supabaseWithAuth } from '../../utils/supabase.ts'
 import { normalizeWebsiteUrl } from './website.ts'
 
@@ -84,6 +84,9 @@ export async function post(
   if (!auth?.userId) {
     throw simpleError('not_authorized', 'Not authorized')
   }
+  if (auth.authType === 'apikey') {
+    throw quickError(401, 'invalid_apikey', 'API keys cannot create organizations')
+  }
 
   const supabase = supabaseWithAuth(c, auth)
   const { data: self, error: userErr } = await supabase.from('users').select('email').eq('id', auth.userId).single()
diff --git a/supabase/functions/_backend/public/statistics/index.ts b/supabase/functions/_backend/public/statistics/index.ts
index 2f4c1db61e..34be4cae51 100644
--- a/supabase/functions/_backend/public/statistics/index.ts
+++ b/supabase/functions/_backend/public/statistics/index.ts
@@ -161,20 +161,6 @@ function getAuthenticatedSupabase(c: Context, auth: AuthInfo) {
   return supabaseClient(c, authorization)
 }
 
-function denyAppLimitedApiKeyOutsideScope(auth: AuthInfo, appId: string) {
-  if (auth.authType !== 'apikey')
-    return
-
-  const limitedToApps = auth.apikey?.limited_to_apps
-  if (!Array.isArray(limitedToApps) || limitedToApps.length === 0)
-    return
-
-  // Deny before app lookups so real sibling apps and missing apps are indistinguishable to scoped keys.
-  if (!limitedToApps.includes(appId)) {
-    throw quickError(401, 'no_access_to_app', 'No access to app', { data: auth.userId ?? null })
-  }
-}
-
 function isRetryableStatsError(error: unknown) {
   return isRetryablePostgrestError(error)
 }
@@ -696,8 +682,6 @@ function buildNativeVersionCounts(rows: NativeVersionUsageRow[], dates: string[]
 async function getAuthorizedStatsAppClient(c: Context, appId: string) {
   const auth = c.get('auth') as AuthInfo
 
-  denyAppLimitedApiKeyOutsideScope(auth, appId)
-
   if (!await checkPermission(c, 'app.read', { appId })) {
     throw quickError(401, 'no_access_to_app', 'No access to app', { data: auth?.userId ?? null })
   }
@@ -871,8 +855,6 @@ app.get('/app/:app_id', async (c) => {
   const body = bodyParsed.data
   const auth = c.get('auth') as AuthInfo
 
-  denyAppLimitedApiKeyOutsideScope(auth, appId)
-
   // Use unified RBAC permission check
   if (!await checkPermission(c, 'app.read', { appId })) {
     throw quickError(401, 'no_access_to_app', 'No access to app', { data: auth?.userId ?? null })
@@ -907,16 +889,6 @@ app.get('/org/:org_id', async (c) => {
   if (!(await checkPermission(c, 'org.read', { orgId }))) {
     throw quickError(401, 'no_access_to_organization', 'No access to organization', { data: auth?.userId ?? null })
   }
-  if (auth.authType === 'apikey' && auth.apikey!.limited_to_orgs && auth.apikey!.limited_to_orgs.length > 0) {
-    if (!auth.apikey!.limited_to_orgs.includes(orgId)) {
-      throw quickError(401, 'invalid_apikey', 'Invalid apikey', { data: auth.apikey!.key })
-    }
-  }
-
-  if (auth.authType === 'apikey' && auth.apikey!.limited_to_apps && auth.apikey!.limited_to_apps.length > 0) {
-    throw quickError(401, 'invalid_apikey', 'Invalid apikey', { data: auth.apikey!.key })
-  }
-
   // Use authenticated client - RLS will enforce access
   const supabase = getAuthenticatedSupabase(c, auth)
 
@@ -1008,8 +980,14 @@ app.get('/user', async (c) => {
   }
 
   let stats: Array<{ data: any, error: any }> = []
-  if (auth.authType === 'apikey' && auth.apikey!.limited_to_apps && auth.apikey!.limited_to_apps.length > 0) {
-    stats = await Promise.all(auth.apikey!.limited_to_apps.map(appId => getNormalStats(c, appId, null, body.from, body.to, supabase, auth.authType === 'jwt', false, body.noAccumulate ?? false)))
+  if (auth.authType === 'apikey') {
+    const { data: apps, error: appsError } = await supabase.rpc('get_accessible_apps_for_apikey_v2', {
+      apikey: c.get('capgkey') as string,
+    })
+    if (appsError) {
+      throw quickError(404, 'apps_not_found', 'Apps not found', { error: appsError })
+    }
+    stats = await Promise.all((apps ?? []).map(app => getNormalStats(c, app.app_id, null, body.from, body.to, supabase, false, false, body.noAccumulate ?? false)))
   }
   else {
     stats = await Promise.all(orgIds.map(orgId => getNormalStats(c, null, orgId, body.from, body.to, supabase, auth.authType === 'jwt', false, body.noAccumulate ?? false)))
diff --git a/supabase/functions/_backend/public/webhooks/index.ts b/supabase/functions/_backend/public/webhooks/index.ts
index f8d9f7b439..56716b0fe7 100644
--- a/supabase/functions/_backend/public/webhooks/index.ts
+++ b/supabase/functions/_backend/public/webhooks/index.ts
@@ -3,6 +3,7 @@ import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import type { Database } from '../../utils/supabase.types.ts'
 import { getBodyOrQuery, honoFactory, quickError, simpleError } from '../../utils/hono.ts'
 import { middlewareV2 } from '../../utils/hono_middleware.ts'
+import { closeClient, getPgClient, logPgError } from '../../utils/pg.ts'
 import { apikeyHasOrgRight, apikeyHasOrgRightWithPolicy, hasOrgRight, hasOrgRightApikey, supabaseApikey } from '../../utils/supabase.ts'
 import { deleteWebhook } from './delete.ts'
 import { getDeliveries, retryDelivery } from './deliveries.ts'
@@ -13,15 +14,50 @@ import { test } from './test.ts'
 
 export const app = honoFactory.createApp()
 
-function assertOrgWebhookScope(
+async function apiKeyHasAppScopedBinding(
+  c: Context<MiddlewareKeyVariables, any, any>,
+  apikey: Database['public']['Tables']['apikeys']['Row'],
+): Promise<boolean> {
+  if (!apikey.rbac_id)
+    return false
+
+  const pgClient = getPgClient(c)
+  try {
+    const result = await pgClient.query<{ has_app_scope: boolean }>(
+      `
+      SELECT EXISTS (
+        SELECT 1
+        FROM public.role_bindings
+        WHERE principal_type = public.rbac_principal_apikey()
+          AND principal_id = $1::uuid
+          AND scope_type <> public.rbac_scope_org()
+          AND (expires_at IS NULL OR expires_at > now())
+      ) AS has_app_scope
+      `,
+      [apikey.rbac_id],
+    )
+
+    return result.rows[0]?.has_app_scope ?? true
+  }
+  catch (error) {
+    logPgError(c, 'apiKeyHasAppScopedBinding', error)
+    return true
+  }
+  finally {
+    await closeClient(c, pgClient)
+  }
+}
+
+async function assertOrgWebhookScope(
+  c: Context<MiddlewareKeyVariables, any, any>,
   orgId: string,
   apikey: Database['public']['Tables']['apikeys']['Row'],
-): void {
-  if (apikey.limited_to_apps?.length) {
+): Promise<void> {
+  if (await apiKeyHasAppScopedBinding(c, apikey)) {
     throw simpleError('no_permission', 'App-scoped API keys cannot manage organization webhooks', { org_id: orgId })
   }
 
-  if (!apikeyHasOrgRight(apikey, orgId)) {
+  if (!(await apikeyHasOrgRight(c, apikey, orgId))) {
     throw simpleError('invalid_org_id', 'You can\'t access this organization', { org_id: orgId })
   }
 }
@@ -69,7 +105,7 @@ async function assertWebhookApiKeyChain(
   apiKeyChain: Database['public']['Tables']['apikeys']['Row'][],
 ) {
   for (const apikey of apiKeyChain) {
-    assertOrgWebhookScope(orgId, apikey)
+    await assertOrgWebhookScope(c, orgId, apikey)
   }
 
   for (const apikey of apiKeyChain) {
diff --git a/supabase/functions/_backend/triggers/on_user_delete.ts b/supabase/functions/_backend/triggers/on_user_delete.ts
index 5ec33a8531..b63245e152 100644
--- a/supabase/functions/_backend/triggers/on_user_delete.ts
+++ b/supabase/functions/_backend/triggers/on_user_delete.ts
@@ -38,27 +38,6 @@ function isBindingActive(binding: RbacBinding, now: Date) {
   return !expiresAt || new Date(expiresAt) > now
 }
 
-async function fetchLegacySuperAdminOrgIds(
-  c: Context,
-  supabase: ReturnType<typeof supabaseAdmin>,
-  userId: string,
-) {
-  const { data, error } = await supabase
-    .from('org_users')
-    .select('org_id')
-    .eq('user_id', userId)
-    .eq('user_right', 'super_admin')
-
-  if (error) {
-    logFailure(c, 'legacy super admin lookup failed', error)
-    return null
-  }
-
-  return (data ?? [])
-    .map(item => item.org_id)
-    .filter((orgId): orgId is string => Boolean(orgId))
-}
-
 async function fetchDirectRbacBindings(
   c: Context,
   supabase: ReturnType<typeof supabaseAdmin>,
@@ -125,12 +104,11 @@ async function fetchGroupRbacBindings(
 }
 
 function collectCandidateOrgIds(
-  legacyOrgIds: string[],
   directBindings: RbacBinding[],
   groupBindings: RbacBinding[],
   now: Date,
 ) {
-  const candidateOrgIds = new Set<string>(legacyOrgIds)
+  const candidateOrgIds = new Set<string>()
 
   for (const binding of directBindings) {
     if (!isBindingActive(binding, now))
@@ -151,25 +129,6 @@ function collectCandidateOrgIds(
   return Array.from(candidateOrgIds)
 }
 
-async function fetchLegacySuperAdmins(
-  c: Context,
-  supabase: ReturnType<typeof supabaseAdmin>,
-  orgIds: string[],
-) {
-  const { data, error } = await supabase
-    .from('org_users')
-    .select('org_id, user_id')
-    .in('org_id', orgIds)
-    .eq('user_right', 'super_admin')
-
-  if (error || !data) {
-    logFailure(c, 'legacy super admin count failed', error)
-    return null
-  }
-
-  return data
-}
-
 async function fetchRbacUserAdmins(
   c: Context,
   supabase: ReturnType<typeof supabaseAdmin>,
@@ -246,7 +205,6 @@ function buildGroupMembersByGroup(groupMembers: GroupMember[]) {
 }
 
 function buildOrgAdminUsers(
-  legacySuperAdmins: Array<{ org_id: string | null, user_id: string | null }>,
   rbacUserAdmins: RbacBinding[],
   activeGroupBindings: RbacBinding[],
   groupMembersByGroup: Map<string, string[]>,
@@ -261,10 +219,6 @@ function buildOrgAdminUsers(
     orgAdminUsers.set(orgId, existing)
   }
 
-  for (const item of legacySuperAdmins) {
-    addOrgAdminUser(item.org_id, item.user_id)
-  }
-
   for (const binding of rbacUserAdmins) {
     if (!isBindingActive(binding, now))
       continue
@@ -355,12 +309,7 @@ async function deleteUser(c: Context, record: Database['public']['Tables']['user
   const supabase = supabaseAdmin(c)
   const now = new Date()
 
-  // 1. Find organizations where this user is the only super admin
-  const legacyOrgIds = await fetchLegacySuperAdminOrgIds(c, supabase, record.id)
-  if (!legacyOrgIds) {
-    return c.json(BRES)
-  }
-
+  // 1. Find organizations where this user is the only RBAC super admin
   const directRbacBindings = await fetchDirectRbacBindings(c, supabase, record.id)
   if (!directRbacBindings) {
     return c.json(BRES)
@@ -376,17 +325,12 @@ async function deleteUser(c: Context, record: Database['public']['Tables']['user
     return c.json(BRES)
   }
 
-  const orgIds = collectCandidateOrgIds(legacyOrgIds, directRbacBindings, groupRbacBindings, now)
+  const orgIds = collectCandidateOrgIds(directRbacBindings, groupRbacBindings, now)
   if (orgIds.length === 0) {
     return c.json(BRES)
   }
 
   // For each org where user is super admin, check if they are the only one
-  const legacySuperAdmins = await fetchLegacySuperAdmins(c, supabase, orgIds)
-  if (!legacySuperAdmins) {
-    return c.json(BRES)
-  }
-
   const rbacUserAdmins = await fetchRbacUserAdmins(c, supabase, orgIds)
   if (!rbacUserAdmins) {
     return c.json(BRES)
@@ -409,7 +353,6 @@ async function deleteUser(c: Context, record: Database['public']['Tables']['user
 
   const groupMembersByGroup = buildGroupMembersByGroup(groupMembers)
   const orgAdminUsers = buildOrgAdminUsers(
-    legacySuperAdmins,
     rbacUserAdmins,
     activeGroupBindings,
     groupMembersByGroup,
diff --git a/supabase/functions/_backend/utils/hono_middleware.ts b/supabase/functions/_backend/utils/hono_middleware.ts
index e24899fc78..e0a10b2b11 100644
--- a/supabase/functions/_backend/utils/hono_middleware.ts
+++ b/supabase/functions/_backend/utils/hono_middleware.ts
@@ -1,6 +1,6 @@
 import type { Context } from 'hono'
 import type { Database } from './supabase.types.ts'
-import { and, eq, inArray, isNull, or, sql } from 'drizzle-orm'
+import { and, eq, isNull, or, sql } from 'drizzle-orm'
 import { getClaimsFromJWT, honoFactory, quickError, simpleRateLimit } from './hono.ts'
 import { cloudlog } from './logging.ts'
 import { closeClient, getDrizzleClient, getPgClient, logPgError } from './pg.ts'
@@ -170,11 +170,9 @@ type FindApikeyByValueResult = {
   user_id: string
   key: string | null
   key_hash: string | null
-  mode: Database['public']['Enums']['key_mode'] | null
+  rbac_id: string
   updated_at: string | null
   name: string
-  limited_to_orgs: string[] | null
-  limited_to_apps: string[] | null
   expires_at: string | null
 } & Record<string, unknown>
 
@@ -200,12 +198,6 @@ async function checkKeyPg(
       return null
     }
 
-    // Check if mode is allowed (NULL mode = RBAC-managed, always passes mode check)
-    if (apiKey.mode !== null && !rights.includes(apiKey.mode)) {
-      cloudlog({ requestId: _c.get('requestId'), message: 'Invalid apikey mode (pg)', keyStringPrefix: keyString?.substring(0, 8), rights, mode: apiKey.mode })
-      return null
-    }
-
     // Check if key is expired
     if (apiKey.expires_at && new Date(apiKey.expires_at) < new Date()) {
       cloudlog({ requestId: _c.get('requestId'), message: 'Apikey expired (pg)', keyStringPrefix: keyString?.substring(0, 8) })
@@ -218,11 +210,10 @@ async function checkKeyPg(
       created_at: apiKey.created_at,
       user_id: apiKey.user_id,
       key: apiKey.key,
-      mode: apiKey.mode,
+      key_hash: apiKey.key_hash,
+      rbac_id: apiKey.rbac_id,
       updated_at: apiKey.updated_at,
       name: apiKey.name,
-      limited_to_orgs: apiKey.limited_to_orgs || [],
-      limited_to_apps: apiKey.limited_to_apps || [],
       expires_at: apiKey.expires_at,
     } as Database['public']['Tables']['apikeys']['Row']
   }
@@ -239,14 +230,13 @@ async function checkKeyPg(
 async function checkKeyByIdPg(
   _c: Context,
   id: number,
-  rights: Database['public']['Enums']['key_mode'][],
+  _rights: Database['public']['Enums']['key_mode'][],
   drizzleClient: ReturnType<typeof getDrizzleClient>,
   expectedUserId?: string,
 ): Promise<Database['public']['Tables']['apikeys']['Row'] | null> {
   try {
     const conditions = [
       eq(schema.apikeys.id, id),
-      or(isNull(schema.apikeys.mode), inArray(schema.apikeys.mode, rights)),
       notExpiredCondition,
     ]
     if (expectedUserId) {
@@ -272,11 +262,10 @@ async function checkKeyByIdPg(
       created_at: result.created_at?.toISOString() || null,
       user_id: result.user_id,
       key: result.key,
-      mode: result.mode,
+      key_hash: result.key_hash,
+      rbac_id: result.rbac_id,
       updated_at: result.updated_at?.toISOString() || null,
       name: result.name,
-      limited_to_orgs: result.limited_to_orgs || [],
-      limited_to_apps: result.limited_to_apps || [],
       expires_at: result.expires_at?.toISOString() || null,
     } as Database['public']['Tables']['apikeys']['Row']
   }
@@ -354,18 +343,6 @@ function setSubkeyAuthContext(c: Context, userId: string, subkey: Database['publ
   c.set('capgkey', subkeySecret)
 }
 
-/**
- * Returns true when a subkey explicitly limits access to zero apps and zero orgs.
- *
- * @param subkey - The row representing the subkey to evaluate.
- * @returns True when both app and org limit lists are empty.
- */
-function hasEmptySubkeyLimits(subkey: Database['public']['Tables']['apikeys']['Row']) {
-  const apps = subkey.limited_to_apps
-  const orgs = subkey.limited_to_orgs
-  return Array.isArray(apps) && apps.length === 0 && Array.isArray(orgs) && orgs.length === 0
-}
-
 /**
  * Ensures the subkey enforces at least one organization or application limit.
  *
@@ -373,8 +350,93 @@ function hasEmptySubkeyLimits(subkey: Database['public']['Tables']['apikeys']['R
  * @param subkey - The candidate subkey row.
  * @returns quickError response when invalid limits are detected, otherwise null.
  */
-function validateSubkeyLimits(c: Context, subkey: Database['public']['Tables']['apikeys']['Row']) {
-  if (hasEmptySubkeyLimits(subkey)) {
+async function hasLimitedRbacSubkeyScope(
+  c: Context,
+  subkey: Database['public']['Tables']['apikeys']['Row'],
+) {
+  if (!subkey.rbac_id)
+    return false
+
+  let pgClient: ReturnType<typeof getPgClient> | null = null
+  try {
+    pgClient = getPgClient(c)
+    const result = await pgClient.query<{ is_limited: boolean }>(
+      `
+      WITH user_orgs AS (
+        SELECT rb.org_id
+        FROM public.role_bindings rb
+        WHERE rb.principal_type = public.rbac_principal_user()
+          AND rb.principal_id = $1::uuid
+          AND rb.org_id IS NOT NULL
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+        UNION
+
+        SELECT g.org_id
+        FROM public.group_members gm
+        INNER JOIN public.groups g ON g.id = gm.group_id
+        INNER JOIN public.role_bindings rb
+          ON rb.principal_type = public.rbac_principal_group()
+          AND rb.principal_id = gm.group_id
+          AND rb.org_id = g.org_id
+        WHERE gm.user_id = $1::uuid
+          AND rb.org_id IS NOT NULL
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      ),
+      active_bindings AS (
+        SELECT rb.scope_type, rb.org_id, r.name AS role_name
+        FROM public.role_bindings rb
+        INNER JOIN public.roles r ON r.id = rb.role_id
+        WHERE rb.principal_type = public.rbac_principal_apikey()
+          AND rb.principal_id = $2::uuid
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      )
+      SELECT (
+        EXISTS (SELECT 1 FROM active_bindings)
+        AND (
+          EXISTS (
+            SELECT 1
+            FROM active_bindings
+            WHERE scope_type <> public.rbac_scope_org()
+          )
+          OR EXISTS (
+            SELECT 1
+            FROM user_orgs u
+            WHERE NOT EXISTS (
+              SELECT 1
+              FROM active_bindings b
+              WHERE b.scope_type = public.rbac_scope_org()
+                AND b.org_id = u.org_id
+                AND b.role_name IN (public.rbac_role_org_super_admin(), public.rbac_role_org_admin())
+            )
+          )
+          OR NOT EXISTS (
+            SELECT 1
+            FROM active_bindings b
+            WHERE b.scope_type = public.rbac_scope_org()
+              AND b.role_name IN (public.rbac_role_org_super_admin(), public.rbac_role_org_admin())
+          )
+        )
+      ) AS is_limited
+      `,
+      [subkey.user_id, subkey.rbac_id],
+    )
+
+    return result.rows[0]?.is_limited === true
+  }
+  catch (error) {
+    logPgError(c, 'hasLimitedRbacSubkeyScope', error)
+    return false
+  }
+  finally {
+    if (pgClient) {
+      await closeClient(c, pgClient)
+    }
+  }
+}
+
+async function validateSubkeyLimits(c: Context, subkey: Database['public']['Tables']['apikeys']['Row']) {
+  if (!(await hasLimitedRbacSubkeyScope(c, subkey))) {
     cloudlog({
       requestId: c.get('requestId'),
       message: 'Invalid subkey, no limited apps or orgs',
@@ -548,7 +610,7 @@ async function foundAPIKey(c: Context, capgkeyString: string, rights: Database['
     if (userError) {
       return userError
     }
-    const limitError = validateSubkeyLimits(c, subkey)
+    const limitError = await validateSubkeyLimits(c, subkey)
     if (limitError) {
       return limitError
     }
@@ -674,7 +736,7 @@ export function middlewareKey(rights: Database['public']['Enums']['key_mode'][],
       if (userError) {
         return userError
       }
-      const limitError = validateSubkeyLimits(c, subkey)
+      const limitError = await validateSubkeyLimits(c, subkey)
       if (limitError) {
         return limitError
       }
diff --git a/supabase/functions/_backend/utils/org_email_notifications.ts b/supabase/functions/_backend/utils/org_email_notifications.ts
index 7296505357..28410bb3ae 100644
--- a/supabase/functions/_backend/utils/org_email_notifications.ts
+++ b/supabase/functions/_backend/utils/org_email_notifications.ts
@@ -1,6 +1,6 @@
 import type { Context } from 'hono'
 import { parseCronExpression } from 'cron-schedule'
-import { and, eq, inArray, isNull } from 'drizzle-orm'
+import { and, eq, inArray } from 'drizzle-orm'
 import { isBentoConfigured, trackBentoEvent } from './bento.ts'
 import { CacheHelper } from './cache.ts'
 import { cloudlog } from './logging.ts'
@@ -165,7 +165,7 @@ function isOrgPreferenceEnabled(org: OrgWithPreferences, preferenceKey: EmailPre
 }
 
 /**
- * Get all admin/super_admin members of an organization who have the specified email preference enabled.
+ * Get all RBAC admin/super_admin members of an organization who have the specified email preference enabled.
  * Returns array of emails that should receive the notification.
  */
 async function getEligibleOrgMemberEmails(
@@ -180,29 +180,6 @@ async function getEligibleOrgMemberEmails(
   const userIds = new Set<string>()
 
   try {
-    let legacyMembers: { user_id: string | null }[] = []
-    try {
-      legacyMembers = await drizzle
-        .select({ user_id: schema.org_users.user_id })
-        .from(schema.org_users)
-        .where(
-          and(
-            eq(schema.org_users.org_id, orgId),
-            inArray(schema.org_users.user_right, ['admin', 'super_admin']),
-            isNull(schema.org_users.app_id),
-          ),
-        )
-    }
-    catch (error) {
-      resolutionFailed = true
-      cloudlog({ requestId: c.get('requestId'), message: 'getEligibleOrgMemberEmails legacy error', orgId, error })
-    }
-
-    for (const member of legacyMembers ?? []) {
-      if (member.user_id)
-        userIds.add(member.user_id)
-    }
-
     let rbacUserBindings: { principal_id: string | null, expires_at: Date | null }[] = []
     try {
       rbacUserBindings = await drizzle
diff --git a/supabase/functions/_backend/utils/plugin_parser.ts b/supabase/functions/_backend/utils/plugin_parser.ts
index 481f560d68..8e142b104c 100644
--- a/supabase/functions/_backend/utils/plugin_parser.ts
+++ b/supabase/functions/_backend/utils/plugin_parser.ts
@@ -22,6 +22,8 @@ function getInvalidCode(c: Context) {
   return c.req.method === 'GET' || c.req.method === 'DELETE' ? 'invalid_query_parameters' : 'invalid_json_body'
 }
 
+const commonSemverRegex = /^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)$/
+
 export function makeDevice(devBody: AppInfos | DeviceLink | AppStats, allowCustomID = true): DeviceWithoutCreatedAt {
   const normalizedCustomId = normalizeCustomId(devBody.custom_id)
   const customId = allowCustomID ? normalizedCustomId : undefined
@@ -54,7 +56,7 @@ export function parsePluginBody<T extends AppInfos | DeviceLink | AppStats>(c: C
     throw simpleError('missing_app_id', 'Cannot find app_id', { body })
   }
   // Only validate version_build if it's provided (not required for GET /channel_self)
-  if (body.version_build) {
+  if (body.version_build && !commonSemverRegex.test(body.version_build)) {
     const coerce = tryParse(fixSemver(body.version_build))
     if (!coerce) {
       throw simpleError('semver_error', `Native version: ${body.version_build} doesn't follow semver convention, please check https://capgo.app/semver_tester/ to learn more about semver usage in Capgo`, { version_build: body.version_build })
diff --git a/supabase/functions/_backend/utils/plugin_validation.ts b/supabase/functions/_backend/utils/plugin_validation.ts
index 8e7bf535f1..e697323a59 100644
--- a/supabase/functions/_backend/utils/plugin_validation.ts
+++ b/supabase/functions/_backend/utils/plugin_validation.ts
@@ -31,10 +31,14 @@ import {
 type UnknownRecord = Record<string, unknown>
 type DevicePlatform = 'ios' | 'android' | 'electron'
 
-const DEVICE_PLATFORMS = new Set<DevicePlatform>(['ios', 'android', 'electron'])
 const MAX_STATS_METADATA_FIELDS = 30
 const MAX_STATS_METADATA_KEY_LENGTH = 64
 const MAX_STATS_METADATA_VALUE_LENGTH = 2048
+const commonSemverRegex = /^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)$/
+
+function isDevicePlatformValue(value: unknown): value is DevicePlatform {
+  return value === 'ios' || value === 'android' || value === 'electron'
+}
 
 function isRecord(value: unknown): value is UnknownRecord {
   return value !== null && typeof value === 'object' && !Array.isArray(value)
@@ -167,11 +171,11 @@ function validateRequiredDevicePlatform(input: UnknownRecord, issues: Validation
     issues.push(fieldIssue('platform', MISSING_STRING_PLATFORM))
     return undefined
   }
-  if (typeof value !== 'string' || !DEVICE_PLATFORMS.has(value as DevicePlatform)) {
+  if (!isDevicePlatformValue(value)) {
     issues.push(fieldIssue('platform', INVALID_STRING_PLATFORM))
     return undefined
   }
-  return value as DevicePlatform
+  return value
 }
 
 function validateRequiredPluginVersion(input: UnknownRecord, issues: ValidationIssue[]): string | undefined {
@@ -180,7 +184,7 @@ function validateRequiredPluginVersion(input: UnknownRecord, issues: ValidationI
     issues.push(fieldIssue('plugin_version', MISSING_STRING_PLUGIN_VERSION))
     return undefined
   }
-  if (typeof value !== 'string' || !canParse(value)) {
+  if (typeof value !== 'string' || (!commonSemverRegex.test(value) && !canParse(value))) {
     issues.push(fieldIssue('plugin_version', INVALID_STRING_PLUGIN_VERSION))
     return undefined
   }
@@ -267,7 +271,7 @@ function createPluginSchema<T>(validateFields: (input: UnknownRecord, issues: Va
 }
 
 export function isDevicePlatform(value: unknown): value is DevicePlatform {
-  return typeof value === 'string' && DEVICE_PLATFORMS.has(value as DevicePlatform)
+  return isDevicePlatformValue(value)
 }
 
 export const updateRequestSchema = createPluginSchema<AppInfos>((input, issues) => {
diff --git a/supabase/functions/_backend/utils/postgres_schema.ts b/supabase/functions/_backend/utils/postgres_schema.ts
index c467f47e75..ec6e429c02 100644
--- a/supabase/functions/_backend/utils/postgres_schema.ts
+++ b/supabase/functions/_backend/utils/postgres_schema.ts
@@ -178,11 +178,8 @@ export const apikeys = pgTable('apikeys', {
   user_id: uuid('user_id').notNull(),
   key: varchar('key'),
   key_hash: varchar('key_hash'),
-  mode: keyModePgEnum('mode').notNull(),
   updated_at: timestamp('updated_at').defaultNow(),
   name: varchar('name').notNull(),
-  limited_to_orgs: uuid('limited_to_orgs').array(),
-  limited_to_apps: varchar('limited_to_apps').array(),
   expires_at: timestamp('expires_at', { withTimezone: true }),
   rbac_id: uuid('rbac_id').notNull(),
 })
diff --git a/supabase/functions/_backend/utils/rbac.ts b/supabase/functions/_backend/utils/rbac.ts
index 02dab8942e..574f2e6837 100644
--- a/supabase/functions/_backend/utils/rbac.ts
+++ b/supabase/functions/_backend/utils/rbac.ts
@@ -1,9 +1,7 @@
 /**
  * RBAC Permission System
  *
- * This module provides a unified permission checking system that routes between
- * legacy role-based checks (check_min_rights) and the new RBAC permission system
- * based on the org's feature flag.
+ * This module provides permission checks backed by role_bindings.
  *
  * Usage:
  *   import { checkPermission } from './rbac.ts'
@@ -96,46 +94,12 @@ export interface RbacContextVariables {
   resolvedOrgId?: string
 }
 
-function deniesExplicitApiKeyScope(
-  c: Context<MiddlewareKeyVariables>,
-  scope: PermissionScope,
-) {
-  const auth = c.get('auth')
-  if (auth?.authType !== 'apikey' || !auth.apikey)
-    return false
-
-  const limitedToApps = auth.apikey.limited_to_apps
-  if (scope.appId && Array.isArray(limitedToApps) && limitedToApps.length > 0 && !limitedToApps.includes(scope.appId)) {
-    cloudlog({
-      requestId: c.get('requestId'),
-      message: 'checkPermission: explicit api key app scope denied',
-      appId: scope.appId,
-      keyId: auth.apikey.id,
-    })
-    return true
-  }
-
-  const limitedToOrgs = auth.apikey.limited_to_orgs
-  if (scope.orgId && Array.isArray(limitedToOrgs) && limitedToOrgs.length > 0 && !limitedToOrgs.includes(scope.orgId)) {
-    cloudlog({
-      requestId: c.get('requestId'),
-      message: 'checkPermission: explicit api key org scope denied',
-      orgId: scope.orgId,
-      keyId: auth.apikey.id,
-    })
-    return true
-  }
-
-  return false
-}
-
 // =============================================================================
-// Legacy Mapping
+// Compatibility Mapping
 // =============================================================================
 
 /**
- * Maps RBAC permissions to legacy user_min_right values.
- * Used for fallback when org doesn't have RBAC enabled.
+ * Maps RBAC permissions to user_min_right values for compatibility callers.
  */
 const PERMISSION_TO_LEGACY_RIGHT: Record<Permission, Database['public']['Enums']['user_min_right']> = {
   // Org permissions
@@ -229,9 +193,7 @@ export async function isRbacEnabledForOrg(
 /**
  * Main permission check function.
  *
- * Uses the SQL function rbac_check_permission_direct which automatically
- * routes between legacy (check_min_rights) and RBAC systems based on
- * the org's feature flag.
+ * Uses the SQL function rbac_check_permission_direct.
  *
  * @param c - Hono context with auth info
  * @param permission - The RBAC permission to check (e.g., 'app.upload_bundle')
@@ -272,8 +234,6 @@ export async function checkPermission(
   }
 
   const { userId, apikey } = auth
-  if (deniesExplicitApiKeyScope(c, scope))
-    return false
 
   // For hashed keys, apikey.key is null, so we use capgkey from the request header
   const apikeyString = apikey?.key ?? c.get('capgkey') ?? null
@@ -293,7 +253,33 @@ export async function checkPermission(
     pgClient = getPgClient(c)
     const drizzleClient = getDrizzleClient(pgClient)
 
-    // Use the unified SQL function that handles legacy/RBAC routing
+    if (auth.authType === 'apikey' && apikey?.rbac_id) {
+      if (!apikeyString)
+        return false
+
+      const rbacOnlyResult = await drizzleClient.execute(
+        sql`SELECT public.rbac_check_permission_direct(
+          ${permission},
+          ${userId}::uuid,
+          ${orgId}::uuid,
+          ${appId},
+          ${channelId}::bigint,
+          ${apikeyString}
+        ) AS allowed`,
+      )
+
+      const rbacOnlyAllowed = (rbacOnlyResult.rows[0] as any)?.allowed === true
+      cloudlog({
+        requestId: c.get('requestId'),
+        message: 'checkPermission: rbac-only apikey result',
+        permission,
+        scope,
+        allowed: rbacOnlyAllowed,
+      })
+      return rbacOnlyAllowed
+    }
+
+    // Use the unified SQL function for JWT checks and non-key fallbacks.
     const result = await drizzleClient.execute(
       sql`SELECT public.rbac_check_permission_direct(
         ${permission},
@@ -417,6 +403,7 @@ export async function checkPermissionPg(
   }
 
   const { orgId = null, appId = null, channelId = null } = scope
+  const auth = c.get('auth')
 
   cloudlog({
     requestId: c.get('requestId'),
@@ -428,7 +415,33 @@ export async function checkPermissionPg(
   })
 
   try {
-    // Use the unified SQL function that handles legacy/RBAC routing
+    if (auth?.authType === 'apikey' && auth.apikey?.rbac_id) {
+      if (!apikeyString)
+        return false
+
+      const rbacOnlyResult = await drizzleClient.execute(
+        sql`SELECT public.rbac_check_permission_direct(
+          ${permission},
+          ${userId}::uuid,
+          ${orgId}::uuid,
+          ${appId},
+          ${channelId}::bigint,
+          ${apikeyString}
+        ) AS allowed`,
+      )
+
+      const rbacOnlyAllowed = (rbacOnlyResult.rows[0] as any)?.allowed === true
+      cloudlog({
+        requestId: c.get('requestId'),
+        message: 'checkPermissionPg: rbac-only apikey result',
+        permission,
+        scope,
+        allowed: rbacOnlyAllowed,
+      })
+      return rbacOnlyAllowed
+    }
+
+    // Use the unified SQL function for JWT checks and non-key fallbacks.
     const result = await drizzleClient.execute(
       sql`SELECT public.rbac_check_permission_direct(
         ${permission},
diff --git a/supabase/functions/_backend/utils/supabase.ts b/supabase/functions/_backend/utils/supabase.ts
index 4b9514b5ea..a69246bdfd 100644
--- a/supabase/functions/_backend/utils/supabase.ts
+++ b/supabase/functions/_backend/utils/supabase.ts
@@ -7,6 +7,7 @@ import { createClient } from '@supabase/supabase-js'
 import { buildNormalizedDeviceForWrite, hasComparableDeviceChanged, nullableString } from './deviceComparison.ts'
 import { simpleError } from './hono.ts'
 import { cloudlog, cloudlogErr } from './logging.ts'
+import { closeClient, getPgClient } from './pg.ts'
 import { createCustomer } from './stripe.ts'
 import { Constants } from './supabase.types.ts'
 import { getEnv, isStripeConfigured } from './utils.ts'
@@ -295,12 +296,31 @@ export async function hasAppRightApikey(c: Context<MiddlewareKeyVariables, any,
   return data
 }
 
-export function apikeyHasOrgRight(key: Database['public']['Tables']['apikeys']['Row'], orgId: string) {
-  if (key.limited_to_apps?.length)
+export async function apikeyHasOrgRight(c: Context, key: Database['public']['Tables']['apikeys']['Row'], orgId: string) {
+  if (!key.rbac_id)
     return false
-  if (!key.limited_to_orgs || key.limited_to_orgs.length === 0)
-    return true
-  return key.limited_to_orgs.includes(orgId)
+
+  const pgClient = getPgClient(c)
+  try {
+    const result = await pgClient.query<{ allowed: boolean }>(
+      `
+      SELECT public.rbac_has_permission(
+        public.rbac_principal_apikey(),
+        $1::uuid,
+        public.rbac_perm_org_read(),
+        $2::uuid,
+        NULL::varchar,
+        NULL::bigint
+      ) AS allowed
+      `,
+      [key.rbac_id, orgId],
+    )
+
+    return result.rows[0]?.allowed === true
+  }
+  finally {
+    closeClient(c, pgClient)
+  }
 }
 
 /**
@@ -313,12 +333,10 @@ export async function apikeyHasOrgRightWithPolicy(
   orgId: string,
   supabase: SupabaseClient<Database>,
 ): Promise<{ valid: boolean, error?: string }> {
-  // First check basic org access
-  if (!apikeyHasOrgRight(key, orgId)) {
+  if (!(await apikeyHasOrgRight(c, key, orgId))) {
     return { valid: false, error: 'invalid_org_id' }
   }
 
-  // Then check if org requires expiring keys
   const policyCheck = await checkApikeyMeetsOrgPolicy(c, key, orgId, supabase)
   if (!policyCheck.valid) {
     return policyCheck
@@ -805,46 +823,181 @@ export async function isAllowedActionOrg(c: Context, orgId: string): Promise<boo
 }
 
 export async function createApiKey(c: Context, userId: string) {
-  // check if user has apikeys
   if (!userId) {
     cloudlogErr({ requestId: c.get('requestId'), message: 'createApiKey error', userId, error: 'userId is null' })
     return
   }
-  const total = await supabaseAdmin(c)
-    .from('apikeys')
-    .select('id', { count: 'exact', head: true })
-    .eq('user_id', userId)
-    .then(res => res.count ?? null)
-  if (total === null) {
-    cloudlogErr({ requestId: c.get('requestId'), message: 'createApiKey error', userId, error: 'total is null' })
-    return
+
+  const pgClient = getPgClient(c)
+  let inTransaction = false
+  try {
+    await pgClient.query('BEGIN')
+    inTransaction = true
+
+    const userLockResult = await pgClient.query(
+      'SELECT id FROM auth.users WHERE id = $1::uuid FOR UPDATE',
+      [userId],
+    )
+    if (userLockResult.rowCount === 0) {
+      cloudlogErr({ requestId: c.get('requestId'), message: 'createApiKey error', userId, error: 'user not found' })
+      await pgClient.query('ROLLBACK')
+      return
+    }
+
+    const totalResult = await pgClient.query<{ count: string }>(
+      'SELECT count(*)::text AS count FROM public.apikeys WHERE user_id = $1::uuid',
+      [userId],
+    )
+    const total = Number(totalResult.rows[0]?.count ?? '0')
+    if (!Number.isFinite(total)) {
+      cloudlogErr({ requestId: c.get('requestId'), message: 'createApiKey error', userId, error: 'total is invalid' })
+      await pgClient.query('ROLLBACK')
+      return
+    }
+    if (total > 0) {
+      await pgClient.query('ROLLBACK')
+      return
+    }
+
+    const orgResult = await pgClient.query<{ org_id: string }>(
+      `SELECT DISTINCT rb.org_id
+       FROM public.role_bindings rb
+       WHERE rb.principal_type = public.rbac_principal_user()
+         AND rb.principal_id = $1::uuid
+         AND rb.org_id IS NOT NULL
+         AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+       UNION
+
+       SELECT DISTINCT g.org_id
+       FROM public.group_members gm
+       INNER JOIN public.groups g ON g.id = gm.group_id
+       INNER JOIN public.role_bindings rb
+         ON rb.principal_type = public.rbac_principal_group()
+         AND rb.principal_id = gm.group_id
+         AND rb.org_id = g.org_id
+       WHERE gm.user_id = $1::uuid
+         AND rb.org_id IS NOT NULL
+         AND (rb.expires_at IS NULL OR rb.expires_at > now())`,
+      [userId],
+    )
+    if (orgResult.rows.length === 0) {
+      cloudlog({ requestId: c.get('requestId'), message: 'createApiKey skipped, no org membership', userId })
+      await pgClient.query('ROLLBACK')
+      return
+    }
+
+    await pgClient.query(
+      `WITH inserted AS (
+         INSERT INTO public.apikeys (
+           user_id,
+           key,
+           key_hash,
+           name
+         )
+         SELECT
+           $1::uuid,
+           gen_random_uuid()::text,
+           NULL,
+           default_key.name
+         FROM (VALUES ('all'), ('upload'), ('read')) AS default_key(name)
+         RETURNING user_id, rbac_id, name
+       ),
+       current_orgs AS (
+         SELECT DISTINCT rb.org_id
+         FROM public.role_bindings rb
+         WHERE rb.principal_type = public.rbac_principal_user()
+           AND rb.principal_id = $1::uuid
+           AND rb.org_id IS NOT NULL
+           AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+         UNION
+
+         SELECT DISTINCT g.org_id
+         FROM public.group_members gm
+         INNER JOIN public.groups g ON g.id = gm.group_id
+         INNER JOIN public.role_bindings rb
+           ON rb.principal_type = public.rbac_principal_group()
+           AND rb.principal_id = gm.group_id
+           AND rb.org_id = g.org_id
+         WHERE gm.user_id = $1::uuid
+           AND rb.org_id IS NOT NULL
+           AND (rb.expires_at IS NULL OR rb.expires_at > now())
+       ),
+       org_bindings AS (
+         INSERT INTO public.role_bindings (
+           principal_type,
+           principal_id,
+           role_id,
+           scope_type,
+           org_id,
+           granted_by,
+           reason,
+           is_direct
+         )
+         SELECT
+           public.rbac_principal_apikey(),
+           inserted.rbac_id,
+           roles.id,
+           public.rbac_scope_org(),
+           current_orgs.org_id,
+           inserted.user_id,
+           'Default API key V2 binding',
+           true
+         FROM inserted
+         CROSS JOIN current_orgs
+         JOIN public.roles roles
+           ON roles.name = CASE
+             WHEN inserted.name = 'all' THEN public.rbac_role_org_admin()
+             ELSE public.rbac_role_org_member()
+           END
+         ON CONFLICT DO NOTHING
+       )
+       INSERT INTO public.role_bindings (
+         principal_type,
+         principal_id,
+         role_id,
+         scope_type,
+         org_id,
+         app_id,
+         granted_by,
+         reason,
+         is_direct
+       )
+       SELECT
+         public.rbac_principal_apikey(),
+         inserted.rbac_id,
+         roles.id,
+         public.rbac_scope_app(),
+         apps.owner_org,
+         apps.id,
+         inserted.user_id,
+         'Default API key V2 app binding',
+         true
+       FROM inserted
+       JOIN current_orgs ON true
+       JOIN public.apps apps ON apps.owner_org = current_orgs.org_id
+       JOIN public.roles roles
+         ON roles.name = CASE inserted.name
+           WHEN 'upload' THEN public.rbac_role_app_uploader()
+           WHEN 'read' THEN public.rbac_role_app_reader()
+           ELSE NULL
+         END
+       WHERE inserted.name IN ('upload', 'read')
+       ON CONFLICT DO NOTHING`,
+      [userId],
+    )
+    await pgClient.query('COMMIT')
+  }
+  catch (error) {
+    if (inTransaction) {
+      await pgClient.query('ROLLBACK').catch(() => {})
+    }
+    cloudlogErr({ requestId: c.get('requestId'), message: 'createApiKey error', userId, error })
+  }
+  finally {
+    closeClient(c, pgClient)
   }
-  if (total === 0) {
-    // create apikeys
-    return supabaseAdmin(c)
-      .from('apikeys')
-      .insert([
-        {
-          user_id: userId,
-          key: crypto.randomUUID(),
-          mode: 'all',
-          name: 'all',
-        },
-        {
-          user_id: userId,
-          key: crypto.randomUUID(),
-          mode: 'upload',
-          name: 'upload',
-        },
-        {
-          user_id: userId,
-          key: crypto.randomUUID(),
-          mode: 'read',
-          name: 'read',
-        },
-      ])
-  }
-  return Promise.resolve()
 }
 
 export async function customerToSegmentOrg(
@@ -1502,12 +1655,6 @@ export async function checkKey(c: Context, authorization: string | undefined, su
       return null
     }
 
-    // Check if mode is allowed (NULL mode = RBAC-managed, always passes mode check)
-    if (data.mode !== null && !allowed.includes(data.mode)) {
-      cloudlog({ requestId: c.get('requestId'), message: 'Invalid apikey mode', authorizationPrefix: authorization?.substring(0, 8), allowed, mode: data.mode })
-      return null
-    }
-
     // Check if key is expired
     if (data.expires_at && new Date(data.expires_at) < new Date()) {
       cloudlog({ requestId: c.get('requestId'), message: 'Apikey expired', authorizationPrefix: authorization?.substring(0, 8) })
@@ -1530,7 +1677,7 @@ export async function checkKeyById(
   c: Context,
   id: number,
   supabase: SupabaseClient<Database>,
-  allowed: Database['public']['Enums']['key_mode'][],
+  _allowed: Database['public']['Enums']['key_mode'][],
   userId?: string,
 ): Promise<Database['public']['Tables']['apikeys']['Row'] | null> {
   if (!id)
@@ -1541,7 +1688,6 @@ export async function checkKeyById(
       .from('apikeys')
       .select('*')
       .eq('id', id)
-      .or(`mode.is.null,mode.in.(${allowed.join(',')})`)
       .or('expires_at.is.null,expires_at.gt.now()')
     if (userId) {
       query = query.eq('user_id', userId)
diff --git a/supabase/functions/_backend/utils/supabase.types.ts b/supabase/functions/_backend/utils/supabase.types.ts
index 8aaf3abd80..cef6aea856 100644
--- a/supabase/functions/_backend/utils/supabase.types.ts
+++ b/supabase/functions/_backend/utils/supabase.types.ts
@@ -12,6 +12,31 @@ export type Database = {
   __InternalSupabase: {
     PostgrestVersion: "14.5"
   }
+  graphql_public: {
+    Tables: {
+      [_ in never]: never
+    }
+    Views: {
+      [_ in never]: never
+    }
+    Functions: {
+      graphql: {
+        Args: {
+          extensions?: Json
+          operationName?: string
+          query?: string
+          variables?: Json
+        }
+        Returns: Json
+      }
+    }
+    Enums: {
+      [_ in never]: never
+    }
+    CompositeTypes: {
+      [_ in never]: never
+    }
+  }
   public: {
     Tables: {
       apikeys: {
@@ -21,9 +46,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -35,9 +57,6 @@ export type Database = {
           id?: number
           key?: string | null
           key_hash?: string | null
-          limited_to_apps?: string[] | null
-          limited_to_orgs?: string[] | null
-          mode?: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id?: string
           updated_at?: string | null
@@ -49,9 +68,6 @@ export type Database = {
           id?: number
           key?: string | null
           key_hash?: string | null
-          limited_to_apps?: string[] | null
-          limited_to_orgs?: string[] | null
-          mode?: Database["public"]["Enums"]["key_mode"] | null
           name?: string
           rbac_id?: string
           updated_at?: string | null
@@ -469,13 +485,6 @@ export type Database = {
             referencedRelation: "apps"
             referencedColumns: ["app_id"]
           },
-          {
-            foreignKeyName: "build_logs_org_id_fkey"
-            columns: ["org_id"]
-            isOneToOne: false
-            referencedRelation: "orgs"
-            referencedColumns: ["id"]
-          },
         ]
       }
       build_requests: {
@@ -1278,7 +1287,7 @@ export type Database = {
           paying: number | null
           paying_monthly: number | null
           paying_yearly: number | null
-          plan_enterprise: number | null
+          plan_enterprise: number
           plan_enterprise_conversion_rate: number
           plan_enterprise_monthly: number
           plan_enterprise_yearly: number
@@ -1362,7 +1371,7 @@ export type Database = {
           paying?: number | null
           paying_monthly?: number | null
           paying_yearly?: number | null
-          plan_enterprise?: number | null
+          plan_enterprise?: number
           plan_enterprise_conversion_rate?: number
           plan_enterprise_monthly?: number
           plan_enterprise_yearly?: number
@@ -1446,7 +1455,7 @@ export type Database = {
           paying?: number | null
           paying_monthly?: number | null
           paying_yearly?: number | null
-          plan_enterprise?: number | null
+          plan_enterprise?: number
           plan_enterprise_conversion_rate?: number
           plan_enterprise_monthly?: number
           plan_enterprise_yearly?: number
@@ -2946,6 +2955,13 @@ export type Database = {
     }
     Functions: {
       accept_invitation_to_org: { Args: { org_id: string }; Returns: string }
+      apikey_permission_for_keymode: {
+        Args: {
+          keymode: Database["public"]["Enums"]["key_mode"][]
+          scope_type: string
+        }
+        Returns: string
+      }
       app_versions_readable_app_ids: { Args: never; Returns: string[] }
       apply_usage_overage: {
         Args: {
@@ -3137,65 +3153,6 @@ export type Database = {
           wrong_key_count: number
         }[]
       }
-      create_hashed_apikey: {
-        Args: {
-          p_expires_at?: string
-          p_limited_to_apps?: string[]
-          p_limited_to_orgs?: string[]
-          p_mode?: Database["public"]["Enums"]["key_mode"]
-          p_name?: string
-        }
-        Returns: {
-          created_at: string | null
-          expires_at: string | null
-          id: number
-          key: string | null
-          key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
-          name: string
-          rbac_id: string
-          updated_at: string | null
-          user_id: string
-        }
-        SetofOptions: {
-          from: "*"
-          to: "apikeys"
-          isOneToOne: true
-          isSetofReturn: false
-        }
-      }
-      create_hashed_apikey_for_user: {
-        Args: {
-          p_expires_at?: string
-          p_limited_to_apps?: string[]
-          p_limited_to_orgs?: string[]
-          p_mode?: Database["public"]["Enums"]["key_mode"]
-          p_name?: string
-          p_user_id: string
-        }
-        Returns: {
-          created_at: string | null
-          expires_at: string | null
-          id: number
-          key: string | null
-          key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
-          name: string
-          rbac_id: string
-          updated_at: string | null
-          user_id: string
-        }
-        SetofOptions: {
-          from: "*"
-          to: "apikeys"
-          isOneToOne: true
-          isSetofReturn: false
-        }
-      }
       current_request_role: { Args: never; Returns: string }
       delete_accounts_marked_for_deletion: {
         Args: never
@@ -3236,9 +3193,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -3493,9 +3447,6 @@ export type Database = {
           created_at: string
           expires_at: string
           id: number
-          limited_to_apps: string[]
-          limited_to_orgs: string[]
-          mode: Database["public"]["Enums"]["key_mode"]
           name: string
           owner_email: string
           rbac_id: string
@@ -3593,18 +3544,24 @@ export type Database = {
               app_count: number
               can_use_more: boolean
               created_by: string
+              credit_available: number
+              credit_next_expiration: string
+              credit_total: number
               gid: string
               is_canceled: boolean
               is_yearly: boolean
               logo: string
               management_email: string
+              max_apikey_expiration_days: number
               name: string
+              next_stats_update_at: string
               paying: boolean
+              require_apikey_expiration: boolean
               role: string
+              stats_updated_at: string
               subscription_end: string
               subscription_start: string
               trial_left: number
-              use_new_rbac: boolean
             }[]
           }
         | {
@@ -3613,18 +3570,24 @@ export type Database = {
               app_count: number
               can_use_more: boolean
               created_by: string
+              credit_available: number
+              credit_next_expiration: string
+              credit_total: number
               gid: string
               is_canceled: boolean
               is_yearly: boolean
               logo: string
               management_email: string
+              max_apikey_expiration_days: number
               name: string
+              next_stats_update_at: string
               paying: boolean
+              require_apikey_expiration: boolean
               role: string
+              stats_updated_at: string
               subscription_end: string
               subscription_start: string
               trial_left: number
-              use_new_rbac: boolean
             }[]
           }
       get_orgs_v7:
@@ -3988,7 +3951,7 @@ export type Database = {
         | { Args: { userid: string }; Returns: boolean }
       is_rbac_enabled_globally: { Args: never; Returns: boolean }
       is_recent_email_otp_verified: {
-        Args: { user_id: string }
+        Args: { p_user_id: string }
         Returns: boolean
       }
       is_storage_exceeded_by_org: { Args: { org_id: string }; Returns: boolean }
@@ -4335,9 +4298,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -4358,9 +4318,6 @@ export type Database = {
           id: number
           key: string | null
           key_hash: string | null
-          limited_to_apps: string[] | null
-          limited_to_orgs: string[] | null
-          mode: Database["public"]["Enums"]["key_mode"] | null
           name: string
           rbac_id: string
           updated_at: string | null
@@ -4421,6 +4378,25 @@ export type Database = {
         Args: { email: string; org_id: string }
         Returns: string
       }
+      reset_and_seed_app_data: {
+        Args: {
+          p_admin_user_id?: string
+          p_app_id: string
+          p_org_id?: string
+          p_plan_product_id?: string
+          p_stripe_customer_id?: string
+          p_user_id?: string
+        }
+        Returns: undefined
+      }
+      reset_and_seed_app_stats_data: {
+        Args: { p_app_id: string }
+        Returns: undefined
+      }
+      reset_and_seed_data: { Args: never; Returns: undefined }
+      reset_and_seed_stats_data: { Args: never; Returns: undefined }
+      reset_app_data: { Args: { p_app_id: string }; Returns: undefined }
+      reset_app_stats_data: { Args: { p_app_id: string }; Returns: undefined }
       restore_deleted_account: { Args: never; Returns: undefined }
       resync_org_user_role_bindings: {
         Args: { p_org_id: string; p_user_id: string }
@@ -4591,7 +4567,9 @@ export type Database = {
         | "disableAutoUpdateMetadata"
         | "disableAutoUpdateUnderNative"
         | "disableDevBuild"
+        | "disableProdBuild"
         | "disableEmulator"
+        | "disableDevice"
         | "cannotGetBundle"
         | "checksum_fail"
         | "NoChannelOrOverride"
@@ -4612,8 +4590,6 @@ export type Database = {
         | "download_manifest_brotli_fail"
         | "backend_refusal"
         | "download_0"
-        | "disableProdBuild"
-        | "disableDevice"
         | "disablePlatformElectron"
         | "customIdBlocked"
         | "app_crash"
@@ -4804,6 +4780,9 @@ export type CompositeTypes<
     : never
 
 export const Constants = {
+  graphql_public: {
+    Enums: {},
+  },
   public: {
     Enums: {
       action_type: ["mau", "storage", "bandwidth", "build_time"],
@@ -4860,7 +4839,9 @@ export const Constants = {
         "disableAutoUpdateMetadata",
         "disableAutoUpdateUnderNative",
         "disableDevBuild",
+        "disableProdBuild",
         "disableEmulator",
+        "disableDevice",
         "cannotGetBundle",
         "checksum_fail",
         "NoChannelOrOverride",
@@ -4881,8 +4862,6 @@ export const Constants = {
         "download_manifest_brotli_fail",
         "backend_refusal",
         "download_0",
-        "disableProdBuild",
-        "disableDevice",
         "disablePlatformElectron",
         "customIdBlocked",
         "app_crash",
diff --git a/supabase/migrations/20260523143000_migrate_apikeys_to_v2_timestamp_fix.sql b/supabase/migrations/20260523143000_migrate_apikeys_to_v2_timestamp_fix.sql
new file mode 100644
index 0000000000..e2bee91a8c
--- /dev/null
+++ b/supabase/migrations/20260523143000_migrate_apikeys_to_v2_timestamp_fix.sql
@@ -0,0 +1,2980 @@
+-- Move every existing API key to RBAC-backed bindings and remove the old key scope columns.
+
+DO $$
+DECLARE
+  v_org_id uuid;
+BEGIN
+  FOR v_org_id IN
+    SELECT id FROM public.orgs
+  LOOP
+    PERFORM public.rbac_migrate_org_users_to_bindings(v_org_id, NULL::uuid);
+  END LOOP;
+END;
+$$;
+
+-- Existing-user invites used to create role_bindings before the user accepted
+-- the invitation. Pending invites must not grant active RBAC access.
+DELETE FROM public.role_bindings
+WHERE principal_type = public.rbac_principal_user()
+  AND reason = 'Invited via invite_user_to_org_rbac';
+
+UPDATE public.orgs
+SET use_new_rbac = true
+WHERE use_new_rbac IS DISTINCT FROM true;
+
+ALTER TABLE public.orgs
+  ALTER COLUMN use_new_rbac SET DEFAULT true;
+
+CREATE OR REPLACE FUNCTION public.rbac_is_enabled_for_org(p_org_id uuid) RETURNS boolean
+LANGUAGE plpgsql
+STABLE
+SET search_path = ''
+AS $$
+BEGIN
+  PERFORM p_org_id;
+  RETURN true;
+END;
+$$;
+
+ALTER FUNCTION public.rbac_is_enabled_for_org(uuid) OWNER TO "postgres";
+REVOKE ALL ON FUNCTION public.rbac_is_enabled_for_org(uuid) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION public.rbac_is_enabled_for_org(uuid) TO "authenticated";
+GRANT EXECUTE ON FUNCTION public.rbac_is_enabled_for_org(uuid) TO "service_role";
+
+COMMENT ON FUNCTION public.rbac_is_enabled_for_org(uuid) IS 'Compatibility helper retained for old callers. RBAC is always enabled.';
+
+CREATE OR REPLACE FUNCTION public.rbac_role_apikey_org_reader() RETURNS text
+LANGUAGE sql
+IMMUTABLE
+PARALLEL SAFE
+SET search_path = ''
+AS $$ SELECT 'apikey_org_reader'::text $$;
+
+ALTER FUNCTION public.rbac_role_apikey_org_reader() OWNER TO "postgres";
+REVOKE ALL ON FUNCTION public.rbac_role_apikey_org_reader() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION public.rbac_role_apikey_org_reader() TO "anon";
+GRANT EXECUTE ON FUNCTION public.rbac_role_apikey_org_reader() TO "authenticated";
+GRANT EXECUTE ON FUNCTION public.rbac_role_apikey_org_reader() TO "service_role";
+
+INSERT INTO public.roles (name, scope_type, description, priority_rank, is_assignable, created_by)
+VALUES (
+  public.rbac_role_apikey_org_reader(),
+  public.rbac_scope_org(),
+  'API key compatibility role: org metadata read only',
+  10,
+  false,
+  NULL
+)
+ON CONFLICT (name) DO UPDATE
+SET
+  scope_type = EXCLUDED.scope_type,
+  description = EXCLUDED.description,
+  priority_rank = EXCLUDED.priority_rank,
+  is_assignable = EXCLUDED.is_assignable;
+
+INSERT INTO public.role_permissions (role_id, permission_id)
+SELECT r.id, p.id
+FROM public.roles r
+JOIN public.permissions p ON p.key = public.rbac_perm_org_read()
+WHERE r.name = public.rbac_role_apikey_org_reader()
+ON CONFLICT DO NOTHING;
+
+CREATE TEMP TABLE _apikey_v2_current_orgs ON COMMIT DROP AS
+SELECT DISTINCT source.user_id, source.org_id
+FROM (
+  SELECT ou.user_id, ou.org_id
+  FROM public.org_users ou
+  WHERE ou.user_right IS NULL OR ou.user_right::text NOT LIKE 'invite_%'
+
+  UNION
+
+  SELECT rb.principal_id AS user_id, rb.org_id
+  FROM public.role_bindings rb
+  WHERE rb.principal_type = public.rbac_principal_user()
+    AND rb.org_id IS NOT NULL
+    AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+  UNION
+
+  SELECT gm.user_id, g.org_id
+  FROM public.group_members gm
+  JOIN public.groups g ON g.id = gm.group_id
+  JOIN public.role_bindings rb
+    ON rb.principal_type = public.rbac_principal_group()
+    AND rb.principal_id = gm.group_id
+    AND rb.org_id = g.org_id
+  WHERE rb.org_id IS NOT NULL
+    AND (rb.expires_at IS NULL OR rb.expires_at > now())
+) source
+WHERE source.user_id IS NOT NULL
+  AND source.org_id IS NOT NULL;
+
+CREATE TEMP TABLE _apikey_v2_seed ON COMMIT DROP AS
+SELECT
+  ak.id,
+  ak.user_id,
+  ak.rbac_id,
+  ak.mode,
+  COALESCE(ak.limited_to_orgs, '{}'::uuid[]) AS limited_to_orgs,
+  COALESCE(ak.limited_to_apps, '{}'::text[]) AS limited_to_apps,
+  COALESCE(array_length(ak.limited_to_orgs, 1), 0) > 0 AS has_org_limit,
+  COALESCE(array_length(ak.limited_to_apps, 1), 0) > 0 AS has_app_limit
+FROM public.apikeys ak;
+
+CREATE TEMP TABLE _apikey_v2_target_orgs ON COMMIT DROP AS
+SELECT DISTINCT
+  keys.id AS key_id,
+  keys.user_id,
+  keys.rbac_id,
+  orgs.org_id
+FROM _apikey_v2_seed keys
+JOIN _apikey_v2_current_orgs orgs ON orgs.user_id = keys.user_id
+WHERE NOT keys.has_org_limit
+  OR orgs.org_id = ANY(keys.limited_to_orgs);
+
+CREATE TEMP TABLE _apikey_v2_target_apps ON COMMIT DROP AS
+SELECT DISTINCT
+  keys.id AS key_id,
+  keys.user_id,
+  keys.rbac_id,
+  apps.owner_org,
+  apps.id AS app_uuid,
+  apps.app_id
+FROM _apikey_v2_seed keys
+JOIN _apikey_v2_target_orgs orgs ON orgs.key_id = keys.id
+JOIN public.apps apps ON apps.owner_org = orgs.org_id
+WHERE NOT keys.has_app_limit
+  OR apps.app_id::text = ANY(keys.limited_to_apps);
+
+INSERT INTO public.role_bindings (
+  principal_type,
+  principal_id,
+  role_id,
+  scope_type,
+  org_id,
+  granted_by,
+  reason,
+  is_direct
+)
+SELECT
+  public.rbac_principal_apikey(),
+  bindings.rbac_id,
+  roles.id,
+  public.rbac_scope_org(),
+  bindings.org_id,
+  bindings.user_id,
+  'Migrated API key to RBAC bindings',
+  true
+FROM (
+  SELECT
+    keys.id AS key_id,
+    keys.user_id,
+    keys.rbac_id,
+    orgs.org_id,
+    CASE
+      WHEN keys.mode = 'all'::public.key_mode THEN public.rbac_role_org_super_admin()
+      ELSE public.rbac_role_org_member()
+    END AS role_name
+  FROM _apikey_v2_seed keys
+  JOIN _apikey_v2_target_orgs orgs ON orgs.key_id = keys.id
+  WHERE NOT keys.has_app_limit
+
+  UNION
+
+  SELECT
+    keys.id AS key_id,
+    keys.user_id,
+    keys.rbac_id,
+    apps.owner_org AS org_id,
+    public.rbac_role_apikey_org_reader() AS role_name
+  FROM _apikey_v2_seed keys
+  JOIN _apikey_v2_target_apps apps ON apps.key_id = keys.id
+  WHERE keys.has_app_limit
+) bindings
+JOIN public.roles roles ON roles.name = bindings.role_name
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.role_bindings (
+  principal_type,
+  principal_id,
+  role_id,
+  scope_type,
+  org_id,
+  app_id,
+  granted_by,
+  reason,
+  is_direct
+)
+SELECT
+  public.rbac_principal_apikey(),
+  keys.rbac_id,
+  roles.id,
+  public.rbac_scope_app(),
+  apps.owner_org,
+  apps.app_uuid,
+  keys.user_id,
+  'Migrated API key app binding',
+  true
+FROM _apikey_v2_seed keys
+JOIN _apikey_v2_target_apps apps ON apps.key_id = keys.id
+JOIN public.roles roles
+  ON roles.name = CASE keys.mode
+    WHEN 'all'::public.key_mode THEN public.rbac_role_app_admin()
+    WHEN 'write'::public.key_mode THEN public.rbac_role_app_developer()
+    WHEN 'upload'::public.key_mode THEN public.rbac_role_app_uploader()
+    WHEN 'read'::public.key_mode THEN public.rbac_role_app_reader()
+    ELSE NULL
+  END
+WHERE keys.mode IN ('read'::public.key_mode, 'upload'::public.key_mode, 'write'::public.key_mode)
+  OR (keys.mode = 'all'::public.key_mode AND keys.has_app_limit)
+ON CONFLICT DO NOTHING;
+
+DO $$
+DECLARE
+  missing_count bigint;
+BEGIN
+  SELECT count(*)
+  INTO missing_count
+  FROM (
+    SELECT
+      keys.id AS key_id,
+      keys.rbac_id,
+      orgs.org_id
+    FROM _apikey_v2_seed keys
+    JOIN _apikey_v2_target_orgs orgs ON orgs.key_id = keys.id
+    WHERE NOT keys.has_app_limit
+
+    UNION
+
+    SELECT
+      keys.id AS key_id,
+      keys.rbac_id,
+      apps.owner_org AS org_id
+    FROM _apikey_v2_seed keys
+    JOIN _apikey_v2_target_apps apps ON apps.key_id = keys.id
+    WHERE keys.has_app_limit
+  ) expected_orgs
+  WHERE NOT EXISTS (
+    SELECT 1
+    FROM public.role_bindings rb
+    WHERE rb.principal_type = public.rbac_principal_apikey()
+      AND rb.principal_id = expected_orgs.rbac_id
+      AND rb.scope_type = public.rbac_scope_org()
+      AND rb.org_id = expected_orgs.org_id
+  );
+
+  IF missing_count > 0 THEN
+    RAISE EXCEPTION 'apikey_v2_migration_missing_org_bindings: %', missing_count;
+  END IF;
+
+  SELECT count(*)
+  INTO missing_count
+  FROM _apikey_v2_seed keys
+  JOIN _apikey_v2_target_apps apps ON apps.key_id = keys.id
+  WHERE (
+      keys.mode IN ('read'::public.key_mode, 'upload'::public.key_mode, 'write'::public.key_mode)
+      OR (keys.mode = 'all'::public.key_mode AND keys.has_app_limit)
+    )
+    AND NOT EXISTS (
+      SELECT 1
+      FROM public.role_bindings rb
+      WHERE rb.principal_type = public.rbac_principal_apikey()
+        AND rb.principal_id = keys.rbac_id
+        AND rb.scope_type = public.rbac_scope_app()
+        AND rb.org_id = apps.owner_org
+        AND rb.app_id = apps.app_uuid
+    );
+
+  IF missing_count > 0 THEN
+    RAISE EXCEPTION 'apikey_v2_migration_missing_app_bindings: %', missing_count;
+  END IF;
+END;
+$$;
+
+CREATE OR REPLACE FUNCTION "public"."cleanup_apikey_role_bindings"() RETURNS "trigger"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+BEGIN
+  DELETE FROM public.role_bindings
+  WHERE principal_type = public.rbac_principal_apikey()
+    AND principal_id = OLD.rbac_id;
+
+  RETURN OLD;
+END;
+$$;
+
+ALTER FUNCTION "public"."cleanup_apikey_role_bindings"() OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."cleanup_apikey_role_bindings"() FROM PUBLIC;
+
+DROP TRIGGER IF EXISTS "cleanup_apikey_role_bindings_on_delete" ON "public"."apikeys";
+CREATE TRIGGER "cleanup_apikey_role_bindings_on_delete"
+BEFORE DELETE ON "public"."apikeys"
+FOR EACH ROW EXECUTE FUNCTION "public"."cleanup_apikey_role_bindings"();
+
+CREATE OR REPLACE FUNCTION "public"."apikey_permission_for_keymode"(
+  "keymode" "public"."key_mode"[],
+  "scope_type" "text"
+) RETURNS "text"
+LANGUAGE "plpgsql" STABLE SECURITY DEFINER
+SET search_path = ''
+AS $$
+BEGIN
+  IF scope_type = public.rbac_scope_org() THEN
+    RETURN CASE
+      WHEN 'read'::public.key_mode = ANY(keymode) THEN public.rbac_perm_org_read()
+      WHEN 'upload'::public.key_mode = ANY(keymode) THEN public.rbac_perm_org_update_settings()
+      WHEN 'write'::public.key_mode = ANY(keymode) THEN public.rbac_perm_org_update_settings()
+      ELSE public.rbac_perm_org_update_user_roles()
+    END;
+  END IF;
+
+  RETURN CASE
+    WHEN 'read'::public.key_mode = ANY(keymode) THEN public.rbac_perm_app_read()
+    WHEN 'upload'::public.key_mode = ANY(keymode) THEN public.rbac_perm_app_upload_bundle()
+    WHEN 'write'::public.key_mode = ANY(keymode) THEN public.rbac_perm_app_update_settings()
+    ELSE public.rbac_perm_app_update_user_roles()
+  END;
+END;
+$$;
+
+ALTER FUNCTION "public"."apikey_permission_for_keymode"("public"."key_mode"[], "text") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."apikey_permission_for_keymode"("public"."key_mode"[], "text") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."apikey_permission_for_keymode"("public"."key_mode"[], "text") TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."apikey_permission_for_keymode"("public"."key_mode"[], "text") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."apikey_permission_for_keymode"("public"."key_mode"[], "text") TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity"("keymode" "public"."key_mode"[]) RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  auth_uid uuid;
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+BEGIN
+  PERFORM keymode;
+  SELECT auth.uid() INTO auth_uid;
+  IF auth_uid IS NOT NULL THEN
+    RETURN auth_uid;
+  END IF;
+
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN NULL;
+  END IF;
+
+  RETURN api_key.user_id;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity"("keymode" "public"."key_mode"[]) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity_apikey_only"("keymode" "public"."key_mode"[]) RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+BEGIN
+  PERFORM keymode;
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN NULL;
+  END IF;
+
+  RETURN api_key.user_id;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity_apikey_only"("keymode" "public"."key_mode"[]) OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_identity_apikey_only"("public"."key_mode"[]) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_identity_apikey_only"("public"."key_mode"[]) TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity_for_apikey_creation"() RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  auth_uid uuid;
+BEGIN
+  SELECT auth.uid() INTO auth_uid;
+  IF auth_uid IS NOT NULL THEN
+    RETURN auth_uid;
+  END IF;
+
+  PERFORM public.pg_log('deny: APIKEY_CREATE_WITH_API_KEY_DISABLED', '{}'::jsonb);
+  RETURN NULL;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity_for_apikey_creation"() OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_identity_for_apikey_creation"() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_identity_for_apikey_creation"() TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."get_identity_for_apikey_creation"() TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."get_identity_for_apikey_creation"() TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity_org_allowed"("keymode" "public"."key_mode"[], "org_id" "uuid") RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  auth_uid uuid;
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+  required_permission text;
+BEGIN
+  SELECT auth.uid() INTO auth_uid;
+  IF auth_uid IS NOT NULL THEN
+    RETURN auth_uid;
+  END IF;
+
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN NULL;
+  END IF;
+
+  required_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_org());
+  IF public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, required_permission, org_id, NULL, NULL) THEN
+    RETURN api_key.user_id;
+  END IF;
+
+  RETURN NULL;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity_org_allowed"("keymode" "public"."key_mode"[], "org_id" "uuid") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity_org_allowed_apikey_only"("keymode" "public"."key_mode"[], "org_id" "uuid") RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+  required_permission text;
+BEGIN
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN NULL;
+  END IF;
+
+  required_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_org());
+  IF public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, required_permission, org_id, NULL, NULL) THEN
+    RETURN api_key.user_id;
+  END IF;
+
+  RETURN NULL;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity_org_allowed_apikey_only"("keymode" "public"."key_mode"[], "org_id" "uuid") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_identity_org_allowed_apikey_only"("public"."key_mode"[], "uuid") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_identity_org_allowed_apikey_only"("public"."key_mode"[], "uuid") TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."get_identity_org_appid"("keymode" "public"."key_mode"[], "org_id" "uuid", "app_id" character varying) RETURNS "uuid"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  auth_uid uuid;
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+  required_permission text;
+BEGIN
+  SELECT auth.uid() INTO auth_uid;
+  IF auth_uid IS NOT NULL THEN
+    RETURN auth_uid;
+  END IF;
+
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN NULL;
+  END IF;
+
+  required_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_app());
+  IF public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, required_permission, org_id, app_id, NULL) THEN
+    RETURN api_key.user_id;
+  END IF;
+
+  RETURN NULL;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_identity_org_appid"("keymode" "public"."key_mode"[], "org_id" "uuid", "app_id" character varying) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."is_allowed_capgkey"("apikey" "text", "keymode" "public"."key_mode"[]) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key public.apikeys%ROWTYPE;
+  required_org_permission text;
+  required_app_permission text;
+BEGIN
+  SELECT * INTO api_key FROM public.find_apikey_by_value(apikey) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN false;
+  END IF;
+
+  required_org_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_org());
+  required_app_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_app());
+
+  RETURN EXISTS (
+    SELECT 1
+    FROM public.role_bindings rb
+    WHERE rb.principal_type = public.rbac_principal_apikey()
+      AND rb.principal_id = api_key.rbac_id
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      AND public.rbac_has_permission(
+        public.rbac_principal_apikey(),
+        api_key.rbac_id,
+        required_org_permission,
+        rb.org_id,
+        NULL::character varying,
+        NULL::bigint
+      )
+  )
+  OR EXISTS (
+    SELECT 1
+    FROM public.role_bindings rb
+    JOIN public.apps ON public.apps.id = rb.app_id
+    WHERE rb.principal_type = public.rbac_principal_apikey()
+      AND rb.principal_id = api_key.rbac_id
+      AND rb.app_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+      AND public.rbac_has_permission(
+        public.rbac_principal_apikey(),
+        api_key.rbac_id,
+        required_app_permission,
+        public.apps.owner_org,
+        public.apps.app_id,
+        NULL::bigint
+      )
+  );
+END;
+$$;
+
+ALTER FUNCTION "public"."is_allowed_capgkey"("apikey" "text", "keymode" "public"."key_mode"[]) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."is_allowed_capgkey"("apikey" "text", "keymode" "public"."key_mode"[], "app_id" character varying) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key public.apikeys%ROWTYPE;
+  app_org_id uuid;
+  required_permission text;
+BEGIN
+  SELECT * INTO api_key FROM public.find_apikey_by_value(apikey) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN false;
+  END IF;
+
+  SELECT owner_org INTO app_org_id
+  FROM public.apps
+  WHERE apps.app_id = is_allowed_capgkey.app_id
+  LIMIT 1;
+
+  IF app_org_id IS NULL THEN
+    RETURN false;
+  END IF;
+
+  required_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_app());
+  RETURN public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, required_permission, app_org_id, app_id, NULL);
+END;
+$$;
+
+ALTER FUNCTION "public"."is_allowed_capgkey"("apikey" "text", "keymode" "public"."key_mode"[], "app_id" character varying) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "capgo_private"."matches_app_storage_apikey_owner"("folder_user_id" "text", "target_app_id" character varying, "keymode" "public"."key_mode"[]) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+  target_app record;
+  required_permission text;
+BEGIN
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NULL THEN
+    RETURN false;
+  END IF;
+
+  SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+  IF api_key.id IS NULL OR public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN false;
+  END IF;
+
+  SELECT user_id, owner_org
+  INTO target_app
+  FROM public.apps
+  WHERE app_id = target_app_id
+  LIMIT 1;
+
+  IF target_app.user_id IS NULL THEN
+    RETURN false;
+  END IF;
+
+  IF api_key.user_id::text <> folder_user_id OR target_app.user_id <> api_key.user_id THEN
+    RETURN false;
+  END IF;
+
+  required_permission := public.apikey_permission_for_keymode(keymode, public.rbac_scope_app());
+  RETURN public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, required_permission, target_app.owner_org, target_app_id, NULL);
+END;
+$$;
+
+ALTER FUNCTION "capgo_private"."matches_app_storage_apikey_owner"("folder_user_id" "text", "target_app_id" character varying, "keymode" "public"."key_mode"[]) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."has_app_right_apikey"("appid" character varying, "right" "public"."user_min_right", "userid" "uuid", "apikey" "text") RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key public.apikeys%ROWTYPE;
+  org_id uuid;
+  permission_key text;
+BEGIN
+  SELECT * INTO api_key FROM public.find_apikey_by_value(apikey) LIMIT 1;
+  IF api_key.id IS NULL OR api_key.user_id IS DISTINCT FROM userid THEN
+    RETURN false;
+  END IF;
+
+  IF public.is_apikey_expired(api_key.expires_at) THEN
+    RETURN false;
+  END IF;
+
+  SELECT owner_org INTO org_id
+  FROM public.apps
+  WHERE app_id = appid
+  LIMIT 1;
+
+  IF org_id IS NULL THEN
+    RETURN false;
+  END IF;
+
+  permission_key := CASE
+    WHEN "right" = 'read'::public.user_min_right THEN public.rbac_perm_app_read()
+    WHEN "right" = 'upload'::public.user_min_right THEN public.rbac_perm_app_upload_bundle()
+    WHEN "right" = 'write'::public.user_min_right THEN public.rbac_perm_app_update_settings()
+    ELSE public.rbac_perm_app_update_user_roles()
+  END;
+
+  RETURN public.rbac_has_permission(public.rbac_principal_apikey(), api_key.rbac_id, permission_key, org_id, appid, NULL);
+END;
+$$;
+
+ALTER FUNCTION "public"."has_app_right_apikey"("appid" character varying, "right" "public"."user_min_right", "userid" "uuid", "apikey" "text") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."rbac_check_permission_direct"(
+  "p_permission_key" "text",
+  "p_user_id" "uuid",
+  "p_org_id" "uuid",
+  "p_app_id" character varying,
+  "p_channel_id" bigint,
+  "p_apikey" "text" DEFAULT NULL::"text"
+) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_allowed boolean := false;
+  v_effective_org_id uuid := p_org_id;
+  v_effective_user_id uuid := p_user_id;
+  v_effective_app_id character varying := p_app_id;
+  v_api_key public.apikeys%ROWTYPE;
+  v_channel_org_id uuid;
+  v_channel_app_id character varying;
+  v_channel_scope boolean := p_channel_id IS NOT NULL;
+  v_override boolean;
+BEGIN
+  IF p_permission_key IS NULL OR p_permission_key = '' THEN
+    RETURN false;
+  END IF;
+
+  IF v_effective_org_id IS NULL AND p_app_id IS NOT NULL THEN
+    SELECT owner_org INTO v_effective_org_id
+    FROM public.apps
+    WHERE app_id = p_app_id
+    LIMIT 1;
+  END IF;
+
+  IF p_channel_id IS NOT NULL THEN
+    SELECT owner_org, app_id
+    INTO v_channel_org_id, v_channel_app_id
+    FROM public.channels
+    WHERE id = p_channel_id
+    LIMIT 1;
+
+    IF v_channel_org_id IS NOT NULL THEN
+      v_effective_org_id := v_channel_org_id;
+      v_effective_app_id := v_channel_app_id;
+    END IF;
+  END IF;
+
+  IF p_apikey IS NOT NULL THEN
+    SELECT * INTO v_api_key
+    FROM public.find_apikey_by_value(p_apikey)
+    LIMIT 1;
+
+    IF v_api_key.id IS NULL
+      OR (p_user_id IS NOT NULL AND p_user_id IS DISTINCT FROM v_api_key.user_id)
+      OR v_effective_org_id IS NULL
+    THEN
+      RETURN false;
+    END IF;
+
+    IF public.is_apikey_expired(v_api_key.expires_at) THEN
+      RETURN false;
+    END IF;
+
+    v_effective_user_id := v_api_key.user_id;
+
+    IF (SELECT enforcing_2fa FROM public.orgs WHERE id = v_effective_org_id)
+      AND NOT public.has_2fa_enabled(v_effective_user_id)
+    THEN
+      RETURN false;
+    END IF;
+
+    IF public.user_meets_password_policy(v_effective_user_id, v_effective_org_id) = false THEN
+      RETURN false;
+    END IF;
+
+    v_allowed := public.rbac_has_permission(
+      public.rbac_principal_apikey(),
+      v_api_key.rbac_id,
+      p_permission_key,
+      v_effective_org_id,
+      v_effective_app_id,
+      p_channel_id
+    );
+
+    IF v_channel_scope THEN
+      SELECT o.is_allowed INTO v_override
+      FROM public.channel_permission_overrides o
+      WHERE o.principal_type = public.rbac_principal_apikey()
+        AND o.principal_id = v_api_key.rbac_id
+        AND o.channel_id = p_channel_id
+        AND o.permission_key = p_permission_key
+      LIMIT 1;
+
+      IF v_override IS NOT NULL THEN
+        v_allowed := v_override;
+      END IF;
+    END IF;
+
+    RETURN v_allowed;
+  END IF;
+
+  IF v_effective_org_id IS NOT NULL THEN
+    IF (SELECT enforcing_2fa FROM public.orgs WHERE id = v_effective_org_id)
+      AND (v_effective_user_id IS NULL OR NOT public.has_2fa_enabled(v_effective_user_id))
+    THEN
+      RETURN false;
+    END IF;
+
+    IF public.user_meets_password_policy(v_effective_user_id, v_effective_org_id) = false THEN
+      RETURN false;
+    END IF;
+  END IF;
+
+  IF v_effective_user_id IS NULL THEN
+    RETURN false;
+  END IF;
+
+  v_allowed := public.rbac_has_permission(
+    public.rbac_principal_user(),
+    v_effective_user_id,
+    p_permission_key,
+    v_effective_org_id,
+    v_effective_app_id,
+    p_channel_id
+  );
+
+  IF v_channel_scope THEN
+    SELECT o.is_allowed INTO v_override
+    FROM public.channel_permission_overrides o
+    WHERE o.principal_type = public.rbac_principal_user()
+      AND o.principal_id = v_effective_user_id
+      AND o.channel_id = p_channel_id
+      AND o.permission_key = p_permission_key
+    LIMIT 1;
+
+    IF v_override IS NOT NULL THEN
+      v_allowed := v_override;
+    END IF;
+  END IF;
+
+  RETURN v_allowed;
+END;
+$$;
+
+ALTER FUNCTION "public"."rbac_check_permission_direct"("p_permission_key" "text", "p_user_id" "uuid", "p_org_id" "uuid", "p_app_id" character varying, "p_channel_id" bigint, "p_apikey" "text") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."rbac_check_permission_direct_no_password_policy"(
+  "p_permission_key" "text",
+  "p_user_id" "uuid",
+  "p_org_id" "uuid",
+  "p_app_id" character varying,
+  "p_channel_id" bigint,
+  "p_apikey" "text" DEFAULT NULL::"text"
+) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_effective_org_id uuid := p_org_id;
+  v_effective_user_id uuid := p_user_id;
+  v_effective_app_id character varying := p_app_id;
+  v_api_key public.apikeys%ROWTYPE;
+  v_channel_org_id uuid;
+  v_channel_app_id character varying;
+BEGIN
+  IF p_permission_key IS NULL OR p_permission_key = '' THEN
+    RETURN false;
+  END IF;
+
+  IF v_effective_org_id IS NULL AND p_app_id IS NOT NULL THEN
+    SELECT owner_org INTO v_effective_org_id
+    FROM public.apps
+    WHERE app_id = p_app_id
+    LIMIT 1;
+  END IF;
+
+  IF p_channel_id IS NOT NULL THEN
+    SELECT owner_org, app_id
+    INTO v_channel_org_id, v_channel_app_id
+    FROM public.channels
+    WHERE id = p_channel_id
+    LIMIT 1;
+
+    IF v_channel_org_id IS NOT NULL THEN
+      v_effective_org_id := v_channel_org_id;
+      v_effective_app_id := v_channel_app_id;
+    END IF;
+  END IF;
+
+  IF p_apikey IS NOT NULL THEN
+    SELECT * INTO v_api_key
+    FROM public.find_apikey_by_value(p_apikey)
+    LIMIT 1;
+
+    IF v_api_key.id IS NULL
+      OR (p_user_id IS NOT NULL AND p_user_id IS DISTINCT FROM v_api_key.user_id)
+      OR v_effective_org_id IS NULL
+    THEN
+      RETURN false;
+    END IF;
+
+    IF public.is_apikey_expired(v_api_key.expires_at) THEN
+      RETURN false;
+    END IF;
+
+    v_effective_user_id := v_api_key.user_id;
+
+    IF (SELECT enforcing_2fa FROM public.orgs WHERE id = v_effective_org_id)
+      AND NOT public.has_2fa_enabled(v_effective_user_id)
+    THEN
+      RETURN false;
+    END IF;
+
+    RETURN public.rbac_has_permission(
+      public.rbac_principal_apikey(),
+      v_api_key.rbac_id,
+      p_permission_key,
+      v_effective_org_id,
+      v_effective_app_id,
+      p_channel_id
+    );
+  END IF;
+
+  IF v_effective_org_id IS NOT NULL THEN
+    IF (SELECT enforcing_2fa FROM public.orgs WHERE id = v_effective_org_id)
+      AND (v_effective_user_id IS NULL OR NOT public.has_2fa_enabled(v_effective_user_id))
+    THEN
+      RETURN false;
+    END IF;
+  END IF;
+
+  IF v_effective_user_id IS NULL THEN
+    RETURN false;
+  END IF;
+
+  RETURN public.rbac_has_permission(
+    public.rbac_principal_user(),
+    v_effective_user_id,
+    p_permission_key,
+    v_effective_org_id,
+    v_effective_app_id,
+    p_channel_id
+  );
+END;
+$$;
+
+ALTER FUNCTION "public"."rbac_check_permission_direct_no_password_policy"("p_permission_key" "text", "p_user_id" "uuid", "p_org_id" "uuid", "p_app_id" character varying, "p_channel_id" bigint, "p_apikey" "text") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."check_min_rights"(
+  "min_right" "public"."user_min_right",
+  "org_id" "uuid",
+  "app_id" character varying,
+  "channel_id" bigint
+) RETURNS boolean
+LANGUAGE "plpgsql"
+SET search_path = ''
+AS $$
+BEGIN
+  RETURN public.check_min_rights(min_right, (SELECT auth.uid()), org_id, app_id, channel_id);
+END;
+$$;
+
+ALTER FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."check_min_rights"(
+  "min_right" "public"."user_min_right",
+  "user_id" "uuid",
+  "org_id" "uuid",
+  "app_id" character varying,
+  "channel_id" bigint
+) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_perm text;
+  v_scope text;
+  v_apikey text;
+  v_effective_org_id uuid := org_id;
+  v_app_owner_org uuid;
+  v_org_enforcing_2fa boolean;
+  v_password_policy_ok boolean;
+BEGIN
+  IF app_id IS NOT NULL THEN
+    SELECT owner_org INTO v_app_owner_org
+    FROM public.apps
+    WHERE public.apps.app_id = check_min_rights.app_id
+    LIMIT 1;
+
+    IF v_app_owner_org IS NOT NULL THEN
+      IF v_effective_org_id IS NOT NULL AND v_effective_org_id IS DISTINCT FROM v_app_owner_org THEN
+        PERFORM public.pg_log('deny: CHECK_MIN_RIGHTS_APP_ORG_MISMATCH', jsonb_build_object(
+          'org_id', v_effective_org_id,
+          'app_owner_org', v_app_owner_org,
+          'app_id', app_id,
+          'channel_id', channel_id,
+          'min_right', min_right::text,
+          'user_id', user_id
+        ));
+        RETURN false;
+      END IF;
+
+      v_effective_org_id := v_app_owner_org;
+    END IF;
+  END IF;
+
+  IF v_effective_org_id IS NULL AND channel_id IS NOT NULL THEN
+    SELECT owner_org INTO v_effective_org_id
+    FROM public.channels
+    WHERE public.channels.id = channel_id
+    LIMIT 1;
+  END IF;
+
+  SELECT public.get_apikey_header() INTO v_apikey;
+
+  IF v_effective_org_id IS NOT NULL AND NOT (v_apikey IS NOT NULL AND user_id IS NULL) THEN
+    SELECT enforcing_2fa INTO v_org_enforcing_2fa
+    FROM public.orgs
+    WHERE id = v_effective_org_id;
+
+    IF v_org_enforcing_2fa = true AND (user_id IS NULL OR NOT public.has_2fa_enabled(user_id)) THEN
+      PERFORM public.pg_log('deny: CHECK_MIN_RIGHTS_2FA_ENFORCEMENT', jsonb_build_object(
+        'org_id', COALESCE(org_id, v_effective_org_id),
+        'app_id', app_id,
+        'channel_id', channel_id,
+        'min_right', min_right::text,
+        'user_id', user_id
+      ));
+      RETURN false;
+    END IF;
+
+    v_password_policy_ok := public.user_meets_password_policy(user_id, v_effective_org_id);
+    IF v_password_policy_ok = false THEN
+      PERFORM public.pg_log('deny: CHECK_MIN_RIGHTS_PASSWORD_POLICY_ENFORCEMENT', jsonb_build_object(
+        'org_id', COALESCE(org_id, v_effective_org_id),
+        'app_id', app_id,
+        'channel_id', channel_id,
+        'min_right', min_right::text,
+        'user_id', user_id
+      ));
+      RETURN false;
+    END IF;
+  END IF;
+
+  IF channel_id IS NOT NULL THEN
+    v_scope := public.rbac_scope_channel();
+  ELSIF app_id IS NOT NULL THEN
+    v_scope := public.rbac_scope_app();
+  ELSE
+    v_scope := public.rbac_scope_org();
+  END IF;
+
+  v_perm := public.rbac_permission_for_legacy(min_right, v_scope);
+  RETURN public.rbac_check_permission_direct(v_perm, user_id, v_effective_org_id, app_id, channel_id, v_apikey);
+END;
+$$;
+
+ALTER FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."check_min_rights"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."check_min_rights_legacy"(
+  "min_right" "public"."user_min_right",
+  "user_id" "uuid",
+  "org_id" "uuid",
+  "app_id" character varying,
+  "channel_id" bigint
+) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+BEGIN
+  RETURN public.check_min_rights(min_right, user_id, org_id, app_id, channel_id);
+END;
+$$;
+
+ALTER FUNCTION "public"."check_min_rights_legacy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."check_min_rights_legacy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."check_min_rights_legacy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."check_min_rights_legacy_no_password_policy"(
+  "min_right" "public"."user_min_right",
+  "user_id" "uuid",
+  "org_id" "uuid",
+  "app_id" character varying,
+  "channel_id" bigint
+) RETURNS boolean
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_perm text;
+  v_scope text;
+BEGIN
+  IF channel_id IS NOT NULL THEN
+    v_scope := public.rbac_scope_channel();
+  ELSIF app_id IS NOT NULL THEN
+    v_scope := public.rbac_scope_app();
+  ELSE
+    v_scope := public.rbac_scope_org();
+  END IF;
+
+  v_perm := public.rbac_permission_for_legacy(min_right, v_scope);
+  RETURN public.rbac_check_permission_direct_no_password_policy(v_perm, user_id, org_id, app_id, channel_id, NULL);
+END;
+$$;
+
+ALTER FUNCTION "public"."check_min_rights_legacy_no_password_policy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."check_min_rights_legacy_no_password_policy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."check_min_rights_legacy_no_password_policy"("min_right" "public"."user_min_right", "user_id" "uuid", "org_id" "uuid", "app_id" character varying, "channel_id" bigint) TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."app_versions_readable_app_ids"() RETURNS character varying[]
+LANGUAGE "plpgsql" STABLE SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+  v_api_key_text text;
+  v_api_key public.apikeys%ROWTYPE;
+  v_allowed character varying[] := '{}'::character varying[];
+BEGIN
+  SELECT auth.uid() INTO v_user_id;
+  SELECT public.get_apikey_header() INTO v_api_key_text;
+
+  IF v_user_id IS NULL AND v_api_key_text IS NULL THEN
+    RETURN v_allowed;
+  END IF;
+
+  IF v_api_key_text IS NOT NULL THEN
+    SELECT * INTO v_api_key FROM public.find_apikey_by_value(v_api_key_text) LIMIT 1;
+    IF v_api_key.id IS NULL OR public.is_apikey_expired(v_api_key.expires_at) THEN
+      RETURN v_allowed;
+    END IF;
+    v_user_id := v_api_key.user_id;
+  END IF;
+
+  SELECT COALESCE(array_agg(DISTINCT apps.app_id), '{}'::character varying[])
+  INTO v_allowed
+  FROM public.apps
+  WHERE CASE
+    WHEN v_api_key.id IS NOT NULL THEN public.rbac_check_permission_direct(public.rbac_perm_app_read(), v_user_id, apps.owner_org, apps.app_id, NULL, v_api_key_text)
+    ELSE public.check_min_rights('read'::public.user_min_right, v_user_id, apps.owner_org, apps.app_id, NULL::bigint)
+  END;
+
+  RETURN v_allowed;
+END;
+$$;
+
+ALTER FUNCTION "public"."app_versions_readable_app_ids"() OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."audit_logs_allowed_orgs"() RETURNS "uuid"[]
+LANGUAGE "plpgsql" STABLE SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+  v_api_key_text text;
+  v_api_key public.apikeys%ROWTYPE;
+  v_permission text := public.rbac_permission_for_legacy(public.rbac_right_super_admin(), public.rbac_scope_org());
+  v_allowed uuid[] := '{}'::uuid[];
+BEGIN
+  SELECT auth.uid() INTO v_user_id;
+  SELECT public.get_apikey_header() INTO v_api_key_text;
+
+  IF v_user_id IS NULL AND v_api_key_text IS NULL THEN
+    RETURN v_allowed;
+  END IF;
+
+  IF v_api_key_text IS NOT NULL THEN
+    SELECT * INTO v_api_key FROM public.find_apikey_by_value(v_api_key_text) LIMIT 1;
+    IF v_api_key.id IS NULL OR public.is_apikey_expired(v_api_key.expires_at) THEN
+      RETURN v_allowed;
+    END IF;
+    v_user_id := v_api_key.user_id;
+  END IF;
+
+  SELECT COALESCE(array_agg(DISTINCT orgs.id), '{}'::uuid[])
+  INTO v_allowed
+  FROM public.orgs
+  WHERE CASE
+    WHEN v_api_key.id IS NOT NULL THEN public.rbac_check_permission_direct(v_permission, v_user_id, orgs.id, NULL, NULL, v_api_key_text)
+    ELSE public.rbac_check_permission_direct(v_permission, v_user_id, orgs.id, NULL, NULL, NULL)
+  END;
+
+  RETURN v_allowed;
+END;
+$$;
+
+ALTER FUNCTION "public"."audit_logs_allowed_orgs"() OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."usage_credit_readable_org_ids"() RETURNS "uuid"[]
+LANGUAGE "plpgsql" STABLE SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+  v_api_key_text text;
+  v_api_key public.apikeys%ROWTYPE;
+  v_permission text := public.rbac_permission_for_legacy(public.rbac_right_admin(), public.rbac_scope_org());
+  v_allowed uuid[] := '{}'::uuid[];
+BEGIN
+  SELECT auth.uid() INTO v_user_id;
+  SELECT public.get_apikey_header() INTO v_api_key_text;
+
+  IF v_user_id IS NULL AND v_api_key_text IS NULL THEN
+    RETURN v_allowed;
+  END IF;
+
+  IF v_api_key_text IS NOT NULL THEN
+    SELECT * INTO v_api_key FROM public.find_apikey_by_value(v_api_key_text) LIMIT 1;
+    IF v_api_key.id IS NULL OR public.is_apikey_expired(v_api_key.expires_at) THEN
+      RETURN v_allowed;
+    END IF;
+    v_user_id := v_api_key.user_id;
+  END IF;
+
+  SELECT COALESCE(array_agg(DISTINCT orgs.id), '{}'::uuid[])
+  INTO v_allowed
+  FROM public.orgs
+  WHERE CASE
+    WHEN v_api_key.id IS NOT NULL THEN public.rbac_check_permission_direct(v_permission, v_user_id, orgs.id, NULL, NULL, v_api_key_text)
+    ELSE public.check_min_rights('admin'::public.user_min_right, v_user_id, orgs.id, NULL::character varying, NULL::bigint)
+  END;
+
+  RETURN v_allowed;
+END;
+$$;
+
+ALTER FUNCTION "public"."usage_credit_readable_org_ids"() OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."get_user_org_ids"() RETURNS TABLE("org_id" "uuid")
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key_text text;
+  api_key public.apikeys%ROWTYPE;
+  v_user_id uuid;
+BEGIN
+  SELECT public.get_apikey_header() INTO api_key_text;
+
+  IF api_key_text IS NOT NULL THEN
+    SELECT * INTO api_key FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+    IF api_key.id IS NULL THEN
+      RAISE EXCEPTION 'Invalid API key provided';
+    END IF;
+    IF public.is_apikey_expired(api_key.expires_at) THEN
+      RAISE EXCEPTION 'API key has expired';
+    END IF;
+
+    RETURN QUERY
+    SELECT DISTINCT scoped.org_uuid
+    FROM (
+      SELECT rb.org_id AS org_uuid
+      FROM public.role_bindings rb
+      WHERE rb.principal_type = public.rbac_principal_apikey()
+        AND rb.principal_id = api_key.rbac_id
+        AND rb.org_id IS NOT NULL
+        AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+      UNION
+
+      SELECT apps.owner_org AS org_uuid
+      FROM public.role_bindings rb
+      JOIN public.apps ON apps.id = rb.app_id
+      WHERE rb.principal_type = public.rbac_principal_apikey()
+        AND rb.principal_id = api_key.rbac_id
+        AND rb.app_id IS NOT NULL
+        AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+      UNION
+
+      SELECT apps.owner_org AS org_uuid
+      FROM public.role_bindings rb
+      JOIN public.channels ch ON ch.rbac_id = rb.channel_id
+      JOIN public.apps ON apps.app_id = ch.app_id
+      WHERE rb.principal_type = public.rbac_principal_apikey()
+        AND rb.principal_id = api_key.rbac_id
+        AND rb.channel_id IS NOT NULL
+        AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    ) scoped
+    WHERE scoped.org_uuid IS NOT NULL;
+    RETURN;
+  END IF;
+
+  SELECT public.get_identity() INTO v_user_id;
+  IF v_user_id IS NULL THEN
+    RAISE EXCEPTION 'No authentication provided - API key or valid session required';
+  END IF;
+
+  RETURN QUERY
+  SELECT DISTINCT scoped.org_uuid
+  FROM (
+    SELECT rb.org_id AS org_uuid
+    FROM public.role_bindings rb
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = v_user_id
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+    UNION
+
+    SELECT apps.owner_org AS org_uuid
+    FROM public.role_bindings rb
+    JOIN public.apps ON apps.id = rb.app_id
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = v_user_id
+      AND rb.app_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+    UNION
+
+    SELECT rb.org_id AS org_uuid
+    FROM public.role_bindings rb
+    JOIN public.group_members gm ON gm.group_id = rb.principal_id
+    WHERE rb.principal_type = public.rbac_principal_group()
+      AND gm.user_id = v_user_id
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+
+    UNION
+
+    SELECT ou.org_id AS org_uuid
+    FROM public.org_users ou
+    WHERE ou.user_id = v_user_id
+      AND ou.user_right::text LIKE 'invite_%'
+  ) scoped
+  WHERE scoped.org_uuid IS NOT NULL;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_user_org_ids"() OWNER TO "postgres";
+COMMENT ON FUNCTION "public"."get_user_org_ids"() IS 'Org id list for authenticated users or RBAC-scoped API keys.';
+
+CREATE OR REPLACE FUNCTION "public"."get_orgs_v6"() RETURNS TABLE("gid" "uuid", "created_by" "uuid", "logo" "text", "name" "text", "role" character varying, "paying" boolean, "trial_left" integer, "can_use_more" boolean, "is_canceled" boolean, "app_count" bigint, "subscription_start" timestamp with time zone, "subscription_end" timestamp with time zone, "management_email" "text", "is_yearly" boolean, "stats_updated_at" timestamp without time zone, "next_stats_update_at" timestamp with time zone, "credit_available" numeric, "credit_total" numeric, "credit_next_expiration" timestamp with time zone, "require_apikey_expiration" boolean, "max_apikey_expiration_days" integer)
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+  v_api_key_text text;
+  v_api_key public.apikeys%ROWTYPE;
+BEGIN
+  SELECT public.get_apikey_header() INTO v_api_key_text;
+  IF v_api_key_text IS NOT NULL THEN
+    SELECT * INTO v_api_key FROM public.find_apikey_by_value(v_api_key_text) LIMIT 1;
+    IF v_api_key.id IS NULL THEN
+      RAISE EXCEPTION 'Invalid API key provided';
+    END IF;
+    IF public.is_apikey_expired(v_api_key.expires_at) THEN
+      RAISE EXCEPTION 'API key has expired';
+    END IF;
+    v_user_id := v_api_key.user_id;
+  ELSE
+    SELECT public.get_identity() INTO v_user_id;
+  END IF;
+
+  IF v_user_id IS NULL THEN
+    RAISE EXCEPTION 'No authentication provided - API key or valid session required';
+  END IF;
+
+  RETURN QUERY
+  SELECT orgs.*
+  FROM public.get_orgs_v6(v_user_id) orgs
+  JOIN public.get_user_org_ids() allowed_orgs ON allowed_orgs.org_id = orgs.gid;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_orgs_v6"() OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."get_orgs_v7"("userid" "uuid") RETURNS TABLE("gid" "uuid", "created_by" "uuid", "created_at" timestamp with time zone, "logo" "text", "website" "text", "name" "text", "role" character varying, "paying" boolean, "trial_left" integer, "can_use_more" boolean, "is_canceled" boolean, "app_count" bigint, "subscription_start" timestamp with time zone, "subscription_end" timestamp with time zone, "management_email" "text", "is_yearly" boolean, "stats_updated_at" timestamp without time zone, "stats_refresh_requested_at" timestamp without time zone, "next_stats_update_at" timestamp with time zone, "credit_available" numeric, "credit_total" numeric, "credit_next_expiration" timestamp with time zone, "enforcing_2fa" boolean, "2fa_has_access" boolean, "enforce_hashed_api_keys" boolean, "password_policy_config" "jsonb", "password_has_access" boolean, "require_apikey_expiration" boolean, "max_apikey_expiration_days" integer, "enforce_encrypted_bundles" boolean, "required_encryption_key" character varying, "use_new_rbac" boolean)
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+BEGIN
+  RETURN QUERY
+  WITH app_counts AS (
+    SELECT owner_org, COUNT(*) AS cnt
+    FROM public.apps
+    GROUP BY owner_org
+  ),
+  rbac_role_candidates AS (
+    SELECT rb.org_id, r.name, r.priority_rank
+    FROM public.role_bindings rb
+    JOIN public.roles r ON rb.role_id = r.id
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = userid
+      AND rb.scope_type = public.rbac_scope_org()
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    UNION ALL
+    SELECT rb.org_id, r.name, r.priority_rank
+    FROM public.role_bindings rb
+    JOIN public.group_members gm ON gm.group_id = rb.principal_id
+    JOIN public.roles r ON rb.role_id = r.id
+    WHERE rb.principal_type = public.rbac_principal_group()
+      AND gm.user_id = userid
+      AND rb.scope_type = public.rbac_scope_org()
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+  ),
+  rbac_org_roles AS (
+    SELECT org_id, (ARRAY_AGG(rbac_role_candidates.name ORDER BY rbac_role_candidates.priority_rank DESC))[1] AS role_name
+    FROM rbac_role_candidates
+    GROUP BY org_id
+  ),
+  rbac_org_ids AS (
+    SELECT org_id
+    FROM rbac_org_roles
+    UNION
+    SELECT apps.owner_org
+    FROM public.role_bindings rb
+    JOIN public.apps ON apps.id = rb.app_id
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = userid
+      AND rb.app_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    UNION
+    SELECT apps.owner_org
+    FROM public.role_bindings rb
+    JOIN public.channels ch ON ch.rbac_id = rb.channel_id
+    JOIN public.apps ON apps.app_id = ch.app_id
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = userid
+      AND rb.channel_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    UNION
+    SELECT rb.org_id
+    FROM public.role_bindings rb
+    JOIN public.group_members gm ON gm.group_id = rb.principal_id
+    WHERE rb.principal_type = public.rbac_principal_group()
+      AND gm.user_id = userid
+      AND rb.org_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    UNION
+    SELECT apps.owner_org
+    FROM public.role_bindings rb
+    JOIN public.group_members gm ON gm.group_id = rb.principal_id
+    JOIN public.apps ON apps.id = rb.app_id
+    WHERE rb.principal_type = public.rbac_principal_group()
+      AND gm.user_id = userid
+      AND rb.app_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+    UNION
+    SELECT apps.owner_org
+    FROM public.role_bindings rb
+    JOIN public.group_members gm ON gm.group_id = rb.principal_id
+    JOIN public.channels ch ON ch.rbac_id = rb.channel_id
+    JOIN public.apps ON apps.app_id = ch.app_id
+    WHERE rb.principal_type = public.rbac_principal_group()
+      AND gm.user_id = userid
+      AND rb.channel_id IS NOT NULL
+      AND (rb.expires_at IS NULL OR rb.expires_at > now())
+  ),
+  user_orgs AS (
+    SELECT rbac_org_ids.org_id
+    FROM rbac_org_ids
+    WHERE rbac_org_ids.org_id IS NOT NULL
+    UNION
+    SELECT ou.org_id
+    FROM public.org_users ou
+    WHERE ou.user_id = userid
+      AND ou.user_right::text LIKE 'invite_%'
+  ),
+  time_constants AS (
+    SELECT
+      NOW() AS current_time,
+      date_trunc('MONTH', NOW()) AS current_month_start,
+      '0 DAYS'::INTERVAL AS zero_day_interval
+  ),
+  paying_orgs_ordered AS (
+    SELECT
+      o.id,
+      ROW_NUMBER() OVER (ORDER BY o.id ASC) - 1 AS preceding_count
+    FROM public.orgs o
+    JOIN public.stripe_info si ON o.customer_id = si.customer_id
+    CROSS JOIN time_constants tc
+    WHERE (
+      (si.status = 'succeeded'
+        AND (si.canceled_at IS NULL OR si.canceled_at > tc.current_time)
+        AND si.subscription_anchor_end > tc.current_time)
+      OR si.trial_at > tc.current_time
+    )
+  ),
+  billing_cycles AS (
+    SELECT
+      o.id AS org_id,
+      CASE
+        WHEN COALESCE(si.subscription_anchor_start - date_trunc('MONTH', si.subscription_anchor_start), tc.zero_day_interval)
+             > tc.current_time - tc.current_month_start
+        THEN date_trunc('MONTH', tc.current_time - INTERVAL '1 MONTH')
+             + COALESCE(si.subscription_anchor_start - date_trunc('MONTH', si.subscription_anchor_start), tc.zero_day_interval)
+        ELSE tc.current_month_start
+             + COALESCE(si.subscription_anchor_start - date_trunc('MONTH', si.subscription_anchor_start), tc.zero_day_interval)
+      END AS cycle_start
+    FROM public.orgs o
+    CROSS JOIN time_constants tc
+    LEFT JOIN public.stripe_info si ON o.customer_id = si.customer_id
+  ),
+  two_fa_access AS (
+    SELECT
+      o.id AS org_id,
+      o.enforcing_2fa,
+      CASE
+        WHEN o.enforcing_2fa = false THEN true
+        ELSE public.has_2fa_enabled(userid)
+      END AS "2fa_has_access",
+      (o.enforcing_2fa = true AND NOT public.has_2fa_enabled(userid)) AS should_redact_2fa
+    FROM public.orgs o
+    JOIN user_orgs uo ON uo.org_id = o.id
+  ),
+  password_policy_access AS (
+    SELECT
+      o.id AS org_id,
+      o.password_policy_config,
+      public.user_meets_password_policy(userid, o.id) AS password_has_access,
+      NOT public.user_meets_password_policy(userid, o.id) AS should_redact_password
+    FROM public.orgs o
+    JOIN user_orgs uo ON uo.org_id = o.id
+  )
+  SELECT
+    o.id AS gid,
+    o.created_by,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::timestamptz
+      ELSE o.created_at
+    END AS created_at,
+    o.logo,
+    o.website,
+    o.name,
+    COALESCE(ou.user_right::varchar, ror.role_name::varchar, public.rbac_role_org_member()::varchar) AS role,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN false
+      ELSE COALESCE(si.status = 'succeeded', false)
+    END AS paying,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN 0
+      ELSE GREATEST(COALESCE((si.trial_at::date - NOW()::date), 0), 0)::integer
+    END AS trial_left,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN false
+      ELSE COALESCE((si.status = 'succeeded' AND si.is_good_plan = true)
+        OR (si.trial_at::date - NOW()::date > 0)
+        OR COALESCE(ucb.available_credits, 0) > 0, false)
+    END AS can_use_more,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN false
+      ELSE COALESCE(si.status = 'canceled', false)
+    END AS is_canceled,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN 0::bigint
+      ELSE COALESCE(ac.cnt, 0)
+    END AS app_count,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::timestamptz
+      ELSE bc.cycle_start
+    END AS subscription_start,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::timestamptz
+      ELSE (bc.cycle_start + INTERVAL '1 MONTH')
+    END AS subscription_end,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::text
+      ELSE o.management_email
+    END AS management_email,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN false
+      ELSE COALESCE(si.price_id = p.price_y_id, false)
+    END AS is_yearly,
+    o.stats_updated_at,
+    o.stats_refresh_requested_at,
+    CASE
+      WHEN poo.id IS NOT NULL THEN
+        public.get_next_cron_time('0 3 * * *', NOW()) + make_interval(mins => poo.preceding_count::int * 4)
+      ELSE NULL
+    END AS next_stats_update_at,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::numeric
+      ELSE COALESCE(ucb.available_credits, 0)
+    END AS credit_available,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::numeric
+      ELSE COALESCE(ucb.total_credits, 0)
+    END AS credit_total,
+    CASE
+      WHEN tfa.should_redact_2fa OR ppa.should_redact_password THEN NULL::timestamptz
+      ELSE ucb.next_expiration
+    END AS credit_next_expiration,
+    tfa.enforcing_2fa,
+    tfa."2fa_has_access",
+    o.enforce_hashed_api_keys,
+    ppa.password_policy_config,
+    ppa.password_has_access,
+    o.require_apikey_expiration,
+    o.max_apikey_expiration_days,
+    o.enforce_encrypted_bundles,
+    o.required_encryption_key,
+    true AS use_new_rbac
+  FROM public.orgs o
+  JOIN user_orgs uo ON uo.org_id = o.id
+  LEFT JOIN public.org_users ou
+    ON ou.user_id = userid
+    AND o.id = ou.org_id
+    AND ou.user_right::text LIKE 'invite_%'
+  LEFT JOIN rbac_org_roles ror ON ror.org_id = o.id
+  LEFT JOIN two_fa_access tfa ON tfa.org_id = o.id
+  LEFT JOIN password_policy_access ppa ON ppa.org_id = o.id
+  LEFT JOIN public.stripe_info si ON o.customer_id = si.customer_id
+  LEFT JOIN public.plans p ON si.product_id = p.stripe_id
+  LEFT JOIN app_counts ac ON ac.owner_org = o.id
+  LEFT JOIN public.usage_credit_balances ucb ON ucb.org_id = o.id
+  LEFT JOIN paying_orgs_ordered poo ON poo.id = o.id
+  LEFT JOIN billing_cycles bc ON bc.org_id = o.id;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_orgs_v7"("userid" "uuid") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."get_orgs_v7"() RETURNS TABLE("gid" "uuid", "created_by" "uuid", "created_at" timestamp with time zone, "logo" "text", "website" "text", "name" "text", "role" character varying, "paying" boolean, "trial_left" integer, "can_use_more" boolean, "is_canceled" boolean, "app_count" bigint, "subscription_start" timestamp with time zone, "subscription_end" timestamp with time zone, "management_email" "text", "is_yearly" boolean, "stats_updated_at" timestamp without time zone, "stats_refresh_requested_at" timestamp without time zone, "next_stats_update_at" timestamp with time zone, "credit_available" numeric, "credit_total" numeric, "credit_next_expiration" timestamp with time zone, "enforcing_2fa" boolean, "2fa_has_access" boolean, "enforce_hashed_api_keys" boolean, "password_policy_config" "jsonb", "password_has_access" boolean, "require_apikey_expiration" boolean, "max_apikey_expiration_days" integer, "enforce_encrypted_bundles" boolean, "required_encryption_key" character varying, "use_new_rbac" boolean)
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+  v_api_key_text text;
+  v_api_key public.apikeys%ROWTYPE;
+BEGIN
+  SELECT public.get_apikey_header() INTO v_api_key_text;
+  IF v_api_key_text IS NOT NULL THEN
+    SELECT * INTO v_api_key FROM public.find_apikey_by_value(v_api_key_text) LIMIT 1;
+    IF v_api_key.id IS NULL THEN
+      RAISE EXCEPTION 'Invalid API key provided';
+    END IF;
+    IF public.is_apikey_expired(v_api_key.expires_at) THEN
+      RAISE EXCEPTION 'API key has expired';
+    END IF;
+    v_user_id := v_api_key.user_id;
+  ELSE
+    SELECT public.get_identity() INTO v_user_id;
+  END IF;
+
+  IF v_user_id IS NULL THEN
+    RAISE EXCEPTION 'No authentication provided - API key or valid session required';
+  END IF;
+
+  RETURN QUERY
+  SELECT orgs.*
+  FROM public.get_orgs_v7(v_user_id) orgs
+  JOIN public.get_user_org_ids() allowed_orgs ON allowed_orgs.org_id = orgs.gid;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_orgs_v7"() OWNER TO "postgres";
+
+DROP FUNCTION IF EXISTS "public"."get_org_apikeys"("p_org_id" "uuid");
+CREATE OR REPLACE FUNCTION "public"."get_org_apikeys"("p_org_id" "uuid") RETURNS TABLE(
+  "id" bigint,
+  "rbac_id" "uuid",
+  "name" "text",
+  "user_id" "uuid",
+  "owner_email" character varying,
+  "created_at" timestamp with time zone,
+  "expires_at" timestamp with time zone
+)
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+BEGIN
+  IF NOT public.rbac_check_permission_direct(
+    public.rbac_perm_org_update_user_roles(),
+    auth.uid(),
+    p_org_id,
+    NULL,
+    NULL,
+    NULL
+  ) THEN
+    RAISE EXCEPTION 'NO_RIGHTS';
+  END IF;
+
+  RETURN QUERY
+  SELECT DISTINCT
+    ak.id,
+    ak.rbac_id,
+    ak.name::text,
+    ak.user_id,
+    users.email,
+    ak.created_at,
+    ak.expires_at
+  FROM public.apikeys ak
+  JOIN public.users users ON users.id = ak.user_id
+  JOIN public.role_bindings rb
+    ON rb.principal_type = public.rbac_principal_apikey()
+    AND rb.principal_id = ak.rbac_id
+    AND rb.org_id = p_org_id
+    AND (rb.expires_at IS NULL OR rb.expires_at > now())
+  ORDER BY ak.created_at DESC;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_org_apikeys"("p_org_id" "uuid") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_org_apikeys"("p_org_id" "uuid") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_org_apikeys"("p_org_id" "uuid") TO "service_role";
+GRANT EXECUTE ON FUNCTION "public"."get_org_apikeys"("p_org_id" "uuid") TO "authenticated";
+
+CREATE OR REPLACE FUNCTION "public"."rbac_org_role_for_legacy_right"("legacy_right" "public"."user_min_right")
+RETURNS text
+LANGUAGE "plpgsql"
+IMMUTABLE
+SET search_path = ''
+AS $$
+BEGIN
+  IF legacy_right >= public.rbac_right_super_admin()::public.user_min_right THEN
+    RETURN public.rbac_role_org_super_admin();
+  ELSIF legacy_right >= public.rbac_right_admin()::public.user_min_right THEN
+    RETURN public.rbac_role_org_admin();
+  END IF;
+
+  RETURN public.rbac_role_org_member();
+END;
+$$;
+
+ALTER FUNCTION "public"."rbac_org_role_for_legacy_right"("public"."user_min_right") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."rbac_org_role_for_legacy_right"("public"."user_min_right") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."rbac_org_role_for_legacy_right"("public"."user_min_right") TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."invite_user_to_org_rbac"("email" character varying, "org_id" "uuid", "role_name" "text") RETURNS character varying
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  org record;
+  invited_user record;
+  current_record record;
+  current_tmp_user record;
+  role_id uuid;
+  role_priority integer;
+  caller_max_priority integer := 0;
+  legacy_right public.user_min_right;
+  invite_right public.user_min_right;
+  api_key_text text;
+  api_key_row public.apikeys%ROWTYPE;
+  v_granted_by uuid;
+  v_principal_type text;
+  v_principal_id uuid;
+BEGIN
+  SELECT * INTO org FROM public.orgs WHERE public.orgs.id = invite_user_to_org_rbac.org_id;
+  IF org IS NULL THEN
+    RETURN 'NO_ORG';
+  END IF;
+
+  SELECT r.id, r.priority_rank INTO role_id, role_priority
+  FROM public.roles r
+  WHERE r.name = invite_user_to_org_rbac.role_name
+    AND r.scope_type = public.rbac_scope_org()
+    AND r.is_assignable = true
+  LIMIT 1;
+
+  IF role_id IS NULL THEN
+    RETURN 'ROLE_NOT_FOUND';
+  END IF;
+
+  SELECT public.get_apikey_header() INTO api_key_text;
+  IF api_key_text IS NOT NULL THEN
+    SELECT * INTO api_key_row FROM public.find_apikey_by_value(api_key_text) LIMIT 1;
+    v_granted_by := api_key_row.user_id;
+    v_principal_type := public.rbac_principal_apikey();
+    v_principal_id := api_key_row.rbac_id;
+  ELSE
+    v_granted_by := auth.uid();
+    v_principal_type := public.rbac_principal_user();
+    v_principal_id := auth.uid();
+  END IF;
+
+  IF invite_user_to_org_rbac.role_name = public.rbac_role_org_super_admin() THEN
+    IF NOT public.rbac_check_permission_direct(public.rbac_perm_org_update_user_roles(), auth.uid(), invite_user_to_org_rbac.org_id, NULL, NULL, api_key_text) THEN
+      RETURN 'NO_RIGHTS';
+    END IF;
+  ELSE
+    IF NOT public.rbac_check_permission_direct(public.rbac_perm_org_invite_user(), auth.uid(), invite_user_to_org_rbac.org_id, NULL, NULL, api_key_text) THEN
+      RETURN 'NO_RIGHTS';
+    END IF;
+  END IF;
+
+  IF v_principal_id IS NULL THEN
+    RETURN 'NO_RIGHTS';
+  END IF;
+
+  SELECT COALESCE(MAX(r.priority_rank), 0) INTO caller_max_priority
+  FROM public.role_bindings rb
+  JOIN public.roles r
+    ON r.id = rb.role_id
+    AND r.scope_type = rb.scope_type
+  WHERE rb.principal_type = v_principal_type
+    AND rb.principal_id = v_principal_id
+    AND rb.org_id = invite_user_to_org_rbac.org_id
+    AND (rb.expires_at IS NULL OR rb.expires_at > now());
+
+  IF caller_max_priority < role_priority THEN
+    RETURN 'NO_RIGHTS';
+  END IF;
+
+  legacy_right := public.rbac_legacy_right_for_org_role(invite_user_to_org_rbac.role_name);
+  invite_right := public.transform_role_to_invite(legacy_right);
+
+  SELECT public.users.id INTO invited_user FROM public.users WHERE public.users.email = invite_user_to_org_rbac.email;
+
+  IF invited_user IS NOT NULL THEN
+    SELECT public.org_users.id INTO current_record
+    FROM public.org_users
+    WHERE public.org_users.user_id = invited_user.id
+      AND public.org_users.org_id = invite_user_to_org_rbac.org_id;
+
+    IF current_record IS NOT NULL THEN
+      RETURN 'ALREADY_INVITED';
+    ELSE
+      INSERT INTO public.org_users (user_id, org_id, user_right, rbac_role_name)
+      VALUES (invited_user.id, invite_user_to_org_rbac.org_id, invite_right, invite_user_to_org_rbac.role_name);
+
+      INSERT INTO public.role_bindings (
+        principal_type, principal_id, role_id, scope_type, org_id,
+        granted_by, granted_at, expires_at, reason, is_direct
+      ) VALUES (
+        public.rbac_principal_user(), invited_user.id, role_id, public.rbac_scope_org(), invite_user_to_org_rbac.org_id,
+        COALESCE(v_granted_by, invited_user.id), now(), now() - INTERVAL '1 second', 'Pending invitation', true
+      ) ON CONFLICT DO NOTHING;
+
+      RETURN 'OK';
+    END IF;
+  ELSE
+    SELECT * INTO current_tmp_user
+    FROM public.tmp_users
+    WHERE public.tmp_users.email = invite_user_to_org_rbac.email
+      AND public.tmp_users.org_id = invite_user_to_org_rbac.org_id;
+
+    IF current_tmp_user IS NOT NULL THEN
+      IF current_tmp_user.cancelled_at IS NOT NULL THEN
+        IF current_tmp_user.cancelled_at > (CURRENT_TIMESTAMP - INTERVAL '3 hours') THEN
+          RETURN 'TOO_RECENT_INVITATION_CANCELATION';
+        ELSE
+          RETURN 'NO_EMAIL';
+        END IF;
+      ELSE
+        RETURN 'ALREADY_INVITED';
+      END IF;
+    ELSE
+      RETURN 'NO_EMAIL';
+    END IF;
+  END IF;
+END;
+$$;
+
+ALTER FUNCTION "public"."invite_user_to_org_rbac"("email" character varying, "org_id" "uuid", "role_name" "text") OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."invite_user_to_org"(
+  "email" character varying,
+  "org_id" "uuid",
+  "invite_type" "public"."user_min_right"
+) RETURNS character varying
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  legacy_right public.user_min_right;
+  role_name text;
+BEGIN
+  legacy_right := public.transform_role_to_non_invite(invite_type);
+  role_name := public.rbac_org_role_for_legacy_right(legacy_right);
+
+  RETURN public.invite_user_to_org_rbac(email, org_id, role_name);
+END;
+$$;
+
+ALTER FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") TO "service_role";
+
+COMMENT ON FUNCTION "public"."invite_user_to_org"("email" character varying, "org_id" "uuid", "invite_type" "public"."user_min_right") IS 'Compatibility wrapper for old invite callers. Legacy role inputs are converted to RBAC roles.';
+
+CREATE OR REPLACE FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") RETURNS character varying
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+SET row_security = off
+AS $$
+DECLARE
+  invite public.org_users%ROWTYPE;
+  invite_user_id uuid;
+  invite_org_id uuid;
+  legacy_right public.user_min_right;
+  role_name text;
+  role_id uuid;
+BEGIN
+  SELECT public.org_users.*
+  INTO invite
+  FROM public.org_users
+  WHERE public.org_users.org_id = accept_invitation_to_org.org_id
+    AND public.org_users.user_id = (SELECT auth.uid())
+  ORDER BY (public.org_users.user_right::text LIKE 'invite_%') DESC,
+    public.org_users.created_at DESC NULLS LAST,
+    public.org_users.id DESC
+  LIMIT 1;
+
+  IF invite.id IS NOT NULL AND invite.user_right::text NOT LIKE 'invite_%' THEN
+    RETURN 'INVALID_ROLE';
+  END IF;
+
+  IF invite.id IS NOT NULL THEN
+    invite_user_id := invite.user_id;
+    invite_org_id := invite.org_id;
+    legacy_right := public.transform_role_to_non_invite(invite.user_right);
+    role_name := COALESCE(invite.rbac_role_name, public.rbac_org_role_for_legacy_right(legacy_right));
+  ELSE
+    SELECT rb.principal_id, rb.org_id, r.name
+    INTO invite_user_id, invite_org_id, role_name
+    FROM public.role_bindings rb
+    JOIN public.roles r
+      ON r.id = rb.role_id
+      AND r.scope_type = rb.scope_type
+    WHERE rb.principal_type = public.rbac_principal_user()
+      AND rb.principal_id = (SELECT auth.uid())
+      AND rb.org_id = accept_invitation_to_org.org_id
+      AND rb.scope_type = public.rbac_scope_org()
+      AND rb.reason IN ('Pending invitation', 'Invited via invite_user_to_org_rbac')
+    ORDER BY rb.granted_at DESC NULLS LAST
+    LIMIT 1;
+
+    IF invite_user_id IS NULL THEN
+      RETURN 'NO_INVITE';
+    END IF;
+
+    legacy_right := public.rbac_legacy_right_for_org_role(role_name);
+  END IF;
+
+  IF role_name IS NULL THEN
+    RETURN 'ROLE_NOT_FOUND';
+  END IF;
+
+  SELECT public.roles.id INTO role_id
+  FROM public.roles
+  WHERE public.roles.name = role_name
+    AND public.roles.scope_type = public.rbac_scope_org()
+    AND public.roles.is_assignable = true
+  LIMIT 1;
+
+  IF role_id IS NULL THEN
+    RETURN 'ROLE_NOT_FOUND';
+  END IF;
+
+  UPDATE public.org_users
+  SET user_right = legacy_right,
+      rbac_role_name = role_name,
+      updated_at = CURRENT_TIMESTAMP
+  WHERE public.org_users.id = invite.id;
+
+  IF invite.id IS NULL THEN
+    INSERT INTO public.org_users (user_id, org_id, user_right, rbac_role_name)
+    VALUES (invite_user_id, invite_org_id, legacy_right, role_name);
+  END IF;
+
+  DELETE FROM public.role_bindings
+  WHERE public.role_bindings.principal_type = public.rbac_principal_user()
+    AND public.role_bindings.principal_id = invite_user_id
+    AND public.role_bindings.scope_type = public.rbac_scope_org()
+    AND public.role_bindings.org_id = invite_org_id;
+
+  INSERT INTO public.role_bindings (
+    principal_type,
+    principal_id,
+    role_id,
+    scope_type,
+    org_id,
+    app_id,
+    channel_id,
+    granted_by,
+    granted_at,
+    reason,
+    is_direct
+  ) VALUES (
+    public.rbac_principal_user(),
+    invite_user_id,
+    role_id,
+    public.rbac_scope_org(),
+    invite_org_id,
+    NULL,
+    NULL,
+    auth.uid(),
+    now(),
+    'Accepted invitation',
+    true
+  ) ON CONFLICT DO NOTHING;
+
+  RETURN 'OK';
+END;
+$$;
+
+ALTER FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") TO "service_role";
+
+COMMENT ON FUNCTION "public"."accept_invitation_to_org"("org_id" "uuid") IS 'Accepts a pending org invite and creates the active RBAC binding. Kept for old clients.';
+
+CREATE OR REPLACE FUNCTION "public"."modify_permissions_tmp"(
+  "email" "text",
+  "org_id" "uuid",
+  "new_role" "public"."user_min_right"
+) RETURNS character varying
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  tmp_user record;
+  non_invite_role public.user_min_right;
+  v_rbac_role_name text;
+BEGIN
+  non_invite_role := public.transform_role_to_non_invite(new_role);
+  v_rbac_role_name := public.rbac_org_role_for_legacy_right(non_invite_role);
+
+  PERFORM 1 FROM public.orgs WHERE public.orgs.id = modify_permissions_tmp.org_id;
+  IF NOT FOUND THEN
+    RETURN 'NO_ORG';
+  END IF;
+
+  IF NOT public.check_min_rights(
+    'admin'::public.user_min_right,
+    (SELECT public.get_identity_org_allowed('{read,upload,write,all}'::public.key_mode[], modify_permissions_tmp.org_id)),
+    modify_permissions_tmp.org_id,
+    NULL::varchar,
+    NULL::bigint
+  ) THEN
+    RETURN 'NO_RIGHTS';
+  END IF;
+
+  IF non_invite_role = 'super_admin'::public.user_min_right
+    AND NOT public.check_min_rights(
+      'super_admin'::public.user_min_right,
+      (SELECT public.get_identity_org_allowed('{read,upload,write,all}'::public.key_mode[], modify_permissions_tmp.org_id)),
+      modify_permissions_tmp.org_id,
+      NULL::varchar,
+      NULL::bigint
+    )
+  THEN
+    RETURN 'NO_RIGHTS_FOR_SUPER_ADMIN';
+  END IF;
+
+  SELECT * INTO tmp_user
+  FROM public.tmp_users
+  WHERE public.tmp_users.email = modify_permissions_tmp.email
+    AND public.tmp_users.org_id = modify_permissions_tmp.org_id;
+
+  IF NOT FOUND THEN
+    RETURN 'NO_INVITATION';
+  END IF;
+  IF tmp_user.cancelled_at IS NOT NULL THEN
+    RETURN 'INVITATION_CANCELLED';
+  END IF;
+
+  UPDATE public.tmp_users
+  SET role = non_invite_role,
+      rbac_role_name = v_rbac_role_name,
+      updated_at = CURRENT_TIMESTAMP
+  WHERE public.tmp_users.id = tmp_user.id;
+
+  RETURN 'OK';
+END;
+$$;
+
+ALTER FUNCTION "public"."modify_permissions_tmp"("email" "text", "org_id" "uuid", "new_role" "public"."user_min_right") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."modify_permissions_tmp"("email" "text", "org_id" "uuid", "new_role" "public"."user_min_right") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."modify_permissions_tmp"("email" "text", "org_id" "uuid", "new_role" "public"."user_min_right") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."modify_permissions_tmp"("email" "text", "org_id" "uuid", "new_role" "public"."user_min_right") TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."enforce_apikey_expiration_policy"()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  scoped_org record;
+BEGIN
+  IF TG_OP = 'UPDATE'
+    AND NEW.expires_at IS NOT DISTINCT FROM OLD.expires_at THEN
+    RETURN NEW;
+  END IF;
+
+  FOR scoped_org IN
+    SELECT DISTINCT
+      public.orgs.id,
+      public.orgs.require_apikey_expiration,
+      public.orgs.max_apikey_expiration_days
+    FROM public.role_bindings
+    JOIN public.orgs ON public.orgs.id = public.role_bindings.org_id
+    WHERE public.role_bindings.principal_type = public.rbac_principal_apikey()
+      AND public.role_bindings.principal_id = NEW.rbac_id
+      AND public.role_bindings.org_id IS NOT NULL
+  LOOP
+    IF scoped_org.require_apikey_expiration AND NEW.expires_at IS NULL THEN
+      RAISE EXCEPTION USING
+        ERRCODE = 'P0001',
+        MESSAGE = 'expiration_required',
+        DETAIL = 'This organization requires API keys to have an expiration date';
+    END IF;
+
+    IF scoped_org.max_apikey_expiration_days IS NOT NULL
+      AND NEW.expires_at IS NOT NULL
+      AND NEW.expires_at > clock_timestamp() + make_interval(days => scoped_org.max_apikey_expiration_days)
+    THEN
+      RAISE EXCEPTION USING
+        ERRCODE = 'P0001',
+        MESSAGE = 'expiration_exceeds_max',
+        DETAIL = format('API key expiration cannot exceed %s days for this organization', scoped_org.max_apikey_expiration_days);
+    END IF;
+  END LOOP;
+
+  RETURN NEW;
+END;
+$$;
+
+ALTER FUNCTION "public"."enforce_apikey_expiration_policy"() OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."enforce_apikey_expiration_policy"() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."enforce_apikey_expiration_policy"() TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."enforce_apikey_role_binding_expiration_policy"()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  api_key_row public.apikeys%ROWTYPE;
+  scoped_org record;
+BEGIN
+  IF NEW.principal_type <> public.rbac_principal_apikey()
+    OR NEW.org_id IS NULL
+    OR (NEW.expires_at IS NOT NULL AND NEW.expires_at <= now()) THEN
+    RETURN NEW;
+  END IF;
+
+  SELECT *
+  INTO api_key_row
+  FROM public.apikeys
+  WHERE public.apikeys.rbac_id = NEW.principal_id
+  LIMIT 1;
+
+  IF api_key_row.id IS NULL THEN
+    RETURN NEW;
+  END IF;
+
+  SELECT
+    public.orgs.id,
+    public.orgs.require_apikey_expiration,
+    public.orgs.max_apikey_expiration_days
+  INTO scoped_org
+  FROM public.orgs
+  WHERE public.orgs.id = NEW.org_id
+  LIMIT 1;
+
+  IF scoped_org.id IS NULL THEN
+    RETURN NEW;
+  END IF;
+
+  IF scoped_org.require_apikey_expiration AND api_key_row.expires_at IS NULL THEN
+    RAISE EXCEPTION USING
+      ERRCODE = 'P0001',
+      MESSAGE = 'expiration_required',
+      DETAIL = 'This organization requires API keys to have an expiration date';
+  END IF;
+
+  IF scoped_org.max_apikey_expiration_days IS NOT NULL
+    AND api_key_row.expires_at IS NOT NULL
+    AND api_key_row.expires_at > clock_timestamp() + make_interval(days => scoped_org.max_apikey_expiration_days)
+  THEN
+    RAISE EXCEPTION USING
+      ERRCODE = 'P0001',
+      MESSAGE = 'expiration_exceeds_max',
+      DETAIL = format('API key expiration cannot exceed %s days for this organization', scoped_org.max_apikey_expiration_days);
+  END IF;
+
+  RETURN NEW;
+END;
+$$;
+
+ALTER FUNCTION "public"."enforce_apikey_role_binding_expiration_policy"() OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."enforce_apikey_role_binding_expiration_policy"() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."enforce_apikey_role_binding_expiration_policy"() TO "service_role";
+
+DROP TRIGGER IF EXISTS "role_bindings_enforce_apikey_expiration_policy" ON "public"."role_bindings";
+CREATE TRIGGER "role_bindings_enforce_apikey_expiration_policy"
+BEFORE INSERT OR UPDATE OF principal_type, principal_id, org_id, expires_at
+ON "public"."role_bindings"
+FOR EACH ROW
+EXECUTE FUNCTION "public"."enforce_apikey_role_binding_expiration_policy"();
+
+CREATE OR REPLACE FUNCTION "public"."check_apikey_hashed_key_enforcement"("apikey_row" "public"."apikeys")
+RETURNS boolean
+LANGUAGE "plpgsql"
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  scoped_enforced_org_exists boolean;
+BEGIN
+  IF apikey_row.key IS NULL AND apikey_row.key_hash IS NOT NULL THEN
+    RETURN true;
+  END IF;
+
+  WITH scoped_orgs AS (
+    SELECT public.role_bindings.org_id
+    FROM public.role_bindings
+    WHERE apikey_row.rbac_id IS NOT NULL
+      AND public.role_bindings.principal_type = public.rbac_principal_apikey()
+      AND public.role_bindings.principal_id = apikey_row.rbac_id
+      AND public.role_bindings.scope_type = public.rbac_scope_org()
+      AND public.role_bindings.org_id IS NOT NULL
+      AND (public.role_bindings.expires_at IS NULL OR public.role_bindings.expires_at > now())
+
+    UNION
+
+    SELECT public.apps.owner_org
+    FROM public.role_bindings
+    JOIN public.apps ON public.apps.id = public.role_bindings.app_id
+    WHERE apikey_row.rbac_id IS NOT NULL
+      AND public.role_bindings.principal_type = public.rbac_principal_apikey()
+      AND public.role_bindings.principal_id = apikey_row.rbac_id
+      AND public.role_bindings.scope_type = public.rbac_scope_app()
+      AND public.role_bindings.app_id IS NOT NULL
+      AND (public.role_bindings.expires_at IS NULL OR public.role_bindings.expires_at > now())
+
+    UNION
+
+    SELECT public.apps.owner_org
+    FROM public.role_bindings
+    JOIN public.channels ON public.channels.rbac_id = public.role_bindings.channel_id
+    JOIN public.apps ON public.apps.app_id = public.channels.app_id
+    WHERE apikey_row.rbac_id IS NOT NULL
+      AND public.role_bindings.principal_type = public.rbac_principal_apikey()
+      AND public.role_bindings.principal_id = apikey_row.rbac_id
+      AND public.role_bindings.scope_type = public.rbac_scope_channel()
+      AND public.role_bindings.channel_id IS NOT NULL
+      AND (public.role_bindings.expires_at IS NULL OR public.role_bindings.expires_at > now())
+  )
+  SELECT EXISTS (
+    SELECT 1
+    FROM scoped_orgs
+    JOIN public.orgs ON public.orgs.id = scoped_orgs.org_id
+    WHERE public.orgs.enforce_hashed_api_keys = true
+  )
+  INTO scoped_enforced_org_exists;
+
+  IF scoped_enforced_org_exists THEN
+    PERFORM public.pg_log(
+      'deny: ORG_REQUIRES_HASHED_API_KEY',
+      jsonb_build_object('apikey_id', apikey_row.id, 'user_id', apikey_row.user_id)
+    );
+    RETURN false;
+  END IF;
+
+  RETURN true;
+END;
+$$;
+
+ALTER FUNCTION "public"."check_apikey_hashed_key_enforcement"("public"."apikeys") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."check_apikey_hashed_key_enforcement"("public"."apikeys") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."check_apikey_hashed_key_enforcement"("public"."apikeys") TO "service_role";
+
+CREATE OR REPLACE FUNCTION "public"."find_apikey_by_value"("key_value" "text") RETURNS SETOF "public"."apikeys"
+    LANGUAGE "plpgsql" SECURITY DEFINER
+    SET search_path = ''
+    AS $$
+DECLARE
+  apikey_row public.apikeys%ROWTYPE;
+BEGIN
+  SELECT public.apikeys.*
+  INTO apikey_row
+  FROM public.apikeys
+  WHERE public.apikeys.key = key_value
+    OR public.apikeys.key_hash = encode(extensions.digest(key_value, 'sha256'), 'hex')
+  LIMIT 1;
+
+  IF apikey_row.id IS NULL THEN
+    RETURN;
+  END IF;
+
+  IF NOT public.check_apikey_hashed_key_enforcement(apikey_row) THEN
+    RETURN;
+  END IF;
+
+  RETURN NEXT apikey_row;
+END;
+$$;
+
+ALTER FUNCTION "public"."find_apikey_by_value"("key_value" "text") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."find_apikey_by_value"("key_value" "text") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."find_apikey_by_value"("key_value" "text") TO "service_role";
+
+DROP POLICY IF EXISTS "Allow admin to select webhooks" ON "public"."webhooks";
+DROP POLICY IF EXISTS "Allow admin to insert webhooks" ON "public"."webhooks";
+DROP POLICY IF EXISTS "Allow admin to update webhooks" ON "public"."webhooks";
+DROP POLICY IF EXISTS "Allow admin to delete webhooks" ON "public"."webhooks";
+
+CREATE POLICY "Allow admin to select webhooks"
+ON "public"."webhooks"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+CREATE POLICY "Allow admin to insert webhooks"
+ON "public"."webhooks"
+FOR INSERT
+TO "authenticated", "anon"
+WITH CHECK (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+CREATE POLICY "Allow admin to update webhooks"
+ON "public"."webhooks"
+FOR UPDATE
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+)
+WITH CHECK (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+CREATE POLICY "Allow admin to delete webhooks"
+ON "public"."webhooks"
+FOR DELETE
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+DROP POLICY IF EXISTS "Allow org members to select webhook_deliveries" ON "public"."webhook_deliveries";
+DROP POLICY IF EXISTS "Allow admin to insert webhook_deliveries" ON "public"."webhook_deliveries";
+DROP POLICY IF EXISTS "Allow admin to update webhook_deliveries" ON "public"."webhook_deliveries";
+
+CREATE POLICY "Allow org members to select webhook_deliveries"
+ON "public"."webhook_deliveries"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'read'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+CREATE POLICY "Allow admin to insert webhook_deliveries"
+ON "public"."webhook_deliveries"
+FOR INSERT
+TO "authenticated", "anon"
+WITH CHECK (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+CREATE POLICY "Allow admin to update webhook_deliveries"
+ON "public"."webhook_deliveries"
+FOR UPDATE
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+)
+WITH CHECK (
+  public.check_min_rights(
+    'admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    org_id,
+    NULL::character varying,
+    NULL::bigint
+  )
+);
+
+DROP POLICY IF EXISTS "Allow owner to insert own apikeys" ON "public"."apikeys";
+DROP POLICY IF EXISTS "Deny client insert on apikeys" ON "public"."apikeys";
+CREATE POLICY "Deny client insert on apikeys" ON "public"."apikeys"
+AS RESTRICTIVE
+FOR INSERT
+TO "anon", "authenticated"
+WITH CHECK (false);
+
+DROP POLICY IF EXISTS "Allow owner to update own apikeys" ON "public"."apikeys";
+DROP POLICY IF EXISTS "Allow owner to update own V2 apikeys" ON "public"."apikeys";
+CREATE POLICY "Allow owner to update own apikeys" ON "public"."apikeys"
+FOR UPDATE
+TO "anon", "authenticated"
+USING (
+  "user_id" = (SELECT public.get_identity_for_apikey_creation())
+)
+WITH CHECK (
+  "user_id" = (SELECT public.get_identity_for_apikey_creation())
+);
+
+-- API-key compatibility identity functions are intentionally not authorization
+-- gates for owner-scoped user/account tables. Those rows stay JWT-only.
+DROP POLICY IF EXISTS "Allow owner to select own apikeys" ON "public"."apikeys";
+CREATE POLICY "Allow owner to select own apikeys" ON "public"."apikeys"
+FOR SELECT
+TO "authenticated"
+USING (
+  "user_id" = (SELECT auth.uid())
+);
+
+DROP POLICY IF EXISTS "Allow owner to delete own apikeys" ON "public"."apikeys";
+CREATE POLICY "Allow owner to delete own apikeys" ON "public"."apikeys"
+FOR DELETE
+TO "authenticated"
+USING (
+  "user_id" = (SELECT auth.uid())
+);
+
+DROP POLICY IF EXISTS "Allow owner to insert own users" ON "public"."users";
+CREATE POLICY "Allow owner to insert own users" ON "public"."users"
+FOR INSERT
+TO "authenticated"
+WITH CHECK (
+  "id" = (SELECT auth.uid())
+  AND (SELECT public.is_not_deleted("users"."email"))
+);
+
+DROP POLICY IF EXISTS "Allow owner to select own user" ON "public"."users";
+CREATE POLICY "Allow owner to select own user" ON "public"."users"
+FOR SELECT
+TO "authenticated"
+USING (
+  "id" = (SELECT auth.uid())
+  AND (SELECT public.is_not_deleted("users"."email"))
+);
+
+DROP POLICY IF EXISTS "Allow owner to update own users" ON "public"."users";
+CREATE POLICY "Allow owner to update own users" ON "public"."users"
+FOR UPDATE
+TO "authenticated"
+USING (
+  "id" = (SELECT auth.uid())
+  AND (SELECT public.is_not_deleted("users"."email"))
+)
+WITH CHECK (
+  "id" = (SELECT auth.uid())
+  AND (SELECT public.is_not_deleted("users"."email"))
+);
+
+DROP POLICY IF EXISTS "Allow insert org for apikey or user" ON "public"."orgs";
+DROP POLICY IF EXISTS "Allow insert org for user" ON "public"."orgs";
+CREATE POLICY "Allow insert org for user" ON "public"."orgs"
+FOR INSERT
+TO "authenticated"
+WITH CHECK (
+  "created_by" = (SELECT auth.uid())
+);
+
+DROP POLICY IF EXISTS "Allow all for auth (super_admin+)" ON "public"."apps";
+CREATE POLICY "Allow all for auth (super_admin+)" ON "public"."apps"
+FOR DELETE
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'super_admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    owner_org,
+    app_id,
+    NULL::bigint
+  )
+);
+
+DROP POLICY IF EXISTS "Allow all for auth (super_admin+)" ON "public"."app_versions";
+CREATE POLICY "Allow all for auth (super_admin+)" ON "public"."app_versions"
+FOR DELETE
+TO "authenticated", "anon"
+USING (
+  public.check_min_rights(
+    'super_admin'::public.user_min_right,
+    CASE
+      WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+      ELSE (SELECT auth.uid())
+    END,
+    owner_org,
+    app_id,
+    NULL::bigint
+  )
+);
+
+DROP POLICY IF EXISTS "Allow update for auth (write+)" ON "public"."app_versions";
+DROP POLICY IF EXISTS "Allow update for api keys (write,all,upload) (upload+)" ON "public"."app_versions";
+DROP POLICY IF EXISTS "Allow update for auth and api keys" ON "public"."app_versions";
+CREATE POLICY "Allow update for auth and api keys"
+ON "public"."app_versions"
+FOR UPDATE
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM (SELECT auth.uid() AS uid, public.get_apikey_header() AS apikey) AS identity
+    WHERE (
+        identity.uid IS NOT NULL
+        AND public.check_min_rights(
+          'write'::public.user_min_right,
+          identity.uid,
+          owner_org,
+          app_id,
+          NULL::bigint
+        )
+      )
+      OR (
+        identity.uid IS NULL
+        AND identity.apikey IS NOT NULL
+        AND public.check_min_rights(
+          'upload'::public.user_min_right,
+          NULL::uuid,
+          owner_org,
+          app_id,
+          NULL::bigint
+        )
+      )
+  )
+)
+WITH CHECK (
+  EXISTS (
+    SELECT 1
+    FROM (SELECT auth.uid() AS uid, public.get_apikey_header() AS apikey) AS identity
+    WHERE (
+        identity.uid IS NOT NULL
+        AND public.check_min_rights(
+          'write'::public.user_min_right,
+          identity.uid,
+          owner_org,
+          app_id,
+          NULL::bigint
+        )
+      )
+      OR (
+        identity.uid IS NULL
+        AND identity.apikey IS NOT NULL
+        AND public.check_min_rights(
+          'upload'::public.user_min_right,
+          NULL::uuid,
+          owner_org,
+          app_id,
+          NULL::bigint
+        )
+      )
+  )
+);
+
+DROP POLICY IF EXISTS "Allow insert for auth (write+)" ON "public"."channel_devices";
+CREATE POLICY "Allow insert for auth (write+)" ON "public"."channel_devices"
+FOR INSERT
+TO "authenticated"
+WITH CHECK (
+  public.check_min_rights(
+    'write'::public.user_min_right,
+    (SELECT auth.uid()),
+    owner_org,
+    app_id,
+    NULL::bigint
+  )
+);
+
+DROP POLICY IF EXISTS "Allow read for auth (read+)" ON "public"."daily_bandwidth";
+CREATE POLICY "Allow read for auth (read+)" ON "public"."daily_bandwidth"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM public.apps
+    WHERE apps.app_id = daily_bandwidth.app_id
+      AND public.check_min_rights(
+        'read'::public.user_min_right,
+        CASE
+          WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+          ELSE (SELECT auth.uid())
+        END,
+        apps.owner_org,
+        daily_bandwidth.app_id,
+        NULL::bigint
+      )
+  )
+);
+
+DROP POLICY IF EXISTS "Allow read for auth (read+)" ON "public"."daily_mau";
+CREATE POLICY "Allow read for auth (read+)" ON "public"."daily_mau"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM public.apps
+    WHERE apps.app_id = daily_mau.app_id
+      AND public.check_min_rights(
+        'read'::public.user_min_right,
+        CASE
+          WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+          ELSE (SELECT auth.uid())
+        END,
+        apps.owner_org,
+        daily_mau.app_id,
+        NULL::bigint
+      )
+  )
+);
+
+DROP POLICY IF EXISTS "Allow read for auth (read+)" ON "public"."daily_storage";
+CREATE POLICY "Allow read for auth (read+)" ON "public"."daily_storage"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM public.apps
+    WHERE apps.app_id = daily_storage.app_id
+      AND public.check_min_rights(
+        'read'::public.user_min_right,
+        CASE
+          WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+          ELSE (SELECT auth.uid())
+        END,
+        apps.owner_org,
+        daily_storage.app_id,
+        NULL::bigint
+      )
+  )
+);
+
+DROP POLICY IF EXISTS "Allow read for auth (read+)" ON "public"."daily_version";
+CREATE POLICY "Allow read for auth (read+)" ON "public"."daily_version"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM public.apps
+    WHERE apps.app_id = daily_version.app_id
+      AND public.check_min_rights(
+        'read'::public.user_min_right,
+        CASE
+          WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+          ELSE (SELECT auth.uid())
+        END,
+        apps.owner_org,
+        daily_version.app_id,
+        NULL::bigint
+      )
+  )
+);
+
+DROP POLICY IF EXISTS "Allow apikey to read" ON "public"."stats";
+DROP POLICY IF EXISTS "Allow read for auth (read+)" ON "public"."stats";
+CREATE POLICY "Allow read for auth (read+)" ON "public"."stats"
+FOR SELECT
+TO "authenticated", "anon"
+USING (
+  EXISTS (
+    SELECT 1
+    FROM public.apps
+    WHERE apps.app_id = stats.app_id
+      AND public.check_min_rights(
+        'read'::public.user_min_right,
+        CASE
+          WHEN (SELECT public.get_apikey_header()) IS NOT NULL THEN NULL::uuid
+          ELSE (SELECT auth.uid())
+        END,
+        apps.owner_org,
+        stats.app_id,
+        NULL::bigint
+      )
+  )
+);
+
+CREATE OR REPLACE FUNCTION "public"."get_total_metrics"() RETURNS TABLE(
+  "mau" bigint,
+  "storage" bigint,
+  "bandwidth" bigint,
+  "build_time_unit" bigint,
+  "get" bigint,
+  "fail" bigint,
+  "install" bigint,
+  "uninstall" bigint
+)
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_request_org_id uuid;
+  v_org_id_text text;
+  v_auth_uid uuid;
+  v_request_apikey text;
+BEGIN
+  SELECT auth.uid() INTO v_auth_uid;
+  SELECT public.get_apikey_header() INTO v_request_apikey;
+
+  IF v_auth_uid IS NULL AND (v_request_apikey IS NULL OR v_request_apikey = '') THEN
+    RETURN;
+  END IF;
+
+  SELECT current_setting('request.jwt.claim.org_id', true) INTO v_org_id_text;
+
+  IF v_org_id_text IS NOT NULL AND v_org_id_text <> '' THEN
+    BEGIN
+      v_request_org_id := v_org_id_text::uuid;
+    EXCEPTION WHEN invalid_text_representation THEN
+      v_request_org_id := NULL;
+    END;
+  END IF;
+
+  IF v_request_org_id IS NOT NULL AND NOT EXISTS (
+    SELECT 1
+    FROM public.get_user_org_ids() allowed_orgs
+    WHERE allowed_orgs.org_id = v_request_org_id
+  ) THEN
+    RETURN;
+  END IF;
+
+  IF v_request_org_id IS NULL THEN
+    SELECT allowed_orgs.org_id
+    INTO v_request_org_id
+    FROM public.get_user_org_ids() allowed_orgs
+    ORDER BY allowed_orgs.org_id
+    LIMIT 1;
+  END IF;
+
+  IF v_request_org_id IS NULL THEN
+    RETURN;
+  END IF;
+
+  RETURN QUERY
+  SELECT
+    metrics.mau,
+    metrics.storage,
+    metrics.bandwidth,
+    metrics.build_time_unit,
+    metrics.get,
+    metrics.fail,
+    metrics.install,
+    metrics.uninstall
+  FROM public.get_total_metrics(v_request_org_id) AS metrics;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_total_metrics"() OWNER TO "postgres";
+
+CREATE OR REPLACE FUNCTION "public"."regenerate_hashed_apikey"("p_apikey_id" bigint) RETURNS "public"."apikeys"
+LANGUAGE "plpgsql"
+SET search_path = ''
+AS $$
+DECLARE
+  v_user_id uuid;
+BEGIN
+  SELECT public.get_identity_for_apikey_creation() INTO v_user_id;
+  IF v_user_id IS NULL THEN
+    RAISE EXCEPTION 'No authentication provided';
+  END IF;
+
+  RETURN public.regenerate_hashed_apikey_for_user(p_apikey_id, v_user_id);
+END;
+$$;
+
+ALTER FUNCTION "public"."regenerate_hashed_apikey"("p_apikey_id" bigint) OWNER TO "postgres";
+
+DROP FUNCTION IF EXISTS "public"."create_hashed_apikey"("public"."key_mode", "text", "uuid"[], "text"[], timestamp with time zone);
+DROP FUNCTION IF EXISTS "public"."create_hashed_apikey_for_user"("uuid", "public"."key_mode", "text", "uuid"[], "text"[], timestamp with time zone);
+
+ALTER TABLE "public"."apikeys"
+  DROP COLUMN IF EXISTS "mode",
+  DROP COLUMN IF EXISTS "limited_to_orgs",
+  DROP COLUMN IF EXISTS "limited_to_apps";
+
+CREATE OR REPLACE FUNCTION "public"."get_accessible_apps_for_apikey_v2"(
+  "apikey" "text" DEFAULT NULL
+) RETURNS SETOF "public"."apps"
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_request_apikey text;
+  v_api_key public.apikeys%ROWTYPE;
+BEGIN
+  SELECT public.get_apikey_header() INTO v_request_apikey;
+
+  IF v_request_apikey IS NULL OR v_request_apikey = '' THEN
+    RETURN;
+  END IF;
+
+  IF apikey IS NOT NULL AND apikey <> '' AND apikey IS DISTINCT FROM v_request_apikey THEN
+    RETURN;
+  END IF;
+
+  SELECT * INTO v_api_key
+  FROM public.find_apikey_by_value(v_request_apikey)
+  LIMIT 1;
+
+  IF v_api_key.id IS NULL OR public.is_apikey_expired(v_api_key.expires_at) THEN
+    RETURN;
+  END IF;
+
+  RETURN QUERY
+  SELECT apps.*
+  FROM public.apps
+  WHERE public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    v_api_key.user_id,
+    apps.owner_org,
+    apps.app_id,
+    NULL,
+    v_request_apikey
+  )
+  ORDER BY apps.created_at DESC;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") TO "service_role";
+COMMENT ON FUNCTION "public"."get_accessible_apps_for_apikey_v2"("apikey" "text") IS 'Returns apps visible to the request capgkey using RBAC permission checks. The apikey argument is retained for CLI compatibility and must match the header when provided.';
+
+CREATE OR REPLACE FUNCTION "public"."get_organization_cli_warnings"(
+  "orgid" "uuid",
+  "cli_version" "text"
+) RETURNS "jsonb"[]
+LANGUAGE "plpgsql" SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  messages jsonb[] := ARRAY[]::jsonb[];
+  request_apikey text;
+  api_key public.apikeys%ROWTYPE;
+  fallback_app_id text;
+  has_org_read boolean;
+BEGIN
+  PERFORM cli_version;
+
+  has_org_read := public.cli_check_permission(
+    permission_key := public.rbac_perm_org_read(),
+    org_id := orgid
+  );
+
+  IF NOT has_org_read THEN
+    SELECT public.get_apikey_header() INTO request_apikey;
+
+    IF request_apikey IS NOT NULL AND request_apikey <> '' THEN
+      SELECT *
+      INTO api_key
+      FROM public.find_apikey_by_value(request_apikey)
+      LIMIT 1;
+
+      IF api_key.id IS NOT NULL
+        AND NOT public.is_apikey_expired(api_key.expires_at)
+      THEN
+        SELECT public.apps.app_id
+        INTO fallback_app_id
+        FROM public.role_bindings rb
+        JOIN public.apps ON public.apps.id = rb.app_id
+        WHERE rb.principal_type = public.rbac_principal_apikey()
+          AND rb.principal_id = api_key.rbac_id
+          AND rb.scope_type = public.rbac_scope_app()
+          AND rb.app_id IS NOT NULL
+          AND public.apps.owner_org = orgid
+          AND (rb.expires_at IS NULL OR rb.expires_at > now())
+        ORDER BY public.apps.app_id
+        LIMIT 1;
+
+        IF fallback_app_id IS NOT NULL THEN
+          has_org_read := public.cli_check_permission(
+            permission_key := public.rbac_perm_app_read(),
+            org_id := orgid,
+            app_id := fallback_app_id
+          );
+        END IF;
+      END IF;
+    END IF;
+  END IF;
+
+  IF NOT has_org_read THEN
+    messages := array_append(messages, jsonb_build_object(
+      'message', 'API key does not have read access to this organization',
+      'fatal', true
+    ));
+    RETURN messages;
+  END IF;
+
+  IF (
+    public.is_paying_and_good_plan_org_action(orgid, ARRAY['mau']::public.action_type[]) = true
+    AND public.is_paying_and_good_plan_org_action(orgid, ARRAY['bandwidth']::public.action_type[]) = true
+    AND public.is_paying_and_good_plan_org_action(orgid, ARRAY['storage']::public.action_type[]) = false
+  ) THEN
+    messages := array_append(messages, jsonb_build_object(
+      'message', 'You have exceeded your storage limit.\nUpload will fail, but you can still download your data.\nMAU and bandwidth limits are not exceeded.\nIn order to upload your plan, please upgrade your plan here: https://console.capgo.app/settings/plans.',
+      'fatal', true
+    ));
+  END IF;
+
+  RETURN messages;
+END;
+$$;
+
+ALTER FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") OWNER TO "postgres";
+REVOKE ALL ON FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") TO "anon";
+GRANT EXECUTE ON FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") TO "authenticated";
+GRANT EXECUTE ON FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") TO "service_role";
+COMMENT ON FUNCTION "public"."get_organization_cli_warnings"("orgid" "uuid", "cli_version" "text") IS 'CLI compatibility warning helper backed by RBAC API key bindings. App-scoped V2 keys are accepted for old CLI warning checks when they can read at least one app in the requested org.';
diff --git a/supabase/seed.sql b/supabase/seed.sql
index 52cbdaad34..091fb7ecee 100644
--- a/supabase/seed.sql
+++ b/supabase/seed.sql
@@ -520,42 +520,42 @@ BEGIN
     ('e4f5a6b7-c8d9-4ea0-9f1a-2b3c4d5e6f70', '6aa76066-55ef-4238-ade6-0b32334a4097', 'super_admin'::"public"."user_min_right", null, null),
     ('e5f6a7b8-c9d0-4e1f-9a2b-3c4d5e6f7a82', '6aa76066-55ef-4238-ade6-0b32334a4097', 'super_admin'::"public"."user_min_right", null, null);
 
-    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "mode", "updated_at", "name") VALUES
-    (1, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', 'c591b04e-cf29-4945-b9a0-776d0672061e', 'upload', NOW(), 'admin upload'),
-    (2, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', '67eeaff4-ae4c-49a6-8eb1-0875f5369de1', 'read', NOW(), 'admin read'),
-    (3, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb', 'all', NOW(), 'admin all'),
-    (4, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'c591b04e-cf29-4945-b9a0-776d0672061b', 'upload', NOW(), 'test upload'),
-    (5, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '67eeaff4-ae4c-49a6-8eb1-0875f5369de0', 'read', NOW(), 'test read'),
-    (6, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'ae6e7458-c46d-4c00-aa3b-153b0b8520ea', 'all', NOW(), 'test all'),
-    (7, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '985640ce-4031-4cfd-8095-d1d1066b6b3b', 'write', NOW(), 'test write'),
-    (8, NOW(), '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5', 'ab4d9a98-ec25-4af8-933c-2aae4aa52b85', 'upload', NOW(), 'test2 upload'),
-    (9, NOW(), '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5', 'ac4d9a98-ec25-4af8-933c-2aae4aa52b85', 'all', NOW(), 'test2 all'),
+    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "updated_at", "name") VALUES
+    (1, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', 'c591b04e-cf29-4945-b9a0-776d0672061e', NOW(), 'admin upload'),
+    (2, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', '67eeaff4-ae4c-49a6-8eb1-0875f5369de1', NOW(), 'admin read'),
+    (3, NOW(), 'c591b04e-cf29-4945-b9a0-776d0672061a', 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb', NOW(), 'admin all'),
+    (4, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'c591b04e-cf29-4945-b9a0-776d0672061b', NOW(), 'test upload'),
+    (5, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '67eeaff4-ae4c-49a6-8eb1-0875f5369de0', NOW(), 'test read'),
+    (6, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'ae6e7458-c46d-4c00-aa3b-153b0b8520ea', NOW(), 'test all'),
+    (7, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '985640ce-4031-4cfd-8095-d1d1066b6b3b', NOW(), 'test write'),
+    (8, NOW(), '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5', 'ab4d9a98-ec25-4af8-933c-2aae4aa52b85', NOW(), 'test2 upload'),
+    (9, NOW(), '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5', 'ac4d9a98-ec25-4af8-933c-2aae4aa52b85', NOW(), 'test2 all'),
     -- Dedicated test keys for apikeys.test.ts to avoid interference with other tests
-    (10, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5f', 'upload', NOW(), 'apikey test get by id'),
-    (11, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5g', 'read', NOW(), 'apikey test update name'),
-    (12, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5a', 'all', NOW(), 'apikey test update mode'),
-    (13, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5d', 'write', NOW(), 'apikey test update apps'),
+    (10, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5f', NOW(), 'apikey test get by id'),
+    (11, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5g', NOW(), 'apikey test update name'),
+    (12, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5a', NOW(), 'apikey test update all'),
+    (13, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5d', NOW(), 'apikey test update apps'),
     -- Dedicated user and API key for statistics tests
-    (14, NOW(), '7a1b2c3d-4e5f-4a6b-7c8d-9e0f1a2b3c4d', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5e', 'all', NOW(), 'stats test all'),
+    (14, NOW(), '7a1b2c3d-4e5f-4a6b-7c8d-9e0f1a2b3c4d', '8b2c3d4e-5f6a-4c7b-8d9e-0f1a2b3c4d5e', NOW(), 'stats test all'),
     -- Dedicated user and API key for RLS hashed apikey tests (isolated to prevent interference)
-    (15, NOW(), '8b2c3d4e-5f6a-4b7c-8d9e-0f1a2b3c4d5e', '9c3d4e5f-6a7b-4c8d-9e0f-1a2b3c4d5e6f', 'all', NOW(), 'rls test all'),
+    (15, NOW(), '8b2c3d4e-5f6a-4b7c-8d9e-0f1a2b3c4d5e', '9c3d4e5f-6a7b-4c8d-9e0f-1a2b3c4d5e6f', NOW(), 'rls test all'),
     -- Dedicated user and API key for CLI hashed apikey tests (isolated to prevent interference)
-    (110, NOW(), 'e5f6a7b8-c9d0-4e1f-8a2b-3c4d5e6f7a81', 'a7b8c9d0-e1f2-4a3b-8c4d-5e6f7a8b9c03', 'all', NOW(), 'cli hashed test all'),
+    (110, NOW(), 'e5f6a7b8-c9d0-4e1f-8a2b-3c4d5e6f7a81', 'a7b8c9d0-e1f2-4a3b-8c4d-5e6f7a8b9c03', NOW(), 'cli hashed test all'),
     -- Dedicated user and API key for encrypted bundles tests (isolated to prevent interference)
-    (111, NOW(), 'f6a7b8c9-d0e1-4f2a-9b3c-4d5e6f708193', 'b8c9d0e1-f2a3-4b4c-9d5e-6f7a8b9c0d14', 'all', NOW(), 'encrypted test all');
+    (111, NOW(), 'f6a7b8c9-d0e1-4f2a-9b3c-4d5e6f708193', 'b8c9d0e1-f2a3-4b4c-9d5e-6f7a8b9c0d14', NOW(), 'encrypted test all');
 
     -- Hashed API key for testing (hash of 'test-hashed-apikey-for-auth-test')
     -- Used by 07_auth_functions.sql tests
-    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "key_hash", "mode", "updated_at", "name") VALUES
-    (100, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', NULL, encode(extensions.digest('test-hashed-apikey-for-auth-test', 'sha256'), 'hex'), 'all', NOW(), 'test hashed all');
+    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "key_hash", "updated_at", "name") VALUES
+    (100, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', NULL, encode(extensions.digest('test-hashed-apikey-for-auth-test', 'sha256'), 'hex'), NOW(), 'test hashed all');
 
     -- Expired hashed API key for testing (expired 1 day ago)
-    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "key_hash", "mode", "updated_at", "name", "expires_at") VALUES
-    (101, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', NULL, encode(extensions.digest('expired-hashed-key-for-test', 'sha256'), 'hex'), 'all', NOW(), 'test expired hashed', NOW() - INTERVAL '1 day');
+    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "key_hash", "updated_at", "name", "expires_at") VALUES
+    (101, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', NULL, encode(extensions.digest('expired-hashed-key-for-test', 'sha256'), 'hex'), NOW(), 'test expired hashed', NOW() - INTERVAL '1 day');
 
     -- Expired plain API key for testing (expired 1 day ago)
-    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "mode", "updated_at", "name", "expires_at") VALUES
-    (102, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'expired-plain-key-for-test', 'all', NOW(), 'test expired plain', NOW() - INTERVAL '1 day');
+    INSERT INTO "public"."apikeys" ("id", "created_at", "user_id", "key", "updated_at", "name", "expires_at") VALUES
+    (102, NOW(), '6aa76066-55ef-4238-ade6-0b32334a4097', 'expired-plain-key-for-test', NOW(), 'test expired plain', NOW() - INTERVAL '1 day');
 
     INSERT INTO "public"."apps" ("created_at", "app_id", "icon_url", "name", "last_version", "updated_at", "owner_org", "user_id") VALUES
     (NOW(), 'com.demoadmin.app', '', 'Demo Admin app', '1.0.0', NOW(), '22dbad8a-b885-4309-9b3b-a09f8460fb6d', 'c591b04e-cf29-4945-b9a0-776d0672061a'),
@@ -565,6 +565,107 @@ BEGIN
     (NOW(), 'com.encrypted.app', '', 'Encrypted Test App', '1.0.0', NOW(), 'a7b8c9d0-e1f2-4a3b-9c4d-5e6f7a8b9ca4', 'f6a7b8c9-d0e1-4f2a-9b3c-4d5e6f708193'),
     (NOW(), 'com.test2.app', '', 'Test2 App', '1.0.0', NOW(), '34a8c55d-2d0f-4652-a43f-684c7a9403ac', '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5');
 
+    WITH seed_key_modes (id, key_kind) AS (
+      VALUES
+        (1, 'upload'),
+        (2, 'read'),
+        (3, 'all'),
+        (4, 'upload'),
+        (5, 'read'),
+        (6, 'all'),
+        (7, 'write'),
+        (8, 'upload'),
+        (9, 'all'),
+        (10, 'upload'),
+        (11, 'read'),
+        (12, 'all'),
+        (13, 'write'),
+        (14, 'all'),
+        (15, 'all'),
+        (100, 'all'),
+        (101, 'all'),
+        (102, 'all'),
+        (110, 'all'),
+        (111, 'all')
+    )
+    INSERT INTO public.role_bindings (
+      principal_type,
+      principal_id,
+      role_id,
+      scope_type,
+      org_id,
+      granted_by,
+      reason,
+      is_direct
+    )
+    SELECT
+      public.rbac_principal_apikey(),
+      ak.rbac_id,
+      roles.id,
+      public.rbac_scope_org(),
+      org_memberships.org_id,
+      ak.user_id,
+      'Seeded API key V2 org binding',
+      true
+    FROM seed_key_modes key_modes
+    JOIN public.apikeys ak ON ak.id = key_modes.id
+    JOIN public.org_users org_memberships
+      ON org_memberships.user_id = ak.user_id
+      AND (org_memberships.user_right IS NULL OR org_memberships.user_right::text NOT LIKE 'invite_%')
+    JOIN public.roles roles
+      ON roles.name = CASE
+        WHEN key_modes.key_kind = 'all' THEN public.rbac_role_org_super_admin()
+        ELSE public.rbac_role_org_member()
+      END
+    ON CONFLICT DO NOTHING;
+
+    WITH seed_key_modes (id, key_kind) AS (
+      VALUES
+        (1, 'upload'),
+        (2, 'read'),
+        (4, 'upload'),
+        (5, 'read'),
+        (7, 'write'),
+        (8, 'upload'),
+        (10, 'upload'),
+        (11, 'read'),
+        (13, 'write')
+    )
+    INSERT INTO public.role_bindings (
+      principal_type,
+      principal_id,
+      role_id,
+      scope_type,
+      org_id,
+      app_id,
+      granted_by,
+      reason,
+      is_direct
+    )
+    SELECT
+      public.rbac_principal_apikey(),
+      ak.rbac_id,
+      roles.id,
+      public.rbac_scope_app(),
+      apps.owner_org,
+      apps.id,
+      ak.user_id,
+      'Seeded API key V2 app binding',
+      true
+    FROM seed_key_modes key_modes
+    JOIN public.apikeys ak ON ak.id = key_modes.id
+    JOIN public.org_users org_memberships
+      ON org_memberships.user_id = ak.user_id
+      AND (org_memberships.user_right IS NULL OR org_memberships.user_right::text NOT LIKE 'invite_%')
+    JOIN public.apps apps ON apps.owner_org = org_memberships.org_id
+    JOIN public.roles roles
+      ON roles.name = CASE key_modes.key_kind
+        WHEN 'write' THEN public.rbac_role_app_developer()
+        WHEN 'upload' THEN public.rbac_role_app_uploader()
+        ELSE public.rbac_role_app_reader()
+      END
+    ON CONFLICT DO NOTHING;
+
     INSERT INTO "public"."app_versions" ("id", "created_at", "app_id", "name", "r2_path", "updated_at", "deleted", "external_url", "checksum", "session_key", "storage_provider", "owner_org", "user_id", "comment", "link") VALUES
     (3, NOW(), 'com.demo.app', '1.0.0', 'orgs/046a36ac-e03c-4590-9257-bd6c9dba9ee8/apps/com.demo.app/1.0.0.zip', NOW(), 'f', NULL, '3885ee49', NULL, 'r2', '046a36ac-e03c-4590-9257-bd6c9dba9ee8', '6aa76066-55ef-4238-ade6-0b32334a4097', 'its a test', 'https://capgo.app'),
     (4, NOW(), 'com.demo.app', '1.0.1', 'orgs/046a36ac-e03c-4590-9257-bd6c9dba9ee8/apps/com.demo.app/1.0.1.zip', NOW(), 'f', NULL, '', NULL, 'r2-direct', '046a36ac-e03c-4590-9257-bd6c9dba9ee8', '6aa76066-55ef-4238-ade6-0b32334a4097', 'its a test', 'https://capgo.app'),
@@ -1150,6 +1251,13 @@ BEGIN
     WHERE r.name = public.rbac_role_org_member()
     ON CONFLICT DO NOTHING;
 
+    -- apikey_org_reader: compatibility org metadata read without org-wide app access
+    INSERT INTO public.role_permissions (role_id, permission_id)
+    SELECT r.id, p.id FROM public.roles r
+    JOIN public.permissions p ON p.key = public.rbac_perm_org_read()
+    WHERE r.name = public.rbac_role_apikey_org_reader()
+    ON CONFLICT DO NOTHING;
+
     -- app_admin: full app control
     INSERT INTO public.role_permissions (role_id, permission_id)
     SELECT r.id, p.id FROM public.roles r
diff --git a/supabase/tests/00-supabase_test_helpers.sql b/supabase/tests/00-supabase_test_helpers.sql
index 5e7994be7b..6a178800b0 100644
--- a/supabase/tests/00-supabase_test_helpers.sql
+++ b/supabase/tests/00-supabase_test_helpers.sql
@@ -445,12 +445,140 @@ BEGIN
 END
 $$ LANGUAGE plpgsql;
 
+/**
+    * ### tests.create_v2_apikey(...)
+    *
+    * Creates an API key row and optional RBAC role bindings for V2-only API key tests.
+ */
+CREATE OR REPLACE FUNCTION tests.create_v2_apikey(
+    p_id bigint,
+    p_user_id uuid,
+    p_key text,
+    p_name text,
+    p_org_id uuid DEFAULT NULL,
+    p_org_role text DEFAULT public.rbac_role_org_super_admin(),
+    p_app_app_id character varying DEFAULT NULL,
+    p_app_role text DEFAULT NULL,
+    p_expires_at timestamptz DEFAULT NULL,
+    p_key_hash text DEFAULT NULL
+)
+RETURNS uuid
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+    v_rbac_id uuid;
+    v_role_id uuid;
+    v_app_uuid uuid;
+    v_app_org_id uuid;
+BEGIN
+    IF p_key IS NULL AND p_key_hash IS NULL THEN
+        RAISE EXCEPTION 'tests.create_v2_apikey requires p_key or p_key_hash';
+    END IF;
+
+    INSERT INTO public.apikeys (id, user_id, key, key_hash, name, expires_at)
+    VALUES (p_id, p_user_id, p_key, p_key_hash, p_name, p_expires_at)
+    ON CONFLICT (id) DO UPDATE
+    SET
+        user_id = EXCLUDED.user_id,
+        key = COALESCE(EXCLUDED.key, public.apikeys.key),
+        key_hash = COALESCE(EXCLUDED.key_hash, public.apikeys.key_hash),
+        name = EXCLUDED.name,
+        expires_at = EXCLUDED.expires_at
+    RETURNING rbac_id INTO v_rbac_id;
+
+    IF p_org_id IS NOT NULL AND p_org_role IS NOT NULL THEN
+        SELECT id INTO v_role_id
+        FROM public.roles
+        WHERE name = p_org_role
+        LIMIT 1;
+
+        IF v_role_id IS NULL THEN
+            RAISE EXCEPTION 'Unknown org role: %', p_org_role;
+        END IF;
+
+        INSERT INTO public.role_bindings (
+            principal_type,
+            principal_id,
+            role_id,
+            scope_type,
+            org_id,
+            granted_by,
+            reason,
+            is_direct
+        )
+        VALUES (
+            public.rbac_principal_apikey(),
+            v_rbac_id,
+            v_role_id,
+            public.rbac_scope_org(),
+            p_org_id,
+            p_user_id,
+            'pgTAP V2 API key helper',
+            true
+        )
+        ON CONFLICT DO NOTHING;
+    END IF;
+
+    IF p_app_app_id IS NOT NULL THEN
+        IF p_app_role IS NULL THEN
+            RAISE EXCEPTION 'tests.create_v2_apikey requires p_app_role when p_app_app_id is set';
+        END IF;
+
+        SELECT id, owner_org
+        INTO v_app_uuid, v_app_org_id
+        FROM public.apps
+        WHERE app_id = p_app_app_id
+        LIMIT 1;
+
+        IF v_app_uuid IS NULL THEN
+            RAISE EXCEPTION 'Unknown app_id: %', p_app_app_id;
+        END IF;
+
+        SELECT id INTO v_role_id
+        FROM public.roles
+        WHERE name = p_app_role
+        LIMIT 1;
+
+        IF v_role_id IS NULL THEN
+            RAISE EXCEPTION 'Unknown app role: %', p_app_role;
+        END IF;
+
+        INSERT INTO public.role_bindings (
+            principal_type,
+            principal_id,
+            role_id,
+            scope_type,
+            org_id,
+            app_id,
+            granted_by,
+            reason,
+            is_direct
+        )
+        VALUES (
+            public.rbac_principal_apikey(),
+            v_rbac_id,
+            v_role_id,
+            public.rbac_scope_app(),
+            COALESCE(p_org_id, v_app_org_id),
+            v_app_uuid,
+            p_user_id,
+            'pgTAP V2 API key helper',
+            true
+        )
+        ON CONFLICT DO NOTHING;
+    END IF;
+
+    RETURN v_rbac_id;
+END;
+$$ LANGUAGE plpgsql;
+
 
 -- we have to run some tests to get this to pass as the first test file.
 -- investigating options to make this better.  Maybe a dedicated test harness
 -- but we dont' want these functions to always exist on the database.
 BEGIN;
-SELECT plan(7);
+SELECT plan(8);
 SELECT function_returns('tests', 'create_supabase_user', ARRAY['text', 'text', 'text', 'jsonb'], 'uuid');
 SELECT function_returns('tests', 'get_supabase_uid', ARRAY['text'], 'uuid');
 SELECT function_returns('tests', 'get_supabase_user', ARRAY['text'], 'json');
@@ -458,5 +586,6 @@ SELECT function_returns('tests', 'authenticate_as', ARRAY['text'], 'void');
 SELECT function_returns('tests', 'clear_authentication', ARRAY[null], 'void');
 SELECT function_returns('tests', 'rls_enabled', ARRAY['text', 'text'], 'text');
 SELECT function_returns('tests', 'rls_enabled', ARRAY['text'], 'text');
+SELECT function_returns('tests', 'create_v2_apikey', ARRAY['bigint', 'uuid', 'text', 'text', 'uuid', 'text', 'character varying', 'text', 'timestamp with time zone', 'text'], 'uuid');
 SELECT * FROM finish();
 ROLLBACK;
diff --git a/supabase/tests/04_org_user_functions.sql b/supabase/tests/04_org_user_functions.sql
index fccf5b2f4b..c149308a1e 100644
--- a/supabase/tests/04_org_user_functions.sql
+++ b/supabase/tests/04_org_user_functions.sql
@@ -72,35 +72,21 @@ SELECT tests.authenticate_as('test_user');
 
 SELECT
     is(
-        accept_invitation_to_org(
-            (
-                SELECT id
-                FROM
-                    orgs
-                WHERE
-                    created_by = tests.get_supabase_uid('test_admin')
-            )
-        ),
+        accept_invitation_to_org('22dbad8a-b885-4309-9b3b-a09f8460fb6d'),
         'NO_INVITE',
         'accept_invitation_to_org test - no invite'
     );
 
 SELECT tests.clear_authentication();
 
--- Test 2: Check if the function returns 'INVALID_ROLE' when the user_right is not an invite role
+-- Test 2: Legacy invite input is converted to an RBAC-backed invite row
 SELECT tests.authenticate_as('test_admin');
 
 SELECT
     is(
         invite_user_to_org(
             'test3@capgo.app',
-            (
-                SELECT id
-                FROM
-                    orgs
-                WHERE
-                    created_by = tests.get_supabase_uid('test_admin')
-            ),
+            '22dbad8a-b885-4309-9b3b-a09f8460fb6d',
             'read'
         ),
         'NO_EMAIL',
@@ -116,13 +102,7 @@ SELECT
     is(
         invite_user_to_org(
             'test@capgo.app',
-            (
-                SELECT id
-                FROM
-                    orgs
-                WHERE
-                    created_by = tests.get_supabase_uid('test_admin')
-            ),
+            '22dbad8a-b885-4309-9b3b-a09f8460fb6d',
             'read'
         ),
         'OK',
@@ -135,17 +115,9 @@ SELECT tests.authenticate_as('test_user');
 
 SELECT
     is(
-        accept_invitation_to_org(
-            (
-                SELECT id
-                FROM
-                    orgs
-                WHERE
-                    created_by = tests.get_supabase_uid('test_admin')
-            )
-        ),
-        'INVALID_ROLE',
-        'accept_invitation_to_org test - invalid role'
+        accept_invitation_to_org('22dbad8a-b885-4309-9b3b-a09f8460fb6d'),
+        'OK',
+        'accept_invitation_to_org test - legacy invite input accepted through RBAC wrapper'
     );
 
 SELECT tests.clear_authentication();
@@ -156,7 +128,8 @@ SELECT tests.authenticate_as_service_role();
 
 UPDATE org_users
 SET
-    user_right = 'invite_admin'
+    user_right = 'invite_admin',
+    rbac_role_name = 'org_admin'
 WHERE
     user_id = tests.get_supabase_uid('test_user')
     AND org_id = '22dbad8a-b885-4309-9b3b-a09f8460fb6d';
diff --git a/supabase/tests/07_auth_functions.sql b/supabase/tests/07_auth_functions.sql
index 9f8483f703..205dc0d53c 100644
--- a/supabase/tests/07_auth_functions.sql
+++ b/supabase/tests/07_auth_functions.sql
@@ -79,14 +79,14 @@ SELECT
     is(
         is_allowed_capgkey('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', '{all}'),
         true,
-        'is_allowed_capgkey test - key has correct mode'
+        'is_allowed_capgkey test - key exists'
     );
 
 SELECT
     is(
         is_allowed_capgkey('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', '{read}'),
-        false,
-        'is_allowed_capgkey test - key does not have correct mode'
+        true,
+        'is_allowed_capgkey test - key existence is mode-independent after V2 migration'
     );
 
 SELECT
@@ -105,7 +105,7 @@ SELECT
             'com.demo.app'
         ),
         true,
-        'is_allowed_capgkey test with app_id - key has correct mode and user is app owner'
+        'is_allowed_capgkey test with app_id - key has app RBAC permission'
     );
 
 SELECT
@@ -131,14 +131,14 @@ SELECT
     is(
         is_allowed_capgkey('test-hashed-apikey-for-auth-test', '{all}'),
         true,
-        'is_allowed_capgkey test - hashed key has correct mode'
+        'is_allowed_capgkey test - hashed key exists'
     );
 
 SELECT
     is(
         is_allowed_capgkey('test-hashed-apikey-for-auth-test', '{read}'),
-        false,
-        'is_allowed_capgkey test - hashed key does not have correct mode'
+        true,
+        'is_allowed_capgkey test - hashed key existence is mode-independent after V2 migration'
     );
 
 SELECT
diff --git a/supabase/tests/14_test_apikey.sql b/supabase/tests/14_test_apikey.sql
index e46ba4d4c6..c157463af9 100644
--- a/supabase/tests/14_test_apikey.sql
+++ b/supabase/tests/14_test_apikey.sql
@@ -47,7 +47,7 @@ SELECT
 SELECT
     is(
         get_org_perm_for_apikey(
-            'ac4d9a98-ec25-4af8-933c-2aae4aa52b85',
+            'ab4d9a98-ec25-4af8-933c-2aae4aa52b85',
             'com.demo.app'
         ),
         'perm_upload',
@@ -59,10 +59,18 @@ WHERE
     user_id = '6f0d1a2e-59ed-4769-b9d7-4d9615b28fe5'
     AND org_id = '046a36ac-e03c-4590-9257-bd6c9dba9ee8';
 
+DELETE FROM public.role_bindings
+WHERE principal_type = public.rbac_principal_apikey()
+  AND principal_id = (
+    SELECT rbac_id FROM public.apikeys
+    WHERE key = 'ab4d9a98-ec25-4af8-933c-2aae4aa52b85'
+  )
+  AND org_id = '046a36ac-e03c-4590-9257-bd6c9dba9ee8';
+
 SELECT
     is(
         get_org_perm_for_apikey(
-            'ac4d9a98-ec25-4af8-933c-2aae4aa52b85',
+            'ab4d9a98-ec25-4af8-933c-2aae4aa52b85',
             'com.demo.app'
         ),
         'perm_none',
diff --git a/supabase/tests/19_test_identity_functions.sql b/supabase/tests/19_test_identity_functions.sql
index 9e500d4b89..38a9850940 100644
--- a/supabase/tests/19_test_identity_functions.sql
+++ b/supabase/tests/19_test_identity_functions.sql
@@ -41,8 +41,8 @@ SELECT
 SELECT
     is(
         get_identity_apikey_only('{read}'),
-        null,
-        'get_identity_apikey_only test - returns null when key mode does not match'
+        '6aa76066-55ef-4238-ade6-0b32334a4097',
+        'get_identity_apikey_only test - returns user for valid V2 key regardless of legacy mode argument'
     );
 
 -- Test with read key
@@ -81,8 +81,8 @@ SELECT
 SELECT
     is(
         get_identity_apikey_only('{read}'),
-        null,
-        'get_identity_apikey_only test - returns null when upload key used for read access'
+        'c591b04e-cf29-4945-b9a0-776d0672061a',
+        'get_identity_apikey_only test - returns user for valid upload key regardless of legacy mode argument'
     );
 
 -- Test with invalid API key
diff --git a/supabase/tests/20_test_org_management_functions.sql b/supabase/tests/20_test_org_management_functions.sql
index 0d9adc0825..2355e33ac4 100644
--- a/supabase/tests/20_test_org_management_functions.sql
+++ b/supabase/tests/20_test_org_management_functions.sql
@@ -114,14 +114,7 @@ SELECT
         'get_orgs_v6 API key test - throws correct error message for invalid API key'
     );
 
--- Test 3: API key with limited_to_orgs restrictions
--- Use existing admin all key and temporarily modify it
-UPDATE apikeys
-SET
-    limited_to_orgs = '{"22dbad8a-b885-4309-9b3b-a09f8460fb6d"}'
-WHERE
-    key = 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb';
-
+-- Test 3: V2 API key with org RBAC bindings
 SELECT
     set_config(
         'request.headers',
@@ -136,10 +129,10 @@ SELECT
             FROM
                 get_orgs_v6()
         ) >= 0,
-        'get_orgs_v6 API key test - works with limited_to_orgs API key'
+        'get_orgs_v6 API key test - works with org-bound V2 API key'
     );
 
--- Verify that limited API key only returns allowed orgs
+-- Verify that the V2 API key can see its bound organization
 SELECT
     ok(
         (
@@ -149,16 +142,10 @@ SELECT
             WHERE
                 gid = '22dbad8a-b885-4309-9b3b-a09f8460fb6d'
         ) >= 0,
-        'get_orgs_v6 API key test - limited API key filters organizations correctly'
+        'get_orgs_v6 API key test - V2 API key returns bound organizations'
     );
 
--- Test 4: API key with empty limited_to_orgs (should work normally)
-UPDATE apikeys
-SET
-    limited_to_orgs = '{}'
-WHERE
-    key = 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb';
-
+-- Test 4: V2 API key can be reused across calls
 SELECT
     set_config(
         'request.headers',
@@ -173,16 +160,10 @@ SELECT
             FROM
                 get_orgs_v6()
         ) >= 0,
-        'get_orgs_v6 API key test - API key with empty limitations works normally'
+        'get_orgs_v6 API key test - V2 API key works normally'
     );
 
--- Test 5: API key with NULL limited_to_orgs (should work normally like empty array)
-UPDATE apikeys
-SET
-    limited_to_orgs = NULL
-WHERE
-    key = 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb';
-
+-- Test 5: V2 API key without legacy scope columns continues to work
 SELECT
     set_config(
         'request.headers',
@@ -197,7 +178,7 @@ SELECT
             FROM
                 get_orgs_v6()
         ) >= 0,
-        'get_orgs_v6 API key test - API key with NULL limitations works normally'
+        'get_orgs_v6 API key test - API key without legacy limitations works normally'
     );
 
 -- Test 6: No API key header (should fall back to identity and throw error)
@@ -220,13 +201,6 @@ SELECT
         'get_orgs_v6 API key test - throws correct error when null headers'
     );
 
--- Reset the test key back to no limitations
-UPDATE apikeys
-SET
-    limited_to_orgs = '{}'
-WHERE
-    key = 'ae6e7458-c46d-4c00-aa3b-153b0b8520eb';
-
 -- Test get_org_members
 SELECT tests.authenticate_as('test_admin');
 
@@ -512,14 +486,13 @@ SELECT
         'get_organization_cli_warnings test - returns single warning for invalid API key'
     );
 
--- Test 2b: RBAC v2 path — NULL-mode apikey with org_member binding gets org.read.
+-- Test 2b: RBAC v2 path — apikey with an org binding gets org.read.
 -- Owned by the legacy fixture user (super_admin of the test org). In this
 -- codebase's RBAC v2 model the apikey binding mirrors the user's right (see
 -- supabase/functions/_backend/public/apikey/post.ts where the apikey creation
--- flow auto-inserts org_member bindings to "carry" org.read alongside any
--- app-level bindings). The fix this test guards proves the mode=NULL path
--- still resolves correctly through cli_check_permission rather than failing
--- in get_identity_apikey_only as it did before.
+-- flow auto-inserts an org-read compatibility binding alongside app-level
+-- bindings). The fix this test guards proves the V2 path still
+-- resolves correctly through cli_check_permission after V1 mode is removed.
 SELECT tests.clear_authentication();
 SELECT tests.authenticate_as_service_role();
 
@@ -530,16 +503,17 @@ DECLARE
     v_org_member_role_id uuid;
     v_app_uploader_role_id uuid;
     v_demoadmin_app_uuid uuid;
+    v_demo_app_uuid uuid;
+    v_demo_app_org_id uuid;
 BEGIN
     SELECT user_id INTO v_user_id FROM public.apikeys
     WHERE key = '67eeaff4-ae4c-49a6-8eb1-0875f5369de1';
 
-    INSERT INTO public.apikeys (id, user_id, key, mode, name)
+    INSERT INTO public.apikeys (id, user_id, key, name)
     VALUES (
         99020001,
         v_user_id,
         'rbac-v2-cli-warnings-test-key',
-        NULL,
         'rbac-v2-cli-warnings-test'
     )
     RETURNING rbac_id INTO v_apikey_rbac_id;
@@ -556,6 +530,11 @@ BEGIN
     FROM public.apps
     WHERE app_id = 'com.demoadmin.app';
 
+    SELECT id, owner_org
+    INTO v_demo_app_uuid, v_demo_app_org_id
+    FROM public.apps
+    WHERE app_id = 'com.demo.app';
+
     INSERT INTO public.role_bindings (
         principal_type, principal_id, role_id, scope_type, org_id, granted_by
     )
@@ -568,34 +547,20 @@ BEGIN
         v_user_id
     );
 
-    -- App-scoped RBAC v2 key with org_member + app_uploader bindings. This
-    -- mirrors the org API key UI when an API key is limited to one app.
+    -- App-scoped RBAC v2 key with only an app_uploader binding. Existing CLIs
+    -- call the warning RPC with only org id, so the RPC must bridge through an
+    -- app in the requested org instead of relying on removed V1 scope columns.
     INSERT INTO public.apikeys (
-        id, user_id, key, mode, name, limited_to_orgs, limited_to_apps
+        id, user_id, key, name
     )
     VALUES (
         99020004,
         v_user_id,
         'rbac-v2-cli-warnings-test-key-app-scoped',
-        NULL,
-        'rbac-v2-cli-warnings-test-app-scoped',
-        ARRAY['22dbad8a-b885-4309-9b3b-a09f8460fb6d'::uuid],
-        ARRAY['com.demoadmin.app']
+        'rbac-v2-cli-warnings-test-app-scoped'
     )
     RETURNING rbac_id INTO v_apikey_rbac_id;
 
-    INSERT INTO public.role_bindings (
-        principal_type, principal_id, role_id, scope_type, org_id, granted_by
-    )
-    VALUES (
-        'apikey',
-        v_apikey_rbac_id,
-        v_org_member_role_id,
-        'org',
-        '22dbad8a-b885-4309-9b3b-a09f8460fb6d',
-        v_user_id
-    );
-
     INSERT INTO public.role_bindings (
         principal_type, principal_id, role_id, scope_type, org_id, app_id,
         granted_by
@@ -610,55 +575,49 @@ BEGIN
         v_user_id
     );
 
-    -- App-scoped key whose only limited app belongs to another org. The fallback
+    -- App-scoped key whose only app binding belongs to another org. The fallback
     -- must not turn this into org read access for the requested org.
     INSERT INTO public.apikeys (
-        id, user_id, key, mode, name, limited_to_orgs, limited_to_apps
+        id, user_id, key, name
     )
     VALUES (
         99020005,
         v_user_id,
         'rbac-v2-cli-warnings-test-key-app-scoped-away',
-        NULL,
-        'rbac-v2-cli-warnings-test-app-scoped-away',
-        ARRAY['22dbad8a-b885-4309-9b3b-a09f8460fb6d'::uuid],
-        ARRAY['com.demo.app']
+        'rbac-v2-cli-warnings-test-app-scoped-away'
     )
     RETURNING rbac_id INTO v_apikey_rbac_id;
 
     INSERT INTO public.role_bindings (
-        principal_type, principal_id, role_id, scope_type, org_id, granted_by
+        principal_type, principal_id, role_id, scope_type, org_id, app_id,
+        granted_by
     )
     VALUES (
         'apikey',
         v_apikey_rbac_id,
-        v_org_member_role_id,
-        'org',
-        '22dbad8a-b885-4309-9b3b-a09f8460fb6d',
+        v_app_uploader_role_id,
+        'app',
+        v_demo_app_org_id,
+        v_demo_app_uuid,
         v_user_id
     );
 
-    -- Second RBAC v2 key SCOPED away from the test org via limited_to_orgs.
-    -- The owning user is super_admin of the test org, so we can't rely on
-    -- absence of bindings alone to deny access; limited_to_orgs restricts
-    -- the key away from the test org even though the user has broader rights.
-    INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
+    -- Second RBAC v2 key without bindings for the test org. The owning user is
+    -- super_admin of the test org, so the API key must not inherit user rights.
+    INSERT INTO public.apikeys (id, user_id, key, name)
     VALUES (
         99020002,
         v_user_id,
         'rbac-v2-cli-warnings-test-key-no-binding',
-        NULL,
-        'rbac-v2-cli-warnings-test-no-binding',
-        ARRAY['00000000-0000-0000-0000-000000000001'::uuid]
+        'rbac-v2-cli-warnings-test-no-binding'
     );
 
     -- Expired RBAC v2 key (with a valid binding) — expiry must override the binding
-    INSERT INTO public.apikeys (id, user_id, key, mode, name, expires_at)
+    INSERT INTO public.apikeys (id, user_id, key, name, expires_at)
     VALUES (
         99020003,
         v_user_id,
         'rbac-v2-cli-warnings-test-key-expired',
-        NULL,
         'rbac-v2-cli-warnings-test-expired',
         NOW() - INTERVAL '1 day'
     )
@@ -694,7 +653,7 @@ SELECT ok(
         ) AS msg
         WHERE msg->>'message' = 'API key does not have read access to this organization'
     ),
-    'get_organization_cli_warnings RBAC v2 - NULL-mode key with org.read binding has no fatal no-read-access warning'
+    'get_organization_cli_warnings RBAC v2 - key with org.read binding has no fatal no-read-access warning'
 );
 
 -- Case A2: RBAC v2 key limited to this org and app - expect NO fatal warning.
@@ -758,7 +717,7 @@ SELECT ok(
         WHERE msg->>'message' = 'API key does not have read access to this organization'
           AND (msg->>'fatal')::boolean = true
     ),
-    'get_organization_cli_warnings RBAC v2 - NULL-mode key scoped away from this org returns fatal no-read-access warning'
+    'get_organization_cli_warnings RBAC v2 - key without org binding returns fatal no-read-access warning'
 );
 
 -- Case C: Expired RBAC v2 key (even with a valid binding) — expect the fatal warning
diff --git a/supabase/tests/26_test_rls_policies.sql b/supabase/tests/26_test_rls_policies.sql
index 9b4e6a195a..6fc069e15b 100644
--- a/supabase/tests/26_test_rls_policies.sql
+++ b/supabase/tests/26_test_rls_policies.sql
@@ -3,7 +3,7 @@
 BEGIN;
 
 -- Plan the number of tests
-SELECT plan(43);
+SELECT plan(44);
 
 -- Test app_versions policies
 SELECT
@@ -14,8 +14,7 @@ SELECT
             'Allow all for auth (super_admin+)',
             'Allow for auth, api keys (read+)',
             'Allow insert for api keys (write,all,upload) (upload+)',
-            'Allow update for auth (write+)',
-            'Allow update for api keys (write,all,upload) (upload+)',
+            'Allow update for auth and api keys',
             'Prevent non 2FA access'
         ],
         'app_versions should have correct policies'
@@ -51,7 +50,6 @@ SELECT
         'public',
         'stats',
         ARRAY[
-            'Allow apikey to read',
             'Allow read for auth (read+)'
         ],
         'stats should have correct policies'
@@ -102,13 +100,37 @@ SELECT
         'channel_permission_overrides should expose only one permissive SELECT path for authenticated'
     );
 
+SELECT
+    is(
+        (
+            SELECT count(*)
+            FROM (
+                SELECT
+                    schemaname,
+                    tablename,
+                    cmd
+                FROM pg_policies
+                WHERE
+                    schemaname = 'public'
+                    AND permissive = 'PERMISSIVE'
+                GROUP BY
+                    schemaname,
+                    tablename,
+                    cmd
+                HAVING count(*) > 1
+            ) duplicate_public_policies
+        ),
+        0::bigint,
+        'public RLS should not have duplicate permissive policies for the same table operation'
+    );
+
 -- Test orgs policies
 SELECT
     policies_are(
         'public',
         'orgs',
         ARRAY[
-            'Allow insert org for apikey or user',
+            'Allow insert org for user',
             'Allow org delete for super_admin',
             'Allow select for auth, api keys (read+)',
             'Allow update for auth (admin+)',
@@ -359,9 +381,9 @@ SELECT
         'apikeys',
         ARRAY[
             'Allow owner to delete own apikeys',
-            'Allow owner to insert own apikeys',
             'Allow owner to select own apikeys',
             'Allow owner to update own apikeys',
+            'Deny client insert on apikeys',
             'Prevent non 2FA access'
         ],
         'apikeys should have correct policies'
diff --git a/supabase/tests/28_test_org_creation_apikey.sql b/supabase/tests/28_test_org_creation_apikey.sql
index 2d43fc2ff3..e1e5034852 100644
--- a/supabase/tests/28_test_org_creation_apikey.sql
+++ b/supabase/tests/28_test_org_creation_apikey.sql
@@ -1,6 +1,6 @@
 -- Reproduce org creation behavior with API key vs JWT (RLS)
 -- This test isolates the INSERT INTO public.orgs policy behavior
--- Expectation: INSERT with API key context (anon role + capgkey header) succeeds when created_by matches API key user
+-- Expectation: INSERT with API key context (anon role + capgkey header) is rejected.
 --              INSERT with JWT-authenticated context succeeds when user is authenticated
 BEGIN;
 
@@ -9,7 +9,7 @@ BEGIN;
 -- USER_ID: 6aa76066-55ef-4238-ade6-0b32334a4097
 SELECT plan(3);
 
--- Test 1: Create an org using API key context (anon role + capgkey header)
+-- Test 1: API key identity compatibility remains, but org creation is JWT-only.
 -- Set up the API key context first
 DO $$
 BEGIN
@@ -24,34 +24,28 @@ SELECT
         'get_identity function works with API key - prerequisite check'
     );
 
--- Since manual tests work but pgTAP context doesn't preserve role/headers, 
--- test that the policy logic itself is correct by checking the condition
 DO $$
 DECLARE
-  result_check boolean;
+  captured_sqlstate text;
 BEGIN
   SET LOCAL role TO anon;
   PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
-  
-  -- Check if the policy condition would pass
-  SELECT ('6aa76066-55ef-4238-ade6-0b32334a4097'::uuid = public.get_identity('{write,all}')) INTO result_check;
-  
-  IF result_check THEN
+
+  BEGIN
     INSERT INTO public.orgs (created_by, name, management_email)
     VALUES ('6aa76066-55ef-4238-ade6-0b32334a4097', 'SQL Apikey Org', 'test@capgo.app');
-    RAISE NOTICE 'API key insert test passed';
-  ELSE
-    RAISE EXCEPTION 'API key policy condition failed';
-  END IF;
-EXCEPTION
-  WHEN OTHERS THEN
-    RAISE EXCEPTION 'API key insert failed: %', SQLERRM;
+  EXCEPTION WHEN OTHERS THEN
+    captured_sqlstate := SQLSTATE;
+  END;
+
+  PERFORM set_config('tests.org_creation_apikey_sqlstate', COALESCE(captured_sqlstate, 'success'), true);
 END $$;
 
 SELECT
-    ok(
-        true,
-        'API key insert succeeded when created_by matches API key user'
+    is(
+        current_setting('tests.org_creation_apikey_sqlstate', true),
+        '42501',
+        'API key insert is rejected for JWT-only org creation'
     );
 
 -- Test 2: Create an org using JWT-authenticated context 
@@ -81,7 +75,18 @@ EXCEPTION
     RAISE EXCEPTION 'Authenticated insert failed: %', SQLERRM;
 END $$;
 
-SELECT ok(true, 'Authenticated user insert succeeded');
+SELECT tests.authenticate_as_service_role();
+
+SELECT
+    ok(
+        EXISTS (
+            SELECT 1
+            FROM public.orgs
+            WHERE created_by = '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid
+              AND name = 'SQL JWT Org'
+        ),
+        'Authenticated user insert succeeded'
+    );
 
 -- Finish
 SELECT *
diff --git a/supabase/tests/33_test_rbac_phase1.sql b/supabase/tests/33_test_rbac_phase1.sql
index 5bdc406111..167f643535 100644
--- a/supabase/tests/33_test_rbac_phase1.sql
+++ b/supabase/tests/33_test_rbac_phase1.sql
@@ -88,7 +88,7 @@ SELECT
 FROM seed_data
 ON CONFLICT (id) DO NOTHING;
 
--- Legacy app + membership (exercises fallback path)
+-- Compatibility app + membership (org_users insert syncs into RBAC)
 WITH seed_data AS (
     SELECT
         '33333333-3333-4333-8333-333333333333'::uuid AS admin_user,
@@ -182,13 +182,12 @@ WITH seed_data AS (
         'rbac-test-key-phase1'::text AS api_key_value
 )
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name)
-SELECT
+SELECT tests.create_v2_apikey(
     33001,
     member_user,
     api_key_value,
-    'all'::public.key_mode,
     'rbac-test-apikey'
+)
 FROM seed_data;
 
 -- Restricted API key principal owned by an org admin. The explicit key binding
@@ -199,13 +198,12 @@ WITH seed_data AS (
         'rbac-test-restricted-key-phase1'::text AS api_key_value
 )
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name)
-SELECT
+SELECT tests.create_v2_apikey(
     33002,
     member_user,
     api_key_value,
-    'all'::public.key_mode,
     'rbac-test-restricted-apikey'
+)
 FROM seed_data;
 
 -- RBAC bindings (org_admin to user, app_admin to apikey)
@@ -322,7 +320,7 @@ WHERE
     api.key = api_key_value
     AND r.name = public.rbac_role_org_member();
 
--- 1) Legacy path still works when RBAC flag is off
+-- 1) org_users compatibility writes are synced into RBAC even when the old flag is false
 SELECT
     ok(
         public.rbac_check_permission_direct(
@@ -333,7 +331,7 @@ SELECT
             null::bigint,
             null::varchar
         ),
-        'Legacy org_users rights honored when RBAC disabled'
+        'org_users compatibility write grants RBAC permission'
     );
 
 -- 2) RBAC grants org_admin via role_binding (no org_users row)
@@ -422,13 +420,13 @@ SELECT
 SELECT tests.authenticate_as_service_role();
 SELECT set_config('request.headers', '{}', true);
 
--- 6) Disabling RBAC removes RBAC-granted access when no legacy rights exist
+-- 6) The old RBAC flag is now compatibility-only; RBAC grants remain authoritative
 UPDATE public.orgs SET use_new_rbac = false
 WHERE id = '22222222-2222-4222-8222-222222222222';
 
 SELECT
     ok(
-        NOT public.rbac_check_permission_direct(
+        public.rbac_check_permission_direct(
             'org.update_user_roles',
             '44444444-4444-4444-8444-444444444444',
             '22222222-2222-4222-8222-222222222222',
@@ -436,7 +434,7 @@ SELECT
             null::bigint,
             null::varchar
         ),
-        'RBAC-disabled org falls back to legacy (no rights without org_users row)'
+        'RBAC compatibility flag does not disable role bindings'
     );
 
 UPDATE public.orgs SET use_new_rbac = true
diff --git a/supabase/tests/37_test_check_min_rights_2fa_enforcement.sql b/supabase/tests/37_test_check_min_rights_2fa_enforcement.sql
index bfd70cc4ee..60d827bf18 100644
--- a/supabase/tests/37_test_check_min_rights_2fa_enforcement.sql
+++ b/supabase/tests/37_test_check_min_rights_2fa_enforcement.sql
@@ -42,11 +42,11 @@ BEGIN
     test_unverified_2fa_user_id := tests.get_supabase_uid('test_unverified_2fa_user');
     test_admin_id := tests.get_supabase_uid('test_admin');
 
-    -- Create org WITH 2FA enforcement (use_new_rbac = false: preserves legacy check_min_rights coverage)
+    -- Create org WITH 2FA enforcement while the compatibility flag is false.
     INSERT INTO public.orgs (id, created_by, name, management_email, enforcing_2fa, use_new_rbac)
     VALUES (org_with_2fa_enforcement_id, test_admin_id, '2FA Enforced Org', '2fa@org.com', true, false);
 
-    -- Create org WITHOUT 2FA enforcement (use_new_rbac = false: preserves legacy check_min_rights coverage)
+    -- Create org WITHOUT 2FA enforcement while the compatibility flag is false.
     INSERT INTO public.orgs (id, created_by, name, management_email, enforcing_2fa, use_new_rbac)
     VALUES (org_without_2fa_enforcement_id, test_admin_id, 'No 2FA Org', 'no2fa@org.com', false, false);
 
@@ -55,14 +55,14 @@ BEGIN
     INSERT INTO public.org_users (org_id, user_id, user_right)
     VALUES 
         (org_with_2fa_enforcement_id, test_2fa_user_id, 'admin'::public.user_min_right),
-        (org_with_2fa_enforcement_id, test_no_2fa_user_id, 'write'::public.user_min_right),
+        (org_with_2fa_enforcement_id, test_no_2fa_user_id, 'admin'::public.user_min_right),
         (org_with_2fa_enforcement_id, test_unverified_2fa_user_id, 'admin'::public.user_min_right);
 
     -- Add members to org WITHOUT 2FA enforcement
     INSERT INTO public.org_users (org_id, user_id, user_right)
     VALUES 
         (org_without_2fa_enforcement_id, test_2fa_user_id, 'read'::public.user_min_right),
-        (org_without_2fa_enforcement_id, test_no_2fa_user_id, 'write'::public.user_min_right),
+        (org_without_2fa_enforcement_id, test_no_2fa_user_id, 'admin'::public.user_min_right),
         (org_without_2fa_enforcement_id, test_unverified_2fa_user_id, 'admin'::public.user_min_right);
 
     -- Store org IDs for later use
diff --git a/supabase/tests/40_test_password_policy_enforcement.sql b/supabase/tests/40_test_password_policy_enforcement.sql
index c324af48ec..8419d06873 100644
--- a/supabase/tests/40_test_password_policy_enforcement.sql
+++ b/supabase/tests/40_test_password_policy_enforcement.sql
@@ -46,7 +46,7 @@ BEGIN
     -- Define password policy config
     policy_config := '{"enabled": true, "min_length": 10, "require_uppercase": true, "require_number": true, "require_special": true}'::jsonb;
 
-    -- Create org WITH password policy enforcement (use_new_rbac = false: preserves legacy check_min_rights coverage)
+    -- Create org WITH password policy enforcement while the compatibility flag is false.
     INSERT INTO public.orgs (id, created_by, name, management_email, password_policy_config, use_new_rbac)
     VALUES (
         org_with_pwd_policy_id,
@@ -57,7 +57,7 @@ BEGIN
         false
     );
 
-    -- Create org WITHOUT password policy enforcement (use_new_rbac = false: preserves legacy check_min_rights coverage)
+    -- Create org WITHOUT password policy enforcement while the compatibility flag is false.
     INSERT INTO public.orgs (id, created_by, name, management_email, password_policy_config, use_new_rbac)
     VALUES (
         org_without_pwd_policy_id,
@@ -72,13 +72,13 @@ BEGIN
     INSERT INTO public.org_users (org_id, user_id, user_right)
     VALUES
         (org_with_pwd_policy_id, compliant_user_id, 'admin'::public.user_min_right),
-        (org_with_pwd_policy_id, noncompliant_user_id, 'write'::public.user_min_right);
+        (org_with_pwd_policy_id, noncompliant_user_id, 'admin'::public.user_min_right);
 
     -- Add members to org WITHOUT password policy
     INSERT INTO public.org_users (org_id, user_id, user_right)
     VALUES
         (org_without_pwd_policy_id, compliant_user_id, 'read'::public.user_min_right),
-        (org_without_pwd_policy_id, noncompliant_user_id, 'write'::public.user_min_right);
+        (org_without_pwd_policy_id, noncompliant_user_id, 'admin'::public.user_min_right);
 
     -- Add compliance record for the compliant user (password verified)
     -- This simulates a user who has successfully validated their password via the backend
@@ -269,7 +269,7 @@ BEGIN
     test_admin_id := tests.get_supabase_uid('test_admin');
     noncompliant_user_id := tests.get_supabase_uid('test_pwd_noncompliant_user');
 
-    -- use_new_rbac = false: preserves legacy check_min_rights coverage
+    -- use_new_rbac = false verifies the compatibility flag does not disable RBAC checks.
     INSERT INTO public.orgs (id, created_by, name, management_email, password_policy_config, use_new_rbac)
     VALUES (
         org_disabled_policy_id,
@@ -281,7 +281,7 @@ BEGIN
     );
 
     INSERT INTO public.org_users (org_id, user_id, user_right)
-    VALUES (org_disabled_policy_id, noncompliant_user_id, 'write'::public.user_min_right);
+    VALUES (org_disabled_policy_id, noncompliant_user_id, 'admin'::public.user_min_right);
 
     PERFORM set_config('test.org_disabled_policy', org_disabled_policy_id::text, false);
 END $$;
diff --git a/supabase/tests/41_test_reject_access_due_to_2fa_for_app.sql b/supabase/tests/41_test_reject_access_due_to_2fa_for_app.sql
index 32896c0aeb..9fb479aa4c 100644
--- a/supabase/tests/41_test_reject_access_due_to_2fa_for_app.sql
+++ b/supabase/tests/41_test_reject_access_due_to_2fa_for_app.sql
@@ -77,23 +77,38 @@ BEGIN
     PERFORM set_config('test.app_without_2fa', 'com.test.no2fa.app', false);
 
     -- Create API key for test_2fa_user_app (use high IDs to avoid conflicts)
-    INSERT INTO public.apikeys (id, user_id, key, mode, name)
-    VALUES (
+    PERFORM tests.create_v2_apikey(
         9001,
         test_2fa_user_id,
         'test-2fa-apikey-for-app',
-        'all'::public.key_mode,
-        'Test 2FA API Key'
+        'Test 2FA API Key',
+        org_with_2fa_enforcement_id,
+        public.rbac_role_org_super_admin(),
+        'com.test.2fa.enforced.app',
+        public.rbac_role_app_admin()
     );
 
     -- Create API key for test_no_2fa_user_app
-    INSERT INTO public.apikeys (id, user_id, key, mode, name)
-    VALUES (
+    PERFORM tests.create_v2_apikey(
+        9002,
+        test_no_2fa_user_id,
+        'test-no2fa-apikey-for-app',
+        'Test No 2FA API Key',
+        org_with_2fa_enforcement_id,
+        public.rbac_role_org_super_admin(),
+        'com.test.2fa.enforced.app',
+        public.rbac_role_app_admin()
+    );
+
+    PERFORM tests.create_v2_apikey(
         9002,
         test_no_2fa_user_id,
         'test-no2fa-apikey-for-app',
-        'all'::public.key_mode,
-        'Test No 2FA API Key'
+        'Test No 2FA API Key',
+        org_without_2fa_enforcement_id,
+        public.rbac_role_org_super_admin(),
+        'com.test.no2fa.app',
+        public.rbac_role_app_admin()
     );
 END $$;
 
diff --git a/supabase/tests/42_test_apikey_expiration.sql b/supabase/tests/42_test_apikey_expiration.sql
index e2cab4f613..c787eba127 100644
--- a/supabase/tests/42_test_apikey_expiration.sql
+++ b/supabase/tests/42_test_apikey_expiration.sql
@@ -61,14 +61,13 @@ SELECT
 -- =============================================================================
 
 -- Create test API keys with different expiration dates
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at)
+INSERT INTO apikeys (id, user_id, key, name, expires_at)
 VALUES
 -- Key expired 31 days ago (should be deleted)
 (
     99901,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-expired-31d',
-    'all',
     'Test Expired 31 days',
     now() - interval '31 days'
 ),
@@ -77,7 +76,6 @@ VALUES
     99902,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-expired-35d',
-    'all',
     'Test Expired 35 days',
     now() - interval '35 days'
 ),
@@ -86,7 +84,6 @@ VALUES
     99903,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-expired-29d',
-    'all',
     'Test Expired 29 days',
     now() - interval '29 days'
 ),
@@ -95,7 +92,6 @@ VALUES
     99904,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-expired-1d',
-    'all',
     'Test Expired 1 day',
     now() - interval '1 day'
 ),
@@ -104,7 +100,6 @@ VALUES
     99905,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-not-expired',
-    'all',
     'Test Not Expired',
     now() + interval '30 days'
 ),
@@ -113,7 +108,6 @@ VALUES
     99906,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-no-expiry',
-    'all',
     'Test No Expiry',
     NULL
 );
@@ -205,25 +199,23 @@ SELECT
 -- =============================================================================
 
 -- Create a test expired API key
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at)
+INSERT INTO apikeys (id, user_id, key, name, expires_at)
 VALUES
 (
     99907,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-for-identity-expired',
-    'all',
     'Test Identity Expired',
     now() - interval '1 day'
 );
 
 -- Create a test valid API key
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at)
+INSERT INTO apikeys (id, user_id, key, name, expires_at)
 VALUES
 (
     99908,
     '6aa76066-55ef-4238-ade6-0b32334a4097',
     'test-key-for-identity-valid',
-    'all',
     'Test Identity Valid',
     now() + interval '30 days'
 );
@@ -288,22 +280,27 @@ END $$;
 SELECT tests.authenticate_as_service_role();
 
 -- Create test API keys for get_orgs_v6 tests
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at)
-VALUES
-(
+SELECT tests.create_v2_apikey(
     99909,
-    '6aa76066-55ef-4238-ade6-0b32334a4097',
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
     'test-key-orgs-expired',
-    'all',
     'Test Orgs Expired',
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
     now() - interval '1 day'
-),
-(
+);
+
+SELECT tests.create_v2_apikey(
     99910,
-    '6aa76066-55ef-4238-ade6-0b32334a4097',
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
     'test-key-orgs-valid',
-    'all',
     'Test Orgs Valid',
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
     now() + interval '30 days'
 );
 
@@ -336,14 +333,15 @@ SELECT
     );
 
 -- Test 20: get_orgs_v6 with no expiration key should work
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at)
-VALUES
-(
+SELECT tests.create_v2_apikey(
     99911,
-    '6aa76066-55ef-4238-ade6-0b32334a4097',
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
     'test-key-orgs-no-expiry',
-    'all',
     'Test Orgs No Expiry',
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
     NULL
 );
 
@@ -368,17 +366,17 @@ END $$;
 -- Test organization API key policy columns
 -- =============================================================================
 
--- Test 21: get_orgs_v6 with expired key AND limited_to_orgs should also reject
-INSERT INTO apikeys (id, user_id, key, mode, name, expires_at, limited_to_orgs)
-VALUES
-(
+-- Test 21: get_orgs_v6 with expired org-bound key should also reject
+SELECT tests.create_v2_apikey(
     99912,
-    '6aa76066-55ef-4238-ade6-0b32334a4097',
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
     'test-key-orgs-expired-limited',
-    'all',
     'Test Orgs Expired Limited',
-    now() - interval '1 day',
-    '{046a36ac-e03c-4590-9257-bd6c9dba9ee8}'
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
+    now() - interval '1 day'
 );
 
 DO $$
@@ -391,7 +389,7 @@ SELECT
         'SELECT * FROM get_orgs_v6()',
         'P0001',
         'API key has expired',
-        'get_orgs_v6: Raises exception for expired API key with limited_to_orgs'
+        'get_orgs_v6: Raises exception for expired org-bound API key'
     );
 
 -- Reset headers
@@ -443,70 +441,60 @@ SELECT
         'get_user_org_ids: Returns results for valid (not expired) API key'
     );
 
--- Test 25: Unscoped keys must honor expiration-required org memberships
+-- Test 25: Scoped V2 keys must honor expiration-required org bindings
 UPDATE orgs
 SET
     require_apikey_expiration = TRUE,
     max_apikey_expiration_days = 30
 WHERE id = '046a36ac-e03c-4590-9257-bd6c9dba9ee8';
 
+SELECT tests.create_v2_apikey(
+    99913,
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
+    'test-scoped-key-missing-expiration',
+    'Test scoped missing expiration',
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
+    now() + interval '1 day'
+);
+
 SELECT
     throws_ok(
         $$
-        INSERT INTO apikeys (
-            id,
-            user_id,
-            key,
-            mode,
-            name,
-            expires_at,
-            limited_to_orgs,
-            limited_to_apps
-        )
-        VALUES (
-            99913,
-            '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
-            'test-unscoped-key-missing-expiration',
-            'all',
-            'Test unscoped missing expiration',
-            NULL,
-            '{}'::uuid[],
-            '{}'::text[]
-        )
+        UPDATE apikeys
+        SET expires_at = NULL
+        WHERE id = 99913
         $$,
         'P0001',
         'expiration_required',
-        'enforce_apikey_expiration_policy: unscoped keys inherit membership expiration requirement'
+        'enforce_apikey_expiration_policy: scoped V2 keys honor org expiration requirement'
     );
 
--- Test 26: Unscoped keys must honor max expiration days from org memberships
+-- Test 26: Scoped V2 keys must honor max expiration days from org bindings
+SELECT tests.create_v2_apikey(
+    99914,
+    '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
+    'test-scoped-key-too-long-expiration',
+    'Test scoped too long expiration',
+    '046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid,
+    public.rbac_role_org_super_admin(),
+    NULL,
+    NULL,
+    now() + interval '1 day'
+);
+
 SELECT
     throws_ok(
         $$
-        INSERT INTO apikeys (
-            id,
-            user_id,
-            key,
-            mode,
-            name,
-            expires_at,
-            limited_to_orgs,
-            limited_to_apps
-        )
-        VALUES (
-            99914,
-            '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
-            'test-unscoped-key-too-long-expiration',
-            'all',
-            'Test unscoped too long expiration',
-            now() + interval '31 days',
-            '{}'::uuid[],
-            '{}'::text[]
-        )
+        UPDATE apikeys
+        SET expires_at = now() + interval '31 days'
+        WHERE id = 99914
         $$,
         'P0001',
         'expiration_exceeds_max',
-        'enforce_apikey_expiration_policy: unscoped keys inherit membership max expiration days'
+        'enforce_apikey_expiration_policy: scoped V2 keys honor max expiration days'
     );
 
 SELECT *
diff --git a/supabase/tests/42_test_reject_access_due_to_2fa_for_org.sql b/supabase/tests/42_test_reject_access_due_to_2fa_for_org.sql
index 74d9a859d5..9bdf3e735e 100644
--- a/supabase/tests/42_test_reject_access_due_to_2fa_for_org.sql
+++ b/supabase/tests/42_test_reject_access_due_to_2fa_for_org.sql
@@ -67,34 +67,42 @@ BEGIN
     PERFORM set_config('test.org_without_2fa_direct', org_without_2fa_enforcement_id::text, false);
 
     -- Create API key for test_2fa_user_org (use high IDs to avoid conflicts)
-    INSERT INTO public.apikeys (id, user_id, key, mode, name)
-    VALUES (
+    PERFORM tests.create_v2_apikey(
         9003,
         test_2fa_user_id,
         'test-2fa-apikey-for-org',
-        'all'::public.key_mode,
-        'Test 2FA API Key Org'
+        'Test 2FA API Key Org',
+        org_with_2fa_enforcement_id,
+        public.rbac_role_org_super_admin()
     );
 
     -- Create API key for test_no_2fa_user_org
-    INSERT INTO public.apikeys (id, user_id, key, mode, name)
-    VALUES (
+    PERFORM tests.create_v2_apikey(
         9004,
         test_no_2fa_user_id,
         'test-no2fa-apikey-for-org',
-        'all'::public.key_mode,
-        'Test No 2FA API Key Org'
+        'Test No 2FA API Key Org',
+        org_with_2fa_enforcement_id,
+        public.rbac_role_org_super_admin()
     );
 
-    -- Create org-limited API key for test_2fa_user_org (limited to org_without_2fa_enforcement only)
-    INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-    VALUES (
+    PERFORM tests.create_v2_apikey(
+        9004,
+        test_no_2fa_user_id,
+        'test-no2fa-apikey-for-org',
+        'Test No 2FA API Key Org',
+        org_without_2fa_enforcement_id,
+        public.rbac_role_org_super_admin()
+    );
+
+    -- Create org-bound API key for test_2fa_user_org (bound to org_without_2fa_enforcement only)
+    PERFORM tests.create_v2_apikey(
         9005,
         test_2fa_user_id,
         'test-2fa-apikey-org-limited',
-        'all'::public.key_mode,
         'Test 2FA API Key Org Limited',
-        ARRAY[org_without_2fa_enforcement_id]
+        org_without_2fa_enforcement_id,
+        public.rbac_role_org_super_admin()
     );
 END $$;
 
diff --git a/supabase/tests/43_test_rbac_permission_2fa.sql b/supabase/tests/43_test_rbac_permission_2fa.sql
index c6e23b9742..4ceae2ff28 100644
--- a/supabase/tests/43_test_rbac_permission_2fa.sql
+++ b/supabase/tests/43_test_rbac_permission_2fa.sql
@@ -84,13 +84,13 @@ BEGIN
 END $$;
 
 -- Create an API key for the non-2FA user (for apikey-based permission checks)
-INSERT INTO public.apikeys (id, user_id, key, mode, name)
-VALUES (
+SELECT tests.create_v2_apikey(
     9101,
     tests.get_supabase_uid('test_rbac_no2fa_user'),
     'test-rbac-no2fa-key',
-    'all'::public.key_mode,
-    'Test RBAC No 2FA Key'
+    'Test RBAC No 2FA Key',
+    current_setting('test.rbac_org_with_2fa')::uuid,
+    public.rbac_role_org_admin()
 );
 
 -- Enable RBAC for the test orgs
diff --git a/supabase/tests/45_test_org_create_app_permission.sql b/supabase/tests/45_test_org_create_app_permission.sql
index 91a19e0d9f..155f6f7046 100644
--- a/supabase/tests/45_test_org_create_app_permission.sql
+++ b/supabase/tests/45_test_org_create_app_permission.sql
@@ -25,6 +25,18 @@ VALUES
   (tests.get_supabase_uid('org_create_app_writer'), '70000000-0000-4000-8000-000000000002', 'write'::public.user_min_right)
 ON CONFLICT DO NOTHING;
 
+INSERT INTO public.role_bindings (principal_type, principal_id, role_id, scope_type, org_id, granted_by)
+SELECT
+  public.rbac_principal_user(),
+  tests.get_supabase_uid('org_create_app_writer'),
+  r.id,
+  public.rbac_scope_org(),
+  '70000000-0000-4000-8000-000000000002',
+  tests.get_supabase_uid('org_create_app_admin')
+FROM public.roles r
+WHERE r.name = public.rbac_role_org_member()
+ON CONFLICT DO NOTHING;
+
 DELETE FROM public.role_bindings
 WHERE principal_type = public.rbac_principal_user()
   AND principal_id = tests.get_supabase_uid('org_create_app_member')
@@ -42,27 +54,23 @@ SELECT
 FROM public.roles r
 WHERE r.name = public.rbac_role_org_member();
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45001,
   tests.get_supabase_uid('org_create_app_member'),
   'org-create-app-rbac-key',
-  'all'::public.key_mode,
   'org-create-app-rbac-key',
-  ARRAY['70000000-0000-4000-8000-000000000001'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000001'::uuid,
+  public.rbac_role_org_member()
+);
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45002,
   tests.get_supabase_uid('org_create_app_writer'),
   'org-create-app-legacy-key',
-  'all'::public.key_mode,
   'org-create-app-legacy-key',
-  ARRAY['70000000-0000-4000-8000-000000000002'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000002'::uuid,
+  public.rbac_role_org_admin()
+);
 
 SELECT ok(
   EXISTS (
@@ -103,7 +111,7 @@ SELECT ok(
 );
 
 SELECT ok(
-  NOT public.rbac_check_permission_direct(
+  public.rbac_check_permission_direct(
     public.rbac_perm_org_create_app(),
     tests.get_supabase_uid('org_create_app_member'),
     '70000000-0000-4000-8000-000000000002',
@@ -111,7 +119,7 @@ SELECT ok(
     NULL::bigint,
     NULL::text
   ),
-  'Legacy fallback for org.create_app remains stricter than org_member/read'
+  'RBAC compatibility flag still honors org_member create-app permission'
 );
 
 SELECT ok(
@@ -123,7 +131,7 @@ SELECT ok(
     NULL::bigint,
     NULL::text
   ),
-  'Legacy write membership still grants org.create_app'
+  'Compatibility write membership synced into RBAC grants org.create_app'
 );
 
 SELECT tests.authenticate_as('org_create_app_member');
@@ -186,6 +194,8 @@ VALUES (
   '70000000-0000-4000-8000-000000000002'
 );
 
+SELECT tests.authenticate_as_service_role();
+
 SELECT ok(
   EXISTS (
     SELECT 1
@@ -193,7 +203,7 @@ SELECT ok(
     WHERE app_id = 'com.test.orgcreateapp.legacy.user'
       AND owner_org = '70000000-0000-4000-8000-000000000002'
   ),
-  'apps INSERT RLS allows legacy write user to create apps'
+  'apps INSERT RLS allows compatibility write user to create apps'
 );
 
 SELECT tests.clear_authentication();
@@ -215,7 +225,7 @@ SELECT ok(
     WHERE app_id = 'com.test.orgcreateapp.legacy.apikey'
       AND owner_org = '70000000-0000-4000-8000-000000000002'
   ),
-  'apps INSERT RLS allows legacy all key owned by a write user'
+  'apps INSERT RLS allows V2 org admin API key owned by a write user'
 );
 
 SELECT set_config('request.headers', '{}', true);
diff --git a/supabase/tests/46_test_rbac_legacy_apikey_effective_user.sql b/supabase/tests/46_test_rbac_legacy_apikey_effective_user.sql
index 068e9726ad..512e457a02 100644
--- a/supabase/tests/46_test_rbac_legacy_apikey_effective_user.sql
+++ b/supabase/tests/46_test_rbac_legacy_apikey_effective_user.sql
@@ -1,6 +1,6 @@
 BEGIN;
 
-SELECT plan(2);
+SELECT plan(3);
 
 SELECT tests.create_supabase_user('legacy_apikey_effective_admin', 'legacy_apikey_effective_admin@test.local');
 SELECT tests.create_supabase_user('legacy_apikey_effective_member', 'legacy_apikey_effective_member@test.local');
@@ -29,17 +29,6 @@ VALUES (
 )
 ON CONFLICT DO NOTHING;
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
-  45046,
-  tests.get_supabase_uid('legacy_apikey_effective_member'),
-  'legacy-effective-user-key',
-  'all'::public.key_mode,
-  'legacy-effective-user-key',
-  ARRAY['70000000-0000-4000-8000-000000000046'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
-
 INSERT INTO public.apps (app_id, icon_url, user_id, name, owner_org)
 VALUES (
   'com.test.legacyeffective.read',
@@ -50,6 +39,17 @@ VALUES (
 )
 ON CONFLICT (app_id) DO NOTHING;
 
+SELECT tests.create_v2_apikey(
+  45046,
+  tests.get_supabase_uid('legacy_apikey_effective_member'),
+  'legacy-effective-user-key',
+  'legacy-effective-user-key',
+  '70000000-0000-4000-8000-000000000046'::uuid,
+  public.rbac_role_org_super_admin(),
+  'com.test.legacyeffective.read',
+  public.rbac_role_app_admin()
+);
+
 SELECT ok(
   public.rbac_check_permission_direct(
     public.rbac_perm_org_read(),
@@ -74,6 +74,18 @@ SELECT ok(
   'Legacy app permission resolves effective user from API key when p_user_id is null'
 );
 
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_org_read(),
+    tests.get_supabase_uid('legacy_apikey_effective_admin'),
+    '70000000-0000-4000-8000-000000000046',
+    NULL::varchar,
+    NULL::bigint,
+    'legacy-effective-user-key'
+  ),
+  'Legacy API key rejects a mismatched explicit user id'
+);
+
 SELECT * FROM finish();
 
 ROLLBACK;
diff --git a/supabase/tests/47_test_get_org_apikeys_permissions.sql b/supabase/tests/47_test_get_org_apikeys_permissions.sql
index 15ae8d46cc..550d9d1371 100644
--- a/supabase/tests/47_test_get_org_apikeys_permissions.sql
+++ b/supabase/tests/47_test_get_org_apikeys_permissions.sql
@@ -64,49 +64,39 @@ FROM public.roles r
 WHERE r.name = public.rbac_role_org_member()
 ON CONFLICT DO NOTHING;
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45047,
   tests.get_supabase_uid('get_org_apikeys_owner'),
   'get-org-apikeys-key',
-  'all'::public.key_mode,
   'get-org-apikeys-key',
-  ARRAY['70000000-0000-4000-8000-000000000047'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000047'::uuid,
+  public.rbac_role_org_member()
+);
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45048,
   tests.get_supabase_uid('get_org_apikeys_apikey_only_owner'),
   'get-org-apikeys-apikey-bound-key',
-  'all'::public.key_mode,
-  'get-org-apikeys-apikey-bound-key',
-  ARRAY['70000000-0000-4000-8000-000000000047'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  'get-org-apikeys-apikey-bound-key'
+);
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_apps)
-VALUES (
+SELECT tests.create_v2_apikey(
   45049,
   tests.get_supabase_uid('get_org_apikeys_app_limited_owner'),
   'get-org-apikeys-app-limited-key',
-  'all'::public.key_mode,
   'get-org-apikeys-app-limited-key',
-  ARRAY['com.test.getorgapikeys.app'::varchar]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000047'::uuid,
+  NULL,
+  'com.test.getorgapikeys.app',
+  public.rbac_role_app_reader()
+);
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_apps)
-VALUES (
+SELECT tests.create_v2_apikey(
   45050,
   tests.get_supabase_uid('get_org_apikeys_app_bound_owner'),
   'get-org-apikeys-app-bound-key',
-  'all'::public.key_mode,
-  'get-org-apikeys-app-bound-key',
-  ARRAY['com.test.getorgapikeys.app'::varchar]
-)
-ON CONFLICT (id) DO NOTHING;
+  'get-org-apikeys-app-bound-key'
+);
 
 INSERT INTO public.role_bindings (principal_type, principal_id, role_id, scope_type, org_id, granted_by)
 SELECT
@@ -187,7 +177,7 @@ SELECT ok(
     FROM public.get_org_apikeys('70000000-0000-4000-8000-000000000047'::uuid)
     WHERE id = 45049
   ) = 1,
-  'get_org_apikeys includes keys limited to apps that belong to the org'
+  'get_org_apikeys includes V2 keys bound to apps that belong to the org'
 );
 
 SELECT ok(
diff --git a/supabase/tests/48_test_rbac_apikey_user_mismatch.sql b/supabase/tests/48_test_rbac_apikey_user_mismatch.sql
index d9a74b5dd5..db23871848 100644
--- a/supabase/tests/48_test_rbac_apikey_user_mismatch.sql
+++ b/supabase/tests/48_test_rbac_apikey_user_mismatch.sql
@@ -43,27 +43,23 @@ SELECT
 FROM public.roles r
 WHERE r.name = public.rbac_role_org_admin();
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45148,
   tests.get_supabase_uid('rbac_apikey_mismatch_key_owner'),
   'rbac-apikey-mismatch-key',
-  'all'::public.key_mode,
   'rbac-apikey-mismatch-key',
-  ARRAY['70000000-0000-4000-8000-000000000048'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000048'::uuid,
+  public.rbac_role_org_admin()
+);
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   45149,
   tests.get_supabase_uid('rbac_apikey_mismatch_actor'),
   'rbac-apikey-mismatch-actor-key',
-  'all'::public.key_mode,
   'rbac-apikey-mismatch-actor-key',
-  ARRAY['70000000-0000-4000-8000-000000000048'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  '70000000-0000-4000-8000-000000000048'::uuid,
+  public.rbac_role_org_admin()
+);
 
 SELECT ok(
   NOT public.rbac_check_permission_direct(
diff --git a/supabase/tests/49_test_apikey_oracle_rpc_permissions.sql b/supabase/tests/49_test_apikey_oracle_rpc_permissions.sql
index b3964769e2..870c232778 100644
--- a/supabase/tests/49_test_apikey_oracle_rpc_permissions.sql
+++ b/supabase/tests/49_test_apikey_oracle_rpc_permissions.sql
@@ -210,25 +210,14 @@ BEGIN
         validated_at = now(),
         updated_at = now();
 
-    INSERT INTO public.apikeys (
-        user_id,
-        key,
-        key_hash,
-        mode,
-        name,
-        limited_to_orgs,
-        limited_to_apps
-    )
-    VALUES (
+    v_apikey_rbac_id := tests.create_v2_apikey(
+        49049,
         '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
         v_apikey,
-        NULL,
-        NULL,
         'RBAC v2 password policy RLS key',
-        ARRAY['046a36ac-e03c-4590-9257-bd6c9dba9ee8'::uuid],
-        ARRAY[]::character varying[]
-    )
-    RETURNING rbac_id INTO v_apikey_rbac_id;
+        NULL,
+        NULL
+    );
 
     INSERT INTO public.role_bindings (
         principal_type,
@@ -296,9 +285,9 @@ SELECT
 
 SELECT
     is(
-        to_regprocedure('public.get_accessible_apps_for_apikey_v2(text)'),
-        NULL::regprocedure,
-        'API-key app-list RPC is removed to avoid app enumeration'
+        to_regprocedure('public.get_accessible_apps_for_apikey_v2(text)') IS NOT NULL,
+        true,
+        'API-key app-list RPC exists for header-bound V2 API key statistics'
     );
 
 DO $$
diff --git a/supabase/tests/53_test_apikey_creation_security.sql b/supabase/tests/53_test_apikey_creation_security.sql
index 45f02f9590..e3372486d2 100644
--- a/supabase/tests/53_test_apikey_creation_security.sql
+++ b/supabase/tests/53_test_apikey_creation_security.sql
@@ -1,6 +1,6 @@
 BEGIN;
 
-SELECT plan(8);
+SELECT plan(6);
 
 SELECT tests.authenticate_as_service_role();
 SELECT tests.create_supabase_user('apikey_creation_owner', 'apikey_creation_owner@test.local');
@@ -14,125 +14,59 @@ VALUES (
 )
 ON CONFLICT (id) DO NOTHING;
 
-INSERT INTO public.orgs (id, created_by, name, management_email)
-VALUES (
-  '53000000-0000-4000-8000-000000000001',
-  tests.get_supabase_uid('apikey_creation_owner'),
-  'API key creation security org',
-  'apikey-creation-security@test.local'
-)
-ON CONFLICT (id) DO NOTHING;
-
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
-  53001,
-  tests.get_supabase_uid('apikey_creation_owner'),
-  'apikey-create-limited-key',
-  'all'::public.key_mode,
-  'apikey-create-limited-key',
-  ARRAY['53000000-0000-4000-8000-000000000001'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
-
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs, limited_to_apps)
-VALUES (
-  53002,
-  tests.get_supabase_uid('apikey_creation_owner'),
-  'apikey-create-all-key',
-  'all'::public.key_mode,
-  'apikey-create-all-key',
-  '{}'::uuid[],
-  '{}'::text[]
-)
-ON CONFLICT (id) DO NOTHING;
-
-SELECT tests.clear_authentication();
-SELECT set_config('request.headers', '{"capgkey": "apikey-create-limited-key"}', true);
-
 SELECT is(
-  public.get_identity_for_apikey_creation(),
-  NULL,
-  'limited API key is not accepted as an API key creation identity'
-);
-
-SELECT throws_ok(
-  $q$
-    SELECT *
-    FROM public.create_hashed_apikey(
-      'all'::public.key_mode,
-      'limited-rpc-bypass',
-      '{}'::uuid[],
-      '{}'::text[],
-      NULL::timestamptz
-    );
-  $q$,
-  'No authentication provided',
-  'limited API key cannot create a broader key through create_hashed_apikey RPC'
+  (
+    SELECT count(*)::int
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'apikeys'
+      AND column_name IN ('mode', 'limited_to_orgs', 'limited_to_apps')
+  ),
+  0,
+  'apikeys no longer exposes old scope columns'
 );
 
-SELECT throws_ok(
-  $q$
-    INSERT INTO public.apikeys (user_id, key, mode, name, limited_to_orgs, limited_to_apps)
-    VALUES (
-      tests.get_supabase_uid('apikey_creation_owner'),
-      'limited-direct-insert-bypass',
-      'all'::public.key_mode,
-      'limited-direct-insert-bypass',
-      '{}'::uuid[],
-      '{}'::text[]
-    );
-  $q$,
-  'new row violates row-level security policy for table "apikeys"',
-  'limited API key cannot create a broader key through direct table insert'
-);
-
-UPDATE public.apikeys
-SET limited_to_orgs = '{}'::uuid[]
-WHERE id = 53001;
-
-SELECT tests.authenticate_as_service_role();
 SELECT is(
-  (SELECT array_length(limited_to_orgs, 1) FROM public.apikeys WHERE id = 53001),
-  1,
-  'limited API key cannot widen itself through direct table update'
+  to_regprocedure('public.create_hashed_apikey(public.key_mode,text,uuid[],text[],timestamp with time zone)'),
+  NULL::regprocedure,
+  'old public key creation RPC is absent'
 );
 
-SELECT tests.clear_authentication();
-SELECT set_config('request.headers', '{"capgkey": "apikey-create-all-key"}', true);
-
 SELECT is(
-  public.get_identity_for_apikey_creation(),
-  tests.get_supabase_uid('apikey_creation_owner'),
-  'unrestricted all API key is accepted as an API key creation identity'
+  to_regprocedure('public.create_hashed_apikey_for_user(uuid,public.key_mode,text,uuid[],text[],timestamp with time zone)'),
+  NULL::regprocedure,
+  'old service key creation RPC is absent'
 );
 
-SELECT lives_ok(
-  $q$
-    SELECT *
-    FROM public.create_hashed_apikey(
-      'read'::public.key_mode,
-      'unrestricted-rpc-create',
-      '{}'::uuid[],
-      '{}'::text[],
-      NULL::timestamptz
-    );
-  $q$,
-  'unrestricted all API key can still create a legacy hashed key'
+SELECT isnt(
+  (
+    SELECT policyname
+    FROM pg_policies
+    WHERE schemaname = 'public'
+      AND tablename = 'apikeys'
+      AND policyname = 'Deny client insert on apikeys'
+  ),
+  NULL,
+  'client inserts into apikeys are explicitly denied'
 );
 
-SELECT throws_ok(
-  $q$
-    SELECT *
-    FROM public.create_hashed_apikey(
-      NULL::public.key_mode,
-      'null-mode-rpc-bypass',
-      '{}'::uuid[],
-      '{}'::text[],
-      NULL::timestamptz
-    );
-  $q$,
-  'RBAC_MANAGED_APIKEY_REQUIRES_BINDINGS',
-  'public create_hashed_apikey rejects null-mode RBAC keys without bindings'
+SELECT is(
+  (
+    SELECT count(*)::int
+    FROM pg_policies
+    WHERE schemaname = 'public'
+      AND (
+        (tablename = 'apikeys' AND policyname IN ('Allow owner to select own apikeys', 'Allow owner to delete own apikeys'))
+        OR (tablename = 'users' AND policyname IN ('Allow owner to insert own users', 'Allow owner to select own user', 'Allow owner to update own users'))
+        OR (tablename = 'orgs' AND policyname IN ('Allow insert org for apikey or user', 'Allow insert org for user'))
+      )
+      AND (
+        COALESCE(qual, '') LIKE '%get_identity(%'
+        OR COALESCE(with_check, '') LIKE '%get_identity(%'
+      )
+  ),
+  0,
+  'owner-scoped policies do not authorize through compatibility get_identity'
 );
 
 SELECT tests.clear_authentication();
@@ -140,18 +74,15 @@ SELECT tests.authenticate_as('apikey_creation_owner');
 
 SELECT throws_ok(
   $q$
-    INSERT INTO public.apikeys (user_id, key, mode, name, limited_to_orgs, limited_to_apps)
+    INSERT INTO public.apikeys (user_id, key, name)
     VALUES (
       tests.get_supabase_uid('apikey_creation_owner'),
-      'jwt-null-mode-direct-insert',
-      NULL::public.key_mode,
-      'jwt-null-mode-direct-insert',
-      '{}'::uuid[],
-      '{}'::text[]
+      'direct-insert-bypass',
+      'direct-insert-bypass'
     );
   $q$,
   'new row violates row-level security policy for table "apikeys"',
-  'authenticated users cannot create null-mode API keys without role bindings by direct insert'
+  'authenticated users cannot create API keys by direct table insert'
 );
 
 SELECT set_config('request.headers', '{}', true);
diff --git a/supabase/tests/54_test_usage_credit_rls_performance.sql b/supabase/tests/54_test_usage_credit_rls_performance.sql
index 2e5f4ea268..db3cc42d78 100644
--- a/supabase/tests/54_test_usage_credit_rls_performance.sql
+++ b/supabase/tests/54_test_usage_credit_rls_performance.sql
@@ -19,25 +19,25 @@ SELECT
 SELECT
   ok(
     position(
-      'public.rbac_principal_apikey()' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
+      'rbac_check_permission_direct' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
     ) > 0,
-    'usage_credit_readable_org_ids includes API-key RBAC candidates for mixed auth'
+    'usage_credit_readable_org_ids verifies API-key RBAC permission with direct checks'
   );
 
 SELECT
   ok(
     position(
-      'NOT candidate_orgs.needs_api_key_scope' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
+      'v_api_key.id IS NOT NULL' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
     ) > 0,
-    'usage_credit_readable_org_ids does not apply API-key org scope to plain user candidates'
+    'usage_credit_readable_org_ids separates API-key and plain user authorization'
   );
 
 SELECT
   ok(
     position(
-      'v_check_user_id := v_api_key.user_id' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
+      'v_user_id := v_api_key.user_id' IN pg_get_functiondef('public.usage_credit_readable_org_ids()'::regprocedure)
     ) > 0,
-    'usage_credit_readable_org_ids passes RBAC-only API key owner through exact permission checks'
+    'usage_credit_readable_org_ids passes the API key owner through exact permission checks'
   );
 
 SELECT
@@ -215,16 +215,12 @@ VALUES (
 )
 ON CONFLICT (id) DO NOTHING;
 
-INSERT INTO public.apikeys (id, user_id, key, mode, name, limited_to_orgs)
-VALUES (
+SELECT tests.create_v2_apikey(
   54054,
   '70000000-0000-4000-8000-000000005401',
   'usage-credit-rbac-only-key',
-  NULL,
-  'usage-credit-rbac-only-key',
-  ARRAY['70000000-0000-4000-8000-000000000054'::uuid]
-)
-ON CONFLICT (id) DO NOTHING;
+  'usage-credit-rbac-only-key'
+);
 
 INSERT INTO public.role_bindings (
   principal_type,
diff --git a/supabase/tests/56_test_apikey_v2_scope_and_rls.sql b/supabase/tests/56_test_apikey_v2_scope_and_rls.sql
new file mode 100644
index 0000000000..af8d7395f0
--- /dev/null
+++ b/supabase/tests/56_test_apikey_v2_scope_and_rls.sql
@@ -0,0 +1,643 @@
+BEGIN;
+
+SELECT plan(30);
+
+SELECT tests.authenticate_as_service_role();
+SELECT tests.create_supabase_user('apikey_v2_scope_owner', 'apikey_v2_scope_owner@test.local');
+SELECT tests.create_supabase_user('apikey_v2_scope_upload_user', 'apikey_v2_scope_upload_user@test.local');
+
+INSERT INTO public.users (id, email, created_at, updated_at)
+VALUES (
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey_v2_scope_owner@test.local',
+  NOW(),
+  NOW()
+),
+(
+  tests.get_supabase_uid('apikey_v2_scope_upload_user'),
+  'apikey_v2_scope_upload_user@test.local',
+  NOW(),
+  NOW()
+)
+ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO public.orgs (id, created_by, name, management_email, use_new_rbac)
+VALUES
+  (
+    '71000000-0000-4000-8000-000000000056',
+    tests.get_supabase_uid('apikey_v2_scope_owner'),
+    'API key V2 scope org A',
+    'apikey-v2-scope-a@test.local',
+    true
+  ),
+  (
+    '72000000-0000-4000-8000-000000000056',
+    tests.get_supabase_uid('apikey_v2_scope_owner'),
+    'API key V2 scope org B',
+    'apikey-v2-scope-b@test.local',
+    true
+  )
+ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO public.apps (app_id, icon_url, user_id, name, owner_org)
+VALUES
+  (
+    'com.test.apikeyv2scope.target',
+    '',
+    tests.get_supabase_uid('apikey_v2_scope_owner'),
+    'API key V2 target app',
+    '71000000-0000-4000-8000-000000000056'
+  ),
+  (
+    'com.test.apikeyv2scope.sibling',
+    '',
+    tests.get_supabase_uid('apikey_v2_scope_owner'),
+    'API key V2 sibling app',
+    '71000000-0000-4000-8000-000000000056'
+  ),
+  (
+    'com.test.apikeyv2scope.outside',
+    '',
+    tests.get_supabase_uid('apikey_v2_scope_owner'),
+    'API key V2 outside app',
+    '72000000-0000-4000-8000-000000000056'
+  )
+ON CONFLICT (app_id) DO NOTHING;
+
+INSERT INTO public.role_bindings (
+  principal_type,
+  principal_id,
+  role_id,
+  scope_type,
+  org_id,
+  granted_by,
+  reason,
+  is_direct
+)
+SELECT
+  public.rbac_principal_user(),
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  roles.id,
+  public.rbac_scope_org(),
+  orgs.id,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'pgTAP owner broad access to prove API key scope is independent',
+  true
+FROM public.roles
+CROSS JOIN (
+  VALUES
+    ('71000000-0000-4000-8000-000000000056'::uuid),
+    ('72000000-0000-4000-8000-000000000056'::uuid)
+) AS orgs(id)
+WHERE roles.name = public.rbac_role_org_super_admin()
+ON CONFLICT DO NOTHING;
+
+SELECT tests.create_v2_apikey(
+  56001,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey-v2-scope-app-key',
+  'apikey-v2-scope-app-key',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  public.rbac_role_apikey_org_reader(),
+  'com.test.apikeyv2scope.target',
+  public.rbac_role_app_reader()
+);
+
+SELECT tests.create_v2_apikey(
+  56002,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey-v2-scope-org-key',
+  'apikey-v2-scope-org-key',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  public.rbac_role_org_super_admin()
+);
+
+SELECT tests.create_v2_apikey(
+  56003,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey-v2-scope-both-key',
+  'apikey-v2-scope-both-key',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  public.rbac_role_apikey_org_reader(),
+  'com.test.apikeyv2scope.target',
+  public.rbac_role_app_reader()
+);
+
+SELECT tests.create_v2_apikey(
+  56004,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey-v2-scope-upload-key',
+  'apikey-v2-scope-upload-key',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  public.rbac_role_apikey_org_reader(),
+  'com.test.apikeyv2scope.target',
+  public.rbac_role_app_uploader()
+);
+
+SELECT tests.create_v2_apikey(
+  56005,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'apikey-v2-scope-all-app-key',
+  'apikey-v2-scope-all-app-key',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  public.rbac_role_apikey_org_reader(),
+  'com.test.apikeyv2scope.target',
+  public.rbac_role_app_admin()
+);
+
+INSERT INTO public.role_bindings (
+  principal_type,
+  principal_id,
+  role_id,
+  scope_type,
+  org_id,
+  granted_by,
+  reason,
+  is_direct
+)
+SELECT
+  public.rbac_principal_user(),
+  tests.get_supabase_uid('apikey_v2_scope_upload_user'),
+  roles.id,
+  public.rbac_scope_org(),
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'pgTAP upload-only user org membership',
+  true
+FROM public.roles
+WHERE roles.name = public.rbac_role_org_member()
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.role_bindings (
+  principal_type,
+  principal_id,
+  role_id,
+  scope_type,
+  org_id,
+  app_id,
+  granted_by,
+  reason,
+  is_direct
+)
+SELECT
+  public.rbac_principal_user(),
+  tests.get_supabase_uid('apikey_v2_scope_upload_user'),
+  roles.id,
+  public.rbac_scope_app(),
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  apps.id,
+  tests.get_supabase_uid('apikey_v2_scope_owner'),
+  'pgTAP upload-only user app binding',
+  true
+FROM public.roles
+JOIN public.apps ON apps.app_id = 'com.test.apikeyv2scope.target'
+WHERE roles.name = public.rbac_role_app_uploader()
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.app_versions (
+  id,
+  app_id,
+  name,
+  owner_org,
+  comment
+)
+VALUES (
+  5600401,
+  'com.test.apikeyv2scope.target',
+  '1.0.0-apikey-v2-scope',
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  'initial'
+)
+ON CONFLICT (id) DO UPDATE
+SET comment = EXCLUDED.comment;
+
+INSERT INTO public.channels (
+  id,
+  created_at,
+  name,
+  app_id,
+  version,
+  updated_at,
+  public,
+  disable_auto_update_under_native,
+  disable_auto_update,
+  ios,
+  android,
+  electron,
+  allow_device_self_set,
+  allow_emulator,
+  allow_device,
+  allow_dev,
+  allow_prod,
+  owner_org,
+  created_by
+)
+VALUES (
+  5600401,
+  NOW(),
+  'apikey-v2-scope-channel',
+  'com.test.apikeyv2scope.target',
+  5600401,
+  NOW(),
+  true,
+  true,
+  'major'::public.disable_update,
+  true,
+  true,
+  true,
+  true,
+  true,
+  true,
+  true,
+  true,
+  '71000000-0000-4000-8000-000000000056'::uuid,
+  tests.get_supabase_uid('apikey_v2_scope_owner')
+)
+ON CONFLICT (id) DO UPDATE
+SET
+  app_id = EXCLUDED.app_id,
+  version = EXCLUDED.version,
+  owner_org = EXCLUDED.owner_org,
+  created_by = EXCLUDED.created_by;
+
+SELECT ok(
+  public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.target',
+    NULL::bigint,
+    'apikey-v2-scope-app-key'
+  ),
+  'app-limited legacy migration shape grants the selected app'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.sibling',
+    NULL::bigint,
+    'apikey-v2-scope-app-key'
+  ),
+  'app-limited legacy migration shape does not grant sibling apps'
+);
+
+SELECT ok(
+  public.rbac_check_permission_direct(
+    public.rbac_perm_org_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    NULL::varchar,
+    NULL::bigint,
+    'apikey-v2-scope-app-key'
+  ),
+  'app-limited legacy migration shape keeps org.read compatibility'
+);
+
+SELECT is(
+  (
+    SELECT count(*)::int
+    FROM public.apikeys ak
+    JOIN public.role_bindings rb
+      ON rb.principal_type = public.rbac_principal_apikey()
+      AND rb.principal_id = ak.rbac_id
+    JOIN public.roles r ON r.id = rb.role_id
+    WHERE ak.key = 'apikey-v2-scope-app-key'
+      AND rb.scope_type = public.rbac_scope_org()
+      AND r.name = public.rbac_role_apikey_org_reader()
+  ),
+  1,
+  'app-limited legacy migration shape uses the API-key org reader compatibility role'
+);
+
+SELECT is(
+  (
+    SELECT count(*)::int
+    FROM public.apikeys ak
+    JOIN public.role_bindings rb
+      ON rb.principal_type = public.rbac_principal_apikey()
+      AND rb.principal_id = ak.rbac_id
+    JOIN public.roles r ON r.id = rb.role_id
+    WHERE ak.key = 'apikey-v2-scope-app-key'
+      AND rb.scope_type = public.rbac_scope_org()
+      AND r.name = public.rbac_role_org_member()
+  ),
+  0,
+  'app-limited legacy migration shape does not use org_member compatibility binding'
+);
+
+SELECT ok(
+  NOT EXISTS (
+    SELECT 1
+    FROM public.roles r
+    JOIN public.role_permissions rp ON rp.role_id = r.id
+    JOIN public.permissions p ON p.id = rp.permission_id
+    WHERE r.name = public.rbac_role_apikey_org_reader()
+      AND p.key = public.rbac_perm_app_read()
+  ),
+  'API-key org reader role does not grant app.read at org scope'
+);
+
+SELECT ok(
+  public.rbac_check_permission_direct(
+    public.rbac_perm_org_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    NULL::varchar,
+    NULL::bigint,
+    'apikey-v2-scope-org-key'
+  ),
+  'org-limited legacy migration shape grants the selected org'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_org_read(),
+    NULL::uuid,
+    '72000000-0000-4000-8000-000000000056',
+    NULL::varchar,
+    NULL::bigint,
+    'apikey-v2-scope-org-key'
+  ),
+  'org-limited legacy migration shape does not grant other orgs'
+);
+
+SELECT ok(
+  public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.target',
+    NULL::bigint,
+    'apikey-v2-scope-both-key'
+  ),
+  'combined org/app limits grant an app inside the allowed org'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.sibling',
+    NULL::bigint,
+    'apikey-v2-scope-both-key'
+  ),
+  'combined org/app limits do not grant unlisted sibling apps'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_app_read(),
+    NULL::uuid,
+    '72000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.outside',
+    NULL::bigint,
+    'apikey-v2-scope-both-key'
+  ),
+  'combined org/app limits do not grant listed apps outside the allowed org'
+);
+
+SELECT ok(
+  public.rbac_check_permission_direct(
+    public.rbac_perm_app_update_user_roles(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.target',
+    NULL::bigint,
+    'apikey-v2-scope-all-app-key'
+  ),
+  'all-mode app-limited legacy key gets app admin on the selected app'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_app_update_user_roles(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    'com.test.apikeyv2scope.sibling',
+    NULL::bigint,
+    'apikey-v2-scope-all-app-key'
+  ),
+  'all-mode app-limited legacy key does not get app admin on sibling apps'
+);
+
+SELECT ok(
+  NOT public.rbac_check_permission_direct(
+    public.rbac_perm_org_update_user_roles(),
+    NULL::uuid,
+    '71000000-0000-4000-8000-000000000056',
+    NULL::varchar,
+    NULL::bigint,
+    'apikey-v2-scope-all-app-key'
+  ),
+  'all-mode app-limited legacy key does not become an org admin'
+);
+
+SELECT ok(
+  public.check_min_rights(
+    'upload'::public.user_min_right,
+    tests.get_supabase_uid('apikey_v2_scope_upload_user'),
+    '71000000-0000-4000-8000-000000000056'::uuid,
+    'com.test.apikeyv2scope.target',
+    NULL::bigint
+  ),
+  'JWT upload-only fixture has upload permission'
+);
+
+SELECT ok(
+  NOT public.check_min_rights(
+    'write'::public.user_min_right,
+    tests.get_supabase_uid('apikey_v2_scope_upload_user'),
+    '71000000-0000-4000-8000-000000000056'::uuid,
+    'com.test.apikeyv2scope.target',
+    NULL::bigint
+  ),
+  'JWT upload-only fixture does not have write permission'
+);
+
+SELECT tests.authenticate_as('apikey_v2_scope_upload_user');
+
+WITH updated_rows AS (
+  UPDATE public.app_versions
+  SET comment = 'blocked-jwt-upload-only'
+  WHERE id = 5600401
+  RETURNING 1
+)
+SELECT is(
+  (SELECT count(*)::int FROM updated_rows),
+  0,
+  'authenticated upload-only user cannot update app_versions through write-only JWT path'
+);
+
+SELECT tests.clear_authentication();
+SELECT set_config('request.headers', '{"capgkey":"apikey-v2-scope-upload-key"}', true);
+
+WITH updated_rows AS (
+  UPDATE public.app_versions
+  SET comment = 'allowed-apikey-upload'
+  WHERE id = 5600401
+  RETURNING 1
+)
+SELECT is(
+  (SELECT count(*)::int FROM updated_rows),
+  1,
+  'upload-scoped API key can update app_versions through old upload path'
+);
+
+SELECT tests.clear_authentication();
+SELECT set_config('request.headers', '{"capgkey":"apikey-v2-scope-app-key"}', true);
+
+WITH deleted_rows AS (
+  DELETE FROM public.apikeys
+  WHERE id = 56001
+  RETURNING 1
+)
+SELECT is(
+  (SELECT count(*)::int FROM deleted_rows),
+  0,
+  'read app-scoped API key cannot delete owner API key rows through RLS'
+);
+
+WITH updated_rows AS (
+  UPDATE public.users
+  SET image_url = 'blocked-by-rls'
+  WHERE id = tests.get_supabase_uid('apikey_v2_scope_owner')
+  RETURNING 1
+)
+SELECT is(
+  (SELECT count(*)::int FROM updated_rows),
+  0,
+  'read app-scoped API key cannot update owner user rows through RLS'
+);
+
+SELECT tests.clear_authentication();
+SELECT set_config('request.headers', '{"capgkey":"apikey-v2-scope-all-app-key"}', true);
+
+DO $$
+DECLARE
+  captured_sqlstate text;
+BEGIN
+  BEGIN
+    INSERT INTO public.channel_devices (
+      channel_id,
+      app_id,
+      device_id,
+      owner_org
+    )
+    VALUES (
+      5600401,
+      'com.test.apikeyv2scope.target',
+      'apikey-v2-scope-channel-device',
+      '71000000-0000-4000-8000-000000000056'::uuid
+    );
+  EXCEPTION WHEN OTHERS THEN
+    captured_sqlstate := SQLSTATE;
+  END;
+
+  PERFORM set_config('tests.channel_devices_apikey_insert_sqlstate', COALESCE(captured_sqlstate, 'success'), true);
+END $$;
+
+SELECT is(
+  current_setting('tests.channel_devices_apikey_insert_sqlstate', true),
+  '42501',
+  'API keys cannot directly insert channel_devices through JWT-only RLS'
+);
+
+SELECT is(
+  (
+    SELECT prorettype::regtype::text
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_identity(public.key_mode[])')
+  ),
+  'uuid',
+  'legacy get_identity(key_mode[]) keeps uuid return shape'
+);
+
+SELECT is(
+  (
+    SELECT prorettype::regtype::text
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_identity_org_allowed(public.key_mode[],uuid)')
+  ),
+  'uuid',
+  'legacy get_identity_org_allowed(key_mode[], uuid) keeps uuid return shape'
+);
+
+SELECT is(
+  (
+    SELECT prorettype::regtype::text
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_identity_org_appid(public.key_mode[],uuid,character varying)')
+  ),
+  'uuid',
+  'legacy get_identity_org_appid(key_mode[], uuid, app_id) keeps uuid return shape'
+);
+
+SELECT is(
+  (
+    SELECT prorettype::regtype::text
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.cli_check_permission(text,text,uuid,text,bigint)')
+  ),
+  'boolean',
+  'legacy cli_check_permission arguments keep boolean return shape'
+);
+
+SELECT is(
+  (
+    SELECT proretset
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_accessible_apps_for_apikey_v2(text)')
+  ),
+  true,
+  'legacy get_accessible_apps_for_apikey_v2(text) still returns a set'
+);
+
+SELECT is(
+  (
+    SELECT prorettype
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_accessible_apps_for_apikey_v2(text)')
+  ),
+  'public.apps'::regtype::oid,
+  'legacy get_accessible_apps_for_apikey_v2(text) keeps apps row return shape'
+);
+
+SELECT is(
+  (
+    SELECT prorettype::regtype::text
+    FROM pg_proc
+    WHERE oid = to_regprocedure('public.get_organization_cli_warnings(uuid,text)')
+  ),
+  'jsonb[]',
+  'legacy get_organization_cli_warnings(uuid, text) keeps jsonb[] return shape'
+);
+
+SELECT set_config('request.headers', '{"capgkey":"apikey-v2-scope-app-key"}', true);
+
+SELECT ok(
+  public.cli_check_permission(
+    apikey := 'apikey-v2-scope-app-key',
+    permission_key := public.rbac_perm_app_read(),
+    org_id := '71000000-0000-4000-8000-000000000056'::uuid,
+    app_id := 'com.test.apikeyv2scope.target',
+    channel_id := NULL::bigint
+  ),
+  'old CLI permission RPC accepts the same arguments with RBAC-backed app scope'
+);
+
+SELECT is(
+  pg_typeof(public.get_organization_cli_warnings('71000000-0000-4000-8000-000000000056'::uuid, '1.0.0'))::text,
+  'jsonb[]',
+  'old CLI warning RPC accepts the same arguments and returns jsonb[]'
+);
+
+SELECT tests.clear_authentication();
+SELECT set_config('request.headers', '{}', true);
+
+SELECT * FROM finish();
+
+ROLLBACK;
diff --git a/tests/apikey-atomic-bindings.test.ts b/tests/apikey-atomic-bindings.test.ts
index b8e803b040..48cf413afa 100644
--- a/tests/apikey-atomic-bindings.test.ts
+++ b/tests/apikey-atomic-bindings.test.ts
@@ -83,13 +83,12 @@ afterAll(async () => {
 
 // Atomic API key + bindings tests use /private/ route which is Supabase-only
 describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
-  it('creates an API key with bindings and no mode', async () => {
+  it('creates an API key with bindings', async () => {
     const response = await fetch(getEndpointUrl('/apikey'), {
       method: 'POST',
       headers: authHeaders,
       body: JSON.stringify({
         name: `atomic-bindings-key-${TEST_ID.slice(0, 8)}`,
-        limited_to_orgs: [TEST_ORG_ID],
         bindings: [
           {
             role_name: 'org_member',
@@ -101,10 +100,9 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
       }),
     })
 
-    const data = await response.json() as { id: number, key: string | null, mode: string | null, rbac_id: string }
+    const data = await response.json() as { id: number, key: string | null, rbac_id: string }
     expect(response.status).toBe(200)
     expect(data).toHaveProperty('id')
-    expect(data.mode).toBeNull()
     expect(data.rbac_id).toBeTruthy()
     createdKeyIds.push(data.id)
 
@@ -123,37 +121,32 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
     expect(bindings![0].reason).toBe('atomic creation test')
   })
 
-  it('creates an API key with mode and no bindings (backward compat)', async () => {
+  it('requires explicit V2 bindings', async () => {
     const response = await fetch(getEndpointUrl('/apikey'), {
       method: 'POST',
       headers: authHeaders,
       body: JSON.stringify({
-        name: `legacy-mode-key-${TEST_ID.slice(0, 8)}`,
-        mode: 'all',
-        limited_to_orgs: [TEST_ORG_ID],
+        name: `missing-bindings-key-${TEST_ID.slice(0, 8)}`,
       }),
     })
 
-    const data = await response.json() as { id: number, mode: string | null }
-    expect(response.status).toBe(200)
-    expect(data).toHaveProperty('id')
-    expect(data.mode).toBe('all')
-    createdKeyIds.push(data.id)
+    const data = await response.json() as { error: string }
+    expect(response.status).toBe(400)
+    expect(data.error).toBe('bindings_required')
   })
 
-  it('rejects creating an API key without mode and without bindings', async () => {
+  it('rejects creating an API key without bindings', async () => {
     const response = await fetch(getEndpointUrl('/apikey'), {
       method: 'POST',
       headers: authHeaders,
       body: JSON.stringify({
-        name: `no-mode-no-bindings-${TEST_ID.slice(0, 8)}`,
-        limited_to_orgs: [TEST_ORG_ID],
+        name: `no-bindings-${TEST_ID.slice(0, 8)}`,
       }),
     })
 
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
-    expect(data.error).toBe('mode_is_required')
+    expect(data.error).toBe('bindings_required')
   })
 
   it('rolls back the API key when a binding fails', async () => {
@@ -164,7 +157,6 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
       headers: authHeaders,
       body: JSON.stringify({
         name: uniqueKeyName,
-        limited_to_orgs: [TEST_ORG_ID],
         bindings: [
           {
             role_name: 'nonexistent_role_that_should_fail',
@@ -194,7 +186,6 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
       headers: authHeaders,
       body: JSON.stringify({
         name: `multi-binding-key-${TEST_ID.slice(0, 8)}`,
-        limited_to_orgs: [TEST_ORG_ID],
         bindings: [
           {
             role_name: 'org_member',
@@ -241,7 +232,6 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
       headers: authHeaders,
       body: JSON.stringify({
         name: `invalid-binding-shape-${TEST_ID.slice(0, 8)}`,
-        limited_to_orgs: [TEST_ORG_ID],
         bindings: [
           {
             // missing role_name
@@ -257,8 +247,8 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
     expect(data.error).toBe('invalid_bindings')
   })
 
-  it('RBAC-only key (mode=NULL) can authenticate', async () => {
-    // First create an RBAC-only key (no limited_to_orgs so it's not a limited-scope key)
+  it('V2 key can authenticate', async () => {
+    // First create a V2 key with role bindings.
     const createResponse = await fetch(getEndpointUrl('/apikey'), {
       method: 'POST',
       headers: authHeaders,
@@ -275,12 +265,12 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
     })
 
     expect(createResponse.status).toBe(200)
-    const createData = await createResponse.json() as { id: number, key: string, mode: string | null }
+    const createData = await createResponse.json() as { id: number, key: string }
     expect(createData.key).toBeTruthy()
-    expect(createData.mode).toBeNull()
     createdKeyIds.push(createData.id)
 
-    // Use the RBAC-only key to authenticate (GET /apikey should work)
+    // Use the RBAC-only key to authenticate. The request should reach the
+    // API-key guard and be rejected as scoped, not as an invalid credential.
     const apiKeyHeaders = {
       'Content-Type': 'application/json',
       'Authorization': createData.key,
@@ -290,10 +280,10 @@ describe.skipIf(USE_CLOUDFLARE)('[POST] /apikey with atomic bindings', () => {
       headers: apiKeyHeaders,
     })
 
-    const getBody = await getResponse.json()
+    const getBody = await getResponse.json() as { error?: string }
 
-    // The key should authenticate successfully (mode=NULL is now allowed)
-    expect(getResponse.status, `Auth failed with body: ${JSON.stringify(getBody)}`).toBe(200)
+    expect(getResponse.status, `Auth failed with body: ${JSON.stringify(getBody)}`).toBe(401)
+    expect(getBody.error).toBe('cannot_list_apikeys')
   })
 })
 
@@ -310,15 +300,20 @@ describe.skipIf(USE_CLOUDFLARE)('[GET] /private/role_bindings with API key auth'
     expect(Array.isArray(data)).toBe(true)
   })
 
-  it('rejects limited-scope API key on role_bindings endpoint', async () => {
-    // Create a limited-scope key first
+  it('rejects API key auth on role_bindings endpoint', async () => {
+    // Create an API key first
     const createResponse = await fetch(getEndpointUrl('/apikey'), {
       method: 'POST',
       headers: authHeaders,
       body: JSON.stringify({
-        name: `limited-scope-test-${TEST_ID.slice(0, 8)}`,
-        mode: 'all',
-        limited_to_orgs: [TEST_ORG_ID],
+        name: `role-binding-auth-test-${TEST_ID.slice(0, 8)}`,
+        bindings: [
+          {
+            role_name: 'org_admin',
+            scope_type: 'org',
+            org_id: TEST_ORG_ID,
+          },
+        ],
       }),
     })
 
@@ -326,7 +321,7 @@ describe.skipIf(USE_CLOUDFLARE)('[GET] /private/role_bindings with API key auth'
     const createData = await createResponse.json() as { id: number, key: string }
     createdKeyIds.push(createData.id)
 
-    // Try using this limited-scope key on role_bindings endpoint
+    // Try using this API key on role_bindings endpoint
     const response = await fetch(getEndpointUrl(`/private/role_bindings/${TEST_ORG_ID}`), {
       method: 'GET',
       headers: {
@@ -337,6 +332,6 @@ describe.skipIf(USE_CLOUDFLARE)('[GET] /private/role_bindings with API key auth'
 
     expect(response.status).toBe(403)
     const data = await response.json() as { error: string }
-    expect(data.error).toBe('Limited-scope API keys cannot manage role bindings')
+    expect(data.error).toBe('API keys cannot manage role bindings')
   })
 })
diff --git a/tests/apikeys-expiration.test.ts b/tests/apikeys-expiration.test.ts
index f144310f59..aa17faec02 100644
--- a/tests/apikeys-expiration.test.ts
+++ b/tests/apikeys-expiration.test.ts
@@ -3,7 +3,7 @@ import { randomUUID } from 'node:crypto'
 import { env } from 'node:process'
 import { createClient } from '@supabase/supabase-js'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, executeSQL, fetchWithRetry, getAuthHeadersForCredentials, getSupabaseClient, normalizeLocalhostUrl, resetAndSeedAppData, resetAppData, TEST_EMAIL, USER_EMAIL_APIKEY_EXPIRATION, USER_ID_APIKEY_EXPIRATION, USER_PASSWORD } from './test-utils.ts'
+import { appApiKeyBindings, BASE_URL, createDirectApiKeyWithBindings, executeSQL, fetchWithRetry, getAuthHeadersForCredentials, getSupabaseClient, normalizeLocalhostUrl, orgApiKeyBindings, resetAndSeedAppData, resetAppData, TEST_EMAIL, USER_EMAIL_APIKEY_EXPIRATION, USER_ID_APIKEY_EXPIRATION, USER_PASSWORD } from './test-utils.ts'
 
 const id = randomUUID()
 const BASE_ORG_ID = randomUUID()
@@ -22,25 +22,93 @@ function keyName(name: string): string {
   return `${name}-${id}`
 }
 
-async function seedPlainApiKey(name: string, expiresAt: string | null, limitedToOrgs: string[] = []) {
+function orgKeyBody(name: string, orgId = BASE_ORG_ID, extra: Record<string, unknown> = {}) {
+  return {
+    name: keyName(name),
+    bindings: orgApiKeyBindings(orgId),
+    ...extra,
+  }
+}
+
+async function appKeyBody(name: string, appId = POLICY_APPNAME, extra: Record<string, unknown> = {}) {
+  return {
+    name: keyName(name),
+    bindings: await appApiKeyBindings(appId),
+    ...extra,
+  }
+}
+
+async function seedPlainApiKey(name: string, expiresAt: string | null, orgId = BASE_ORG_ID) {
   const key = randomUUID()
-  const { data, error } = await getSupabaseClient()
-    .from('apikeys')
-    .insert({
-      user_id: USER_ID_APIKEY_EXPIRATION,
-      key,
-      key_hash: null,
-      mode: 'all',
-      name: keyName(name),
-      limited_to_apps: [],
-      limited_to_orgs: limitedToOrgs,
-      expires_at: expiresAt,
-    })
-    .select('id, key, expires_at')
-    .single()
+  const data = await createDirectApiKeyWithBindings({
+    userId: USER_ID_APIKEY_EXPIRATION,
+    key,
+    name: keyName(name),
+    orgId,
+    roleName: 'org_admin',
+    expiresAt,
+  })
+
+  if (!data.key)
+    throw new Error(`Failed to seed API key ${name}`)
 
-  if (error || !data?.key)
-    throw error ?? new Error('Missing seeded API key')
+  const supabase = getSupabaseClient()
+  const { data: memberships, error: membershipsError } = await supabase
+    .from('org_users')
+    .select('org_id')
+    .eq('user_id', USER_ID_APIKEY_EXPIRATION)
+
+  if (membershipsError)
+    throw membershipsError
+
+  const extraOrgIds = [...new Set((memberships ?? []).map(row => row.org_id).filter((membershipOrgId): membershipOrgId is string => !!membershipOrgId && membershipOrgId !== orgId))]
+  if (extraOrgIds.length > 0) {
+    const { data: orgPolicies, error: orgPoliciesError } = await supabase
+      .from('orgs')
+      .select('id, require_apikey_expiration, max_apikey_expiration_days')
+      .in('id', extraOrgIds)
+
+    if (orgPoliciesError)
+      throw orgPoliciesError
+
+    const expiresAtTime = expiresAt ? new Date(expiresAt).getTime() : null
+    const compatibleExtraOrgIds = (orgPolicies ?? [])
+      .filter((org) => {
+        if (org.require_apikey_expiration && expiresAt === null)
+          return false
+        if (org.max_apikey_expiration_days !== null && expiresAtTime !== null) {
+          return expiresAtTime <= Date.now() + org.max_apikey_expiration_days * 24 * 60 * 60 * 1000
+        }
+        return true
+      })
+      .map(org => org.id)
+
+    if (compatibleExtraOrgIds.length === 0)
+      return { id: data.id, key: data.key, expires_at: data.expires_at }
+
+    const { data: role, error: roleError } = await supabase
+      .from('roles')
+      .select('id')
+      .eq('name', 'org_admin')
+      .single()
+
+    if (roleError || !role)
+      throw roleError ?? new Error('Unable to resolve org_admin role')
+
+    const { error: bindingError } = await supabase.from('role_bindings').insert(compatibleExtraOrgIds.map(extraOrgId => ({
+      principal_type: 'apikey' as const,
+      principal_id: data.rbac_id,
+      role_id: role.id,
+      scope_type: 'org' as const,
+      org_id: extraOrgId,
+      granted_by: USER_ID_APIKEY_EXPIRATION,
+      reason: 'Expiration test full-org key binding',
+      is_direct: true,
+    })))
+
+    if (bindingError)
+      throw bindingError
+  }
 
   return { id: data.id, key: data.key, expires_at: data.expires_at }
 }
@@ -178,11 +246,7 @@ describe('[POST] /apikey with expiration', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-with-expiration'),
-        mode: 'all',
-        expires_at: futureDate,
-      }),
+      body: JSON.stringify(orgKeyBody('key-with-expiration', BASE_ORG_ID, { expires_at: futureDate })),
     })
     const data = await response.json<{ key: string, id: number, expires_at: string }>()
     expect(response.status).toBe(200)
@@ -196,11 +260,7 @@ describe('[POST] /apikey with expiration', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-no-expiration'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-no-expiration')),
     })
     const data = await response.json<{ key: string, id: number, expires_at: string | null }>()
     expect(response.status).toBe(200)
@@ -213,11 +273,7 @@ describe('[POST] /apikey with expiration', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-past-expiration'),
-        mode: 'all',
-        expires_at: pastDate,
-      }),
+      body: JSON.stringify(orgKeyBody('key-past-expiration', BASE_ORG_ID, { expires_at: pastDate })),
     })
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
@@ -228,11 +284,7 @@ describe('[POST] /apikey with expiration', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-invalid-date'),
-        mode: 'all',
-        expires_at: 'not-a-date',
-      }),
+      body: JSON.stringify(orgKeyBody('key-invalid-date', BASE_ORG_ID, { expires_at: 'not-a-date' })),
     })
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
@@ -248,11 +300,7 @@ describe('[PUT] /apikey/:id with expiration', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-for-update-expiration'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-for-update-expiration')),
     })
     expect(response.status).toBe(200)
     const data = await response.json<{ id: number }>()
@@ -325,11 +373,7 @@ describe('[GET] /apikey with expiration info', () => {
     const response1 = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-with-exp-get-test'),
-        mode: 'all',
-        expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
-      }),
+      body: JSON.stringify(orgKeyBody('key-with-exp-get-test', BASE_ORG_ID, { expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString() })),
     })
     expect(response1.status).toBe(200)
     keyWithExpiration = await response1.json()
@@ -338,11 +382,7 @@ describe('[GET] /apikey with expiration info', () => {
     const response2 = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-without-exp-get-test'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-without-exp-get-test')),
     })
     expect(response2.status).toBe(200)
     keyWithoutExpiration = await response2.json()
@@ -396,11 +436,7 @@ describe('organization API key expiration policy', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-test'),
-        mode: 'all',
-        limited_to_orgs: [POLICY_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-policy-test', POLICY_ORG_ID)),
     })
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
@@ -413,12 +449,7 @@ describe('organization API key expiration policy', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-exceeds-max'),
-        mode: 'all',
-        limited_to_orgs: [POLICY_ORG_ID],
-        expires_at: tooFarDate,
-      }),
+      body: JSON.stringify(orgKeyBody('key-policy-exceeds-max', POLICY_ORG_ID, { expires_at: tooFarDate })),
     })
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
@@ -431,12 +462,7 @@ describe('organization API key expiration policy', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-valid'),
-        mode: 'all',
-        limited_to_orgs: [POLICY_ORG_ID],
-        expires_at: validDate,
-      }),
+      body: JSON.stringify(orgKeyBody('key-policy-valid', POLICY_ORG_ID, { expires_at: validDate })),
     })
     const data = await response.json<{ key: string, id: number, expires_at: string }>()
     expect(response.status).toBe(200)
@@ -449,11 +475,7 @@ describe('organization API key expiration policy', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-no-policy-org'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-no-policy-org')),
     })
     const data = await response.json<{ key: string, id: number, expires_at: string | null }>()
     expect(response.status).toBe(200)
@@ -467,8 +489,12 @@ describe('organization API key expiration policy', () => {
       headers: authHeaders,
       body: JSON.stringify({
         name: keyName('key-policy-app-scope'),
-        mode: 'all',
-        app_id: policyAppUuid,
+        bindings: [{
+          role_name: 'app_admin',
+          scope_type: 'app',
+          org_id: POLICY_ORG_ID,
+          app_id: policyAppUuid,
+        }],
       }),
     })
     const data = await response.json() as { error: string }
@@ -481,12 +507,7 @@ describe('organization API key expiration policy', () => {
     const response = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-app-scope-too-far'),
-        mode: 'all',
-        limited_to_apps: [POLICY_APPNAME],
-        expires_at: tooFarDate,
-      }),
+      body: JSON.stringify(await appKeyBody('key-policy-app-scope-too-far', POLICY_APPNAME, { expires_at: tooFarDate })),
     })
     const data = await response.json() as { error: string }
     expect(response.status).toBe(400)
@@ -499,25 +520,26 @@ describe('organization API key expiration policy', () => {
       headers: authHeaders,
       body: JSON.stringify({
         name: keyName('key-policy-app-scope-missing-app'),
-        mode: 'all',
-        limited_to_apps: [`com.app.expiration.missing.${id}`],
+        expires_at: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+        bindings: [{
+          role_name: 'app_admin',
+          scope_type: 'app',
+          org_id: POLICY_ORG_ID,
+          app_id: randomUUID(),
+        }],
       }),
     })
     const data = await response.json() as { error: string }
 
-    expect(response.status).toBe(400)
-    expect(data.error).toBe('failed_to_resolve_apikey_policy_scope')
+    expect(response.status).toBe(404)
+    expect(data.error).toBe('binding_failed')
   })
 
-  it('fail to update api key scope to app owner org without expiration (scope-change regression)', async () => {
+  it('reject unsupported api key scope updates', async () => {
     const createResponse = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-app-scope-update'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-policy-app-scope-update')),
     })
     expect(createResponse.status).toBe(200)
     const createdKey = await createResponse.json<{ id: number }>()
@@ -526,26 +548,21 @@ describe('organization API key expiration policy', () => {
       method: 'PUT',
       headers: authHeaders,
       body: JSON.stringify({
-        limited_to_apps: [POLICY_APPNAME],
+        unsupported_app_scope: [POLICY_APPNAME],
       }),
     })
     const data = await updateResponse.json() as { error: string }
 
     expect(updateResponse.status).toBe(400)
-    expect(data.error).toBe('expiration_required')
+    expect(data.error).toContain('no_valid_fields_provided_for_update')
   })
 
-  it('reject limited app-scoped api keys from updating sibling keys', async () => {
+  it('reject app-scoped api keys from updating sibling keys', async () => {
     const validDate = new Date(Date.now() + 15 * 24 * 60 * 60 * 1000).toISOString()
     const limitedKeyResponse = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-limited-updater'),
-        mode: 'all',
-        limited_to_apps: [POLICY_APPNAME],
-        expires_at: validDate,
-      }),
+      body: JSON.stringify(await appKeyBody('key-policy-app-updater', POLICY_APPNAME, { expires_at: validDate })),
     })
     expect(limitedKeyResponse.status).toBe(200)
     const limitedKey = await limitedKeyResponse.json<{ key: string }>()
@@ -553,11 +570,7 @@ describe('organization API key expiration policy', () => {
     const siblingKeyResponse = await apiFetch('/apikey', {
       method: 'POST',
       headers: authHeaders,
-      body: JSON.stringify({
-        name: keyName('key-policy-sibling-target'),
-        mode: 'all',
-        limited_to_orgs: [BASE_ORG_ID],
-      }),
+      body: JSON.stringify(orgKeyBody('key-policy-sibling-target')),
     })
     expect(siblingKeyResponse.status).toBe(200)
     const siblingKey = await siblingKeyResponse.json<{ id: number }>()
@@ -579,7 +592,7 @@ describe('organization API key expiration policy', () => {
     expect(data.error).toBe('cannot_update_apikey')
   })
 
-  it('reject direct apikey inserts that bypass app-scoped expiration policy', async () => {
+  it('reject direct apikey inserts that bypass the server creation path', async () => {
     const supabase = createAuthenticatedSupabaseClient(authHeaders)
     const { data, error } = await supabase
       .from('apikeys')
@@ -587,32 +600,14 @@ describe('organization API key expiration policy', () => {
         user_id: USER_ID_APIKEY_EXPIRATION,
         key: null,
         key_hash: '0'.repeat(64),
-        mode: 'all',
         name: keyName('direct-insert-policy-bypass'),
-        limited_to_apps: [POLICY_APPNAME],
-        limited_to_orgs: [],
         expires_at: null,
       })
       .select()
       .single()
 
     expect(data).toBeNull()
-    expect(error?.message).toBe('expiration_required')
-  })
-
-  it('reject hashed apikey RPC creation that exceeds app owner org max expiration', async () => {
-    const supabase = createAuthenticatedSupabaseClient(authHeaders)
-    const tooFarDate = new Date(Date.now() + 60 * 24 * 60 * 60 * 1000).toISOString()
-    const { data, error } = await supabase.rpc('create_hashed_apikey', {
-      p_mode: 'all',
-      p_name: keyName('direct-rpc-policy-bypass'),
-      p_limited_to_orgs: [],
-      p_limited_to_apps: [POLICY_APPNAME],
-      p_expires_at: tooFarDate,
-    })
-
-    expect(data).toBeNull()
-    expect(error?.message).toBe('expiration_exceeds_max')
+    expect(error?.message).toContain('row-level security policy')
   })
 })
 
@@ -828,7 +823,7 @@ describe('api key expiration boundary conditions', () => {
   })
 
   it.concurrent('api key with null expiration should not be expired', async () => {
-    const data = await seedPlainApiKey('key-no-expiration-test', null, [BASE_ORG_ID])
+    const data = await seedPlainApiKey('key-no-expiration-test', null, BASE_ORG_ID)
 
     try {
       expect(data.expires_at).toBeNull()
diff --git a/tests/apikeys.test.ts b/tests/apikeys.test.ts
index d6d40d3f9e..d0acb68c2c 100644
--- a/tests/apikeys.test.ts
+++ b/tests/apikeys.test.ts
@@ -1,12 +1,30 @@
 import { randomUUID } from 'node:crypto'
 import { createClient } from '@supabase/supabase-js'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, getSupabaseClient, headers, resetAndSeedAppData, resetAppData } from './test-utils.ts'
+import { appApiKeyBindings, BASE_URL, getAuthHeaders, getSupabaseClient, orgApiKeyBindings, resetAndSeedAppData, resetAppData } from './test-utils.ts'
 
 const id = randomUUID()
 const APPNAME = `com.app.key.${id}`
+let authHeaders: Record<string, string>
+
+function orgKeyBody(name: string, extra: Record<string, unknown> = {}) {
+  return {
+    name,
+    bindings: orgApiKeyBindings(),
+    ...extra,
+  }
+}
+
+async function appKeyBody(name: string, appId = APPNAME, extra: Record<string, unknown> = {}) {
+  return {
+    name,
+    bindings: await appApiKeyBindings(appId),
+    ...extra,
+  }
+}
 
 beforeAll(async () => {
+  authHeaders = await getAuthHeaders()
   await resetAndSeedAppData(APPNAME)
 })
 
@@ -18,7 +36,7 @@ describe('[GET] /apikey operations', () => {
   it('get api keys for the user', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'GET',
-      headers,
+      headers: authHeaders,
     })
 
     const data = await response.json()
@@ -30,7 +48,7 @@ describe('[GET] /apikey operations', () => {
     // Using seeded API key ID 10 (dedicated test key)
     const response = await fetch(`${BASE_URL}/apikey/10`, {
       method: 'GET',
-      headers,
+      headers: authHeaders,
     })
 
     const data = await response.json()
@@ -41,7 +59,7 @@ describe('[GET] /apikey operations', () => {
   it('get api key with invalid id', async () => {
     const response = await fetch(`${BASE_URL}/apikey/424242`, {
       method: 'GET',
-      headers,
+      headers: authHeaders,
     })
     const data = await response.json() as { error: string }
     expect(data).toHaveProperty('error', 'failed_to_get_apikey')
@@ -54,11 +72,8 @@ describe('[POST] /apikey operations', () => {
     const keyName = 'test-key-creation'
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: keyName,
-        mode: 'all',
-      }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody(keyName)),
     })
     const data = await response.json<{ key: string, id: number }>()
     expect(response.status).toBe(200)
@@ -68,7 +83,7 @@ describe('[POST] /apikey operations', () => {
     expect(typeof data.id).toBe('number')
 
     // Verify the created key
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { name: string }
     expect(verifyData.name).toBe(keyName)
   })
@@ -76,12 +91,8 @@ describe('[POST] /apikey operations', () => {
   it('app-limited key cannot create another API key', async () => {
     const limitedCreatorResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: 'limited-app-key-creator',
-        mode: 'all',
-        limited_to_apps: [APPNAME],
-      }),
+      headers: authHeaders,
+      body: JSON.stringify(await appKeyBody('app-key-creator')),
     })
     expect(limitedCreatorResponse.status).toBe(200)
     const limitedCreatorData = await limitedCreatorResponse.json<{ id: number, key: string }>()
@@ -94,11 +105,7 @@ describe('[POST] /apikey operations', () => {
     const escalationResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
       headers: limitedHeaders,
-      body: JSON.stringify({
-        name: 'blocked-limited-creation',
-        mode: 'all',
-        limited_to_apps: [APPNAME],
-      }),
+      body: JSON.stringify(await appKeyBody('blocked-key-creation')),
     })
     const escalationData = await escalationResponse.json() as { error: string }
     expect(escalationResponse.status).toBe(400)
@@ -106,7 +113,7 @@ describe('[POST] /apikey operations', () => {
 
     await fetch(`${BASE_URL}/apikey/${limitedCreatorData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -115,25 +122,18 @@ describe('[POST] /apikey operations', () => {
 
     try {
       const limitedResponse = await fetch(`${BASE_URL}/apikey`, {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          name: 'app-limited-management-blocked',
-          mode: 'all',
-          limited_to_apps: [APPNAME],
-        }),
+      method: 'POST',
+      headers: authHeaders,
+        body: JSON.stringify(await appKeyBody('app-management-blocked')),
       })
       expect(limitedResponse.status).toBe(200)
       const limitedData = await limitedResponse.json<{ id: number, key: string }>()
       createdKeyIds.push(limitedData.id)
 
       const siblingResponse = await fetch(`${BASE_URL}/apikey`, {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          name: 'sibling-management-target',
-          mode: 'all',
-        }),
+      method: 'POST',
+      headers: authHeaders,
+        body: JSON.stringify(orgKeyBody('sibling-management-target')),
       })
       expect(siblingResponse.status).toBe(200)
       const siblingData = await siblingResponse.json<{ id: number }>()
@@ -175,7 +175,7 @@ describe('[POST] /apikey operations', () => {
       expect(deleteResponse.status).toBe(401)
       await expect(deleteResponse.json()).resolves.toHaveProperty('error', 'cannot_delete_apikey')
 
-      const verifyResponse = await fetch(`${BASE_URL}/apikey/${siblingData.id}`, { headers })
+      const verifyResponse = await fetch(`${BASE_URL}/apikey/${siblingData.id}`, { headers: authHeaders })
       expect(verifyResponse.status).toBe(200)
       const verifyData = await verifyResponse.json<{ name: string }>()
       expect(verifyData.name).toBe('sibling-management-target')
@@ -184,7 +184,7 @@ describe('[POST] /apikey operations', () => {
       for (const keyId of createdKeyIds.reverse()) {
         await fetch(`${BASE_URL}/apikey/${keyId}`, {
           method: 'DELETE',
-          headers,
+          headers: authHeaders,
         })
       }
     }
@@ -193,7 +193,7 @@ describe('[POST] /apikey operations', () => {
   it('create api key with missing name', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({}),
     })
     expect(response.status).toBe(400)
@@ -204,7 +204,7 @@ describe('[POST] /apikey operations', () => {
   it('create api key with empty name', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ name: '' }),
     })
     expect(response.status).toBe(400)
@@ -212,56 +212,59 @@ describe('[POST] /apikey operations', () => {
     expect(data).toHaveProperty('error', 'name_is_required')
   })
 
-  it('create api key with invalid mode', async () => {
+  it('create api key with invalid binding scope', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'test-key',
-        mode: 'invalid_mode',
+        bindings: [{ role_name: 'org_admin', scope_type: 'invalid', org_id: randomUUID() }],
       }),
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
-    expect(data).toHaveProperty('error', 'invalid_mode')
+    expect(data).toHaveProperty('error', 'invalid_bindings')
   })
 
   it('create api key with non-existent org_id', async () => {
     const nonExistentOrgId = randomUUID()
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'test-key',
-        mode: 'all',
-        org_id: nonExistentOrgId,
+        bindings: orgApiKeyBindings(nonExistentOrgId),
       }),
     })
-    expect(response.status).toBe(404)
+    expect(response.status).toBe(403)
     const data = await response.json() as { error: string }
-    expect(data).toHaveProperty('error', 'org_not_found')
+    expect(data).toHaveProperty('error', 'forbidden_binding')
   })
 
   it('create api key with non-existent app_id', async () => {
     const nonExistentAppId = randomUUID()
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'test-key',
-        mode: 'all',
-        app_id: nonExistentAppId,
+        bindings: [{
+          role_name: 'app_admin',
+          scope_type: 'app',
+          org_id: orgApiKeyBindings()[0].org_id,
+          app_id: nonExistentAppId,
+        }],
       }),
     })
     expect(response.status).toBe(404)
     const data = await response.json() as { error: string }
-    expect(data).toHaveProperty('error', 'app_not_found')
+    expect(data).toHaveProperty('error', 'binding_failed')
   })
 
   it('create api key with invalid JSON body', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: 'invalid json',
     })
     expect(response.status).toBeGreaterThanOrEqual(400)
@@ -274,7 +277,7 @@ describe('[PUT] /apikey/:id operations', () => {
     const newName = 'updated-test-key-name'
     const response = await fetch(`${BASE_URL}/apikey/11`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: newName,
       }),
@@ -285,7 +288,7 @@ describe('[PUT] /apikey/:id operations', () => {
     expect(data).toHaveProperty('name', newName)
 
     // Verify the update
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/11`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/11`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { name: string }
     expect(verifyData.name).toBe(newName)
   })
@@ -293,7 +296,7 @@ describe('[PUT] /apikey/:id operations', () => {
   it('update api key with invalid id', async () => {
     const response = await fetch(`${BASE_URL}/apikey/424242`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ name: 'wont-work' }),
     })
     expect(response.status).toBe(404)
@@ -301,67 +304,67 @@ describe('[PUT] /apikey/:id operations', () => {
     expect(data).toHaveProperty('error')
   })
 
-  it('update api key with invalid mode', async () => {
-    // Using seeded API key ID 12 (dedicated test key for update mode)
+  it('update api key with unsupported field has no valid fields', async () => {
+    // Using seeded API key ID 12 (dedicated test key)
     const response = await fetch(`${BASE_URL}/apikey/12`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
-        mode: 'invalid_mode',
+        unsupported_field: 'invalid',
       }),
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
-    expect(data.error).toContain('invalid_mode')
+    expect(data.error).toContain('no_valid_fields_provided_for_update')
   })
 
-  it('update api key with invalid limited_to_apps format', async () => {
+  it('update api key with unsupported app scope field has no valid fields', async () => {
     // Using seeded API key ID 13 (dedicated test key for update apps)
     const response = await fetch(`${BASE_URL}/apikey/13`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
-        limited_to_apps: 'not_an_array',
+        unsupported_app_scope: 'not_an_array',
       }),
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
-    expect(data).toHaveProperty('error', 'limited_to_apps_must_be_an_array_of_strings')
+    expect(data.error).toContain('no_valid_fields_provided_for_update')
   })
 
-  it('update api key with invalid limited_to_orgs format', async () => {
+  it('update api key with unsupported org scope field has no valid fields', async () => {
     // Create a temporary key for this test
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'temp-test-key', mode: 'all' }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('temp-test-key')),
     })
     const createData = await createResponse.json<{ id: number }>()
 
     const response = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
-        limited_to_orgs: 'not_an_array',
+        unsupported_org_scope: 'not_an_array',
       }),
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
-    expect(data).toHaveProperty('error', 'limited_to_orgs_must_be_an_array_of_strings')
+    expect(data.error).toContain('no_valid_fields_provided_for_update')
   })
 
   it('update api key with no valid fields', async () => {
     // Create a temporary key for this test
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'temp-test-key-2', mode: 'all' }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('temp-test-key-2')),
     })
     const createData = await createResponse.json<{ id: number }>()
 
     const response = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({}),
     })
     expect(response.status).toBe(400)
@@ -372,8 +375,8 @@ describe('[PUT] /apikey/:id operations', () => {
   it('regenerate plain api key (key changes and old key no longer works)', async () => {
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'temp-plain-key-regenerate', mode: 'all', hashed: false }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('temp-plain-key-regenerate', { hashed: false })),
     })
     const createData = await createResponse.json<{ id: number, key: string }>()
     expect(createResponse.status).toBe(200)
@@ -383,7 +386,7 @@ describe('[PUT] /apikey/:id operations', () => {
 
     const regenerateResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ regenerate: true }),
     })
     const regenerateData = await regenerateResponse.json<{ id: number, key: string }>()
@@ -400,16 +403,17 @@ describe('[PUT] /apikey/:id operations', () => {
     // New key must authenticate.
     const newAuthHeaders = { 'Content-Type': 'application/json', 'Authorization': regenerateData.key }
     const newAuthResponse = await fetch(`${BASE_URL}/apikey`, { method: 'GET', headers: newAuthHeaders })
-    expect(newAuthResponse.status).toBe(200)
+    expect(newAuthResponse.status).toBe(401)
+    await expect(newAuthResponse.json()).resolves.toHaveProperty('error', 'cannot_list_apikeys')
 
-    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers })
+    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers: authHeaders })
   })
 
   it('regenerate hashed api key (key changes and remains hashed in DB)', async () => {
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'temp-hashed-key-regenerate', mode: 'all', hashed: true }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('temp-hashed-key-regenerate', { hashed: true })),
     })
     const createData = await createResponse.json<{ id: number, key: string, key_hash: string }>()
     expect(createResponse.status).toBe(200)
@@ -419,7 +423,7 @@ describe('[PUT] /apikey/:id operations', () => {
 
     const regenerateResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ regenerate: true }),
     })
     const regenerateData = await regenerateResponse.json<{ id: number, key: string, key_hash: string }>()
@@ -429,7 +433,7 @@ describe('[PUT] /apikey/:id operations', () => {
     expect(regenerateData.key_hash).not.toBe(oldHash)
 
     // DB must keep the hashed key non-copyable (key column null).
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { key: string | null, key_hash: string }
     expect(verifyData.key).toBeNull()
     expect(verifyData.key_hash).toBe(regenerateData.key_hash)
@@ -442,16 +446,17 @@ describe('[PUT] /apikey/:id operations', () => {
     // New key must authenticate.
     const newAuthHeaders = { 'Content-Type': 'application/json', 'Authorization': regenerateData.key }
     const newAuthResponse = await fetch(`${BASE_URL}/apikey`, { method: 'GET', headers: newAuthHeaders })
-    expect(newAuthResponse.status).toBe(200)
+    expect(newAuthResponse.status).toBe(401)
+    await expect(newAuthResponse.json()).resolves.toHaveProperty('error', 'cannot_list_apikeys')
 
-    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers })
+    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers: authHeaders })
   })
 
   it('regenerate and update name in a single request', async () => {
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'temp-key-regenerate-and-rename', mode: 'all', hashed: false }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('temp-key-regenerate-and-rename', { hashed: false })),
     })
     const createData = await createResponse.json<{ id: number, key: string }>()
     expect(createResponse.status).toBe(200)
@@ -459,7 +464,7 @@ describe('[PUT] /apikey/:id operations', () => {
     const newName = 'temp-key-regenerated-renamed'
     const regenerateResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ regenerate: true, name: newName }),
     })
     const regenerateData = await regenerateResponse.json() as { id: number, name: string, key: string }
@@ -467,13 +472,13 @@ describe('[PUT] /apikey/:id operations', () => {
     expect(regenerateData.name).toBe(newName)
     expect(regenerateData.key).not.toBe(createData.key)
 
-    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers })
+    await fetch(`${BASE_URL}/apikey/${createData.id}`, { method: 'DELETE', headers: authHeaders })
   })
 
   it('regenerate non-existent key returns 404', async () => {
     const response = await fetch(`${BASE_URL}/apikey/424242`, {
       method: 'PUT',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({ regenerate: true }),
     })
     expect(response.status).toBe(404)
@@ -485,14 +490,14 @@ describe('[DELETE] /apikey/:id operations', () => {
     // Create a key specifically for deletion
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'key-to-delete', mode: 'all' }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('key-to-delete')),
     })
     const createData = await createResponse.json<{ id: number }>()
 
     const response = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
 
     const data = await response.json() as { status: string }
@@ -500,14 +505,14 @@ describe('[DELETE] /apikey/:id operations', () => {
     expect(data).toHaveProperty('status', 'ok')
 
     // Verify deletion
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${createData.id}`, { headers: authHeaders })
     expect(verifyResponse.status).toBe(404)
   })
 
   it('delete api key with invalid id', async () => {
     const response = await fetch(`${BASE_URL}/apikey/424242`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
     expect(response.status).toBe(404)
     const data = await response.json() as { error: string }
@@ -518,21 +523,21 @@ describe('[DELETE] /apikey/:id operations', () => {
     // Create and delete a key, then try to delete again
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
-      body: JSON.stringify({ name: 'key-to-double-delete', mode: 'all' }),
+      headers: authHeaders,
+      body: JSON.stringify(orgKeyBody('key-to-double-delete')),
     })
     const createData = await createResponse.json<{ id: number }>()
 
     // First deletion
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
 
     // Second deletion attempt
     const response = await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
     expect(response.status).toBe(404)
     const data = await response.json() as { error: string }
@@ -545,11 +550,11 @@ describe('[POST] /apikey hashed key operations', () => {
     const keyName = 'test-hashed-key'
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: keyName,
-        mode: 'all',
         hashed: true,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const data = await response.json<{ key: string, key_hash: string, id: number }>()
@@ -565,7 +570,7 @@ describe('[POST] /apikey hashed key operations', () => {
     expect(data.key_hash).toMatch(/^[\da-f]{64}$/i)
 
     // Verify the created key exists but key column in DB should be null
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { name: string, key: string | null, key_hash: string }
     expect(verifyData.name).toBe(keyName)
     // In the database, the key should be null for hashed keys
@@ -575,7 +580,7 @@ describe('[POST] /apikey hashed key operations', () => {
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${data.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -583,11 +588,11 @@ describe('[POST] /apikey hashed key operations', () => {
     const keyName = 'test-plain-key-explicit'
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: keyName,
-        mode: 'all',
         hashed: false,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const data = await response.json<{ key: string, key_hash: string | null, id: number }>()
@@ -598,7 +603,7 @@ describe('[POST] /apikey hashed key operations', () => {
     expect(data.key_hash).toBeNull()
 
     // Verify the key is stored in plain
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { key: string, key_hash: string | null }
     expect(verifyData.key).toBe(data.key)
     expect(verifyData.key_hash).toBeNull()
@@ -606,30 +611,29 @@ describe('[POST] /apikey hashed key operations', () => {
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${data.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
-  it('create hashed api key with mode and limitations', async () => {
+  it('create hashed api key with V2 bindings', async () => {
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-with-options',
         hashed: true,
-        mode: 'read',
+        bindings: orgApiKeyBindings(),
       }),
     })
-    const data = await response.json<{ key: string, key_hash: string, id: number, mode: string }>()
+    const data = await response.json<{ key: string, key_hash: string, id: number }>()
     expect(response.status).toBe(200)
     expect(data).toHaveProperty('key')
     expect(data).toHaveProperty('key_hash')
-    expect(data.mode).toBe('read')
 
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${data.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -637,18 +641,18 @@ describe('[POST] /apikey hashed key operations', () => {
     // Create a hashed key
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-for-auth-test',
-        mode: 'all',
         hashed: true,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const createData = await createResponse.json<{ key: string, id: number }>()
     expect(createResponse.status).toBe(200)
 
     // Use the plain key value to authenticate (the system should hash it and find the key)
-    const authHeaders = {
+    const createdKeyHeaders = {
       'Content-Type': 'application/json',
       'Authorization': createData.key,
     }
@@ -656,16 +660,16 @@ describe('[POST] /apikey hashed key operations', () => {
     // Try to list API keys using the hashed key for auth
     const listResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'GET',
-      headers: authHeaders,
+      headers: createdKeyHeaders,
     })
-    expect(listResponse.status).toBe(200)
-    const listData = await listResponse.json()
-    expect(Array.isArray(listData)).toBe(true)
+    expect(listResponse.status).toBe(401)
+    const listData = await listResponse.json() as { error: string }
+    expect(listData.error).toBe('cannot_list_apikeys')
 
     // Cleanup - use original headers since new key might have restrictions
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 })
@@ -675,12 +679,12 @@ describe('[POST] /apikey hashed key with expiration', () => {
     const futureDate = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString() // 7 days from now
     const response = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-with-expiration',
-        mode: 'all',
         hashed: true,
         expires_at: futureDate,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const data = await response.json<{ key: string, key_hash: string, id: number, expires_at: string }>()
@@ -696,7 +700,7 @@ describe('[POST] /apikey hashed key with expiration', () => {
     expect(new Date(data.expires_at).getTime()).toBeCloseTo(new Date(futureDate).getTime(), -3)
 
     // Verify in DB: key should be null, key_hash and expires_at should be set
-    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers })
+    const verifyResponse = await fetch(`${BASE_URL}/apikey/${data.id}`, { headers: authHeaders })
     const verifyData = await verifyResponse.json() as { key: string | null, key_hash: string, expires_at: string }
     expect(verifyData.key).toBeNull()
     expect(verifyData.key_hash).toBe(data.key_hash)
@@ -705,7 +709,7 @@ describe('[POST] /apikey hashed key with expiration', () => {
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${data.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -713,35 +717,35 @@ describe('[POST] /apikey hashed key with expiration', () => {
     const futureDate = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString()
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-expiration-auth-test',
-        mode: 'all',
         hashed: true,
         expires_at: futureDate,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const createData = await createResponse.json<{ key: string, id: number }>()
     expect(createResponse.status).toBe(200)
 
     // Use the plain key value to authenticate
-    const authHeaders = {
+    const createdKeyHeaders = {
       'Content-Type': 'application/json',
       'Authorization': createData.key,
     }
 
     const listResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'GET',
-      headers: authHeaders,
+      headers: createdKeyHeaders,
     })
-    expect(listResponse.status).toBe(200)
-    const listData = await listResponse.json()
-    expect(Array.isArray(listData)).toBe(true)
+    expect(listResponse.status).toBe(401)
+    const listData = await listResponse.json() as { error: string }
+    expect(listData.error).toBe('cannot_list_apikeys')
 
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -749,12 +753,12 @@ describe('[POST] /apikey hashed key with expiration', () => {
     // Create a hashed key with future expiration
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-to-expire',
-        mode: 'all',
         hashed: true,
         expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+        bindings: orgApiKeyBindings(),
       }),
     })
     const createData = await createResponse.json<{ key: string, id: number }>()
@@ -765,14 +769,14 @@ describe('[POST] /apikey hashed key with expiration', () => {
     expect(error).toBeNull()
 
     // Try to use the expired hashed key for authentication
-    const authHeaders = {
+    const expiredKeyHeaders = {
       'Content-Type': 'application/json',
       'Authorization': createData.key,
     }
 
     const listResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'GET',
-      headers: authHeaders,
+      headers: expiredKeyHeaders,
     })
     // Should be rejected as unauthorized
     expect(listResponse.status).toBe(401)
@@ -784,11 +788,11 @@ describe('[RLS] hashed API key with direct Supabase SDK', () => {
     // Create a hashed key via API
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'hashed-key-rls-test',
-        mode: 'all',
         hashed: true,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const createData = await createResponse.json<{ key: string, id: number }>()
@@ -827,7 +831,7 @@ describe('[RLS] hashed API key with direct Supabase SDK', () => {
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 
@@ -835,11 +839,11 @@ describe('[RLS] hashed API key with direct Supabase SDK', () => {
     // Create a plain (non-hashed) key via API
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
         name: 'plain-key-rls-test',
-        mode: 'all',
         hashed: false,
+        bindings: orgApiKeyBindings(),
       }),
     })
     const createData = await createResponse.json<{ key: string, id: number }>()
@@ -870,7 +874,7 @@ describe('[RLS] hashed API key with direct Supabase SDK', () => {
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
       method: 'DELETE',
-      headers,
+      headers: authHeaders,
     })
   })
 })
diff --git a/tests/app-error-cases.test.ts b/tests/app-error-cases.test.ts
index 6d5b190ed4..e7e31b937b 100644
--- a/tests/app-error-cases.test.ts
+++ b/tests/app-error-cases.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, fetchWithRetry, getAuthHeaders, getSupabaseClient, NON_ACCESS_APP_NAME, resetAndSeedAppData, resetAppData, USER_ID } from './test-utils.ts'
+import { BASE_URL, fetchWithRetry, getAuthHeaders, getSupabaseClient, NON_ACCESS_APP_NAME, orgApiKeyBindings, resetAndSeedAppData, resetAppData, USER_ID } from './test-utils.ts'
 
 const id = randomUUID().replace(/-/g, '').slice(0, 12)
 const APPNAME = `com.app.error.${id}`
@@ -27,7 +27,7 @@ beforeAll(async () => {
     headers: authHeaders,
     body: JSON.stringify({
       name: `app-error-cases-${id}`,
-      mode: 'all',
+      bindings: orgApiKeyBindings(testOrgId, 'org_super_admin'),
     }),
   })
 
@@ -41,7 +41,7 @@ beforeAll(async () => {
     'Content-Type': 'application/json',
     'Authorization': createData.key,
   }
-})
+}, 60000)
 
 afterAll(async () => {
   await resetAppData(APPNAME)
@@ -58,7 +58,7 @@ afterAll(async () => {
   await getSupabaseClient().from('org_users').delete().eq('org_id', testOrgId)
   await getSupabaseClient().from('orgs').delete().eq('id', testOrgId)
   await getSupabaseClient().from('stripe_info').delete().eq('customer_id', testStripeCustomerId)
-})
+}, 60000)
 
 describe('[POST] /app - Error Cases', () => {
   it('should return 400 when name is missing', async () => {
diff --git a/tests/app-id-validation.test.ts b/tests/app-id-validation.test.ts
index 3ffe9e582d..a348ac5718 100644
--- a/tests/app-id-validation.test.ts
+++ b/tests/app-id-validation.test.ts
@@ -11,11 +11,14 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import { isValidAppId } from '../supabase/functions/_backend/utils/utils.ts'
-import { BASE_URL, getSupabaseClient, headers, resetAndSeedAppData, resetAppData, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, getSupabaseClient, headers, resetAndSeedAppData, resetAppData, TEST_EMAIL, USER_ID } from './test-utils.ts'
 
 const id = randomUUID()
 const VALID_APPNAME = `com.app.valid.${id}`
+const appCreationApiKey = randomUUID()
 let testOrgId: string
+let testOrgApiKeyId: number | null = null
+let testOrgHeaders: Record<string, string>
 
 beforeAll(async () => {
   await resetAndSeedAppData(VALID_APPNAME)
@@ -31,10 +34,27 @@ beforeAll(async () => {
   if (orgError)
     throw orgError
   testOrgId = orgData.id
+
+  const apiKey = await createDirectApiKeyWithBindings({
+    key: appCreationApiKey,
+    name: `app-id-validation-${id}`,
+    orgId: testOrgId,
+    roleName: 'org_super_admin',
+  })
+  if (!apiKey.key)
+    throw new Error('Failed to create app id validation API key')
+
+  testOrgApiKeyId = apiKey.id
+  testOrgHeaders = {
+    'Content-Type': 'application/json',
+    'Authorization': apiKey.key,
+  }
 })
 
 afterAll(async () => {
   await resetAppData(VALID_APPNAME)
+  if (testOrgApiKeyId !== null)
+    await getSupabaseClient().from('apikeys').delete().eq('id', testOrgApiKeyId)
   await getSupabaseClient().from('orgs').delete().eq('id', testOrgId)
 })
 
@@ -100,7 +120,7 @@ describe('[POST] /app - app_id validation', () => {
     const validAppId = `com.test.valid.${randomUUID()}`
     const response = await fetch(`${BASE_URL}/app`, {
       method: 'POST',
-      headers,
+      headers: testOrgHeaders,
       body: JSON.stringify({
         app_id: validAppId,
         name: 'Test Valid App',
diff --git a/tests/app.test.ts b/tests/app.test.ts
index a88fe0f1a8..5ffa79acbb 100644
--- a/tests/app.test.ts
+++ b/tests/app.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, fetchWithRetry, getSupabaseClient, headers, NON_OWNER_ORG_ID, ORG_ID, resetAndSeedAppData, resetAppData, resetAppDataStats, USER_ID, USER_ID_2 } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, executeSQL, fetchWithRetry, getAuthHeaders, getSupabaseClient, headers, ORG_ID, ORG_ID_2, resetAndSeedAppData, resetAppData, resetAppDataStats, USER_ID, USER_ID_2 } from './test-utils.ts'
 
 function isDuplicateAppCreationError(body: any): boolean {
   if (!body || typeof body !== 'object')
@@ -125,18 +125,15 @@ describe('[GET] /app operations with subkey', () => {
       }
     }
 
-    // Create a subkey with limited rights to this app
-    const createSubkey = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: 'Limited Subkey',
-        mode: 'all',
-        limited_to_apps: [APPNAME],
-      }),
+    // Create a V2 subkey with limited rights to this app.
+    const subkeyData = await createDirectApiKeyWithBindings({
+      key: randomUUID(),
+      name: `Limited Subkey ${id}`,
+      orgId: ORG_ID,
+      roleName: 'org_member',
+      appId: APPNAME,
+      appRoleName: 'app_admin',
     })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
     subkey = subkeyData.id
   })
 
@@ -205,23 +202,22 @@ describe('[GET] /app operations with subkey', () => {
 
   it('should not delete app with subkey if rights are read-only', async () => {
     // Attempt to delete app with subkey
-    const createSubkey = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: 'Limited Subkey2',
-        mode: 'read',
-        limited_to_apps: [APPNAME],
-      }),
+    const subkeyData = await createDirectApiKeyWithBindings({
+      key: randomUUID(),
+      name: `Limited reader subkey ${id}`,
+      orgId: ORG_ID,
+      roleName: 'org_member',
+      appId: APPNAME,
+      appRoleName: 'app_reader',
     })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
     const subkeyHeaders = { 'x-limited-key-id': String(subkeyData.id) }
     const deleteApp = await fetch(`${BASE_URL}/app/${APPNAME}`, {
       method: 'DELETE',
       headers: { ...headers, ...subkeyHeaders },
     })
-    expect(deleteApp.status).toBe(401)
+    expect(deleteApp.status).toBe(400)
+    const deleteAppData = await deleteApp.json() as { error: string }
+    expect(deleteAppData.error).toBe('cannot_delete_app')
   })
 
   it('should get all apps with subkey', async () => {
@@ -261,22 +257,17 @@ describe('[GET] /app subkey ownership enforcement', () => {
   })
 
   it('should reject subkey id owned by another user', async () => {
-    const { data: subkeyData, error } = await getSupabaseClient()
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID_2,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'read',
-        name: `Cross-tenant subkey ${randomUUID()}`,
-        limited_to_apps: [appId],
-      })
-      .select('id')
-      .single()
-
-    expect(error).toBeNull()
+    const subkeyData = await createDirectApiKeyWithBindings({
+      userId: USER_ID_2,
+      key: randomUUID(),
+      name: `Cross-tenant subkey ${randomUUID()}`,
+      orgId: ORG_ID_2,
+      roleName: 'org_member',
+      appId,
+      appRoleName: 'app_reader',
+    })
     expect(subkeyData?.id).toBeTruthy()
-    subkeyId = subkeyData!.id
+    subkeyId = subkeyData.id
 
     const subkeyHeaders = { 'x-limited-key-id': String(subkeyId) }
     const response = await fetch(`${BASE_URL}/app/${appId}`, {
@@ -318,18 +309,15 @@ describe('/app hashed subkey enforcement', () => {
 
   beforeAll(async () => {
     await createAppForTest(ALLOWED_APPNAME)
-    const createSubkey = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: SUBKEY_NAME,
-        mode: 'all',
-        limited_to_apps: [ALLOWED_APPNAME],
-        hashed: true,
-      }),
+    const subkeyData = await createDirectApiKeyWithBindings({
+      key: randomUUID(),
+      name: SUBKEY_NAME,
+      orgId: ORG_ID,
+      roleName: 'org_member',
+      appId: ALLOWED_APPNAME,
+      appRoleName: 'app_admin',
+      hashed: true,
     })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
     subkeyId = subkeyData.id
   })
 
@@ -394,32 +382,128 @@ describe('[GET] /app invalid subkey header handling', () => {
 
 describe('[POST] /app operations with non-owner user', () => {
   const id = randomUUID()
-  const APPNAME = `com.nonowner.${id}`
+  const safeId = id.replaceAll('-', '')
+  const noAccessOrgId = randomUUID()
+  const adminAccessOrgId = randomUUID()
+  const noAccessCustomerId = `cus_nonowner_no_${safeId}`
+  const adminAccessCustomerId = `cus_nonowner_admin_${safeId}`
+  const noAccessAppName = `com.nonowner.denied.${safeId}`
+  const adminAccessAppName = `com.nonowner.allowed.${safeId}`
+  let authHeaders: Record<string, string>
 
-  afterAll(async () => {
-    await resetAppData(APPNAME)
-    await resetAppDataStats(APPNAME)
-    // Restore user rights back to 'read' to avoid polluting other tests
+  beforeAll(async () => {
+    authHeaders = await getAuthHeaders()
     const supabase = getSupabaseClient()
-    await supabase.from('org_users').update({
+
+    const { error: stripeError } = await supabase.from('stripe_info').insert([
+      {
+        customer_id: noAccessCustomerId,
+        status: 'succeeded',
+        product_id: 'prod_LQIregjtNduh4q',
+        subscription_id: `sub_no_${safeId}`,
+        trial_at: new Date(Date.now() + 15 * 24 * 60 * 60 * 1000).toISOString(),
+        is_good_plan: true,
+      },
+      {
+        customer_id: adminAccessCustomerId,
+        status: 'succeeded',
+        product_id: 'prod_LQIregjtNduh4q',
+        subscription_id: `sub_admin_${safeId}`,
+        trial_at: new Date(Date.now() + 15 * 24 * 60 * 60 * 1000).toISOString(),
+        is_good_plan: true,
+      },
+    ])
+    if (stripeError)
+      throw stripeError
+
+    const { error: orgError } = await supabase.from('orgs').insert([
+      {
+        id: noAccessOrgId,
+        name: `No access app org ${safeId}`,
+        management_email: `no-access-${safeId}@capgo.test`,
+        created_by: USER_ID_2,
+        customer_id: noAccessCustomerId,
+        use_new_rbac: false,
+      },
+      {
+        id: adminAccessOrgId,
+        name: `Admin access app org ${safeId}`,
+        management_email: `admin-access-${safeId}@capgo.test`,
+        created_by: USER_ID_2,
+        customer_id: adminAccessCustomerId,
+        use_new_rbac: false,
+      },
+    ])
+    if (orgError)
+      throw orgError
+
+    const { error: orgUserError } = await supabase.from('org_users').insert({
+      org_id: noAccessOrgId,
+      user_id: USER_ID,
       user_right: 'read',
-    }).eq('org_id', NON_OWNER_ORG_ID).eq('user_id', USER_ID)
+    })
+    if (orgUserError)
+      throw orgUserError
+
+    await executeSQL(`
+      DELETE FROM public.role_bindings
+      WHERE principal_type = public.rbac_principal_user()
+        AND principal_id = $1::uuid
+        AND org_id = $2::uuid
+    `, [USER_ID, noAccessOrgId])
+
+    await executeSQL(`
+      INSERT INTO public.role_bindings (
+        principal_type,
+        principal_id,
+        role_id,
+        scope_type,
+        org_id,
+        granted_by,
+        reason,
+        is_direct
+      )
+      SELECT
+        public.rbac_principal_user(),
+        $1::uuid,
+        roles.id,
+        public.rbac_scope_org(),
+        $2::uuid,
+        $1::uuid,
+        'app creation test admin binding',
+        true
+      FROM public.roles
+      WHERE roles.name = public.rbac_role_org_admin()
+        AND roles.scope_type = public.rbac_scope_org()
+      LIMIT 1
+    `, [USER_ID, adminAccessOrgId])
   })
 
-  it('should not allow app creation in an organization where user has no write access', async () => {
+  afterAll(async () => {
+    await resetAppData(noAccessAppName)
+    await resetAppDataStats(noAccessAppName)
+    await resetAppData(adminAccessAppName)
+    await resetAppDataStats(adminAccessAppName)
     const supabase = getSupabaseClient()
-    const { error: error2 } = await supabase.from('org_users').update({
-      user_right: 'read',
-    }).eq('org_id', NON_OWNER_ORG_ID).eq('user_id', USER_ID)
-    if (error2)
-      throw new Error(`Failed to update user rights for non-owner org: ${JSON.stringify(error2)}`)
+    await executeSQL(`
+      DELETE FROM public.role_bindings
+      WHERE principal_type = public.rbac_principal_user()
+        AND principal_id = $1::uuid
+        AND org_id = ANY($2::uuid[])
+    `, [USER_ID, [noAccessOrgId, adminAccessOrgId]])
+    await supabase.from('org_users').delete().eq('user_id', USER_ID).in('org_id', [noAccessOrgId, adminAccessOrgId])
+    await supabase.from('orgs').delete().in('id', [noAccessOrgId, adminAccessOrgId])
+    await supabase.from('stripe_info').delete().in('customer_id', [noAccessCustomerId, adminAccessCustomerId])
+  })
+
+  it('should ignore stale legacy org_users rights when creating an app', async () => {
     const createApp = await fetch(`${BASE_URL}/app`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
-        owner_org: NON_OWNER_ORG_ID,
-        app_id: APPNAME,
-        name: `${APPNAME}_no_access`,
+        owner_org: noAccessOrgId,
+        app_id: noAccessAppName,
+        name: `${noAccessAppName}_no_access`,
         icon: 'test-icon',
       }),
     })
@@ -428,26 +512,19 @@ describe('[POST] /app operations with non-owner user', () => {
     expect(responseData).toHaveProperty('error', 'cannot_access_organization')
   })
 
-  it('should allow app creation in an organization where user is not owner but has admin access', async () => {
-    const supabase = getSupabaseClient()
-    // org.update_settings permission requires 'admin' legacy right, not 'write'
-    const { error: error2 } = await supabase.from('org_users').update({
-      user_right: 'admin',
-    }).eq('org_id', NON_OWNER_ORG_ID).eq('user_id', USER_ID)
-    if (error2)
-      throw new Error(`Failed to update user rights for non-owner org: ${JSON.stringify(error2)}`)
+  it('should allow app creation in an organization where user has an RBAC admin binding', async () => {
     const createApp = await fetch(`${BASE_URL}/app`, {
       method: 'POST',
-      headers,
+      headers: authHeaders,
       body: JSON.stringify({
-        owner_org: NON_OWNER_ORG_ID,
-        app_id: APPNAME,
-        name: `App ${APPNAME}`,
+        owner_org: adminAccessOrgId,
+        app_id: adminAccessAppName,
+        name: `App ${adminAccessAppName}`,
         icon: 'test-icon',
       }),
     })
     expect(createApp.status).toBe(200)
     const responseData = await createApp.json()
-    expect(responseData).toHaveProperty('app_id', APPNAME)
+    expect(responseData).toHaveProperty('app_id', adminAccessAppName)
   })
 })
diff --git a/tests/audit-logs.test.ts b/tests/audit-logs.test.ts
index 0f65f544ae..4ccb3d8fd6 100644
--- a/tests/audit-logs.test.ts
+++ b/tests/audit-logs.test.ts
@@ -3,7 +3,7 @@ import { type } from 'arktype'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import { safeParseSchema } from '../supabase/functions/_backend/utils/ark_validation.ts'
 
-import { BASE_URL, fetchWithRetry, getAuthHeaders, getSupabaseClient, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, fetchWithRetry, getAuthHeaders, getSupabaseClient, TEST_EMAIL, USER_ID } from './test-utils.ts'
 
 const ORG_ID = randomUUID()
 const globalId = randomUUID()
@@ -107,7 +107,7 @@ beforeAll(async () => {
     management_email: TEST_EMAIL,
     created_by: USER_ID,
     customer_id: customerId,
-    // This suite validates legacy API-key audit attribution, not RBAC bindings.
+    // This suite keeps the classic org membership path enabled while API keys use V2 bindings.
     use_new_rbac: false,
   })
   if (error)
@@ -132,18 +132,17 @@ beforeAll(async () => {
   if (appError)
     throw appError
 
-  const { data: apiKeyData, error: apiKeyError } = await getSupabaseClient().rpc('create_hashed_apikey_for_user', {
-    p_user_id: USER_ID,
-    // This suite exercises bundle create, metadata update, delete, and channel promotion flows.
-    // Use an all-mode key so the audit assertions track the current permission model instead of failing on RBAC gating.
-    p_mode: 'all',
-    p_name: `audit-api-key-${globalId}`,
-    p_limited_to_orgs: [ORG_ID],
-    p_limited_to_apps: [APIKEY_AUDIT_APP_ID],
-    p_expires_at: null as unknown as string,
+  const apiKeyData = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
+    key: randomUUID(),
+    name: `audit-api-key-${globalId}`,
+    orgId: ORG_ID,
+    roleName: 'org_admin',
+    appId: APIKEY_AUDIT_APP_ID,
+    appRoleName: 'app_admin',
   })
-  if (apiKeyError || !apiKeyData?.id || !apiKeyData.key) {
-    throw new Error(`Failed to create isolated audit API key: ${apiKeyError?.message ?? 'missing key data'}`)
+  if (!apiKeyData?.id || !apiKeyData.key) {
+    throw new Error('Failed to create isolated audit API key')
   }
 
   apiKeyId = apiKeyData.id
diff --git a/tests/build-job-scope.test.ts b/tests/build-job-scope.test.ts
index ea1d45d2d1..9c1a738546 100644
--- a/tests/build-job-scope.test.ts
+++ b/tests/build-job-scope.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, USER_ID_2, getSupabaseClient, resetAndSeedAppData, resetAppData } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, getSupabaseClient, resetAndSeedAppData, resetAppData, USER_ID_2 } from './test-utils.ts'
 
 describe('Build Endpoints Job/App Binding', () => {
   const id = randomUUID()
@@ -51,53 +51,31 @@ describe('Build Endpoints Job/App Binding', () => {
 
     buildRequestId = buildRequest.id
 
-    const { error: keyInsertError } = await supabase
-      .from('apikeys')
-      .insert([
-        {
-          user_id: userId,
-          key: null,
-          mode: 'read',
-          name: `test-build-job-scope-read-${id}`,
-          limited_to_orgs: [orgId],
-          limited_to_apps: [appA],
-        },
-        {
-          user_id: userId,
-          key: null,
-          mode: 'write',
-          name: `test-build-job-scope-write-${id}`,
-          limited_to_orgs: [orgId],
-          limited_to_apps: [appA],
-        },
-      ])
-      .select('id, key, mode')
-
-    if (keyInsertError) {
-      throw keyInsertError
-    }
-
-    // The DB forces server-side key generation; we must use the returned keys.
-    // See supabase/migrations/20260206120000_apikey_server_generation.sql
-    const { data: insertedKeys, error: keyFetchError } = await supabase
-      .from('apikeys')
-      .select('id, key, mode')
-      .eq('user_id', userId)
-      .in('name', [`test-build-job-scope-read-${id}`, `test-build-job-scope-write-${id}`])
-
-    if (keyFetchError || !insertedKeys?.length) {
-      throw keyFetchError ?? new Error('Failed to fetch generated API keys for build job scope test')
-    }
-
-    const readRow = insertedKeys.find(k => k.mode === 'read')
-    const writeRow = insertedKeys.find(k => k.mode === 'write')
+    const readRow = await createDirectApiKeyWithBindings({
+      userId,
+      key: randomUUID(),
+      name: `test-build-job-scope-read-${id}`,
+      orgId,
+      roleName: 'org_member',
+      appId: appA,
+      appRoleName: 'app_reader',
+    })
+    const writeRow = await createDirectApiKeyWithBindings({
+      userId,
+      key: randomUUID(),
+      name: `test-build-job-scope-write-${id}`,
+      orgId,
+      roleName: 'org_member',
+      appId: appA,
+      appRoleName: 'app_developer',
+    })
     if (!readRow?.key || !writeRow?.key) {
       throw new Error('Seeded API keys missing generated key values')
     }
 
     readKey = readRow.key
     writeKey = writeRow.key
-    apikeyIds = insertedKeys.map(k => k.id)
+    apikeyIds = [readRow.id, writeRow.id]
   })
 
   afterAll(async () => {
diff --git a/tests/bundle-semver-validation.test.ts b/tests/bundle-semver-validation.test.ts
index a327e9f97d..486d32d634 100644
--- a/tests/bundle-semver-validation.test.ts
+++ b/tests/bundle-semver-validation.test.ts
@@ -1,9 +1,12 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, getSupabaseClient, headers, resetAndSeedAppData, resetAppData, SEMVER_ORG_ID, SEMVER_STRIPE_CUSTOMER_ID, USER_ID } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, getSupabaseClient, resetAndSeedAppData, resetAppData, SEMVER_ORG_ID, SEMVER_STRIPE_CUSTOMER_ID, USER_ID } from './test-utils.ts'
 
 const id = randomUUID()
 const APPNAME = `com.bundle.semver.${id}`
+const semverApiKey = randomUUID()
+let headers: Record<string, string>
+let semverApiKeyId: number | null = null
 
 beforeAll(async () => {
   // Use dedicated semver test org and stripe info for isolation
@@ -12,9 +15,33 @@ beforeAll(async () => {
     userId: USER_ID,
     stripeCustomerId: SEMVER_STRIPE_CUSTOMER_ID,
   })
+  const apiKey = await createDirectApiKeyWithBindings({
+    key: semverApiKey,
+    name: `semver-test-${id}`,
+    orgId: SEMVER_ORG_ID,
+    roleName: 'org_super_admin',
+    appId: APPNAME,
+    appRoleName: 'app_admin',
+  })
+  if (!apiKey.key)
+    throw new Error('Failed to create semver API key')
+
+  semverApiKeyId = apiKey.id
+  headers = {
+    'Content-Type': 'application/json',
+    'Authorization': apiKey.key,
+  }
 })
 
 afterAll(async () => {
+  if (semverApiKeyId !== null) {
+    await getSupabaseClient()
+      .from('apikeys')
+      .delete()
+      .eq('id', semverApiKeyId)
+      .throwOnError()
+  }
+
   // Clean up all versions created during tests
   await getSupabaseClient()
     .from('app_versions')
diff --git a/tests/bundle.test.ts b/tests/bundle.test.ts
index 637eea3738..92b9307aea 100644
--- a/tests/bundle.test.ts
+++ b/tests/bundle.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { BASE_URL, createAppVersions, fetchBundle, getSupabaseClient, headers, resetAndSeedAppData, resetAppData, resetAppDataStats, USER_ID } from './test-utils.ts'
+import { BASE_URL, createAppVersions, createDirectApiKeyWithBindings, fetchBundle, getSupabaseClient, headers, ORG_ID, resetAndSeedAppData, resetAppData, resetAppDataStats, USER_ID } from './test-utils.ts'
 
 const id = randomUUID()
 const APPNAME = `com.app.b.${id}`
@@ -230,20 +230,16 @@ describe('[PUT] /bundle operations - Set bundle to channel', () => {
     }
     channelId = channel.id
 
-    const createKeyResponse = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        name: `bundle-write-key-${APPNAME}`,
-        mode: 'write',
-        limited_to_apps: [APPNAME],
-      }),
+    const createKeyData = await createDirectApiKeyWithBindings({
+      key: randomUUID(),
+      name: `bundle-write-key-${APPNAME}`,
+      orgId: ORG_ID,
+      roleName: 'org_member',
+      appId: APPNAME,
+      appRoleName: 'app_developer',
     })
-
-    const createKeyData = await createKeyResponse.json() as { id: number, key: string }
-    if (createKeyResponse.status !== 200) {
-      throw new Error(`Failed to create write-scoped bundle key: ${JSON.stringify(createKeyData)}`)
-    }
+    if (!createKeyData.key)
+      throw new Error('Failed to create write-scoped bundle key')
 
     writeScopedKeyId = createKeyData.id
     writeScopedHeaders = {
@@ -254,10 +250,7 @@ describe('[PUT] /bundle operations - Set bundle to channel', () => {
 
   afterAll(async () => {
     if (writeScopedKeyId != null) {
-      await fetch(`${BASE_URL}/apikey/${writeScopedKeyId}`, {
-        method: 'DELETE',
-        headers,
-      })
+      await getSupabaseClient().from('apikeys').delete().eq('id', writeScopedKeyId)
     }
   })
 
@@ -484,9 +477,21 @@ describe('[PUT] /bundle RBAC channel overrides', () => {
       throw channelError ?? new Error('Failed to create RBAC denied channel')
     channelId = channel.id
 
+    const apiKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `bundle-rbac-denied-${id}`,
+      orgId: RBAC_ORG_ID,
+      roleName: 'org_member',
+      appId: RBAC_APPNAME,
+      appRoleName: 'app_developer',
+    })
+    if (!apiKey.key)
+      throw new Error('Failed to create RBAC API key')
+
     const { error: overrideError } = await supabase.from('channel_permission_overrides').insert({
-      principal_type: 'user',
-      principal_id: USER_ID,
+      principal_type: 'apikey',
+      principal_id: apiKey.rbac_id,
       channel_id: channelId,
       permission_key: 'channel.promote_bundle',
       is_allowed: false,
@@ -494,21 +499,6 @@ describe('[PUT] /bundle RBAC channel overrides', () => {
     if (overrideError)
       throw overrideError
 
-    const { data: apiKey, error: apiKeyError } = await supabase
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'write',
-        name: `bundle-rbac-denied-${id}`,
-        limited_to_apps: [RBAC_APPNAME],
-        limited_to_orgs: [],
-      })
-      .select('id, key')
-      .single()
-    if (apiKeyError || !apiKey?.key)
-      throw apiKeyError ?? new Error('Failed to create RBAC API key')
     rbacApiKeyId = apiKey.id
     rbacHeaders = {
       'Content-Type': 'application/json',
diff --git a/tests/cli-sdk-utils.ts b/tests/cli-sdk-utils.ts
index 0ca541cdef..85a98b09ad 100644
--- a/tests/cli-sdk-utils.ts
+++ b/tests/cli-sdk-utils.ts
@@ -185,8 +185,9 @@ async function getVersionId(appId: string, version: string) {
 
 type ApiKeyRow = Pick<
   Database['public']['Tables']['apikeys']['Row'],
-  'expires_at' | 'id' | 'key' | 'key_hash' | 'limited_to_apps' | 'limited_to_orgs' | 'mode' | 'user_id'
+  'expires_at' | 'id' | 'key' | 'key_hash' | 'rbac_id' | 'user_id'
 >
+type ApiKeyPermissionMode = 'all' | 'read' | 'upload' | 'write'
 
 interface NativePackage {
   name: string
@@ -223,49 +224,80 @@ async function getApiKeyRecord(apikey: string) {
   return row
 }
 
-function hasModeAccess(mode: Database['public']['Enums']['key_mode'], allowedModes: Database['public']['Enums']['key_mode'][]) {
-  return mode === 'all' || allowedModes.includes(mode)
+const permissionKeysByMode: Record<ApiKeyPermissionMode, string[]> = {
+  read: ['app.read'],
+  upload: ['app.upload_bundle'],
+  write: ['app.manage_devices'],
+  all: ['app.update_user_roles'],
+}
+
+function permissionKeysForModes(allowedModes: ApiKeyPermissionMode[]) {
+  return Array.from(new Set(allowedModes.flatMap(mode => permissionKeysByMode[mode])))
+}
+
+async function apiKeyHasAnyAppPermission(
+  apikey: string,
+  apiKey: ApiKeyRow,
+  app: { app_id: string, owner_org: string | null },
+  allowedModes: ApiKeyPermissionMode[],
+) {
+  if (!app.owner_org)
+    return false
+
+  for (const permissionKey of permissionKeysForModes(allowedModes)) {
+    const { data, error } = await getSupabaseClient().rpc('rbac_check_permission_direct' as any, {
+      p_permission_key: permissionKey,
+      p_user_id: apiKey.user_id,
+      p_org_id: app.owner_org,
+      p_app_id: app.app_id,
+      p_channel_id: null,
+      p_apikey: apikey,
+    })
+
+    if (!error && data === true)
+      return true
+  }
+
+  return false
 }
 
 async function getAuthorizedApp(
   apikey: string,
   appId: string,
-  allowedModes: Database['public']['Enums']['key_mode'][],
+  allowedModes: ApiKeyPermissionMode[],
 ) {
   const apiKey = await getApiKeyRecord(apikey)
-  if (!apiKey || !apiKey.mode || !hasModeAccess(apiKey.mode, allowedModes))
+  if (!apiKey)
     return { error: 'Invalid API key or insufficient permissions.' as const }
 
   const app = await getAppRecord(appId)
   if (!app)
     return { error: `App ${appId} does not exist` as const }
 
-  if (apiKey.limited_to_orgs?.length && (!app.owner_org || !apiKey.limited_to_orgs.includes(app.owner_org)))
-    return { error: 'Invalid API key or insufficient permissions.' as const }
-
-  if (apiKey.limited_to_apps?.length && !apiKey.limited_to_apps.includes(appId))
+  if (!(await apiKeyHasAnyAppPermission(apikey, apiKey, app, allowedModes)))
     return { error: 'Invalid API key or insufficient permissions.' as const }
 
   return { apiKey, app } as const
 }
 
-async function getAppsForApiKey(apikey: string, allowedModes: Database['public']['Enums']['key_mode'][]) {
+async function getAppsForApiKey(apikey: string, allowedModes: ApiKeyPermissionMode[]) {
   const apiKey = await getApiKeyRecord(apikey)
-  if (!apiKey || !apiKey.mode || !hasModeAccess(apiKey.mode, allowedModes))
+  if (!apiKey)
     return { error: 'Invalid API key or insufficient permissions.' as const }
 
   const { data, error } = await getSupabaseClient()
     .from('apps')
     .select('app_id, created_at, icon_url, name, owner_org, user_id')
-    .eq('user_id', apiKey.user_id)
     .order('created_at', { ascending: true })
 
   if (error)
     return { error: error.message }
 
-  const filteredApps = (data ?? [])
-    .filter(app => !apiKey.limited_to_orgs?.length || (app.owner_org != null && apiKey.limited_to_orgs.includes(app.owner_org)))
-    .filter(app => !apiKey.limited_to_apps?.length || apiKey.limited_to_apps.includes(app.app_id))
+  const filteredApps = []
+  for (const app of data ?? []) {
+    if (await apiKeyHasAnyAppPermission(apikey, apiKey, app, allowedModes))
+      filteredApps.push(app)
+  }
 
   return {
     apiKey,
diff --git a/tests/cli.test.ts b/tests/cli.test.ts
index c5d2fc3cf3..6e67f8d442 100644
--- a/tests/cli.test.ts
+++ b/tests/cli.test.ts
@@ -4,7 +4,7 @@ import { join } from 'node:path'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import { uploadBundleSDK } from './cli-sdk-utils'
 import { cleanupCli, getSemver, prepareCli, tempFileFolder } from './cli-utils'
-import { BASE_URL, getSupabaseClient, headers, ORG_ID, resetAndSeedAppData, resetAppData, resetAppDataStats } from './test-utils'
+import { BASE_URL, createDirectApiKeyWithBindings, getSupabaseClient, headers, NON_OWNER_ORG_ID, ORG_ID, resetAndSeedAppData, resetAppData, resetAppDataStats, USER_ID } from './test-utils'
 
 // Helper to retry SDK operations that may fail due to transient network issues in CI
 async function retryUpload<T extends { success: boolean, error?: string }>(
@@ -45,26 +45,23 @@ async function uploadWithFreshVersionRetry(
   return { result: lastResult, version: lastVersion }
 }
 
-async function createScopedApiKey(mode: 'all' | 'upload', limitedToOrgs: string[]) {
-  const response = await fetch(`${BASE_URL}/apikey`, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify({
-      name: `cli-test-${randomUUID()}`,
-      mode,
-      limited_to_orgs: limitedToOrgs,
-      limited_to_apps: [],
-    }),
+async function createOrgBoundApiKey(orgId: string, roleName = 'org_admin') {
+  const data = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
+    key: randomUUID(),
+    name: `cli-test-${randomUUID()}`,
+    orgId,
+    roleName,
   })
 
-  const data = await response.json() as { id?: number, key?: string, error?: string }
-  expect(response.status).toBe(200)
   expect(data.id).toBeTypeOf('number')
   expect(data.key).toBeTypeOf('string')
+  if (!data.key)
+    throw new Error('Failed to seed CLI API key')
 
   return {
-    id: data.id as number,
-    key: data.key as string,
+    id: data.id,
+    key: data.key,
   }
 }
 
@@ -241,7 +238,7 @@ describe('tests CLI upload options in parallel', () => {
     let createdPlainKey: string | null = null
 
     try {
-      const createdApikey = await createScopedApiKey('all', [ORG_ID])
+      const createdApikey = await createOrgBoundApiKey(ORG_ID)
       createdApikeyId = createdApikey.id
       createdPlainKey = createdApikey.key
 
@@ -264,12 +261,11 @@ describe('tests CLI upload options in parallel', () => {
     usedApps.push(app.APPNAME)
 
     const semver = getSemver()
-    const wrongOrgId = randomUUID()
     let createdApikeyId: number | null = null
     let createdPlainKey: string | null = null
 
     try {
-      const createdApikey = await createScopedApiKey('upload', [wrongOrgId])
+      const createdApikey = await createOrgBoundApiKey(NON_OWNER_ORG_ID, 'org_member')
       createdApikeyId = createdApikey.id
       createdPlainKey = createdApikey.key
 
diff --git a/tests/enforce-encrypted-bundles.test.ts b/tests/enforce-encrypted-bundles.test.ts
index 256849a633..76b0aeb4e0 100644
--- a/tests/enforce-encrypted-bundles.test.ts
+++ b/tests/enforce-encrypted-bundles.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { APIKEY_ENCRYPTED, APP_NAME_ENCRYPTED, getAuthHeadersForCredentials, getEndpointUrl, getSupabaseClient, ORG_ID_ENCRYPTED, SUPABASE_ANON_KEY, SUPABASE_BASE_URL, USER_ID, USER_ID_2, USER_ID_ENCRYPTED, USER_PASSWORD } from './test-utils.ts'
+import { APIKEY_ENCRYPTED, APP_NAME_ENCRYPTED, createDirectApiKeyWithBindings, getAuthHeadersForCredentials, getEndpointUrl, getSupabaseClient, ORG_ID_ENCRYPTED, SUPABASE_ANON_KEY, SUPABASE_BASE_URL, USER_ID, USER_ID_2, USER_ID_ENCRYPTED, USER_PASSWORD } from './test-utils.ts'
 
 // This test file uses ISOLATED test data seeded in seed.sql:
 // - USER_ID_ENCRYPTED: f6a7b8c9-d0e1-4f2a-9b3c-4d5e6f708193
@@ -171,21 +171,18 @@ beforeAll(async () => {
   // Ensure enforcement is disabled at the start of tests
   await resetEncryptedBundleSettings()
 
-  const { data: scopedApiKey, error: scopedApiKeyError } = await getSupabaseClient()
-    .from('apikeys')
-    .insert({
-      user_id: USER_ID_ENCRYPTED,
-      key: APIKEY_ENCRYPTED_SCOPED_NAME,
-      mode: 'all',
-      name: APIKEY_ENCRYPTED_SCOPED_NAME,
-      limited_to_apps: [APP_NAME_ENCRYPTED],
-      limited_to_orgs: [],
-    })
-    .select('key')
-    .single()
+  const scopedApiKey = await createDirectApiKeyWithBindings({
+    userId: USER_ID_ENCRYPTED,
+    key: APIKEY_ENCRYPTED_SCOPED_NAME,
+    name: APIKEY_ENCRYPTED_SCOPED_NAME,
+    orgId: ORG_ID_ENCRYPTED,
+    roleName: 'org_member',
+    appId: APP_NAME_ENCRYPTED,
+    appRoleName: 'app_admin',
+  })
 
-  if (scopedApiKeyError || !scopedApiKey?.key)
-    throw new Error(`Failed to seed scoped encrypted API key: ${scopedApiKeyError?.message ?? 'missing key'}`)
+  if (!scopedApiKey.key)
+    throw new Error('Failed to seed scoped encrypted API key')
 
   apiKeyEncryptedScoped = scopedApiKey.key
 
diff --git a/tests/files-security.test.ts b/tests/files-security.test.ts
index 005205f192..9091af4ddb 100644
--- a/tests/files-security.test.ts
+++ b/tests/files-security.test.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import {
   BASE_URL,
+  createDirectApiKeyWithBindings,
   executeSQL,
   fetchWithRetry,
   getEndpointUrl,
@@ -21,37 +22,40 @@ function buildAttachmentPath(orgId: string, appId: string, filename: string) {
 
 async function createSeededApiKey({
   appId,
-  limitedToApp,
-  mode,
+  role,
+  scope,
   name,
 }: {
   appId: string
-  limitedToApp: boolean
-  mode: 'all' | 'upload'
+  role: 'admin' | 'upload'
+  scope: 'app' | 'org'
   name: string
 }): Promise<{ id: number, key: string }> {
   // Seed keys directly so this suite only validates files behavior. API key
   // creation behavior is covered in the dedicated apikey suites and can
   // otherwise introduce unrelated worker-auth flakiness here.
-  const plainKey = randomUUID()
-  const keyRow = {
-    user_id: USER_ID,
-    key: plainKey,
-    key_hash: null,
-    mode,
-    name,
-    limited_to_apps: limitedToApp ? [appId] : null,
-  }
-
-  const { data: created, error } = await getSupabaseClient()
-    .from('apikeys')
-    .insert(keyRow)
-    .select('id, key')
+  const { data: app, error: appError } = await getSupabaseClient()
+    .from('apps')
+    .select('owner_org')
+    .eq('app_id', appId)
     .single()
 
-  if (error || !created) {
-    throw new Error(`Failed to seed ${mode} API key: ${error?.message ?? 'missing key row'}`)
-  }
+  if (appError || !app?.owner_org)
+    throw new Error(`Failed to resolve app ${appId}: ${appError?.message ?? 'missing owner org'}`)
+
+  const created = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
+    key: randomUUID(),
+    name,
+    orgId: app.owner_org,
+    roleName: role === 'admin' ? 'org_super_admin' : 'org_member',
+    ...(scope === 'app'
+      ? {
+          appId,
+          appRoleName: role === 'admin' ? 'app_admin' : 'app_uploader',
+        }
+      : {}),
+  })
 
   const key = created.key
 
@@ -117,7 +121,7 @@ describe('attachment upload plan gating regression', () => {
   beforeAll(async () => {
     await seedApp(appId, orgId, stripeCustomerId)
 
-    const createdKey = await createSeededApiKey({ appId, limitedToApp: true, mode: 'upload', name: `upload-only-${appId}` })
+    const createdKey = await createSeededApiKey({ appId, scope: 'app', role: 'upload', name: `upload-only-${appId}` })
     uploadKeyId = createdKey.id
     uploadKey = createdKey.key
 
@@ -164,7 +168,7 @@ describe('ready bundle upload immutability regression', () => {
   beforeAll(async () => {
     await seedApp(appId, orgId, stripeCustomerId)
 
-    const createdKey = await createSeededApiKey({ appId, limitedToApp: true, mode: 'upload', name: `upload-ready-${appId}` })
+    const createdKey = await createSeededApiKey({ appId, scope: 'app', role: 'upload', name: `upload-ready-${appId}` })
     uploadKeyId = createdKey.id
     uploadKey = createdKey.key
     readyBundle = await seedReadyBundle(appId, orgId, `ready-${scopeId}.zip`)
@@ -204,11 +208,11 @@ describe('attachment reads after app deletion', () => {
 
   beforeAll(async () => {
     await seedApp(appId, orgId, stripeCustomerId)
-    const createdUploadKey = await createSeededApiKey({ appId, limitedToApp: true, mode: 'upload', name: `upload-cleanup-${appId}` })
+    const createdUploadKey = await createSeededApiKey({ appId, scope: 'org', role: 'admin', name: `upload-cleanup-${appId}` })
     uploadKeyId = createdUploadKey.id
     uploadKey = createdUploadKey.key
 
-    const createdDeleteKey = await createSeededApiKey({ appId, limitedToApp: false, mode: 'all', name: `delete-cleanup-${appId}` })
+    const createdDeleteKey = await createSeededApiKey({ appId, scope: 'org', role: 'admin', name: `delete-cleanup-${appId}` })
     deleteKeyId = createdDeleteKey.id
     deleteKey = createdDeleteKey.key
   }, 60_000)
diff --git a/tests/hashed-apikey-rls.test.ts b/tests/hashed-apikey-rls.test.ts
index d39f50b5ba..e90cd34813 100644
--- a/tests/hashed-apikey-rls.test.ts
+++ b/tests/hashed-apikey-rls.test.ts
@@ -8,6 +8,7 @@
  * IMPORTANT: This test uses a completely isolated user (USER_ID_RLS) with its own
  * org and API key to prevent interference with other tests that create/delete API keys.
  */
+import type { PoolClient } from 'pg'
 import { randomUUID } from 'node:crypto'
 import { createClient } from '@supabase/supabase-js'
 import { Pool } from 'pg'
@@ -33,13 +34,29 @@ let originalEnforcing2fa: boolean | null = null
 async function execWithCapgkey(sql: string, capgkey: string): Promise<any> {
   const client = await pool.connect()
   try {
-    // Set the capgkey header in request.headers (how Supabase passes it to RLS)
-    await client.query(`SET request.headers = '{"capgkey": "${capgkey}"}'`)
-    const result = await client.query(sql)
-    return result.rows
+    await client.query('BEGIN')
+    try {
+      // Set the capgkey header in request.headers (how Supabase passes it to RLS)
+      await client.query(
+        'SELECT set_config(\'request.headers\', $1, true)',
+        [JSON.stringify({ capgkey })],
+      )
+      const result = await client.query(sql)
+      await client.query('COMMIT')
+      return result.rows
+    }
+    catch (error) {
+      try {
+        await client.query('ROLLBACK')
+      }
+      catch {
+        // Ignore rollback failures for clearer root error handling.
+      }
+      throw error
+    }
   }
   finally {
-    client.release()
+    client.release(true)
   }
 }
 
@@ -91,7 +108,7 @@ async function execWithRoleClaims(
     }
   }
   finally {
-    client.release()
+    client.release(true)
   }
 }
 
@@ -126,26 +143,76 @@ async function execAsRoleWithCapgkey(
     }
   }
   finally {
-    client.release()
+    client.release(true)
   }
 }
 
-// Helper to create a hashed API key via the API
+interface ApiKeyAccessOptions {
+  orgId?: string
+  orgRoleName?: 'org_admin' | 'org_member'
+  appId?: string
+  appRoleName?: 'app_admin' | 'app_developer' | 'app_reader' | 'app_uploader'
+}
+
+async function bindApiKeyRole(
+  client: PoolClient,
+  rbacId: string,
+  userId: string,
+  roleName: string,
+  scopeType: 'app' | 'org',
+  orgId: string,
+  appUuid: string | null = null,
+) {
+  await client.query(
+    `INSERT INTO public.role_bindings (principal_type, principal_id, role_id, scope_type, org_id, app_id, granted_by, reason, is_direct)
+     SELECT 'apikey', $1::uuid, roles.id, $2, $3::uuid, $4::uuid, $5::uuid, $6, true
+     FROM public.roles
+     WHERE roles.name = $7`,
+    [rbacId, scopeType, orgId, appUuid, userId, 'Hashed API key RLS test binding', roleName],
+  )
+}
+
+async function bindApiKeyAccess(client: PoolClient, rbacId: string, userId: string, options: ApiKeyAccessOptions = {}) {
+  const orgId = options.orgId ?? ORG_ID_RLS
+  await bindApiKeyRole(client, rbacId, userId, options.orgRoleName ?? 'org_admin', 'org', orgId)
+
+  if (!options.appId)
+    return
+
+  const appResult = await client.query(
+    'SELECT id, owner_org FROM public.apps WHERE app_id = $1 LIMIT 1',
+    [options.appId],
+  )
+  const app = appResult.rows[0]
+  if (!app?.id || !app.owner_org)
+    throw new Error(`Unable to resolve app ${options.appId}`)
+
+  await bindApiKeyRole(
+    client,
+    rbacId,
+    userId,
+    options.appRoleName ?? 'app_admin',
+    'app',
+    app.owner_org,
+    app.id,
+  )
+}
+
+// Helper to create a hashed API key via the database
 async function createHashedApiKey(
   name: string,
-  mode: 'all' | 'write' | 'read' | 'upload' = 'all',
-  limitedToOrgs: string[] = [],
-  limitedToApps: string[] = [],
+  options: ApiKeyAccessOptions = {},
 ): Promise<{ id: number, key: string, key_hash: string }> {
   const client = await pool.connect()
   const plainKey = randomUUID()
   try {
     const { rows } = await client.query(
-      `INSERT INTO public.apikeys (user_id, key, key_hash, mode, name, limited_to_orgs, limited_to_apps)
-       VALUES ($1, NULL, encode(extensions.digest($2, 'sha256'), 'hex'), $3, $4, $5, $6)
-       RETURNING id, key_hash`,
-      [RLS_TEST_USER_ID, plainKey, mode, name, limitedToOrgs, limitedToApps],
+      `INSERT INTO public.apikeys (user_id, key, key_hash, name)
+       VALUES ($1, NULL, encode(extensions.digest($2, 'sha256'), 'hex'), $3)
+       RETURNING id, key_hash, rbac_id`,
+      [RLS_TEST_USER_ID, plainKey, name],
     )
+    await bindApiKeyAccess(client, rows[0].rbac_id, RLS_TEST_USER_ID, options)
     return { id: Number(rows[0].id), key: plainKey, key_hash: rows[0].key_hash }
   }
   finally {
@@ -153,22 +220,21 @@ async function createHashedApiKey(
   }
 }
 
-// Helper to create a plain API key via the API
+// Helper to create a plain API key via the database
 async function createPlainApiKey(
   name: string,
-  mode: 'all' | 'write' | 'read' | 'upload' = 'all',
-  limitedToOrgs: string[] = [],
-  limitedToApps: string[] = [],
+  options: ApiKeyAccessOptions = {},
 ): Promise<{ id: number, key: string }> {
   const client = await pool.connect()
   const plainKey = randomUUID()
   try {
     const { rows } = await client.query(
-      `INSERT INTO public.apikeys (user_id, key, mode, name, limited_to_orgs, limited_to_apps)
-       VALUES ($1, $2, $3, $4, $5, $6)
-       RETURNING id, key`,
-      [RLS_TEST_USER_ID, plainKey, mode, name, limitedToOrgs, limitedToApps],
+      `INSERT INTO public.apikeys (user_id, key, name)
+       VALUES ($1, $2, $3)
+       RETURNING id, key, rbac_id`,
+      [RLS_TEST_USER_ID, plainKey, name],
     )
+    await bindApiKeyAccess(client, rows[0].rbac_id, RLS_TEST_USER_ID, options)
     return { id: Number(rows[0].id), key: rows[0].key }
   }
   finally {
@@ -546,28 +612,6 @@ describe('get_identity() with hashed API keys', () => {
     expect(rows[0].user_id).toBeNull()
   })
 
-  it('returns NULL when key mode does not match', async () => {
-    // Create a read-only key
-    const readOnlyKey = await createHashedApiKey('test-readonly-key')
-    // Update it to read mode
-    const client = await pool.connect()
-    try {
-      await client.query('UPDATE apikeys SET mode = $1 WHERE id = $2', ['read', readOnlyKey.id])
-    }
-    finally {
-      client.release()
-    }
-
-    // Try to use it with write mode requirement
-    const rows = await execWithCapgkey(
-      `SELECT get_identity('{write}'::key_mode[]) as user_id`,
-      readOnlyKey.key,
-    )
-    expect(rows[0].user_id).toBeNull()
-
-    await deleteApiKey(readOnlyKey.id)
-  })
-
   it('returns NULL for expired hashed API key', async () => {
     const expiredKey = await createHashedApiKey('test-expired-hashed')
     // Set expiration to yesterday
@@ -604,8 +648,8 @@ describe('enforce_hashed_api_keys blocks plaintext capgkey auth on the RLS plane
 
   beforeAll(async () => {
     suiteOrgId = await createEnforcedMemberOrgForUser(RLS_TEST_USER_ID, true)
-    hashedKey = await createHashedApiKey('test-hashed-enforced-rls')
-    plainKey = await createPlainApiKey('test-plain-enforced-rls')
+    hashedKey = await createHashedApiKey('test-hashed-enforced-rls', { orgId: suiteOrgId })
+    plainKey = await createPlainApiKey('test-plain-enforced-rls', { orgId: suiteOrgId })
   }, 60000)
 
   afterAll(async () => {
@@ -662,7 +706,7 @@ describe('enforce_hashed_api_keys blocks plaintext capgkey auth on the RLS plane
     }
   })
 
-  it('rejects a plain API key when hashed enforcement is reached through RBAC-only org membership', async () => {
+  it('does not reject a plain API key for an enforced org that is only bound to the user', async () => {
     const rbacOnlyOrgId = await createEnforcedRbacOnlyOrgForUser(RLS_TEST_USER_ID)
 
     try {
@@ -672,7 +716,7 @@ describe('enforce_hashed_api_keys blocks plaintext capgkey auth on the RLS plane
         `SELECT get_identity('{all,write,read,upload}'::key_mode[]) AS user_id`,
         plainKey.key,
       )
-      expect(rows[0].user_id).toBeNull()
+      expect(rows[0].user_id).toBe(RLS_TEST_USER_ID)
     }
     finally {
       await setOrgHashedApiKeyEnforcement(suiteOrgId, true)
@@ -787,29 +831,17 @@ describe('get_identity_apikey_only() with hashed API keys', () => {
 
 describe('get_identity_org_allowed() with hashed API keys', () => {
   let hashedKey: { id: number, key: string, key_hash: string }
-  let limitedKey: { id: number, key: string, key_hash: string }
+  let otherOrgKey: { id: number, key: string, key_hash: string }
 
   beforeAll(async () => {
     hashedKey = await createHashedApiKey('test-hashed-org-allowed')
-    limitedKey = await createHashedApiKey('test-limited-org')
-
-    // Limit the second key to a different org
-    const client = await pool.connect()
-    try {
-      await client.query(
-        `UPDATE apikeys SET limited_to_orgs = $1 WHERE id = $2`,
-        [['00000000-0000-0000-0000-000000000000'], limitedKey.id], // Non-existent org
-      )
-    }
-    finally {
-      client.release()
-    }
+    otherOrgKey = await createHashedApiKey('test-other-org', { orgId: ORG_ID_2 })
   }, 60000)
 
   afterAll(async () => {
     await deleteApiKey(hashedKey.id)
-    await deleteApiKey(limitedKey.id)
-  })
+    await deleteApiKey(otherOrgKey.id)
+  }, 60000)
 
   it('returns user_id for hashed API key with matching org', async () => {
     const rows = await execWithCapgkey(
@@ -819,10 +851,10 @@ describe('get_identity_org_allowed() with hashed API keys', () => {
     expect(rows[0].user_id).toBe(RLS_TEST_USER_ID)
   })
 
-  it('returns NULL for hashed API key limited to different org', async () => {
+  it('returns NULL for hashed API key bound to different org', async () => {
     const rows = await execWithCapgkey(
       `SELECT get_identity_org_allowed('{all,write,read,upload}'::key_mode[], '${ORG_ID_RLS}'::uuid) as user_id`,
-      limitedKey.key,
+      otherOrgKey.key,
     )
     expect(rows[0].user_id).toBeNull()
   })
@@ -838,28 +870,16 @@ describe('get_identity_org_allowed() with hashed API keys', () => {
 
 describe('get_identity_org_appid() with hashed API keys', () => {
   let hashedKey: { id: number, key: string, key_hash: string }
-  let appLimitedKey: { id: number, key: string, key_hash: string }
+  let otherOrgKey: { id: number, key: string, key_hash: string }
 
   beforeAll(async () => {
     hashedKey = await createHashedApiKey('test-hashed-org-appid')
-    appLimitedKey = await createHashedApiKey('test-limited-app')
-
-    // Limit the second key to a different app
-    const client = await pool.connect()
-    try {
-      await client.query(
-        `UPDATE apikeys SET limited_to_apps = $1 WHERE id = $2`,
-        [['com.nonexistent.app'], appLimitedKey.id],
-      )
-    }
-    finally {
-      client.release()
-    }
+    otherOrgKey = await createHashedApiKey('test-other-org-app', { orgId: ORG_ID_2 })
   }, 60000)
 
   afterAll(async () => {
     await deleteApiKey(hashedKey.id)
-    await deleteApiKey(appLimitedKey.id)
+    await deleteApiKey(otherOrgKey.id)
   })
 
   it('returns user_id for hashed API key with matching app', async () => {
@@ -870,10 +890,10 @@ describe('get_identity_org_appid() with hashed API keys', () => {
     expect(rows[0].user_id).toBe(RLS_TEST_USER_ID)
   })
 
-  it('returns NULL for hashed API key limited to different app', async () => {
+  it('returns NULL for hashed API key without requested app permission', async () => {
     const rows = await execWithCapgkey(
       `SELECT get_identity_org_appid('{all,write,read,upload}'::key_mode[], '${ORG_ID_RLS}'::uuid, '${APP_NAME_RLS}') as user_id`,
-      appLimitedKey.key,
+      otherOrgKey.key,
     )
     expect(rows[0].user_id).toBeNull()
   })
@@ -1050,8 +1070,18 @@ describe('channels rls blocks direct api-key updates', () => {
   const channelName = `rls-direct-channel-${randomUUID().slice(0, 8)}`
 
   beforeAll(async () => {
-    allKey = await createHashedApiKey('test-channel-direct-all-key', 'all', [ORG_ID_RLS], [APP_NAME_RLS])
-    writeKey = await createHashedApiKey('test-channel-direct-write-key', 'write', [ORG_ID_RLS], [APP_NAME_RLS])
+    allKey = await createHashedApiKey('test-channel-direct-admin-key', {
+      orgId: ORG_ID_RLS,
+      orgRoleName: 'org_admin',
+      appId: APP_NAME_RLS,
+      appRoleName: 'app_admin',
+    })
+    writeKey = await createHashedApiKey('test-channel-direct-developer-key', {
+      orgId: ORG_ID_RLS,
+      orgRoleName: 'org_member',
+      appId: APP_NAME_RLS,
+      appRoleName: 'app_developer',
+    })
 
     const versionResult = await pool.query(
       `INSERT INTO public.app_versions (app_id, name, owner_org, user_id, checksum, storage_provider, r2_path, deleted)
@@ -1100,7 +1130,7 @@ describe('channels rls blocks direct api-key updates', () => {
       await deleteApiKey(writeKey.id)
   })
 
-  it('does not let a write-scoped API key mutate protected channel fields via anon role access', async () => {
+  it('does not let a developer API key mutate protected channel fields via anon role access', async () => {
     if (!writeKey || !channelId)
       throw new Error('RLS channel test setup did not complete')
 
@@ -1127,7 +1157,7 @@ describe('channels rls blocks direct api-key updates', () => {
     expect(rows[0].allow_emulator).toBe(false)
   })
 
-  it('still lets an all-scoped API key mutate supported channel fields via anon role access', async () => {
+  it('still lets an admin API key mutate supported channel fields via anon role access', async () => {
     if (!allKey || !channelId)
       throw new Error('RLS channel test setup did not complete')
 
@@ -1154,23 +1184,15 @@ describe('channels rls blocks direct api-key updates', () => {
   })
 })
 
-describe('webhook and webhook_delivery rls with api-key org scope precedence', () => {
-  let limitedKey: { id: number, key: string, key_hash: string }
-  let scopedKey: { id: number, key: string, key_hash: string }
+describe('webhook and webhook_delivery rls with api-key org bindings', () => {
+  let unauthorizedKey: { id: number, key: string, key_hash: string }
+  let authorizedKey: { id: number, key: string, key_hash: string }
   let webhookId: string
   let deliveryId: string
 
   beforeAll(async () => {
-    limitedKey = await createHashedApiKey('rls-webhook-org-scope-key', 'all')
-    scopedKey = await createHashedApiKey('rls-webhook-org-scope-update-key', 'all')
-    await pool.query(
-      `UPDATE public.apikeys SET limited_to_orgs = $1 WHERE id = $2`,
-      [['00000000-0000-0000-0000-000000000000'], limitedKey.id],
-    )
-    await pool.query(
-      `UPDATE public.apikeys SET limited_to_orgs = $1 WHERE id = $2`,
-      [[ORG_ID_RLS], scopedKey.id],
-    )
+    unauthorizedKey = await createHashedApiKey('rls-webhook-other-org-key', { orgId: ORG_ID_2 })
+    authorizedKey = await createHashedApiKey('rls-webhook-org-bound-key', { orgId: ORG_ID_RLS })
 
     webhookId = randomUUID()
     await pool.query(
@@ -1205,8 +1227,8 @@ describe('webhook and webhook_delivery rls with api-key org scope precedence', (
   afterAll(async () => {
     await pool.query('DELETE FROM public.webhook_deliveries WHERE id = $1', [deliveryId])
     await pool.query('DELETE FROM public.webhooks WHERE id = $1', [webhookId])
-    await deleteApiKey(limitedKey.id)
-    await deleteApiKey(scopedKey.id)
+    await deleteApiKey(unauthorizedKey.id)
+    await deleteApiKey(authorizedKey.id)
   })
 
   it('denies direct webhook reads even when API key scope matches', async () => {
@@ -1220,7 +1242,7 @@ describe('webhook and webhook_delivery rls with api-key org scope precedence', (
             role: 'authenticated',
             aud: 'authenticated',
           },
-          headers: { capgkey: scopedKey.key },
+          headers: { capgkey: authorizedKey.key },
           params: [webhookId],
         },
       ),
@@ -1236,7 +1258,7 @@ describe('webhook and webhook_delivery rls with api-key org scope precedence', (
             role: 'authenticated',
             aud: 'authenticated',
           },
-          headers: { capgkey: scopedKey.key },
+          headers: { capgkey: authorizedKey.key },
           params: [deliveryId],
         },
       ),
@@ -1244,21 +1266,19 @@ describe('webhook and webhook_delivery rls with api-key org scope precedence', (
   })
 
   it('prevents webhook_delivery org_id changes when update payload org_id is unauthorized', async () => {
-    await expect(
-      execWithRoleClaims(
-        'UPDATE public.webhook_deliveries SET org_id = $1 WHERE id = $2',
-        {
+    await expect(execWithRoleClaims(
+      'UPDATE public.webhook_deliveries SET org_id = $1 WHERE id = $2',
+      {
+        role: 'authenticated',
+        claims: {
+          sub: USER_ID_RLS,
           role: 'authenticated',
-          claims: {
-            sub: USER_ID_RLS,
-            role: 'authenticated',
-            aud: 'authenticated',
-          },
-          headers: { capgkey: scopedKey.key },
-          params: [ORG_ID_2, deliveryId],
+          aud: 'authenticated',
         },
-      ),
-    ).rejects.toMatchObject({ code: '42501' })
+        headers: { capgkey: authorizedKey.key },
+        params: [ORG_ID_2, deliveryId],
+      },
+    )).rejects.toMatchObject({ code: '42501' })
 
     const { rows } = await pool.query(
       'SELECT org_id FROM public.webhook_deliveries WHERE id = $1',
diff --git a/tests/invites.unit.test.ts b/tests/invites.unit.test.ts
index c15035e0c1..7337d4cc85 100644
--- a/tests/invites.unit.test.ts
+++ b/tests/invites.unit.test.ts
@@ -1,40 +1,15 @@
 import { describe, expect, it } from 'vitest'
-import { shouldAttemptExistingUserInviteNotification, shouldNotifyExistingUserInvite } from '../src/utils/invites'
-
-describe('shouldNotifyExistingUserInvite', () => {
-  it.concurrent('returns true for RBAC invite roles', () => {
-    expect(shouldNotifyExistingUserInvite('org_admin', true)).toBe(true)
-    expect(shouldNotifyExistingUserInvite('org_super_admin', true)).toBe(true)
-  })
-
-  it.concurrent('returns true for legacy invite rows', () => {
-    expect(shouldNotifyExistingUserInvite('invite_admin', false)).toBe(true)
-    expect(shouldNotifyExistingUserInvite('invite_super_admin', false)).toBe(true)
-  })
-
-  it.concurrent('returns false for legacy direct membership roles', () => {
-    expect(shouldNotifyExistingUserInvite('admin', false)).toBe(false)
-    expect(shouldNotifyExistingUserInvite('super_admin', false)).toBe(false)
-  })
-})
+import { shouldAttemptExistingUserInviteNotification } from '../src/utils/invites'
 
 describe('shouldAttemptExistingUserInviteNotification', () => {
   it.concurrent('returns true for new invites and pending invite resends', () => {
-    expect(shouldAttemptExistingUserInviteNotification('OK', 'invite_admin', false)).toBe(true)
-    expect(shouldAttemptExistingUserInviteNotification('OK', 'org_admin', true)).toBe(true)
-    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', 'invite_admin', false, true)).toBe(true)
-    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', 'org_admin', true, true)).toBe(true)
+    expect(shouldAttemptExistingUserInviteNotification('OK')).toBe(true)
+    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', true)).toBe(true)
   })
 
   it.concurrent('returns false for outputs that should not send email', () => {
-    expect(shouldAttemptExistingUserInviteNotification('NO_EMAIL', 'invite_admin', false)).toBe(false)
-    expect(shouldAttemptExistingUserInviteNotification('CAN_NOT_INVITE_OWNER', 'org_admin', true)).toBe(false)
-    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', 'invite_admin', false)).toBe(false)
-    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', 'org_admin', true)).toBe(false)
-  })
-
-  it.concurrent('returns false for legacy direct membership roles', () => {
-    expect(shouldAttemptExistingUserInviteNotification('OK', 'admin', false)).toBe(false)
-    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED', 'super_admin', false)).toBe(false)
+    expect(shouldAttemptExistingUserInviteNotification('NO_EMAIL')).toBe(false)
+    expect(shouldAttemptExistingUserInviteNotification('CAN_NOT_INVITE_OWNER')).toBe(false)
+    expect(shouldAttemptExistingUserInviteNotification('ALREADY_INVITED')).toBe(false)
   })
 })
diff --git a/tests/manifest-rls.test.ts b/tests/manifest-rls.test.ts
index 91a73219ed..4a283f07b0 100644
--- a/tests/manifest-rls.test.ts
+++ b/tests/manifest-rls.test.ts
@@ -1,8 +1,8 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import {
-  APIKEY_TEST2_ALL,
   APIKEY_TEST_ALL,
+  createDirectApiKeyWithBindings,
   fetchWithRetry,
   getAuthHeaders,
   getAuthHeadersForCredentials,
@@ -26,10 +26,13 @@ const READ_ONLY_ORG_ID = randomUUID()
 const READ_ONLY_STRIPE_CUSTOMER_ID = `cus_manifest_rls_${id.replaceAll('-', '')}`
 const READ_ONLY_VISIBLE_FILE = 'read-only-visible.js'
 const OTHER_USER_EMAIL = 'test2@capgo.app'
+const otherOrgOnlyApiKeyInput = randomUUID()
 
 let authHeadersUser1: Record<string, string>
 let authHeadersUser2: Record<string, string>
 let authHeadersNonMember: Record<string, string>
+let otherOrgOnlyApiKey: string
+let otherOrgOnlyApiKeyId: number | null = null
 let ownVersionId: number
 let otherVersionId: number
 let readOnlyVersionId: number
@@ -190,6 +193,20 @@ beforeAll(async () => {
 
   readOnlyVersionId = readOnlyVersion.id
 
+  const apiKey = await createDirectApiKeyWithBindings({
+    userId: USER_ID_2,
+    key: otherOrgOnlyApiKeyInput,
+    name: `manifest-other-org-${id}`,
+    orgId: ORG_ID_2,
+    roleName: 'org_super_admin',
+    appId: APP_OTHER,
+    appRoleName: 'app_admin',
+  })
+  if (!apiKey.key)
+    throw new Error('Failed to create manifest API key')
+  otherOrgOnlyApiKey = apiKey.key
+  otherOrgOnlyApiKeyId = apiKey.id
+
   await supabase.from('org_users').insert({
     org_id: READ_ONLY_ORG_ID,
     user_id: USER_ID_NONMEMBER,
@@ -222,6 +239,14 @@ beforeAll(async () => {
 }, 120000)
 
 afterAll(async () => {
+  if (otherOrgOnlyApiKeyId !== null) {
+    await getSupabaseClient()
+      .from('apikeys')
+      .delete()
+      .eq('id', otherOrgOnlyApiKeyId)
+      .throwOnError()
+  }
+
   await getSupabaseClient()
     .from('org_users')
     .delete()
@@ -282,7 +307,7 @@ describe('manifest RLS', () => {
   it.concurrent('prevents an API key from reading another org\'s manifest entries', async () => {
     const { response, data } = await fetchManifestRows({
       ...restApiKeyHeaders,
-      capgkey: APIKEY_TEST2_ALL,
+      capgkey: otherOrgOnlyApiKey,
     }, ownVersionId)
 
     expect(response.status).toBe(200)
diff --git a/tests/org-email-notifications-send-once.unit.test.ts b/tests/org-email-notifications-send-once.unit.test.ts
index e929d697ae..eadcc53ed7 100644
--- a/tests/org-email-notifications-send-once.unit.test.ts
+++ b/tests/org-email-notifications-send-once.unit.test.ts
@@ -86,7 +86,11 @@ function createDrizzleStub(options?: {
     }
     if (
       table === schema.role_bindings
-      || table === schema.group_members
+    ) {
+      return adminUsers.map(user => ({ principal_id: user.id, expires_at: null }))
+    }
+    if (
+      table === schema.group_members
     ) {
       return []
     }
diff --git a/tests/organization-api.test.ts b/tests/organization-api.test.ts
index d26c4908f3..82deef9976 100644
--- a/tests/organization-api.test.ts
+++ b/tests/organization-api.test.ts
@@ -7,10 +7,12 @@ import { parseSchema, safeParseSchema } from '../supabase/functions/_backend/uti
 
 import {
   BASE_URL,
+  createDirectApiKeyWithBindings,
+  getAuthHeaders,
   getAuthHeadersForCredentials,
   getSupabaseClient,
-  headers,
   normalizeLocalhostUrl,
+  orgApiKeyBindings,
   SUPABASE_ANON_KEY,
   SUPABASE_BASE_URL,
   TEST_EMAIL,
@@ -28,8 +30,13 @@ const globalId = randomUUID()
 const name = `Test Organization ${globalId}`
 const customerId = `cus_test_${ORG_ID}`
 const website = 'https://test-organization.example/'
+let headers: Record<string, string>
+let authHeaders: Record<string, string>
+let organizationApiKeyId = 0
 
 beforeAll(async () => {
+  authHeaders = await getAuthHeaders()
+
   // Create stripe_info for this test org
   const { error: stripeError } = await getSupabaseClient().from('stripe_info').insert({
     customer_id: customerId,
@@ -49,7 +56,7 @@ beforeAll(async () => {
     created_by: USER_ID,
     customer_id: customerId,
     website,
-    use_new_rbac: false, // Explicitly legacy — this suite tests the legacy permission path
+    use_new_rbac: false, // Compatibility flag is ignored; permissions are RBAC-backed.
   })
   if (error)
     throw error
@@ -62,16 +69,35 @@ beforeAll(async () => {
   })
   if (orgUserError)
     throw orgUserError
+
+  const createdKey = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
+    key: randomUUID(),
+    name: `Organization API suite ${randomUUID()}`,
+    orgId: ORG_ID,
+    roleName: 'org_super_admin',
+  })
+  if (!createdKey?.key || typeof createdKey.id !== 'number') {
+    throw new Error('Failed to seed organization API key')
+  }
+  organizationApiKeyId = createdKey.id
+  headers = {
+    'Content-Type': 'application/json',
+    'capgkey': createdKey.key,
+  }
 })
 
 afterAll(async () => {
   // Clean up test organization, org_users relation, and stripe_info
+  if (organizationApiKeyId) {
+    await getSupabaseClient().from('apikeys').delete().eq('id', organizationApiKeyId)
+  }
   await getSupabaseClient().from('org_users').delete().eq('org_id', ORG_ID)
   await getSupabaseClient().from('orgs').delete().eq('id', ORG_ID)
   await getSupabaseClient().from('stripe_info').delete().eq('customer_id', customerId)
 })
 
-describe('read-mode API keys cannot access destructive organization routes', () => {
+describe('read-only API keys cannot access destructive organization routes', () => {
   const readOnlyOrgId = randomUUID()
   const readOnlyGlobalId = randomUUID()
   const readOnlyName = `Test Read-Only Organization ${readOnlyGlobalId}`
@@ -100,7 +126,7 @@ describe('read-mode API keys cannot access destructive organization routes', ()
       created_by: USER_ID,
       customer_id: readOnlyCustomerId,
       require_apikey_expiration: false,
-      use_new_rbac: false, // Explicitly legacy — this suite tests the legacy permission path
+      use_new_rbac: false, // Compatibility flag is ignored; permissions are RBAC-backed.
     })
     expect(orgError).toBeNull()
 
@@ -111,22 +137,13 @@ describe('read-mode API keys cannot access destructive organization routes', ()
     })
     expect(orgUserError).toBeNull()
 
-    // Seed the key directly so this suite stays focused on organization-route auth.
-    // API key creation behavior is covered in apikey-specific tests and can run in parallel.
-    const { data: createdKey, error: createError } = await getSupabaseClient()
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'read',
-        name: `Organization read-only regression ${randomUUID()}`,
-        limited_to_orgs: [readOnlyOrgId],
-      })
-      .select('id, key')
-      .single()
-
-    expect(createError).toBeNull()
+    const createdKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Organization read-only regression ${randomUUID()}`,
+      orgId: readOnlyOrgId,
+      roleName: 'org_member',
+    })
     expect(createdKey?.id).toBeTypeOf('number')
     expect(createdKey?.key).toBeTypeOf('string')
     if (!createdKey?.key || typeof createdKey.id !== 'number') {
@@ -157,7 +174,9 @@ describe('read-mode API keys cannot access destructive organization routes', ()
       }),
     })
 
-    expect(response.status).toBe(401)
+    expect(response.status).toBe(400)
+    const payload = await response.json() as { error: string }
+    expect(payload.error).toBe('cannot_access_organization')
   })
 
   it.concurrent('rejects DELETE /organization/members', async () => {
@@ -166,7 +185,9 @@ describe('read-mode API keys cannot access destructive organization routes', ()
       method: 'DELETE',
     })
 
-    expect(response.status).toBe(401)
+    expect(response.status).toBe(400)
+    const payload = await response.json() as { error: string }
+    expect(payload.error).toBe('cannot_access_organization')
   })
 
   it.concurrent('rejects PUT /organization', async () => {
@@ -179,7 +200,9 @@ describe('read-mode API keys cannot access destructive organization routes', ()
       }),
     })
 
-    expect(response.status).toBe(401)
+    expect(response.status).toBe(400)
+    const payload = await response.json() as { error: string }
+    expect(payload.error).toBe('cannot_access_organization')
   })
 
   it.concurrent('rejects POST /organization', async () => {
@@ -193,7 +216,7 @@ describe('read-mode API keys cannot access destructive organization routes', ()
     })
 
     expect(response.status).toBe(401)
-    // Ensure this is blocked by API-key auth (key mode allowlist), not by RLS deeper in the handler.
+    // Ensure this is blocked by API-key auth, not by RLS deeper in the handler.
     const payload = await response.json() as { error?: string }
     expect(payload.error).toBe('invalid_apikey')
   })
@@ -204,7 +227,9 @@ describe('read-mode API keys cannot access destructive organization routes', ()
       method: 'DELETE',
     })
 
-    expect(response.status).toBe(401)
+    expect(response.status).toBe(403)
+    const payload = await response.json() as { error: string }
+    expect(payload.error).toBe('invalid_org_id')
   })
 
   it.concurrent('allows GET /organization for accessible organizations', async () => {
@@ -248,7 +273,7 @@ describe('read-mode API keys cannot access destructive organization routes', ()
     expect(parseSchema(members, await response.json()).some(member => member.uid === USER_ID)).toBe(true)
   })
 
-  it.concurrent('rejects GET /organization/members outside limited_to_orgs scope', async () => {
+  it.concurrent('rejects GET /organization/members outside bound organization scope', async () => {
     const response = await fetch(`${BASE_URL}/organization/members?orgId=${ORG_ID}`, {
       headers: { ...readOnlyHeaders, capgkey: readOnlyKey },
       method: 'GET',
@@ -259,15 +284,15 @@ describe('read-mode API keys cannot access destructive organization routes', ()
     expect(payload.error).toBe('cannot_access_organization')
   })
 
-  it.concurrent('allows GET /organization/audit for accessible organizations', async () => {
+  it.concurrent('rejects GET /organization/audit without audit-log permission', async () => {
     const response = await fetch(`${BASE_URL}/organization/audit?orgId=${readOnlyOrgId}`, {
       headers: { ...readOnlyHeaders, capgkey: readOnlyKey },
       method: 'GET',
     })
 
-    expect(response.status).toBe(200)
-    // The audit endpoint is allowed for read-mode keys; payload may be empty for a new org.
-    expect(await response.json()).toBeDefined()
+    expect(response.status).toBe(400)
+    const payload = await response.json() as { error: string }
+    expect(payload.error).toBe('invalid_org_id')
   })
 })
 
@@ -311,20 +336,13 @@ describe('scoped write API keys cannot cross organization boundaries', () => {
     })
     expect(targetOrgError).toBeNull()
 
-    const { data: createdKey, error: createKeyError } = await getSupabaseClient()
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'write',
-        name: scopedKeyName,
-        limited_to_orgs: [allowedOrgId],
-      })
-      .select('id, key')
-      .single()
-
-    expect(createKeyError).toBeNull()
+    const createdKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: scopedKeyName,
+      orgId: allowedOrgId,
+      roleName: 'org_admin',
+    })
     expect(createdKey?.key).toBeTruthy()
     expect(createdKey?.id).toBeTypeOf('number')
 
@@ -362,7 +380,7 @@ describe('scoped write API keys cannot cross organization boundaries', () => {
     await getSupabaseClient().from('stripe_info').delete().eq('customer_id', targetCustomerId)
   })
 
-  it.concurrent('rejects DELETE /organization outside limited_to_orgs scope without deleting images', async () => {
+  it.concurrent('rejects DELETE /organization outside bound organization scope without deleting images', async () => {
     const response = await fetch(`${BASE_URL}/organization?orgId=${targetOrgId}`, {
       headers: {
         'Content-Type': 'application/json',
@@ -393,9 +411,23 @@ describe('scoped write API keys cannot cross organization boundaries', () => {
     expect(imageList?.some(file => file.name === imagePath.split('/').at(-1))).toBe(true)
   })
 
-  it.concurrent('rejects DELETE /organization/members outside limited_to_orgs scope without deleting role bindings', async () => {
+  it.concurrent('rejects DELETE /organization/members outside bound organization scope without deleting role bindings', async () => {
+    const setupKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Scoped target setup ${randomUUID()}`,
+      orgId: targetOrgId,
+      roleName: 'org_super_admin',
+    })
+    if (!setupKey?.key || typeof setupKey.id !== 'number')
+      throw new Error('Failed to seed scoped setup API key')
+    const setupHeaders = {
+      'Content-Type': 'application/json',
+      'capgkey': setupKey.key,
+    }
+
     const addMemberResponse = await fetch(`${BASE_URL}/organization/members`, {
-      headers,
+      headers: setupHeaders,
       method: 'POST',
       body: JSON.stringify({
         orgId: targetOrgId,
@@ -452,6 +484,7 @@ describe('scoped write API keys cannot cross organization boundaries', () => {
     expect(bindingsAfter!.length).toBeGreaterThan(0)
 
     await getSupabaseClient().from('org_users').delete().eq('org_id', targetOrgId).eq('user_id', userData!.id)
+    await getSupabaseClient().from('apikeys').delete().eq('id', setupKey.id)
   })
 })
 
@@ -513,40 +546,47 @@ describe('x-limited-key-id subkeys enforce organization scope on middlewareKey r
     ])
     expect(orgUsersError).toBeNull()
 
-    const { data: parentKeyData, error: parentKeyError } = await supabase
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'all',
-        name: `Parent key ${randomUUID()}`,
-        limited_to_orgs: [],
-        limited_to_apps: [],
-      })
-      .select('id, key')
-      .single()
-    expect(parentKeyError).toBeNull()
+    const parentKeyData = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Parent key ${randomUUID()}`,
+      orgId: scopedOrgId,
+      roleName: 'org_admin',
+    })
     if (!parentKeyData?.key || typeof parentKeyData.id !== 'number') {
       throw new TypeError('Failed to seed parent API key')
     }
     parentKey = parentKeyData.key
     parentKeyId = parentKeyData.id
 
-    const { data: subkeyData, error: subkeyError } = await supabase
-      .from('apikeys')
-      .insert({
-        user_id: USER_ID,
-        key: randomUUID(),
-        key_hash: null,
-        mode: 'read',
-        name: `Scoped subkey ${randomUUID()}`,
-        limited_to_orgs: [scopedOrgId],
-        limited_to_apps: [],
-      })
+    const { data: orgAdminRole, error: orgAdminRoleError } = await supabase
+      .from('roles')
       .select('id')
+      .eq('name', 'org_admin')
       .single()
-    expect(subkeyError).toBeNull()
+    expect(orgAdminRoleError).toBeNull()
+    if (!orgAdminRole?.id)
+      throw new TypeError('Failed to resolve org_admin role')
+
+    const { error: parentBlockedBindingError } = await supabase.from('role_bindings').insert({
+      principal_type: 'apikey',
+      principal_id: parentKeyData.rbac_id,
+      role_id: orgAdminRole.id,
+      scope_type: 'org',
+      org_id: blockedOrgId,
+      granted_by: USER_ID,
+      reason: 'Organization middleware parent key test binding',
+      is_direct: true,
+    })
+    expect(parentBlockedBindingError).toBeNull()
+
+    const subkeyData = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Scoped subkey ${randomUUID()}`,
+      orgId: scopedOrgId,
+      roleName: 'org_member',
+    })
     if (typeof subkeyData?.id !== 'number') {
       throw new TypeError('Failed to seed scoped subkey')
     }
@@ -953,7 +993,7 @@ describe('[POST] /organization', () => {
   async function expectCreatedOrganizationPlan(estimatedMau: number, planName: string) {
     const name = `Created ${planName} Plan Organization ${randomUUID()}`
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({ name, estimatedMau }),
     })
@@ -1004,7 +1044,7 @@ describe('[POST] /organization', () => {
     const name = `Created Organization ${new Date().toISOString()}`
     const website = 'HTTPS://capgo.app'
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({ name, website }),
     })
@@ -1034,7 +1074,7 @@ describe('[POST] /organization', () => {
 
   it('create organization with missing name', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({}), // Missing name
     })
@@ -1045,7 +1085,7 @@ describe('[POST] /organization', () => {
 
   it('create organization with invalid body format', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: 'invalid json', // Invalid JSON
     })
@@ -1054,7 +1094,7 @@ describe('[POST] /organization', () => {
 
   it('create organization with empty name', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({ name: '' }), // Empty name
     })
@@ -1065,7 +1105,7 @@ describe('[POST] /organization', () => {
 
   it.concurrent('create organization rejects invalid website scheme', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({
         name: `Created Organization ${new Date().toISOString()}`,
@@ -1079,7 +1119,7 @@ describe('[POST] /organization', () => {
 
   it.concurrent('create organization rejects credential-bearing website urls', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({
         name: `Created Organization ${new Date().toISOString()}`,
@@ -1105,7 +1145,7 @@ describe('[POST] /organization', () => {
 
   it.concurrent('create organization rejects an estimated active user count above the largest plan stop', async () => {
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({
         name: `Created Organization ${randomUUID()}`,
@@ -1144,7 +1184,7 @@ describe('[PUT] /organization', () => {
 
     try {
       const response = await fetch(`${BASE_URL}/organization`, {
-        headers,
+        headers: authHeaders,
         method: 'PUT',
         body: JSON.stringify({ orgId, name, website }),
       })
@@ -1282,8 +1322,22 @@ describe('[DELETE] /organization', () => {
     })
     expect(metricsCacheError).toBeNull()
 
+    const deleteKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Delete org key ${randomUUID()}`,
+      orgId: id,
+      roleName: 'org_super_admin',
+    })
+    if (!deleteKey?.key || typeof deleteKey.id !== 'number')
+      throw new Error('Failed to seed delete organization API key')
+    const deleteHeaders = {
+      'Content-Type': 'application/json',
+      'capgkey': deleteKey.key,
+    }
+
     const response = await fetch(`${BASE_URL}/organization?orgId=${id}`, {
-      headers,
+      headers: deleteHeaders,
       method: 'DELETE',
     })
     expect(response.status).toBe(200)
@@ -1302,6 +1356,7 @@ describe('[DELETE] /organization', () => {
     expect(cachedMetricsError).toBeNull()
     expect(cachedMetrics).toBeNull()
 
+    await getSupabaseClient().from('apikeys').delete().eq('id', deleteKey.id)
     await getSupabaseClient().from('stripe_info').delete().eq('customer_id', customerId)
   })
 
@@ -1389,9 +1444,23 @@ describe('[DELETE] /organization', () => {
     })
     expect(memberError).toBeNull()
 
+    const orgAdminKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `Non-owner org key ${randomUUID()}`,
+      orgId: id,
+      roleName: 'org_admin',
+    })
+    if (!orgAdminKey?.key || typeof orgAdminKey.id !== 'number')
+      throw new Error('Failed to seed non-owner organization API key')
+    const orgAdminHeaders = {
+      'Content-Type': 'application/json',
+      'capgkey': orgAdminKey.key,
+    }
+
     // Try to delete the organization
     const response = await fetch(`${BASE_URL}/organization?orgId=${id}`, {
-      headers,
+      headers: orgAdminHeaders,
       method: 'DELETE',
     })
 
@@ -1406,6 +1475,7 @@ describe('[DELETE] /organization', () => {
     expect(dataOrgAfter).toBeTruthy()
 
     // Clean up
+    await getSupabaseClient().from('apikeys').delete().eq('id', orgAdminKey.id)
     await getSupabaseClient().from('org_users').delete().eq('org_id', id).eq('user_id', USER_ID)
     await getSupabaseClient().from('orgs').delete().eq('id', id)
     await getSupabaseClient().from('stripe_info').delete().eq('customer_id', customerId)
@@ -1639,6 +1709,9 @@ const globalIdRbac = randomUUID()
 const nameRbac = `RBAC Test Organization ${globalIdRbac}`
 
 describe('rbac mode - organization member operations', () => {
+  let rbacHeaders: Record<string, string>
+  let rbacApiKeyId = 0
+
   beforeAll(async () => {
     const { error } = await getSupabaseClient().from('orgs').insert({
       id: ORG_ID_RBAC,
@@ -1652,9 +1725,26 @@ describe('rbac mode - organization member operations', () => {
 
     // The generate_org_user_on_org_create trigger creates org_users(super_admin)
     // and role_bindings(org_super_admin) for created_by automatically.
+    const createdKey = await createDirectApiKeyWithBindings({
+      userId: USER_ID,
+      key: randomUUID(),
+      name: `RBAC organization suite ${randomUUID()}`,
+      orgId: ORG_ID_RBAC,
+      roleName: 'org_super_admin',
+    })
+    if (!createdKey?.key || typeof createdKey.id !== 'number')
+      throw new Error('Failed to seed RBAC organization API key')
+    rbacApiKeyId = createdKey.id
+    rbacHeaders = {
+      'Content-Type': 'application/json',
+      'capgkey': createdKey.key,
+    }
   })
 
   afterAll(async () => {
+    if (rbacApiKeyId) {
+      await getSupabaseClient().from('apikeys').delete().eq('id', rbacApiKeyId)
+    }
     await getSupabaseClient().from('role_bindings').delete().eq('org_id', ORG_ID_RBAC)
     await getSupabaseClient().from('org_users').delete().eq('org_id', ORG_ID_RBAC)
     await getSupabaseClient().from('orgs').delete().eq('id', ORG_ID_RBAC)
@@ -1662,7 +1752,7 @@ describe('rbac mode - organization member operations', () => {
 
   it('[GET] /organization - get RBAC org by id', async () => {
     const response = await fetch(`${BASE_URL}/organization?orgId=${ORG_ID_RBAC}`, {
-      headers,
+      headers: rbacHeaders,
     })
     expect(response.status).toBe(200)
     const responseType = type({ id: 'string', name: 'string' })
@@ -1675,7 +1765,7 @@ describe('rbac mode - organization member operations', () => {
 
   it('[GET] /organization/members - returns members via role_bindings (RBAC path)', async () => {
     const response = await fetch(`${BASE_URL}/organization/members?orgId=${ORG_ID_RBAC}`, {
-      headers,
+      headers: rbacHeaders,
     })
     expect(response.status).toBe(200)
     const responseType = type({
@@ -1698,7 +1788,7 @@ describe('rbac mode - organization member operations', () => {
   it('[PUT] /organization - update RBAC org name', async () => {
     const updatedName = `RBAC Updated ${new Date().toISOString()}`
     const response = await fetch(`${BASE_URL}/organization`, {
-      headers,
+      headers: rbacHeaders,
       method: 'PUT',
       body: JSON.stringify({ orgId: ORG_ID_RBAC, name: updatedName }),
     })
@@ -1713,7 +1803,7 @@ describe('rbac mode - organization member operations', () => {
 
   it('[POST] /organization/members - add member in RBAC mode (sync trigger creates role_binding)', async () => {
     const response = await fetch(`${BASE_URL}/organization/members`, {
-      headers,
+      headers: rbacHeaders,
       method: 'POST',
       body: JSON.stringify({
         orgId: ORG_ID_RBAC,
@@ -1755,7 +1845,7 @@ describe('rbac mode - organization member operations', () => {
     expect(bindingsBefore!.length).toBeGreaterThan(0)
 
     const response = await fetch(`${BASE_URL}/organization/members?orgId=${ORG_ID_RBAC}&email=${USER_ADMIN_EMAIL}`, {
-      headers,
+      headers: rbacHeaders,
       method: 'DELETE',
     })
     expect(response.status).toBe(200)
@@ -1774,11 +1864,11 @@ describe('hashed API key enforcement integration', () => {
   it('find_apikey_by_value finds hashed key', async () => {
     // Create a hashed API key via API
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({
         name: 'test-hashed-key-for-find',
-        mode: 'all',
+        bindings: orgApiKeyBindings(ORG_ID),
         hashed: true,
       }),
     })
@@ -1799,7 +1889,7 @@ describe('hashed API key enforcement integration', () => {
 
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
-      headers,
+      headers: authHeaders,
       method: 'DELETE',
     })
   })
@@ -1826,11 +1916,11 @@ describe('hashed API key enforcement integration', () => {
     // Calculate correct hash using the function itself
     // We can test this by creating a hashed key and verifying
     const createResponse = await fetch(`${BASE_URL}/apikey`, {
-      headers,
+      headers: authHeaders,
       method: 'POST',
       body: JSON.stringify({
         name: 'test-verify-hash-key',
-        mode: 'all',
+        bindings: orgApiKeyBindings(ORG_ID),
         hashed: true,
       }),
     })
@@ -1847,7 +1937,7 @@ describe('hashed API key enforcement integration', () => {
 
     // Cleanup
     await fetch(`${BASE_URL}/apikey/${createData.id}`, {
-      headers,
+      headers: authHeaders,
       method: 'DELETE',
     })
   })
diff --git a/tests/password-policy.test.ts b/tests/password-policy.test.ts
index 1246a3f90c..b25d7f6777 100644
--- a/tests/password-policy.test.ts
+++ b/tests/password-policy.test.ts
@@ -30,7 +30,7 @@ beforeAll(async () => {
     management_email: TEST_EMAIL,
     created_by: USER_ID,
     customer_id: customerId,
-    use_new_rbac: false, // Explicitly legacy — preserves legacy check_min_rights coverage
+    use_new_rbac: false, // Compatibility flag is ignored; permissions are RBAC-backed.
   })
   if (error)
     throw error
@@ -642,7 +642,7 @@ describe('password Policy Enforcement Integration', () => {
       is_good_plan: true,
     })
 
-    // Create org with password policy enabled (legacy mode — preserves legacy check_min_rights coverage)
+    // Create org with password policy enabled while the compatibility flag is false.
     await getSupabaseClient().from('orgs').insert({
       id: orgWithPolicyId,
       name: orgWithPolicyName,
@@ -674,8 +674,8 @@ describe('password Policy Enforcement Integration', () => {
     await getSupabaseClient().from('stripe_info').delete().eq('customer_id', orgWithPolicyCustomerId)
   })
 
-  it('check_min_rights respects password policy (legacy mode)', async () => {
-    // Directly test the check_min_rights function via RPC in legacy mode
+  it('check_min_rights respects password policy with compatibility flag disabled', async () => {
+    // Directly test the compatibility check_min_rights function via RPC
     const { data, error } = await getSupabaseClient().rpc('check_min_rights', {
       min_right: 'read',
       user_id: USER_ID,
diff --git a/tests/plan-check-appid-passthrough.test.ts b/tests/plan-check-appid-passthrough.test.ts
index 99a74ddf81..b204b0e527 100644
--- a/tests/plan-check-appid-passthrough.test.ts
+++ b/tests/plan-check-appid-passthrough.test.ts
@@ -1,26 +1,17 @@
 // Regression test for the "Plan upgrade required for upload" RBAC bug.
 //
-// Background: is_allowed_action_org_action(orgid, actions) internally calls
-// check_min_rights with app_id = NULL. For an RBAC-managed API key with
-// limited_to_apps set (typical for capgo CLI uploads bound to one app), the
-// app-scope restriction in rbac_check_permission_direct denies the call
-// because the key is restricted to apps but the caller passed no app context.
-// The CLI then surfaces this as "Plan upgrade required for upload" even when
-// the plan is healthy.
-//
-// The migration in 20260518071442_plan_check_passthrough_appid.sql adds a
-// 3-arg overload that threads appid into check_min_rights. This test
-// exercises all three paths via PostgREST so we catch any regression in:
-//   1. The bug repro (2-arg call denies for limited_to_apps keys).
-//   2. The fix (3-arg call with matching appid allows).
-//   3. The safety invariant (3-arg call with non-matching appid still denies).
+// Background: old CLI versions call is_allowed_action_org_action(orgid, actions)
+// without an appid. Newer callers can pass appid so the plan check can enforce
+// app-scoped RBAC bindings when it has the app context. This keeps the old
+// two-argument function shape compatible while proving the three-argument
+// overload does not widen an app-scoped API key to sibling apps.
 
 import type { Database } from '../src/types/supabase.types'
 import { randomUUID } from 'node:crypto'
 import { env } from 'node:process'
 import { createClient } from '@supabase/supabase-js'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { getSupabaseClient, normalizeLocalhostUrl, SUPABASE_ANON_KEY } from './test-utils.ts'
+import { createDirectApiKeyWithBindings, getSupabaseClient, normalizeLocalhostUrl, SUPABASE_ANON_KEY } from './test-utils.ts'
 
 const SUPABASE_URL = normalizeLocalhostUrl(env.SUPABASE_URL) ?? ''
 const USE_CLOUDFLARE_WORKERS = env.USE_CLOUDFLARE_WORKERS === 'true'
@@ -60,7 +51,7 @@ function createCapgkeyClient(apikey: string) {
   })
 }
 
-describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + limited_to_apps)', () => {
+describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC bindings)', () => {
   beforeAll(async () => {
     // 1. User. public.users has a FK to auth.users, so we provision via
     //    auth admin first. The CLI authenticates by capgkey header, not by
@@ -104,8 +95,7 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
       throw stripeError
 
     // 3. Org with use_new_rbac = true so check_min_rights routes through
-    //    rbac_check_permission_direct (the function that has the
-    //    limited_to_apps gate).
+    //    rbac_check_permission_direct.
     const { data: orgRow, error: orgError } = await serviceRoleSupabase
       .from('orgs')
       .insert({
@@ -122,8 +112,8 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
     orgId = orgRow.id
 
     // 4. Two apps in the same org - one the key is allowed for, one it isn't.
-    //    Same-org apps prove the rejection comes from limited_to_apps, not from
-    //    the cross-org check in check_min_rights.
+    //    Same-org apps prove the rejection comes from app RBAC bindings, not
+    //    from the cross-org check in check_min_rights.
     const { data: primaryAppRow, error: primaryAppError } = await serviceRoleSupabase
       .from('apps')
       .insert({
@@ -158,79 +148,24 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
       throw new Error('Expected other app insert to return an id')
     otherAppUuid = otherAppRow.id
 
-    // 5. RBAC-managed API key: mode = NULL, limited_to_apps = [PRIMARY_APP_ID],
-    //    distinct rbac_id used as the role-binding principal. The
-    //    apikeys_force_server_key trigger overrides whatever we pass in
-    //    for `key` and replaces it with a server-generated UUID, so we
-    //    must read the actual key back from the INSERT ... RETURNING
-    //    result (the AFTER trigger that strips the plain key for hashed
-    //    keys is DEFERRABLE INITIALLY DEFERRED and runs at commit, so
-    //    the RETURNING clause still sees the plaintext).
-    const rbacId = randomUUID()
-    const { data: apikeyRow, error: apikeyError } = await serviceRoleSupabase
-      .from('apikeys')
-      .insert({
-        user_id: ownerUserId,
-        key: randomUUID(),
-        mode: null,
-        name: `plan-check-rbac-${SUITE_ID}`,
-        limited_to_apps: [PRIMARY_APP_ID],
-        limited_to_orgs: [orgId],
-        rbac_id: rbacId,
-      })
-      .select('id, rbac_id, key')
-      .single()
-    if (apikeyError)
-      throw apikeyError
+    // 5. RBAC-managed API key with org read compatibility and upload access
+    //    only for the primary app. This mirrors the V2 key shape after the
+    //    old scope columns have been removed.
+    const apikeyRow = await createDirectApiKeyWithBindings({
+      userId: ownerUserId,
+      key: randomUUID(),
+      name: `plan-check-rbac-${SUITE_ID}`,
+      orgId,
+      roleName: 'org_member',
+      appId: PRIMARY_APP_ID,
+      appRoleName: 'app_uploader',
+    })
     if (!apikeyRow.rbac_id)
       throw new Error('Expected apikey insert to return rbac_id')
     if (!apikeyRow.key)
       throw new Error('Expected plaintext key in apikey insert RETURNING row')
     apiKeyRow = { id: apikeyRow.id, rbac_id: apikeyRow.rbac_id }
     apiKeyPlain = apikeyRow.key
-
-    // 6. Role bindings: org_member at org scope gives org.read,
-    //    app_uploader at app scope gives app.read / app.upload_bundle.
-    //    Mirrors what /apikey POST creates for a CLI-issued RBAC key.
-    const { data: orgRoleRow, error: orgRoleError } = await serviceRoleSupabase
-      .from('roles')
-      .select('id')
-      .eq('name', 'org_member')
-      .single()
-    if (orgRoleError)
-      throw orgRoleError
-
-    const { data: appRoleRow, error: appRoleError } = await serviceRoleSupabase
-      .from('roles')
-      .select('id')
-      .eq('name', 'app_uploader')
-      .single()
-    if (appRoleError)
-      throw appRoleError
-
-    const { error: bindingError } = await serviceRoleSupabase.from('role_bindings').insert([
-      {
-        principal_type: 'apikey',
-        principal_id: apiKeyRow.rbac_id,
-        role_id: orgRoleRow.id,
-        scope_type: 'org',
-        org_id: orgId,
-        granted_by: ownerUserId,
-        is_direct: true,
-      },
-      {
-        principal_type: 'apikey',
-        principal_id: apiKeyRow.rbac_id,
-        role_id: appRoleRow.id,
-        scope_type: 'app',
-        org_id: orgId,
-        app_id: primaryAppUuid,
-        granted_by: ownerUserId,
-        is_direct: true,
-      },
-    ])
-    if (bindingError)
-      throw bindingError
   })
 
   afterAll(async () => {
@@ -251,20 +186,17 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
     }
   })
 
-  it('denies the 2-arg call (regression of the original bug)', async () => {
+  it('allows the 2-arg call for old CLI compatibility', async () => {
     const client = createCapgkeyClient(apiKeyPlain)
     const { data, error } = await client.rpc('is_allowed_action_org_action', {
       orgid: orgId,
       actions: ['storage'],
     })
     expect(error).toBeNull()
-    // Limited_to_apps key + null app context => RBAC app-scope restriction
-    // denies. Before the fix, the CLI's checkPlanValidUpload always called
-    // this 2-arg variant and tripped this path.
-    expect(data).toBe(false)
+    expect(data).toBe(true)
   })
 
-  it('allows the 3-arg call when appid matches limited_to_apps (the fix)', async () => {
+  it('allows the 3-arg call when appid matches an app binding', async () => {
     const client = createCapgkeyClient(apiKeyPlain)
     const args = {
       orgid: orgId,
@@ -276,7 +208,7 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
     expect(data).toBe(true)
   })
 
-  it('still denies the 3-arg call when appid does not match limited_to_apps (safety invariant)', async () => {
+  it('still denies the 3-arg call when appid does not match an app binding', async () => {
     const client = createCapgkeyClient(apiKeyPlain)
     const args = {
       orgid: orgId,
@@ -285,9 +217,9 @@ describe.skipIf(USE_CLOUDFLARE_WORKERS)('plan-check appid passthrough (RBAC + li
     } as never
     const { data, error } = await client.rpc('is_allowed_action_org_action', args)
     expect(error).toBeNull()
-    // Key is limited_to_apps = [PRIMARY_APP_ID], so an upload-plan check for
-    // OTHER_APP_ID must still be rejected even though both apps are in the
-    // same org.
+    // The API key only has an app binding for PRIMARY_APP_ID, so an upload-plan
+    // check for OTHER_APP_ID must still be rejected even though both apps are
+    // in the same org.
     expect(data).toBe(false)
   })
 })
diff --git a/tests/private-error-cases.test.ts b/tests/private-error-cases.test.ts
index 32b7183dbb..fc1d696ffc 100644
--- a/tests/private-error-cases.test.ts
+++ b/tests/private-error-cases.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { APIKEY_STATS, getEndpointUrl, getSupabaseClient, headers, NON_OWNER_ORG_ID, ORG_ID, resetAndSeedAppData, resetAppData, USER_ID } from './test-utils.ts'
+import { APIKEY_STATS, createDirectApiKeyWithBindings, getEndpointUrl, getSupabaseClient, headers, NON_OWNER_ORG_ID, ORG_ID, resetAndSeedAppData, resetAppData, USER_ID } from './test-utils.ts'
 
 const id = randomUUID()
 const APPNAME = `com.private.error.${id}`
@@ -8,6 +8,9 @@ const APPNAME = `com.private.error.${id}`
 const testOrgId = randomUUID()
 const testOrgEmail = `test-private-error-${id}@capgo.app`
 const testCustomerId = `cus_test_${id}`
+const testOrgApiKey = randomUUID()
+let testOrgHeaders: Record<string, string>
+let testOrgApiKeyId: number | null = null
 
 beforeAll(async () => {
   await resetAndSeedAppData(APPNAME)
@@ -25,7 +28,7 @@ beforeAll(async () => {
     throw stripeError
 
   // Create unique test organization (WITH a customer_id so RLS allows access)
-  // use_new_rbac: false — this test checks error handling (404 for missing app).
+  // use_new_rbac false is kept to verify compatibility flag handling while RBAC remains authoritative.
   // In RBAC mode check_min_rights fails for non-existent apps before the app lookup.
   const { error: orgError } = await getSupabaseClient().from('orgs').insert({
     id: testOrgId,
@@ -47,12 +50,29 @@ beforeAll(async () => {
   })
   if (orgUserError)
     throw orgUserError
+
+  const apiKey = await createDirectApiKeyWithBindings({
+    key: testOrgApiKey,
+    name: `private-error-org-${id}`,
+    orgId: testOrgId,
+    roleName: 'org_super_admin',
+  })
+  if (!apiKey.key)
+    throw new Error('Failed to create private error API key')
+
+  testOrgApiKeyId = apiKey.id
+  testOrgHeaders = {
+    'Content-Type': 'application/json',
+    'Authorization': apiKey.key,
+  }
 })
 
 afterAll(async () => {
   await resetAppData(APPNAME)
 
   // Clean up the unique test organization
+  if (testOrgApiKeyId !== null)
+    await getSupabaseClient().from('apikeys').delete().eq('id', testOrgApiKeyId).throwOnError()
   await getSupabaseClient().from('org_users').delete().eq('org_id', testOrgId)
   await getSupabaseClient().from('orgs').delete().eq('id', testOrgId)
   await getSupabaseClient().from('stripe_info').delete().eq('customer_id', testCustomerId)
@@ -76,7 +96,7 @@ describe('[POST] /private/create_device - Error Cases', () => {
     const deviceId = randomUUID()
     const response = await fetch(getEndpointUrl('/private/create_device'), {
       method: 'POST',
-      headers,
+      headers: testOrgHeaders,
       body: JSON.stringify({
         app_id: APPNAME,
         org_id: testOrgId,
@@ -153,7 +173,7 @@ describe('[POST] /private/create_device - Error Cases', () => {
     // Use testOrgId where user has super_admin rights to properly test app not found
     const response = await fetch(getEndpointUrl('/private/create_device'), {
       method: 'POST',
-      headers,
+      headers: testOrgHeaders,
       body: JSON.stringify({
         app_id: 'nonexistent.app',
         org_id: testOrgId,
@@ -432,7 +452,7 @@ describe('[POST] /private/set_org_email - Error Cases', () => {
 
     const response = await fetch(getEndpointUrl('/private/set_org_email'), {
       method: 'POST',
-      headers,
+      headers: testOrgHeaders,
       body: JSON.stringify({
         org_id: testOrgId,
         email: 'test@example.com',
@@ -447,19 +467,19 @@ describe('[POST] /private/set_org_email - Error Cases', () => {
     await getSupabaseClient().from('orgs').update({ customer_id: testCustomerId }).eq('id', testOrgId)
   })
 
-  it('should return 403 when not authorized for org', async () => {
+  it('should return 400 when the scoped API key cannot read the org', async () => {
     const response = await fetch(getEndpointUrl('/private/set_org_email'), {
       method: 'POST',
-      headers,
+      headers: testOrgHeaders,
       body: JSON.stringify({
         org_id: NON_OWNER_ORG_ID,
         email: 'test@example.com',
       }),
     })
 
-    expect(response.status).toBe(401)
+    expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
-    expect(data.error).toBe('not_authorized')
+    expect(data.error).toBe('org_not_found')
   })
 })
 
diff --git a/tests/rbac-permissions.test.ts b/tests/rbac-permissions.test.ts
index 94d0938097..2c92ba7c4f 100644
--- a/tests/rbac-permissions.test.ts
+++ b/tests/rbac-permissions.test.ts
@@ -3,12 +3,11 @@ import { randomUUID } from 'node:crypto'
 /**
  * RBAC Permission System Tests
  *
- * Tests the checkPermission function with both legacy and RBAC modes
- * to ensure feature flag routing works correctly.
+ * Tests the checkPermission function with legacy-compatible inputs backed by RBAC.
  */
 import { Pool } from 'pg'
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest'
-import { APIKEY_TEST_ALL, ORG_ID, POSTGRES_URL, USER_ID, USER_ID_2 } from './test-utils'
+import { APIKEY_TEST_ALL, ORG_ID, POSTGRES_URL, USER_ID, USER_ID_2, USER_PASSWORD_HASH } from './test-utils'
 
 // Test constants
 const TEST_APP_ID = 'com.demo.app'
@@ -40,6 +39,34 @@ describe('rbac permission system', () => {
     ])
   }
 
+  const createApiKeyForOrg = async (key: string, name: string, orgId: string, roleName = 'org_super_admin') => {
+    const apiKeyResult = await query(`
+      INSERT INTO public.apikeys (user_id, key, name)
+      VALUES ($1::uuid, $2, $3)
+      RETURNING rbac_id
+    `, [USER_ID, key, name])
+    const apiKeyRbacId = apiKeyResult.rows[0]?.rbac_id
+    expect(apiKeyRbacId).toBeTruthy()
+
+    const bindingResult = await query(`
+      INSERT INTO public.role_bindings (principal_type, principal_id, role_id, scope_type, org_id, granted_by)
+      SELECT
+        'apikey',
+        $1::uuid,
+        roles.id,
+        'org',
+        $2::uuid,
+        $3::uuid
+      FROM public.roles
+      WHERE roles.name = $4
+      LIMIT 1
+      RETURNING id
+    `, [apiKeyRbacId, orgId, USER_ID, roleName])
+    expect(bindingResult.rowCount).toBe(1)
+
+    return apiKeyRbacId
+  }
+
   beforeAll(async () => {
     pool = new Pool({ connectionString: POSTGRES_URL })
   })
@@ -65,7 +92,7 @@ describe('rbac permission system', () => {
   })
 
   describe('rbac_check_permission_direct SQL function', () => {
-    describe('legacy mode (use_new_rbac = false)', () => {
+    describe('legacy-compatible inputs with RBAC enforced', () => {
       beforeEach(async () => {
         await query(`SELECT set_config('capgo.rbac_enabled', 'false', true)`)
         await query(`UPDATE public.orgs SET use_new_rbac = false WHERE id = $1`, [ORG_ID])
@@ -132,17 +159,17 @@ describe('rbac permission system', () => {
         expect(result.rows[0].allowed).toBe(false)
       })
 
-      it('should deny org permissions outside limited_to_orgs for scoped api keys', async () => {
+      it('should deny org permissions outside bound org for api keys', async () => {
         const allowedOrgId = randomUUID()
         const targetOrgId = randomUUID()
-        const scopedKey = `legacy-scope-${randomUUID()}`
+        const scopedKey = `org-bound-${randomUUID()}`
 
         await query(`
           INSERT INTO public.orgs (id, name, management_email, created_by, use_new_rbac)
           VALUES
             ($1::uuid, $3, $5, $6::uuid, false),
             ($2::uuid, $4, $5, $6::uuid, false)
-        `, [allowedOrgId, targetOrgId, `Legacy Allowed ${allowedOrgId}`, `Legacy Target ${targetOrgId}`, `legacy-scope-${randomUUID()}@capgo.app`, USER_ID])
+        `, [allowedOrgId, targetOrgId, `API Key Allowed ${allowedOrgId}`, `API Key Target ${targetOrgId}`, `org-bound-${randomUUID()}@capgo.app`, USER_ID])
 
         await query(`
           INSERT INTO public.org_users (org_id, user_id, user_right)
@@ -151,10 +178,7 @@ describe('rbac permission system', () => {
             ($2::uuid, $3::uuid, 'super_admin')
         `, [allowedOrgId, targetOrgId, USER_ID])
 
-        await query(`
-          INSERT INTO public.apikeys (user_id, key, key_hash, mode, name, limited_to_orgs, limited_to_apps)
-          VALUES ($1::uuid, $2, NULL, 'write', $3, ARRAY[$4::uuid], ARRAY[]::text[])
-        `, [USER_ID, scopedKey, `Legacy scoped ${allowedOrgId}`, allowedOrgId])
+        await createApiKeyForOrg(scopedKey, `Org bound ${allowedOrgId}`, allowedOrgId)
 
         const deniedResult = await query(`
           SELECT public.rbac_check_permission_direct(
@@ -181,16 +205,60 @@ describe('rbac permission system', () => {
         expect(deniedResult.rows[0].allowed).toBe(false)
         expect(allowedResult.rows[0].allowed).toBe(true)
       })
+
+      it('should deny stale org_users rights when RBAC bindings are missing', async () => {
+        const staleOrgId = randomUUID()
+        const staleUserId = randomUUID()
+        const staleEmail = `stale-rbac-${staleOrgId}@capgo.app`
+
+        await query(`
+          INSERT INTO auth.users (id, email, encrypted_password, email_confirmed_at, created_at, updated_at, raw_user_meta_data)
+          VALUES ($1::uuid, $2, $3, NOW(), NOW(), NOW(), '{}'::jsonb)
+        `, [staleUserId, staleEmail, USER_PASSWORD_HASH])
+
+        await query(`
+          INSERT INTO public.users (id, email, first_name, last_name)
+          VALUES ($1::uuid, $2, 'Stale', 'Rights')
+        `, [staleUserId, staleEmail])
+
+        await query(`
+          INSERT INTO public.orgs (id, name, management_email, created_by, use_new_rbac)
+          VALUES ($1::uuid, $2, $3, $4::uuid, false)
+        `, [staleOrgId, `Stale RBAC ${staleOrgId}`, staleEmail, USER_ID])
+
+        await query(`
+          INSERT INTO public.org_users (org_id, user_id, user_right)
+          VALUES ($1::uuid, $2::uuid, 'super_admin')
+        `, [staleOrgId, staleUserId])
+
+        await query(`
+          DELETE FROM public.role_bindings
+          WHERE principal_type = public.rbac_principal_user()
+            AND principal_id = $1::uuid
+            AND org_id = $2::uuid
+        `, [staleUserId, staleOrgId])
+
+        const result = await query(`
+          SELECT public.rbac_check_permission_direct(
+            'org.delete',
+            $1::uuid,
+            $2::uuid,
+            NULL::text,
+            NULL::bigint,
+            NULL
+          ) AS allowed
+        `, [staleUserId, staleOrgId])
+
+        expect(result.rows[0].allowed).toBe(false)
+      })
     })
 
-    describe('rbac mode (use_new_rbac = true)', () => {
+    describe('rbac permission checks', () => {
       beforeEach(async () => {
-        // Enable RBAC globally for tests
         await query(`SELECT set_config('capgo.rbac_enabled', 'true', true)`)
       })
 
       afterEach(async () => {
-        // Reset to legacy mode
         await query(`SELECT set_config('capgo.rbac_enabled', 'false', true)`)
       })
 
@@ -678,45 +746,19 @@ describe('rbac permission system', () => {
         expect(result.rows[0].allowed).toBe(false)
       })
 
-      it('should deny org permissions outside limited_to_orgs for scoped api keys', async () => {
+      it('should deny org permissions outside bound org for api keys', async () => {
         const allowedOrgId = randomUUID()
         const targetOrgId = randomUUID()
-        const scopedKey = `rbac-scope-${randomUUID()}`
+        const scopedKey = `rbac-bound-${randomUUID()}`
 
         await query(`
           INSERT INTO public.orgs (id, name, management_email, created_by, use_new_rbac)
           VALUES
             ($1::uuid, $3, $5, $6::uuid, true),
             ($2::uuid, $4, $5, $6::uuid, true)
-        `, [allowedOrgId, targetOrgId, `RBAC Allowed ${allowedOrgId}`, `RBAC Target ${targetOrgId}`, `rbac-scope-${randomUUID()}@capgo.app`, USER_ID])
-
-        await query(`
-          INSERT INTO public.apikeys (user_id, key, key_hash, mode, name, limited_to_orgs, limited_to_apps)
-          VALUES ($1::uuid, $2, NULL, 'write', $3, ARRAY[$4::uuid], ARRAY[]::text[])
-        `, [USER_ID, scopedKey, `RBAC scoped ${allowedOrgId}`, allowedOrgId])
-
-        const apiKeyResult = await query(`
-          SELECT rbac_id
-          FROM public.apikeys
-          WHERE key = $1
-          LIMIT 1
-        `, [scopedKey])
-        const apiKeyRbacId = apiKeyResult.rows[0]?.rbac_id
-        expect(apiKeyRbacId).toBeTruthy()
+        `, [allowedOrgId, targetOrgId, `RBAC Allowed ${allowedOrgId}`, `RBAC Target ${targetOrgId}`, `rbac-bound-${randomUUID()}@capgo.app`, USER_ID])
 
-        await query(`
-          INSERT INTO public.role_bindings (principal_type, principal_id, role_id, scope_type, org_id, granted_by)
-          SELECT
-            'apikey',
-            $1::uuid,
-            r.id,
-            'org',
-            $2::uuid,
-            $3::uuid
-          FROM public.roles r
-          WHERE r.name = 'org_super_admin'
-          LIMIT 1
-        `, [apiKeyRbacId, allowedOrgId, USER_ID])
+        await createApiKeyForOrg(scopedKey, `RBAC bound ${allowedOrgId}`, allowedOrgId)
 
         const deniedResult = await query(`
           SELECT public.rbac_check_permission_direct(
@@ -851,8 +893,8 @@ describe('rbac permission system', () => {
       })
     })
 
-    describe('feature flag routing', () => {
-      it('should use legacy for orgs without RBAC flag', async () => {
+    describe('RBAC compatibility flag', () => {
+      it('should keep using RBAC when the old org flag is false', async () => {
         await query(`UPDATE public.orgs SET use_new_rbac = false WHERE id = $1`, [ORG_ID])
         await query(`SELECT set_config('capgo.rbac_enabled', 'false', true)`)
 
@@ -871,7 +913,6 @@ describe('rbac permission system', () => {
       })
 
       it('should use RBAC for orgs with RBAC flag enabled', async () => {
-        // Enable RBAC for the org
         await query(`
           UPDATE public.orgs SET use_new_rbac = true WHERE id = $1;
         `, [ORG_ID])
@@ -887,11 +928,6 @@ describe('rbac permission system', () => {
           ) as allowed
         `, [USER_ID, ORG_ID, TEST_APP_ID])
 
-        // Reset
-        await query(`
-          UPDATE public.orgs SET use_new_rbac = false WHERE id = $1;
-        `, [ORG_ID])
-
         expect(result.rows[0].allowed).toBe(true)
       })
     })
@@ -958,7 +994,7 @@ describe('rbac permission system', () => {
         expect(result.rows[0].enabled).toBe(true)
       })
 
-      it('should return false when both flags are disabled', async () => {
+      it('should return true even when old flags are disabled', async () => {
         await query(`SELECT set_config('capgo.rbac_enabled', 'false', true)`)
         await query(`UPDATE public.orgs SET use_new_rbac = false WHERE id = $1`, [ORG_ID])
 
@@ -966,7 +1002,7 @@ describe('rbac permission system', () => {
           SELECT public.rbac_is_enabled_for_org($1::uuid) as enabled
         `, [ORG_ID])
 
-        expect(result.rows[0].enabled).toBe(false)
+        expect(result.rows[0].enabled).toBe(true)
       })
     })
 
diff --git a/tests/statistics.test.ts b/tests/statistics.test.ts
index 60d7a6cd03..334f4da8ff 100644
--- a/tests/statistics.test.ts
+++ b/tests/statistics.test.ts
@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, describe, expect, it } from 'vitest'
-import { APP_NAME_STATS, BASE_URL, getAuthHeadersForCredentials, getSupabaseClient, headersStats, ORG_ID_STATS, USER_ID_STATS } from './test-utils.ts'
+import { APP_NAME_STATS, appApiKeyBindings, BASE_URL, createDirectApiKeyWithBindings, getAuthHeadersForCredentials, getSupabaseClient, headersStats, ORG_ID_STATS, USER_ID_STATS } from './test-utils.ts'
 
 function hasSeededStats(statsData: unknown) {
   if (!Array.isArray(statsData))
@@ -45,6 +45,20 @@ async function deleteAppByAppId(appId: string) {
     .throwOnError()
 }
 
+async function createStatsAppReadKey(name: string) {
+  const keyData = await createDirectApiKeyWithBindings({
+    userId: USER_ID_STATS,
+    key: randomUUID(),
+    name,
+    orgId: ORG_ID_STATS,
+    roleName: 'org_member',
+    appId: APP_NAME_STATS,
+    appRoleName: 'app_reader',
+  })
+
+  return keyData.id
+}
+
 describe('[GET] /statistics operations with and without subkey', () => {
   const APPNAME = APP_NAME_STATS // Use the seeded stats app
   let subkeyId = 0
@@ -187,20 +201,9 @@ describe('[GET] /statistics operations with and without subkey', () => {
     }
   })
 
-  it('should create app and subkey with limited rights', async () => {
-    // Create a subkey with limited rights to this app
-    const createSubkey = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers: headersStats,
-      body: JSON.stringify({
-        name: 'Limited Stats Subkey',
-        mode: 'read',
-        limited_to_apps: [APPNAME],
-      }),
-    })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
-    subkeyId = subkeyData.id
+  it('should seed app-bound key for statistics checks', async () => {
+    subkeyId = await createStatsAppReadKey('Stats app-bound key')
+    expect(subkeyId).toBeTypeOf('number')
   })
 
   it('should get app statistics with subkey', async () => {
@@ -218,17 +221,7 @@ describe('[GET] /statistics operations with and without subkey', () => {
   })
 
   it.concurrent('should not reveal sibling app existence outside an app-limited subkey', async () => {
-    const createSubkey = await fetch(`${BASE_URL}/apikey`, {
-      method: 'POST',
-      headers: headersStats,
-      body: JSON.stringify({
-        name: 'Limited Stats Subkey - oracle test',
-        mode: 'read',
-        limited_to_apps: [APPNAME],
-      }),
-    })
-    expect(createSubkey.status).toBe(200)
-    const localSubkey = await createSubkey.json() as { id: number }
+    const localSubkey = { id: await createStatsAppReadKey('Stats oracle app-bound key') }
     const siblingApp = `com.stats.oracle.${randomUUID().replaceAll('-', '')}`
     const fakeApp = `com.stats.fake.${randomUUID().replaceAll('-', '')}`
 
@@ -270,7 +263,7 @@ describe('[GET] /statistics operations with and without subkey', () => {
       method: 'GET',
       headers: { ...headersStats, ...subkeyHeaders },
     })
-    expect(getOrgStats.status).toBe(401)
+    expect(getOrgStats.status).toBe(200)
   })
 
   it('should get user statistics with subkey', async () => {
@@ -342,67 +335,35 @@ describe('[GET] /statistics operations with and without subkey', () => {
     expect(orgStatsData.error).toBe('no_access_to_organization')
   })
 
-  it('should create subkey with non-accessible org and fail to get org statistics', async () => {
-    // Create a subkey with limited rights to a non-accessible org
+  it('rejects nested API key creation from API key auth for org bindings', async () => {
     const createSubkey = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
       headers: headersStats,
       body: JSON.stringify({
-        name: 'Non-Accessible Org Subkey',
-        mode: 'read',
-        limited_to_orgs: ['22dbad8a-b885-4309-9b3b-a09f8460fb6d'],
+        name: 'Nested Stats Org Key',
+        bindings: [{
+          role_name: 'org_member',
+          scope_type: 'org',
+          org_id: ORG_ID_STATS,
+        }],
       }),
     })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
-    const nonAccessibleOrgSubkeyId = subkeyData.id
-
-    try {
-      const subkeyHeaders = { 'x-limited-key-id': String(nonAccessibleOrgSubkeyId) }
-      const fromDate = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000).toISOString().split('T')[0]
-      const toDate = new Date().toISOString().split('T')[0]
-      const getOrgStats = await fetch(`${BASE_URL}/statistics/org/22dbad8a-b885-4309-9b3b-a09f8460fb6d?from=${fromDate}&to=${toDate}`, {
-        method: 'GET',
-        headers: { ...headersStats, ...subkeyHeaders },
-      })
-      expect(getOrgStats.status).toBe(401)
-      const orgStatsData = await getOrgStats.json<{ error: string }>()
-      expect(orgStatsData.error).toBe('no_access_to_organization')
-    }
-    finally {
-      await deleteApikeyById(nonAccessibleOrgSubkeyId)
-    }
+    expect(createSubkey.status).toBe(400)
+    const subkeyData = await createSubkey.json<{ error: string }>()
+    expect(subkeyData.error).toBe('cannot_create_apikey')
   })
 
-  it('should create subkey with non-accessible app and fail to get app statistics', async () => {
-    // Create a subkey with limited rights to a non-accessible app
+  it('rejects nested API key creation from API key auth for app bindings', async () => {
     const createSubkey = await fetch(`${BASE_URL}/apikey`, {
       method: 'POST',
       headers: headersStats,
       body: JSON.stringify({
-        name: 'Non-Accessible App Subkey',
-        mode: 'read',
-        limited_to_apps: ['com.demoadmin.app'],
+        name: 'Nested Stats App Key',
+        bindings: await appApiKeyBindings(APPNAME, 'app_reader'),
       }),
     })
-    expect(createSubkey.status).toBe(200)
-    const subkeyData = await createSubkey.json() as { id: number }
-    const nonAccessibleAppSubkeyId = subkeyData.id
-
-    try {
-      const subkeyHeaders = { 'x-limited-key-id': String(nonAccessibleAppSubkeyId) }
-      const fromDate = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000).toISOString().split('T')[0]
-      const toDate = new Date().toISOString().split('T')[0]
-      const getStats = await fetch(`${BASE_URL}/statistics/app/com.demoadmin.app?from=${fromDate}&to=${toDate}`, {
-        method: 'GET',
-        headers: { ...headersStats, ...subkeyHeaders },
-      })
-      expect(getStats.status).toBe(401)
-      const statsData = await getStats.json<{ error: string }>()
-      expect(statsData.error).toBe('no_access_to_app')
-    }
-    finally {
-      await deleteApikeyById(nonAccessibleAppSubkeyId)
-    }
+    expect(createSubkey.status).toBe(400)
+    const subkeyData = await createSubkey.json<{ error: string }>()
+    expect(subkeyData.error).toBe('cannot_create_apikey')
   })
 })
diff --git a/tests/test-utils.ts b/tests/test-utils.ts
index 39ecd7707d..8a76c9af9c 100644
--- a/tests/test-utils.ts
+++ b/tests/test-utils.ts
@@ -12,9 +12,9 @@ function normalizePostgresUrl(raw: string): string {
 
 function getPostgresUrlFromEnv(): string {
   return normalizePostgresUrl(
-  env.SUPABASE_DB_URL
-  ?? env.DB_URL
-  ?? 'postgresql://postgres:postgres@127.0.0.1:54322/postgres',
+    env.SUPABASE_DB_URL
+    ?? env.DB_URL
+    ?? 'postgresql://postgres:postgres@127.0.0.1:54322/postgres',
   )
 }
 
@@ -236,6 +236,169 @@ export const headers = {
   'Authorization': APIKEY_TEST_ALL,
 }
 
+interface ApiKeyBinding {
+  role_name: string
+  scope_type: 'org' | 'app' | 'channel'
+  org_id: string
+  app_id?: string | null
+  channel_id?: string | number | null
+  reason?: string
+}
+
+export function orgApiKeyBindings(orgId = ORG_ID, roleName = 'org_admin'): ApiKeyBinding[] {
+  return [{
+    role_name: roleName,
+    scope_type: 'org',
+    org_id: orgId,
+  }]
+}
+
+export async function appApiKeyBindings(appId: string, roleName = 'app_admin'): Promise<ApiKeyBinding[]> {
+  const { data, error } = await getSupabaseClient()
+    .from('apps')
+    .select('id, owner_org')
+    .eq('app_id', appId)
+    .single()
+
+  if (error || !data?.id || !data.owner_org)
+    throw error ?? new Error(`Unable to resolve app ${appId}`)
+
+  return [{
+    role_name: roleName,
+    scope_type: 'app',
+    org_id: data.owner_org,
+    app_id: data.id,
+  }]
+}
+
+export async function createDirectApiKeyWithBindings(options: {
+  userId?: string
+  key: string
+  name: string
+  orgId: string
+  roleName?: string
+  appId?: string
+  appRoleName?: string
+  expiresAt?: string | null
+  hashed?: boolean
+}) {
+  const supabase = getSupabaseClient()
+  let apiKey: {
+    id: number
+    key: string | null
+    rbac_id: string
+    user_id: string
+    expires_at: string | null
+  } | null = null
+
+  if (options.hashed) {
+    const [insertedKey] = await executeSQL(
+      `INSERT INTO public.apikeys (user_id, key, key_hash, name, expires_at)
+       VALUES ($1, NULL, encode(extensions.digest($2, 'sha256'), 'hex'), $3, $4)
+       RETURNING id, key, rbac_id, user_id, expires_at`,
+      [options.userId ?? USER_ID, options.key, options.name, options.expiresAt ?? null],
+    )
+    apiKey = insertedKey
+      ? {
+          id: Number(insertedKey.id),
+          key: insertedKey.key,
+          rbac_id: insertedKey.rbac_id,
+          user_id: insertedKey.user_id,
+          expires_at: insertedKey.expires_at,
+        }
+      : null
+  }
+  else {
+    const { data, error: apiKeyError } = await supabase
+      .from('apikeys')
+      .insert({
+        user_id: options.userId ?? USER_ID,
+        key: options.key,
+        key_hash: null,
+        name: options.name,
+        expires_at: options.expiresAt ?? null,
+      })
+      .select('id, key, rbac_id, user_id, expires_at')
+      .single()
+
+    if (apiKeyError)
+      throw apiKeyError
+
+    apiKey = data
+  }
+
+  if (!apiKey)
+    throw new Error('Unable to create API key')
+
+  try {
+    const bindingRows: Database['public']['Tables']['role_bindings']['Insert'][] = []
+    const { data: orgRole, error: orgRoleError } = await supabase
+      .from('roles')
+      .select('id')
+      .eq('name', options.roleName ?? 'org_admin')
+      .single()
+    if (orgRoleError || !orgRole)
+      throw orgRoleError ?? new Error('Unable to resolve org role')
+
+    bindingRows.push({
+      principal_type: 'apikey',
+      principal_id: apiKey.rbac_id,
+      role_id: orgRole.id,
+      scope_type: 'org',
+      org_id: options.orgId,
+      granted_by: apiKey.user_id,
+      reason: 'Test API key binding',
+      is_direct: true,
+    })
+
+    if (options.appId) {
+      const { data: app, error: appError } = await supabase
+        .from('apps')
+        .select('id, owner_org')
+        .eq('app_id', options.appId)
+        .single()
+      if (appError || !app?.id || !app.owner_org)
+        throw appError ?? new Error(`Unable to resolve app ${options.appId}`)
+      if (app.owner_org !== options.orgId)
+        throw new Error(`App ${options.appId} belongs to org ${app.owner_org}, expected ${options.orgId}`)
+
+      const { data: appRole, error: appRoleError } = await supabase
+        .from('roles')
+        .select('id')
+        .eq('name', options.appRoleName ?? 'app_admin')
+        .single()
+      if (appRoleError || !appRole)
+        throw appRoleError ?? new Error('Unable to resolve app role')
+
+      bindingRows.push({
+        principal_type: 'apikey',
+        principal_id: apiKey.rbac_id,
+        role_id: appRole.id,
+        scope_type: 'app',
+        org_id: options.orgId,
+        app_id: app.id,
+        granted_by: apiKey.user_id,
+        reason: 'Test API key app binding',
+        is_direct: true,
+      })
+    }
+
+    const { error: bindingError } = await supabase
+      .from('role_bindings')
+      .insert(bindingRows)
+    if (bindingError)
+      throw bindingError
+
+    return apiKey
+  }
+  catch (error) {
+    const { error: cleanupError } = await supabase.from('apikeys').delete().eq('id', apiKey.id)
+    if (cleanupError)
+      console.warn(`Failed to clean up API key ${apiKey.id} after binding setup error:`, cleanupError)
+    throw error
+  }
+}
+
 let cachedAuthHeaders: Record<string, string> | null = null
 let authHeadersPromise: Promise<Record<string, string>> | null = null
 
diff --git a/tests/webhook-signature.test.ts b/tests/webhook-signature.test.ts
index 9351f7abe3..5e7b3e6b2a 100644
--- a/tests/webhook-signature.test.ts
+++ b/tests/webhook-signature.test.ts
@@ -2,14 +2,17 @@ import { Buffer } from 'node:buffer'
 import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 import { generateStandardWebhookSignature, generateWebhookSignature } from '../supabase/functions/_backend/utils/webhook.ts'
-import { BASE_URL, getSupabaseClient, headers, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { BASE_URL, createDirectApiKeyWithBindings, getSupabaseClient, TEST_EMAIL, USER_ID } from './test-utils.ts'
 
 // Test data
 const WEBHOOK_TEST_ORG_ID = randomUUID()
 const globalId = randomUUID()
 const customerId = `cus_test_${WEBHOOK_TEST_ORG_ID}`
+const webhookApiKey = randomUUID()
 let createdWebhookId: string | null = null
 let webhookSecret: string | null = null
+let headers: Record<string, string>
+let webhookApiKeyId: number | null = null
 
 /**
  * Verify Standard Webhooks signature using Node.js crypto.
@@ -81,6 +84,21 @@ beforeAll(async () => {
   })
   if (error)
     throw error
+
+  const apiKey = await createDirectApiKeyWithBindings({
+    key: webhookApiKey,
+    name: `webhook-signature-${globalId}`,
+    orgId: WEBHOOK_TEST_ORG_ID,
+    roleName: 'org_admin',
+  })
+  if (!apiKey.key)
+    throw new Error('Failed to create webhook API key')
+
+  webhookApiKeyId = apiKey.id
+  headers = {
+    'Content-Type': 'application/json',
+    'Authorization': apiKey.key,
+  }
 })
 
 afterAll(async () => {
@@ -90,6 +108,8 @@ afterAll(async () => {
     await (getSupabaseClient() as any).from('webhooks').delete().eq('id', createdWebhookId)
   }
   // Clean up test organization and stripe_info
+  if (webhookApiKeyId !== null)
+    await getSupabaseClient().from('apikeys').delete().eq('id', webhookApiKeyId).throwOnError()
   await getSupabaseClient().from('orgs').delete().eq('id', WEBHOOK_TEST_ORG_ID)
   await getSupabaseClient().from('stripe_info').delete().eq('customer_id', customerId)
 })
diff --git a/tests/webhooks-apikey-policy.test.ts b/tests/webhooks-apikey-policy.test.ts
index 30b6424110..181e4b9d18 100644
--- a/tests/webhooks-apikey-policy.test.ts
+++ b/tests/webhooks-apikey-policy.test.ts
@@ -1,22 +1,20 @@
 import { randomUUID } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
-import { getEndpointUrl, getSupabaseClient, USER_ID_2 } from './test-utils.ts'
+import { createDirectApiKeyWithBindings, getEndpointUrl, getSupabaseClient, USER_ID_2 } from './test-utils.ts'
 
 const globalId = randomUUID()
-const numericGlobalId = Number.parseInt(globalId.replaceAll('-', '').slice(0, 12), 16)
 const policyOrgId = randomUUID()
+const policySecondaryOrgId = randomUUID()
 const policyCustomerId = `cus_webhook_policy_${globalId}`
+const policySecondaryCustomerId = `cus_webhook_policy_secondary_${globalId}`
 const WEBHOOKS_URL = getEndpointUrl('/webhooks')
 const WEBHOOKS_TEST_URL = getEndpointUrl('/webhooks/test')
 const WEBHOOKS_RETRY_URL = getEndpointUrl('/webhooks/deliveries/retry')
-const legacyApiKeySeedId = numericGlobalId * 2
-const expiringSubkeySeedId = legacyApiKeySeedId + 1
-const delegatedApiKeySeedId = expiringSubkeySeedId + 1
 const seededWebhookId = randomUUID()
 const seededDeliveryId = randomUUID()
 
-let legacyApiKeyId: number | null = null
-let legacyApiKeyValue: string | null = null
+let primaryApiKeyId: number | null = null
+let primaryApiKeyValue: string | null = null
 let expiringSubkeyId: number | null = null
 let expiringSubkeyValue: string | null = null
 let delegatedApiKeyId: number | null = null
@@ -75,22 +73,46 @@ beforeAll(async () => {
   if (memberError)
     throw memberError
 
-  const { data: legacyKeyData, error: legacyKeyError } = await supabase.from('apikeys').insert({
-    id: legacyApiKeySeedId,
+  const { error: secondaryStripeError } = await supabase.from('stripe_info').insert({
+    customer_id: policySecondaryCustomerId,
+    status: 'succeeded',
+    product_id: 'prod_LQIregjtNduh4q',
+    subscription_id: `sub_webhook_policy_secondary_${globalId}`,
+    trial_at: new Date(Date.now() + 15 * 24 * 60 * 60 * 1000).toISOString(),
+    is_good_plan: true,
+  })
+  if (secondaryStripeError)
+    throw secondaryStripeError
+
+  const { error: secondaryOrgError } = await supabase.from('orgs').insert({
+    id: policySecondaryOrgId,
+    name: `Webhook Policy Secondary Org ${globalId}`,
+    management_email: policyOwnerEmail,
+    created_by: policyOwnerUserId,
+    customer_id: policySecondaryCustomerId,
+  })
+  if (secondaryOrgError)
+    throw secondaryOrgError
+
+  const { error: secondaryMemberError } = await supabase.from('org_users').insert({
+    org_id: policySecondaryOrgId,
     user_id: policyOwnerUserId,
-    key: `legacy-webhook-key-${globalId}`,
-    key_hash: null,
-    mode: 'all',
-    name: `legacy-webhook-key-${globalId}`,
-    limited_to_apps: [],
-    limited_to_orgs: [policyOrgId],
-    expires_at: null,
-  }).select('id, key').single()
-  if (legacyKeyError || !legacyKeyData) {
-    throw new Error(`Failed to seed legacy webhook API key: ${legacyKeyError?.message ?? 'missing key data'}`)
-  }
-  legacyApiKeyId = legacyKeyData.id
-  legacyApiKeyValue = legacyKeyData.key
+    user_right: 'super_admin',
+  })
+  if (secondaryMemberError)
+    throw secondaryMemberError
+
+  const primaryKeyData = await createDirectApiKeyWithBindings({
+    userId: policyOwnerUserId,
+    key: `webhook-primary-key-${globalId}`,
+    name: `webhook-primary-key-${globalId}`,
+    orgId: policyOrgId,
+    roleName: 'org_admin',
+  })
+  if (!primaryKeyData.key)
+    throw new Error('Failed to seed webhook API key')
+  primaryApiKeyId = primaryKeyData.id
+  primaryApiKeyValue = primaryKeyData.key
 
   // Seed preconditions directly so policy tests do not depend on webhook delivery side effects.
   const { error: webhookError } = await (supabase as any).from('webhooks').insert({
@@ -134,61 +156,31 @@ beforeAll(async () => {
   if (policyError)
     throw policyError
 
-  const { data: expiringKeyData, error: expiringKeyError } = await supabase.from('apikeys').insert({
-    id: expiringSubkeySeedId,
-    user_id: policyOwnerUserId,
+  const expiringKeyData = await createDirectApiKeyWithBindings({
+    userId: policyOwnerUserId,
     key: `expiring-webhook-subkey-${globalId}`,
-    key_hash: null,
-    mode: 'all',
     name: `expiring-webhook-subkey-${globalId}`,
-    limited_to_apps: [],
-    limited_to_orgs: [policyOrgId],
-    expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
-  }).select('id, key').single()
-  if (expiringKeyError || !expiringKeyData) {
-    throw new Error(`Failed to seed expiring webhook API key: ${expiringKeyError?.message ?? 'missing key data'}`)
-  }
+    orgId: policyOrgId,
+    roleName: 'org_admin',
+    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+  })
+  if (!expiringKeyData.key)
+    throw new Error('Failed to seed expiring webhook API key')
   expiringSubkeyId = expiringKeyData.id
   expiringSubkeyValue = expiringKeyData.key
 
-  const { data: delegatedKeyData, error: delegatedKeyError } = await supabase.from('apikeys').insert({
-    id: delegatedApiKeySeedId,
-    user_id: USER_ID_2,
+  const delegatedKeyData = await createDirectApiKeyWithBindings({
+    userId: USER_ID_2,
     key: `delegated-webhook-key-${globalId}`,
-    key_hash: null,
-    mode: 'all',
     name: `delegated-webhook-key-${globalId}`,
-    limited_to_apps: [],
-    limited_to_orgs: [policyOrgId],
-    expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
-  }).select('id, key, rbac_id').single()
-  if (delegatedKeyError || !delegatedKeyData?.rbac_id) {
-    throw new Error(`Failed to seed delegated webhook API key: ${delegatedKeyError?.message ?? 'missing delegated key data'}`)
-  }
+    orgId: policyOrgId,
+    roleName: 'org_admin',
+    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+  })
+  if (!delegatedKeyData.key)
+    throw new Error('Failed to seed delegated webhook API key')
   delegatedApiKeyId = delegatedKeyData.id
   delegatedApiKeyValue = delegatedKeyData.key
-
-  const { data: orgAdminRole, error: orgAdminRoleError } = await supabase
-    .from('roles')
-    .select('id')
-    .eq('name', 'org_admin')
-    .single()
-  if (orgAdminRoleError || !orgAdminRole?.id) {
-    throw new Error(`Failed to load org_admin role: ${orgAdminRoleError?.message ?? 'missing role data'}`)
-  }
-
-  const { error: delegatedBindingError } = await supabase.from('role_bindings').insert({
-    principal_type: 'apikey',
-    principal_id: delegatedKeyData.rbac_id,
-    role_id: orgAdminRole.id,
-    scope_type: 'org',
-    org_id: policyOrgId,
-    granted_by: policyOwnerUserId,
-    reason: 'Webhook delegated API key regression test',
-    is_direct: true,
-  })
-  if (delegatedBindingError)
-    throw delegatedBindingError
 }, 60000)
 
 afterAll(async () => {
@@ -198,8 +190,8 @@ afterAll(async () => {
     await (supabase as any).from('webhooks').delete().eq('id', createdWebhookId)
   }
 
-  if (legacyApiKeyId) {
-    await supabase.from('apikeys').delete().eq('id', legacyApiKeyId)
+  if (primaryApiKeyId) {
+    await supabase.from('apikeys').delete().eq('id', primaryApiKeyId)
   }
 
   if (expiringSubkeyId) {
@@ -211,9 +203,13 @@ afterAll(async () => {
   }
 
   await supabase.from('role_bindings').delete().eq('org_id', policyOrgId)
+  await supabase.from('role_bindings').delete().eq('org_id', policySecondaryOrgId)
   await supabase.from('org_users').delete().eq('org_id', policyOrgId)
+  await supabase.from('org_users').delete().eq('org_id', policySecondaryOrgId)
   await supabase.from('orgs').delete().eq('id', policyOrgId)
+  await supabase.from('orgs').delete().eq('id', policySecondaryOrgId)
   await supabase.from('stripe_info').delete().eq('customer_id', policyCustomerId)
+  await supabase.from('stripe_info').delete().eq('customer_id', policySecondaryCustomerId)
   if (policyOwnerUserId) {
     await supabase.from('users').delete().eq('id', policyOwnerUserId)
     await supabase.auth.admin.deleteUser(policyOwnerUserId)
@@ -221,14 +217,14 @@ afterAll(async () => {
 }, 60000)
 
 describe('webhook endpoints enforce org API key expiration policy', () => {
-  it('rejects webhook listing for legacy non-expiring org key', async () => {
-    if (!legacyApiKeyValue)
+  it('rejects webhook listing for org non-expiring org key', async () => {
+    if (!primaryApiKeyValue)
       throw new Error('Legacy API key was not created')
 
     const response = await fetch(`${WEBHOOKS_URL}?orgId=${policyOrgId}`, {
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
       },
     })
 
@@ -237,15 +233,15 @@ describe('webhook endpoints enforce org API key expiration policy', () => {
     expect(data.error).toBe('org_requires_expiring_key')
   })
 
-  it('rejects webhook creation for legacy non-expiring org key', async () => {
-    if (!legacyApiKeyValue)
+  it('rejects webhook creation for org non-expiring org key', async () => {
+    if (!primaryApiKeyValue)
       throw new Error('Legacy API key was not created')
 
     const response = await fetch(WEBHOOKS_URL, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
       },
       body: JSON.stringify({
         orgId: policyOrgId,
@@ -260,15 +256,15 @@ describe('webhook endpoints enforce org API key expiration policy', () => {
     expect(data.error).toBe('org_requires_expiring_key')
   })
 
-  it('rejects webhook deletion for legacy non-expiring org key', async () => {
-    if (!legacyApiKeyValue || !createdWebhookId)
+  it('rejects webhook deletion for org non-expiring org key', async () => {
+    if (!primaryApiKeyValue || !createdWebhookId)
       throw new Error('Webhook deletion prerequisites were not created')
 
     const response = await fetch(WEBHOOKS_URL, {
       method: 'DELETE',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
       },
       body: JSON.stringify({
         orgId: policyOrgId,
@@ -281,15 +277,15 @@ describe('webhook endpoints enforce org API key expiration policy', () => {
     expect(data.error).toBe('org_requires_expiring_key')
   })
 
-  it('rejects webhook test for legacy non-expiring org key', async () => {
-    if (!legacyApiKeyValue || !createdWebhookId)
+  it('rejects webhook test for org non-expiring org key', async () => {
+    if (!primaryApiKeyValue || !createdWebhookId)
       throw new Error('Webhook test prerequisites were not created')
 
     const response = await fetch(WEBHOOKS_TEST_URL, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
       },
       body: JSON.stringify({
         orgId: policyOrgId,
@@ -302,15 +298,15 @@ describe('webhook endpoints enforce org API key expiration policy', () => {
     expect(data.error).toBe('org_requires_expiring_key')
   })
 
-  it('rejects delivery retry for legacy non-expiring org key', async () => {
-    if (!legacyApiKeyValue || !createdDeliveryId)
+  it('rejects delivery retry for org non-expiring org key', async () => {
+    if (!primaryApiKeyValue || !createdDeliveryId)
       throw new Error('Webhook delivery prerequisites were not created')
 
     const response = await fetch(WEBHOOKS_RETRY_URL, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
       },
       body: JSON.stringify({
         orgId: policyOrgId,
@@ -323,15 +319,15 @@ describe('webhook endpoints enforce org API key expiration policy', () => {
     expect(data.error).toBe('org_requires_expiring_key')
   })
 
-  it('rejects webhook test when a legacy parent key attaches an expiring subkey', async () => {
-    if (!legacyApiKeyValue || !expiringSubkeyId || !createdWebhookId)
+  it('rejects webhook test when an org parent key attaches an expiring subkey', async () => {
+    if (!primaryApiKeyValue || !expiringSubkeyId || !createdWebhookId)
       throw new Error('Webhook subkey policy prerequisites were not created')
 
     const response = await fetch(WEBHOOKS_TEST_URL, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': legacyApiKeyValue,
+        'Authorization': primaryApiKeyValue,
         'x-limited-key-id': String(expiringSubkeyId),
       },
       body: JSON.stringify({
diff --git a/tests/webhooks.test.ts b/tests/webhooks.test.ts
index b4421d6552..1f4b5acb98 100644
--- a/tests/webhooks.test.ts
+++ b/tests/webhooks.test.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'node:crypto'
 import { createClient } from '@supabase/supabase-js'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 
-import { fetchWithRetry, getAuthHeaders, getEndpointUrl, getSupabaseClient, headers, SUPABASE_ANON_KEY, SUPABASE_BASE_URL, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { createDirectApiKeyWithBindings, fetchWithRetry, getAuthHeaders, getEndpointUrl, getSupabaseClient, SUPABASE_ANON_KEY, SUPABASE_BASE_URL, TEST_EMAIL, USER_ID } from './test-utils.ts'
 
 // This file intentionally runs sequentially because it exercises one webhook
 // lifecycle across create, list, update, test, delivery, and delete steps.
@@ -26,6 +26,7 @@ let lastDeliveryId: string | null = null
 let appScopedKeyId: number | null = null
 let appScopedKey: string | null = null
 let orgScopedSubkeyId: number | null = null
+let webhookHeaders: Record<string, string>
 
 const webhookEndpoint = (path = '') => getEndpointUrl(`/webhooks${path}`)
 
@@ -92,36 +93,38 @@ beforeAll(async () => {
   if (appError)
     throw appError
 
-  const { data: appScopedKeyData, error: appScopedKeyError } = await getSupabaseClient().rpc('create_hashed_apikey_for_user', {
-    p_user_id: USER_ID,
-    p_mode: 'all',
-    p_name: `webhook-app-scoped-${globalId}`,
-    p_limited_to_orgs: [],
-    p_limited_to_apps: [webhookAppId],
-    p_expires_at: null as unknown as string,
+  const appScopedKeyData = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
+    key: randomUUID(),
+    name: `webhook-app-scoped-${globalId}`,
+    orgId: WEBHOOK_TEST_ORG_ID,
+    roleName: 'org_member',
+    appId: webhookAppId,
+    appRoleName: 'app_admin',
   })
-  if (appScopedKeyError || !appScopedKeyData?.key) {
-    throw new Error(`Failed to create app-scoped API key for webhook tests: ${appScopedKeyError?.message ?? 'missing key data'}`)
+  if (!appScopedKeyData?.key) {
+    throw new Error('Failed to create app-scoped API key for webhook tests')
   }
 
   appScopedKeyId = appScopedKeyData.id
   appScopedKey = appScopedKeyData.key
 
-  const { data: orgScopedSubkeyData, error: orgScopedSubkeyError } = await getSupabaseClient().from('apikeys').insert({
-    user_id: USER_ID,
+  const orgScopedSubkeyData = await createDirectApiKeyWithBindings({
+    userId: USER_ID,
     key: randomUUID(),
-    key_hash: null,
-    mode: 'all',
     name: `webhook-org-scoped-subkey-${globalId}`,
-    limited_to_orgs: [WEBHOOK_TEST_ORG_ID],
-    limited_to_apps: [],
-    expires_at: null,
-  }).select('id').single()
-  if (orgScopedSubkeyError || !orgScopedSubkeyData?.id) {
-    throw new Error(`Failed to create org-scoped API subkey for webhook tests: ${orgScopedSubkeyError?.message ?? 'missing key data'}`)
+    orgId: WEBHOOK_TEST_ORG_ID,
+    roleName: 'org_admin',
+  })
+  if (!orgScopedSubkeyData?.id || !orgScopedSubkeyData?.key) {
+    throw new Error('Failed to create org-scoped API subkey for webhook tests')
   }
 
   orgScopedSubkeyId = orgScopedSubkeyData.id
+  webhookHeaders = {
+    'Content-Type': 'application/json',
+    'Authorization': orgScopedSubkeyData.key,
+  }
 })
 
 afterAll(async () => {
@@ -159,7 +162,7 @@ afterAll(async () => {
 describe('[GET] /webhooks', () => {
   it('list webhooks for organization', async () => {
     const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { secret?: string }[]
@@ -168,7 +171,7 @@ describe('[GET] /webhooks', () => {
 
   it('list webhooks with query-string pagination', async () => {
     const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&page=0`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as unknown[]
@@ -177,7 +180,7 @@ describe('[GET] /webhooks', () => {
 
   it('list webhooks with missing orgId', async () => {
     const response = await fetchWithRetry(webhookEndpoint(), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -187,7 +190,7 @@ describe('[GET] /webhooks', () => {
   it('list webhooks with invalid orgId', async () => {
     const invalidOrgId = randomUUID()
     const response = await fetchWithRetry(webhookEndpoint(`?orgId=${invalidOrgId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
   })
@@ -215,7 +218,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: webhookName,
@@ -240,7 +243,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with Standard Webhooks delivery version', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: `Standard Webhook ${globalId}`,
@@ -382,7 +385,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with missing required fields', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Missing URL Webhook',
@@ -397,7 +400,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with invalid URL', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Invalid URL Webhook',
@@ -413,7 +416,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with HTTP URL (non-HTTPS)', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'HTTP URL Webhook',
@@ -430,7 +433,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with invalid events', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Invalid Events Webhook',
@@ -446,7 +449,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with invalid delivery version', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Invalid Version Webhook',
@@ -463,7 +466,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook with empty events array', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Empty Events Webhook',
@@ -480,7 +483,7 @@ describe('[POST] /webhooks', () => {
     const invalidOrgId = randomUUID()
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: invalidOrgId,
         name: 'Invalid Org Webhook',
@@ -494,7 +497,7 @@ describe('[POST] /webhooks', () => {
   it('create webhook rejects localhost URL', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Localhost Webhook',
@@ -514,7 +517,7 @@ describe('[GET] /webhooks (single webhook)', () => {
       throw new Error('Webhook was not created in previous test')
 
     const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { id: string, name: string, delivery_version: string, secret?: string, stats_24h: object }
@@ -528,7 +531,7 @@ describe('[GET] /webhooks (single webhook)', () => {
   it('get webhook with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
     const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -544,7 +547,7 @@ describe('[PUT] /webhooks', () => {
     const newName = `Updated Webhook ${globalId}`
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -565,7 +568,7 @@ describe('[PUT] /webhooks', () => {
     const newUrl = 'https://updated.example.com/webhook'
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -583,7 +586,7 @@ describe('[PUT] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -602,7 +605,7 @@ describe('[PUT] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -616,7 +619,7 @@ describe('[PUT] /webhooks', () => {
     // Re-enable for subsequent tests
     await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -631,7 +634,7 @@ describe('[PUT] /webhooks', () => {
 
     const standardResponse = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -644,7 +647,7 @@ describe('[PUT] /webhooks', () => {
 
     const legacyResponse = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -662,7 +665,7 @@ describe('[PUT] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -677,7 +680,7 @@ describe('[PUT] /webhooks', () => {
     const invalidWebhookId = randomUUID()
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: invalidWebhookId,
@@ -695,7 +698,7 @@ describe('[PUT] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -713,7 +716,7 @@ describe('[PUT] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -734,7 +737,7 @@ describe('[POST] /webhooks/test', () => {
 
     const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
@@ -769,7 +772,7 @@ describe('[POST] /webhooks/test', () => {
     const invalidWebhookId = randomUUID()
     const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: invalidWebhookId,
@@ -793,7 +796,7 @@ describe('[POST] /webhooks/test', () => {
     try {
       const response = await fetch(webhookEndpoint('/test'), {
         method: 'POST',
-        headers,
+        headers: webhookHeaders,
         body: JSON.stringify({
           orgId: WEBHOOK_TEST_ORG_ID,
           webhookId: createdWebhookId,
@@ -815,7 +818,7 @@ describe('[POST] /webhooks/test', () => {
   it('test webhook with missing body', async () => {
     const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({}),
     })
     expect(response.status).toBe(400)
@@ -876,7 +879,7 @@ describe('[GET] /webhooks/deliveries', () => {
       throw new Error('Webhook was not created in previous test')
 
     const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { deliveries: any[], pagination: { page: number, per_page: number, total: number, has_more: boolean } }
@@ -918,7 +921,7 @@ describe('[GET] /webhooks/deliveries', () => {
       throw new Error('Webhook was not created in previous test')
 
     const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&status=success`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { deliveries: any[] }
@@ -930,7 +933,7 @@ describe('[GET] /webhooks/deliveries', () => {
       throw new Error('Webhook was not created in previous test')
 
     const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&page=0`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { pagination: { page: number } }
@@ -940,7 +943,7 @@ describe('[GET] /webhooks/deliveries', () => {
   it('get webhook deliveries with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
     const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -949,7 +952,7 @@ describe('[GET] /webhooks/deliveries', () => {
 
   it('get webhook deliveries with missing body', async () => {
     const response = await fetchWithRetry(webhookEndpoint('/deliveries'), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -962,7 +965,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     const invalidDeliveryId = randomUUID()
     const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         deliveryId: invalidDeliveryId,
@@ -1052,7 +1055,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     try {
       const response = await fetch(webhookEndpoint('/deliveries/retry'), {
         method: 'POST',
-        headers,
+        headers: webhookHeaders,
         body: JSON.stringify({
           orgId: WEBHOOK_TEST_ORG_ID,
           deliveryId: pendingDeliveryId,
@@ -1113,7 +1116,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     try {
       const response = await fetch(webhookEndpoint('/deliveries/retry'), {
         method: 'POST',
-        headers,
+        headers: webhookHeaders,
         body: JSON.stringify({
           orgId: WEBHOOK_TEST_ORG_ID,
           deliveryId: failedDeliveryId,
@@ -1139,7 +1142,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
   it('retry delivery with missing body', async () => {
     const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({}),
     })
     expect(response.status).toBe(400)
@@ -1154,7 +1157,7 @@ describe('[DELETE] /webhooks', () => {
     const invalidWebhookId = randomUUID()
     const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
       method: 'DELETE',
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -1164,7 +1167,7 @@ describe('[DELETE] /webhooks', () => {
   it('delete webhook with missing body', async () => {
     const response = await fetch(webhookEndpoint(), {
       method: 'DELETE',
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }
@@ -1178,7 +1181,7 @@ describe('[DELETE] /webhooks', () => {
 
     const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
       method: 'DELETE',
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(200)
     const data = await response.json() as { status: string, webhookId: string }
@@ -1187,7 +1190,7 @@ describe('[DELETE] /webhooks', () => {
 
     // Verify deletion
     const getResponse = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
-      headers,
+      headers: webhookHeaders,
     })
     expect(getResponse.status).toBe(400)
 
@@ -1198,7 +1201,7 @@ describe('[DELETE] /webhooks', () => {
     // Create a new webhook to delete
     const createResponse = await fetch(webhookEndpoint(), {
       method: 'POST',
-      headers,
+      headers: webhookHeaders,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'Webhook to double delete',
@@ -1212,13 +1215,13 @@ describe('[DELETE] /webhooks', () => {
     // First deletion
     await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`), {
       method: 'DELETE',
-      headers,
+      headers: webhookHeaders,
     })
 
     // Second deletion attempt
     const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`), {
       method: 'DELETE',
-      headers,
+      headers: webhookHeaders,
     })
     expect(response.status).toBe(400)
     const data = await response.json() as { error: string }