NOISSUE - Bump the go-dependency group across 1 directory with 3 updates (#3531 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump actions/checkout from 6 to 7 in /.github/workflows in the gh-dependency group across 1 directory (#3530 )
2026-06-23 04:10:28 +00:00 · 2026-06-19 17:13:43 +02:00 · 2026-06-19 17:08:11 +02:00 · 2026-06-19 16:52:13 +02:00 · 2026-06-16 16:23:06 +02:00 · 2026-06-12 13:43:21 +02:00
1149 changed files with 138095 additions and 24865 deletions
@@ -5,9 +5,10 @@
 coverage:
  ignore:
    - "tools/*"
+    - "api/grpc/**"
    - "cmd/*"
-    - "coap/*"
-    - "*/mocks/*"
+    - "coap/**"
+    - "**/mocks/*"
    - "*/middleware/*"
    - "pkg/sid/mock.go"
    - "pkg/tracing/utils.go"
@@ -1 +1 @@
-*   @absmach/supermq
+*   @absmach/magistrala
@@ -5,7 +5,7 @@ blank_issues_enabled: false
 contact_links:
  - name: Google group
    url: https://groups.google.com/forum/#!forum/mainflux
-    about: Join the SuperMQ community on Google group.
+    about: Join the Magistrala community on Google group.
  - name: Gitter
    url: https://gitter.im/mainflux/mainflux
-    about: Join the SuperMQ community on Gitter.
+    about: Join the Magistrala community on Gitter.
@@ -3,8 +3,8 @@ SPDX-License-Identifier: Apache-2.0 -->

 <!--

-Pull request title should be `SMQ-XXX - description` or `NOISSUE - description` where XXX is ID of the issue that this PR relate to.
-Please review the [CONTRIBUTING.md](https://github.com/absmach/supermq/blob/main/CONTRIBUTING.md) file for detailed contributing guidelines.
+Pull request title should be `MG-XXX - description` or `NOISSUE - description` where XXX is ID of the issue that this PR relate to.
+Please review the [CONTRIBUTING.md](https://github.com/absmach/magistrala/blob/main/CONTRIBUTING.md) file for detailed contributing guidelines.

 For Work In Progress Pull Requests, please use the Draft PR feature, see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for further details.

@@ -5,9 +5,11 @@ version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "./.github/workflows"
+    target-branch: "main"
    schedule:
-      interval: "monthly"
+      interval: "weekly"
      day: "monday"
+      time: "06:00"
      timezone: "Europe/Paris"
    groups:
      gh-dependency:
@@ -16,16 +18,24 @@ updates:

  - package-ecosystem: "gomod"
    directory: "/"
+    target-branch: "main"
    schedule:
      interval: "weekly"
      day: "monday"
+      time: "06:15"
      timezone: "Europe/Paris"
+    groups:
+      go-dependency:
+        patterns:
+          - "*"

  - package-ecosystem: "docker"
-    directory: "./docker"
+    directory: "/docker"
+    target-branch: "main"
    schedule:
-      interval: "monthly"
+      interval: "weekly"
      day: "monday"
+      time: "06:30"
      timezone: "Europe/Paris"
    groups:
      docker-dependency:
@@ -0,0 +1,181 @@
+<!--
+Copyright (c) Abstract Machines
+SPDX-License-Identifier: Apache-2.0
+-->
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Magistrala API Documentation</title>
+    <link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui.css">
+    <style>
+        body {
+            margin: 0;
+            padding: 0;
+        }
+        .topbar {
+            display: none;
+        }
+        .service-selector {
+            background: #1b1b1b;
+            padding: 20px;
+            text-align: center;
+        }
+        .service-selector h1 {
+            color: #fff;
+            margin: 0 0 15px 0;
+            font-family: sans-serif;
+        }
+        .service-dropdown-container {
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            gap: 10px;
+        }
+        .service-dropdown-container label {
+            color: #fff;
+            font-family: sans-serif;
+            font-size: 14px;
+            font-weight: 500;
+        }
+        .service-dropdown {
+            background: #2d2d2d;
+            color: white;
+            border: 1px solid #4990e2;
+            padding: 10px 40px 10px 15px;
+            border-radius: 4px;
+            cursor: pointer;
+            font-size: 14px;
+            font-weight: 500;
+            min-width: 200px;
+            appearance: none;
+            background-image: url('data:image/svg+xml;charset=UTF-8,<svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" viewBox="0 0 12 12"><path fill="%23ffffff" d="M6 9L1 4h10z"/></svg>');
+            background-repeat: no-repeat;
+            background-position: right 12px center;
+        }
+        .service-dropdown:hover {
+            background-color: #3a3a3a;
+            border-color: #357abd;
+        }
+        .service-dropdown:focus {
+            outline: none;
+            border-color: #4990e2;
+            box-shadow: 0 0 0 2px rgba(73, 144, 226, 0.3);
+        }
+
+        /* Responsive styles for mobile */
+        @media (max-width: 768px) {
+            .service-selector {
+                padding: 15px 10px;
+            }
+            .service-selector h1 {
+                font-size: 1.5rem;
+                margin: 0 0 12px 0;
+            }
+            .service-dropdown-container {
+                flex-direction: column;
+                gap: 8px;
+            }
+            .service-dropdown-container label {
+                font-size: 13px;
+            }
+            .service-dropdown {
+                width: 100%;
+                max-width: 300px;
+                min-width: auto;
+                font-size: 13px;
+                padding: 8px 35px 8px 12px;
+            }
+        }
+
+        @media (max-width: 480px) {
+            .service-selector h1 {
+                font-size: 1.25rem;
+            }
+            .service-dropdown {
+                max-width: 250px;
+            }
+        }
+    </style>
+</head>
+<body>
+    <div class="service-selector">
+        <h1>Magistrala API Documentation</h1>
+        <div class="service-dropdown-container">
+            <label for="serviceDropdown">Select Service:</label>
+            <select id="serviceDropdown" class="service-dropdown"></select>
+        </div>
+    </div>
+    <div id="swagger-ui"></div>
+
+    <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui-bundle.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui-standalone-preset.js"></script>
+    <script>
+        // Available API specifications
+        const APIs = APIS_PLACEHOLDER;
+
+        // Get the service from URL query parameter, default to first service
+        function getServiceFromURL() {
+            const params = new URLSearchParams(window.location.search);
+            const service = params.get('service');
+            return service && APIs.includes(service) ? service : APIs[0];
+        }
+
+        // Update URL with selected service
+        function updateURL(service) {
+            const url = new URL(window.location);
+            url.searchParams.set('service', service);
+            window.history.pushState({}, '', url);
+        }
+
+        // Create service selector dropdown
+        function createServiceDropdown() {
+            const dropdown = document.getElementById('serviceDropdown');
+            const currentService = getServiceFromURL();
+
+            APIs.forEach(api => {
+                const option = document.createElement('option');
+                option.value = api;
+                let serviceName = api.replace('.yaml', '').replace(/^\w/, c => c.toUpperCase());
+                if (serviceName.toLowerCase() === 'http') {
+                    serviceName = 'HTTP';
+                }
+                option.textContent = serviceName;
+                if (api === currentService) {
+                    option.selected = true;
+                }
+                dropdown.appendChild(option);
+            });
+
+            // Handle dropdown change
+            dropdown.addEventListener('change', (e) => {
+                const selectedApi = e.target.value;
+                loadSwaggerUI(selectedApi);
+                updateURL(selectedApi);
+            });
+        }
+
+        // Load Swagger UI with specified API spec
+        function loadSwaggerUI(apiSpec) {
+            SwaggerUIBundle({
+                url: apiSpec,
+                dom_id: '#swagger-ui',
+                deepLinking: true,
+                presets: [
+                    SwaggerUIBundle.presets.apis,
+                    SwaggerUIStandalonePreset
+                ],
+                plugins: [
+                    SwaggerUIBundle.plugins.DownloadUrl
+                ],
+                layout: "StandaloneLayout"
+            });
+        }
+
+        // Initialize
+        createServiceDropdown();
+        loadSwaggerUI(getServiceFromURL());
+    </script>
+</body>
+</html>
@@ -4,6 +4,26 @@
 name: Property Based Tests

 on:
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/api-tests.yaml"
+      - "api/**"
+      - "auth/api/http/**"
+      - "channels/api/http/**"
+      - "clients/api/http/**"
+      - "domains/api/http/**"
+      - "groups/api/http/**"
+      - "journal/api/**"
+      - "users/api/**"
+      - "bootstrap/api/**"
+      - "certs/api/http/**"
+      - "readers/api/http/**"
+      - "re/api/**"
+      - "alarms/api/**"
+      - "reports/api/**"
+      - "apidocs/openapi/**"
  pull_request:
    branches:
      - main
@@ -15,9 +35,19 @@ on:
      - "clients/api/http/**"
      - "domains/api/http/**"
      - "groups/api/http/**"
-      - "http/api/**"
      - "journal/api/**"
      - "users/api/**"
+      - "bootstrap/api/**"
+      - "certs/api/http/**"
+      - "readers/api/http/**"
+      - "re/api/**"
+      - "alarms/api/**"
+      - "reports/api/**"
+      - "apidocs/openapi/**"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

 env:
  TOKENS_URL: http://localhost:9002/users/tokens/issue
@@ -30,94 +60,131 @@ env:
  CLIENTS_URL: http://localhost:9006
  CHANNELS_URL: http://localhost:9005
  GROUPS_URL: http://localhost:9004
-  HTTP_ADAPTER_URL: http://localhost:8008
  AUTH_URL: http://localhost:9001
  JOURNAL_URL: http://localhost:9021
+  BOOTSTRAP_URL: http://localhost:9013
+  CERTS_URL: http://localhost:9019
+  READERS_URL: http://localhost:9011
+  RE_URL: http://localhost:9008
+  ALARMS_URL: http://localhost:8050
+  REPORTS_URL: http://localhost:9017

 jobs:
  api-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
+        with:
+          fetch-depth: 0

      - name: Install Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

+      - name: Check for changes in specific paths
+        uses: dorny/paths-filter@v4
+        id: changes
+        with:
+          filters: |
+            workflow:
+              - ".github/workflows/api-tests.yaml"
+
+            journal:
+              - "apidocs/openapi/journal.yaml"
+              - "journal/api/**"
+
+            auth:
+              - "apidocs/openapi/auth.yaml"
+              - "auth/api/http/**"
+
+            domains:
+              - "apidocs/openapi/domains.yaml"
+              - "domains/api/http/**"
+
+            clients:
+              - "apidocs/openapi/clients.yaml"
+              - "clients/api/http/**"
+
+            channels:
+              - "apidocs/openapi/channels.yaml"
+              - "channels/api/http/**"
+
+            groups:
+              - "apidocs/openapi/groups.yaml"
+              - "groups/api/http/**"
+
+            users:
+              - "apidocs/openapi/users.yaml"
+              - "users/api/**"
+
+            bootstrap:
+              - "apidocs/openapi/bootstrap.yaml"
+              - "bootstrap/api/**"
+
+            certs:
+              - "apidocs/openapi/certs.yaml"
+              - "certs/api/http/**"
+
+            readers:
+              - "apidocs/openapi/readers.yaml"
+              - "readers/api/http/**"
+
+            re:
+              - "apidocs/openapi/rules.yaml"
+              - "re/api/**"
+
+            alarms:
+              - "apidocs/openapi/alarms.yaml"
+              - "alarms/api/**"
+
+            reports:
+              - "apidocs/openapi/reports.yaml"
+              - "reports/api/**"
+
      - name: Build images
        run: make all -j $(nproc) && make dockers_dev -j $(nproc)

      - name: Start containers
-        run: make run up args="-d" && make run_addons up args="-d"
+        run: make run_latest up args="-d" && make run_addons up args="-d"
+
+      - name: Wait for services to be ready
+        run: |
+          echo "Waiting for services to start..."
+          sleep 15
+
+          # Check if services are responding
+          for i in {1..30}; do
+            if curl -f -s http://localhost:9002/health > /dev/null 2>&1; then
+              echo "Services are ready!"
+              break
+            fi
+            echo "Waiting for services... ($i/30)"
+            sleep 2
+          done

      - name: Set access token
        run: |
          export USER_TOKEN=$(curl -sSX POST $TOKENS_URL -H "Content-Type: application/json" -d "{\"identity\": \"$USER_IDENTITY\",\"secret\": \"$USER_SECRET\"}" | jq -r .access_token)
          export DOMAIN_ID=$(curl -sSX POST $CREATE_DOMAINS_URL -H "Content-Type: application/json" -H "Authorization: Bearer $USER_TOKEN" -d "{\"name\":\"$DOMAIN_NAME\",\"route\":\"$DOMAIN_NAME\"}" | jq -r .id)
          echo "USER_TOKEN=$USER_TOKEN" >> $GITHUB_ENV
-          export CLIENT_SECRET=$(supermq-cli provision test | /usr/bin/grep -Eo '"secret": "[^"]+"' | awk 'NR % 2 == 0' | sed 's/"secret": "\(.*\)"/\1/')
+          export CLIENT_SECRET=$(magistrala-cli provision test | /usr/bin/grep -Eo '"secret": "[^"]+"' | awk 'NR % 2 == 0' | sed 's/"secret": "\(.*\)"/\1/')
          echo "CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV

-      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
-        id: changes
-        with:
-          filters: |
-            journal:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/journal.yaml"
-              - "journal/api/**"
-
-            auth:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/auth.yaml"
-              - "auth/api/http/**"
-
-            domains:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/domains.yaml"
-              - "domains/api/http/**"
-
-            http:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/http.yaml"
-              - "http/api/**"
-
-            clients:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/clients.yaml"
-              - "clients/api/http/**"
-
-            channels:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/channels.yaml"
-              - "channels/api/http/**"
-
-            groups:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/groups.yaml"
-              - "groups/api/http/**"
-
-            users:
-              - ".github/workflows/api-tests.yaml"
-              - "apidocs/openapi/users.yaml"
-              - "users/api/**"
-
      - name: Run Users API tests
-        if: steps.changes.outputs.users == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.users == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/users.yaml
          base-url: ${{ env.USERS_URL }}
          checks: all
-          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --exclude-operation-id=requestPasswordReset --phases=examples,stateful'
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --exclude-operation-id=requestPasswordReset --phases=examples'

      - name: Run Groups API tests
-        if: steps.changes.outputs.groups == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.groups == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/groups.yaml
          base-url: ${{ env.GROUPS_URL }}
@@ -125,8 +192,8 @@ jobs:
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

      - name: Run Clients API tests
-        if: steps.changes.outputs.clients == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.clients == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/clients.yaml
          base-url: ${{ env.CLIENTS_URL }}
@@ -134,26 +201,17 @@ jobs:
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

      - name: Run Channels API tests
-        if: steps.changes.outputs.channels == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.channels == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/channels.yaml
          base-url: ${{ env.CHANNELS_URL }}
          checks: all
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

-      - name: Run HTTP Adapter API tests
-        if: steps.changes.outputs.http == 'true'
-        uses: schemathesis/action@v2.1.0
-        with:
-          schema: apidocs/openapi/http.yaml
-          base-url: ${{ env.HTTP_ADAPTER_URL }}
-          checks: all
-          args: '--header "Authorization: Client ${{ env.CLIENT_SECRET }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
-
      - name: Run Auth API tests
-        if: steps.changes.outputs.auth == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.auth == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/auth.yaml
          base-url: ${{ env.AUTH_URL }}
@@ -161,8 +219,8 @@ jobs:
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

      - name: Run Domains API tests
-        if: steps.changes.outputs.domains == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.domains == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/domains.yaml
          base-url: ${{ env.DOMAIN_URL }}
@@ -170,14 +228,68 @@ jobs:
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

      - name: Run Journal API tests
-        if: steps.changes.outputs.journal == 'true'
-        uses: schemathesis/action@v2.1.0
+        if: steps.changes.outputs.journal == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/journal.yaml
          base-url: ${{ env.JOURNAL_URL }}
          checks: all
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

+      - name: Run Bootstrap API tests
+        if: steps.changes.outputs.bootstrap == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/bootstrap.yaml
+          base-url: ${{ env.BOOTSTRAP_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Certs API tests
+        if: steps.changes.outputs.certs == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/certs.yaml
+          base-url: ${{ env.CERTS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Readers API tests
+        if: steps.changes.outputs.readers == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/readers.yaml
+          base-url: ${{ env.READERS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Rules Engine API tests
+        if: steps.changes.outputs.re == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/rules.yaml
+          base-url: ${{ env.RE_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Alarms API tests
+        if: steps.changes.outputs.alarms == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/alarms.yaml
+          base-url: ${{ env.ALARMS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Reports API tests
+        if: steps.changes.outputs.reports == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/reports.yaml
+          base-url: ${{ env.REPORTS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
      - name: Stop containers
        if: always()
-        run: make run down args="-v" && make run_addons down args="-v"
+        run: make run_latest down args="-v" && make run_addons down args="-v"
@@ -7,17 +7,33 @@ on:
  push:
    branches:
      - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - ".github/workflows/**"
+      - "LICENSE"
+      - "MAINTAINERS"
+      - "CODEOWNERS"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false

 jobs:
+  lint-and-build:
+    uses: ./.github/workflows/lint-and-build.yaml
+
  build-and-push:
-    name: Build and Push
+    name: Build and Push Docker Images
    runs-on: ubuntu-latest
+    needs: [lint-and-build]
    permissions:
      contents: read
+      packages: write

    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0
          fetch-tags: true
@@ -25,52 +41,19 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

-      - name: Set GOBIN
-        run: echo "GOBIN=$HOME/.local/bin" >> $GITHUB_ENV
-
-      - name: Add GOBIN to PATH
-        run: echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Run tests
-        run: |
-          make test
-
-      - name: Upload coverage
-        uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV }}
-          files: ./coverage/*.out
-          verbose: true
-
      - name: Set up Docker Build
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

-      - name: Login to DockerHub
-        uses: docker/login-action@v3
+      - name: Login to GHCR
+        uses: docker/login-action@v4
        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
-      - name: Compile check for rabbitmq
-        run: |
-          SMQ_MESSAGE_BROKER_TYPE=msg_rabbitmq make mqtt
-
-      - name: Compile check for redis
-        run: |
-          SMQ_ES_TYPE=es_redis make mqtt
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker images
        run: |
          make latest -j $(nproc)
-
-      - name: Trigger Helm Chart Deployment
-        if: success() && github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: peter-evans/repository-dispatch@v4
-        with:
-          token: ${{ secrets.REPO_DISPATCH_TOKEN }}
-          repository: absmach/amdm
-          event-type: deploy-latest-smq-images
@@ -4,9 +4,6 @@
 name: Check the consistency of generated files

 on:
-  push:
-    branches:
-      - main
  pull_request:
    branches:
      - main
@@ -14,14 +11,18 @@ on:
 jobs:
  check-generated-files:
    runs-on: ubuntu-latest
+    env:
+      PROTOC_VERSION: "33.0"
+      PROTOC_GEN_GO_VERSION: "v1.36.11"
+      PROTOC_GEN_GO_GRPC_VERSION: "v1.6.0"
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Install Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Set GOBIN
@@ -36,7 +37,7 @@ jobs:
          git diff --exit-code

      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
          base: main
@@ -69,32 +70,18 @@ jobs:
              - "journal/journal.go"
              - "consumers/notifier.go"

-      - name: Set up protoc
+      - name: Install Protoc
+        if: steps.changes.outputs.proto == 'true'
+        uses: arduino/setup-protoc@v3
+        with:
+          version: ${{ env.PROTOC_VERSION }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Go Protobuf Plugins
        if: steps.changes.outputs.proto == 'true'
        run: |
-          PROTOC_VERSION=33.0
-          PROTOC_GEN_VERSION=v1.36.10
-          PROTOC_GRPC_VERSION=v1.5.1
-
-          # Export the variables so they are available in future steps
-          echo "PROTOC_VERSION=$PROTOC_VERSION" >> $GITHUB_ENV
-          echo "PROTOC_GEN_VERSION=$PROTOC_GEN_VERSION" >> $GITHUB_ENV
-          echo "PROTOC_GRPC_VERSION=$PROTOC_GRPC_VERSION" >> $GITHUB_ENV
-
-          # Download and install protoc
-          PROTOC_ZIP=protoc-$PROTOC_VERSION-linux-x86_64.zip
-          curl -0L -o $PROTOC_ZIP https://github.com/protocolbuffers/protobuf/releases/download/v$PROTOC_VERSION/$PROTOC_ZIP
-          unzip -o $PROTOC_ZIP -d protoc3
-          sudo mv protoc3/bin/* /usr/local/bin/
-          sudo mv protoc3/include/* /usr/local/include/
-          rm -rf $PROTOC_ZIP protoc3
-
-          # Install protoc-gen-go and protoc-gen-go-grpc
-          go install google.golang.org/protobuf/cmd/protoc-gen-go@$PROTOC_GEN_VERSION
-          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@$PROTOC_GRPC_VERSION
-
-          # Add protoc to the PATH
-          export PATH=$PATH:/usr/local/bin/protoc
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@$PROTOC_GEN_GO_VERSION
+          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@$PROTOC_GEN_GO_GRPC_VERSION

      - name: Check Protobuf is up to Date
        if: steps.changes.outputs.proto == 'true'
@@ -110,7 +97,7 @@ jobs:
              echo "Error: Proto file and generated Go file $p are out of sync!"
              echo "Here is the difference:"
              diff $p $p.tmp || true
-              echo "Please run 'make proto' with protoc version $PROTOC_VERSION, protoc-gen-go version $PROTOC_GEN_VERSION and protoc-gen-go-grpc version $PROTOC_GRPC_VERSION and commit the changes."
+              echo "Please run 'make proto' with protoc version $PROTOC_VERSION, protoc-gen-go version $PROTOC_GEN_GO_VERSION and protoc-gen-go-grpc version $PROTOC_GEN_GO_GRPC_VERSION and commit the changes."
              exit 1
            fi
          done
@@ -4,9 +4,6 @@
 name: Check License Header

 on:
-  push:
-    branches:
-      - main
  pull_request:
    branches:
      - main
@@ -16,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Check License Header
        run: |
@@ -0,0 +1,71 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+name: Lint and Build
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v7
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: "go.sum"
+
+      - name: Run linters
+        uses: golangci/golangci-lint-action@v9.2.1
+        with:
+          version: v2.10.1
+          args: --config ./tools/config/.golangci.yaml
+
+  build:
+    name: Build All Binaries
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v7
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: "go.sum"
+
+      - name: Build all binaries
+        run: |
+          make all -j $(nproc)
+
+  compile-check:
+    name: Compile Check ${{ matrix.variant.name }}
+    runs-on: ubuntu-latest
+    needs: lint
+    strategy:
+      fail-fast: true
+      matrix:
+        variant:
+          - name: redis
+            env: MG_ES_TYPE=es_redis
+            target: fluxmq
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v7
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: "go.sum"
+
+      - name: Compile check for ${{ matrix.variant.name }}
+        run: |
+          ${{ matrix.variant.env }} make ${{ matrix.variant.target }}
@@ -8,24 +8,38 @@ on:
    branches:
      - main

+permissions:
+  contents: write
+
 jobs:
  swagger-ui:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

-      - name: Swagger UI action
-        id: swagger-ui-action
-        uses: blokovi/swagger-ui-action@main
-        with:
-          dir: "./apidocs/openapi"
-          pattern: "*.yaml"
-          debug: "true"
+      - name: Build Swagger UI
+        run: |
+          # Create output directory
+          mkdir -p swagger-ui
+
+          # Copy OpenAPI YAML files and schemas directory
+          cp apidocs/openapi/*.yaml swagger-ui/
+          cp -r apidocs/openapi/schemas swagger-ui/
+
+          # Get list of YAML files
+          cd apidocs/openapi
+          YAML_FILES=$(ls *.yaml | jq -R -s -c 'split("\n")[:-1]')
+          cd ../..
+
+          # Generate index.html from template
+          sed "s|APIS_PLACEHOLDER|$YAML_FILES|g" .github/swagger-ui-template.html > swagger-ui/index.html
+
+          echo "Generated Swagger UI with APIs: $YAML_FILES"

      - name: Deploy to GitHub Pages
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: swagger-ui
-          cname: docs.api.supermq.absmach.eu
+          publish_dir: ./swagger-ui
+          cname: docs.api.magistrala.absmach.eu
@@ -4,36 +4,37 @@
 name: CI Pipeline

 on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - 'MAINTAINERS'
+      - 'CODEOWNERS'
  pull_request:
    branches:
      - main

-jobs:
-  lint-and-build: # Linting and building are combined to save time for setting up Go
-    name: Lint and Build
-    runs-on: ubuntu-latest
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

+jobs:
+  lint-proto:
+    name: Lint Proto
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

-      - name: Fetch Certs
-        run: |
-          make fetch_certs
-          if [[ -n $(git status --porcelain docker/addons/certs) ]]; then
-            echo "Certs docker file is not up to date. Please update it"
-            git diff docker/addons/certs
-            exit 1
-          else
-            exit 0
-          fi
-
      - name: Install protolint
        run: |
          go install github.com/yoheimuta/protolint/cmd/protolint@latest
@@ -42,46 +43,25 @@ jobs:
        run: |
          protolint .

-      - name: Run linters
-        uses: golangci/golangci-lint-action@v9
-        with:
-          version: v2.4.0
-          args: --config ./tools/config/.golangci.yaml
+  lint-and-build:
+    needs: [lint-proto]
+    uses: ./.github/workflows/lint-and-build.yaml

-      - name: Build all Binaries
-        run: |
-          make all -j $(nproc)
-
-      - name: Compile check for rabbitmq
-        run: |
-          SMQ_MESSAGE_BROKER_TYPE=msg_rabbitmq make mqtt
-
-      - name: Compile check for redis
-        run: |
-          SMQ_ES_TYPE=es_redis make mqtt
-
-  run-tests:
-    name: Run tests
+  detect-changes:
+    name: Detect Changes
    runs-on: ubuntu-latest
-    needs: lint-and-build
-
+    outputs:
+      modules: ${{ steps.set-matrix.outputs.modules }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0

-      - name: Setup Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: 1.25.x
-          cache-dependency-path: "go.sum"
-
      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
-          base: main
          filters: |
            workflow:
              - ".github/workflows/tests.yaml"
@@ -95,6 +75,13 @@ jobs:
              - "pkg/ulid/**"
              - "pkg/uuid/**"

+            bootstrap:
+              - "bootstrap/**"
+              - "cmd/bootstrap/**"
+              - "pkg/bootstrap/**"
+              - "provision/**"
+              - "pkg/sdk/**"
+
            channels:
              - "channels/**"
              - "cmd/channels/**"
@@ -126,14 +113,6 @@ jobs:
              - "domains/api/grpc/**"
              - "internal/grpc/**"

-            coap:
-              - "coap/**"
-              - "cmd/coap/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-
            domains:
              - "domains/**"
              - "cmd/domains/**"
@@ -155,15 +134,6 @@ jobs:
              - "domains/api/grpc/**"
              - "internal/grpc/**"

-            http:
-              - "http/**"
-              - "cmd/http/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-              - "logger/**"
-
            internal:
              - "internal/**"

@@ -178,16 +148,6 @@ jobs:
            logger:
              - "logger/**"

-            mqtt:
-              - "mqtt/**"
-              - "cmd/mqtt/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-              - "logger/**"
-              - "pkg/events/**"
-
            pkg-errors:
              - "pkg/errors/**"

@@ -206,7 +166,6 @@ jobs:
              - "pkg/errors/**"
              - "pkg/groups/**"
              - "auth/**"
-              - "http/**"
              - "internal/*"
              - "clients/**"
              - "users/**"
@@ -215,6 +174,9 @@ jobs:
              - "groups/**"
              - "journal/**"
              - "api/http/**"
+              - "re/**"
+              - "alarms/**"
+              - "reports/**"

            pkg-transformers:
              - "pkg/transformers/**"
@@ -235,131 +197,156 @@ jobs:
              - "pkg/uuid/**"
              - "pkg/events/**"

-            ws:
-              - "ws/**"
-              - "cmd/ws/**"
+            notifications:
+              - "notifications/**"
+              - "cmd/notifications/**"
              - "auth.pb.go"
              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
+              - "consumers/notifier.go"
+              - "pkg/events/**"

-      - name: Create coverage directory
-        run: |
-          mkdir coverage
+            api:
+              - "api/**"

-      - name: Run journal tests
-        if: steps.changes.outputs.journal == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/journal.out ./journal/...
+            consumers:
+              - "consumers/**"
+              - "cmd/postgres-writer/**"
+              - "cmd/timescale-writer/**"
+              - "cmd/smpp-notifier/**"
+              - "cmd/smtp-notifier/**"

-      - name: Run auth tests
-        if: steps.changes.outputs.auth == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/auth.out ./auth/...
+            readers:
+              - "readers/**"
+              - "cmd/postgres-reader/**"
+              - "cmd/timescale-reader/**"

-      - name: Run domains tests
-        if: steps.changes.outputs.domains == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/domains.out ./domains/...
+            re:
+              - "re/**"
+              - "cmd/re/**"
+              - "re/api/**"

-      - name: Run cli tests
-        if: steps.changes.outputs.cli == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/cli.out ./cli/...
+            alarms:
+              - "alarms/**"
+              - "cmd/alarms/**"

-      - name: Run CoAP tests
-        if: steps.changes.outputs.coap == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/coap.out ./coap/...
+            reports:
+              - "reports/**"
+              - "cmd/reports/**"

-      - name: Run HTTP tests
-        if: steps.changes.outputs.http == 'true' || steps.changes.outputs.workflow == 'true'
+      - name: Set matrix for changed modules
+        id: set-matrix
        run: |
-          go test --race -v -count=1 -coverprofile=coverage/http.out ./http/...
+          modules=()

-      - name: Run internal tests
-        if: steps.changes.outputs.internal == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/internal.out ./internal/...
+          if [[ "${{ steps.changes.outputs.workflow }}" == "true" || "${{ steps.changes.outputs.pkg-errors }}" == "true" ]]; then
+            # If workflow or pkg/errors changed, test everything
+            modules=("auth" "bootstrap" "channels" "cli" "clients" "domains" "groups" "internal" "journal" "logger" "pkg-errors" "pkg-events" "pkg-grpcclient" "pkg-messaging" "pkg-sdk" "pkg-transformers" "pkg-ulid" "pkg-uuid" "users" "notifications" "api" "consumers" "readers" "re" "alarms" "reports")
+          else
+            # Add only changed modules
+            [[ "${{ steps.changes.outputs.auth }}" == "true" ]] && modules+=("auth")
+            [[ "${{ steps.changes.outputs.bootstrap }}" == "true" ]] && modules+=("bootstrap")
+            [[ "${{ steps.changes.outputs.channels }}" == "true" ]] && modules+=("channels")
+            [[ "${{ steps.changes.outputs.cli }}" == "true" ]] && modules+=("cli")
+            [[ "${{ steps.changes.outputs.clients }}" == "true" ]] && modules+=("clients")
+            [[ "${{ steps.changes.outputs.domains }}" == "true" ]] && modules+=("domains")
+            [[ "${{ steps.changes.outputs.groups }}" == "true" ]] && modules+=("groups")
+            [[ "${{ steps.changes.outputs.internal }}" == "true" ]] && modules+=("internal")
+            [[ "${{ steps.changes.outputs.journal }}" == "true" ]] && modules+=("journal")
+            [[ "${{ steps.changes.outputs.logger }}" == "true" ]] && modules+=("logger")
+            [[ "${{ steps.changes.outputs.pkg-errors }}" == "true" ]] && modules+=("pkg-errors")
+            [[ "${{ steps.changes.outputs.pkg-events }}" == "true" ]] && modules+=("pkg-events")
+            [[ "${{ steps.changes.outputs.pkg-grpcclient }}" == "true" ]] && modules+=("pkg-grpcclient")
+            [[ "${{ steps.changes.outputs.pkg-messaging }}" == "true" ]] && modules+=("pkg-messaging")
+            [[ "${{ steps.changes.outputs.pkg-sdk }}" == "true" ]] && modules+=("pkg-sdk")
+            [[ "${{ steps.changes.outputs.pkg-transformers }}" == "true" ]] && modules+=("pkg-transformers")
+            [[ "${{ steps.changes.outputs.pkg-ulid }}" == "true" ]] && modules+=("pkg-ulid")
+            [[ "${{ steps.changes.outputs.pkg-uuid }}" == "true" ]] && modules+=("pkg-uuid")
+            [[ "${{ steps.changes.outputs.users }}" == "true" ]] && modules+=("users")
+            [[ "${{ steps.changes.outputs.notifications }}" == "true" ]] && modules+=("notifications")
+            [[ "${{ steps.changes.outputs.api }}" == "true" ]] && modules+=("api")
+            [[ "${{ steps.changes.outputs.consumers }}" == "true" ]] && modules+=("consumers")
+            [[ "${{ steps.changes.outputs.readers }}" == "true" ]] && modules+=("readers")
+            [[ "${{ steps.changes.outputs.re }}" == "true" ]] && modules+=("re")
+            [[ "${{ steps.changes.outputs.alarms }}" == "true" ]] && modules+=("alarms")
+            [[ "${{ steps.changes.outputs.reports }}" == "true" ]] && modules+=("reports")
+          fi

-      - name: Run logger tests
-        if: steps.changes.outputs.logger == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/logger.out ./logger/...
+          # Convert to JSON array
+          json_modules=$(printf '%s\n' "${modules[@]}" | jq -R . | jq -s -c .)
+          echo "modules=$json_modules" >> $GITHUB_OUTPUT
+          echo "Testing modules: $json_modules"

-      - name: Run MQTT tests
-        if: steps.changes.outputs.mqtt == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/mqtt.out ./mqtt/...
+  run-tests:
+    name: Test ${{ matrix.module }}
+    runs-on: ubuntu-latest
+    needs: [lint-and-build, detect-changes]
+    if: needs.detect-changes.outputs.modules != '[]'
+    strategy:
+      fail-fast: true
+      max-parallel: 20
+      matrix:
+        module: ${{ fromJSON(needs.detect-changes.outputs.modules) }}

-      - name: Run pkg errors tests
-        if: steps.changes.outputs.pkg-errors == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-errors.out ./pkg/errors/...
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v7

-      - name: Run pkg events tests
-        if: steps.changes.outputs.pkg-events == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-events.out ./pkg/events/...
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: "go.sum"

-      - name: Run pkg grpcclient tests
-        if: steps.changes.outputs.pkg-grpcclient == 'true' || steps.changes.outputs.workflow == 'true'
+      - name: Verify dependencies
        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-grpcclient.out ./pkg/grpcclient/...
+          go mod download
+          go mod verify

-      - name: Run pkg messaging tests
-        if: steps.changes.outputs.pkg-messaging == 'true' || steps.changes.outputs.workflow == 'true'
+      - name: Run ${{ matrix.module }} tests
        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-messaging.out ./pkg/messaging/...
+          # Map module names to directories
+          case "${{ matrix.module }}" in
+            pkg-errors) dir="pkg/errors" ;;
+            pkg-events) dir="pkg/events" ;;
+            pkg-grpcclient) dir="pkg/grpcclient" ;;
+            pkg-messaging) dir="pkg/messaging" ;;
+            pkg-sdk) dir="pkg/sdk" ;;
+            pkg-transformers) dir="pkg/transformers" ;;
+            pkg-ulid) dir="pkg/ulid" ;;
+            pkg-uuid) dir="pkg/uuid" ;;
+            *) dir="${{ matrix.module }}" ;;
+          esac

-      - name: Run pkg sdk tests
-        if: steps.changes.outputs.pkg-sdk == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-sdk.out ./pkg/sdk/...
-
-      - name: Run pkg transformers tests
-        if: steps.changes.outputs.pkg-transformers == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-transformers.out ./pkg/transformers/...
-
-      - name: Run pkg ulid tests
-        if: steps.changes.outputs.pkg-ulid == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-ulid.out ./pkg/ulid/...
-
-      - name: Run pkg uuid tests
-        if: steps.changes.outputs.pkg-uuid == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-uuid.out ./pkg/uuid/...
-
-      - name: Run clients tests
-        if: steps.changes.outputs.clients == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/clients.out ./clients/...
-
-      - name: Run channels tests
-        if: steps.changes.outputs.channels == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/channels.out ./channels/...
-
-      - name: Run users tests
-        if: steps.changes.outputs.users == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/users.out ./users/...
-
-      - name: Run groups tests
-        if: steps.changes.outputs.groups == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/groups.out ./groups/...
-
-      - name: Run WebSocket tests
-        if: steps.changes.outputs.ws == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/ws.out ./ws/...
+          go test -mod=readonly --race -v -count=1 -failfast -coverprofile=coverage-${{ matrix.module }}.out ./$dir/...

      - name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: actions/upload-artifact@v7
+        with:
+          name: coverage-${{ matrix.module }}
+          path: coverage-${{ matrix.module }}.out
+          retention-days: 1
+
+  upload-coverage:
+    name: Upload Coverage
+    runs-on: ubuntu-latest
+    needs: run-tests
+    if: always() && needs.run-tests.result != 'cancelled'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v7
+
+      - name: Download all coverage artifacts
+        uses: actions/download-artifact@v8
+        with:
+          pattern: coverage-*
+          path: coverage
+          merge-multiple: true
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v7
        with:
          token: ${{ secrets.CODECOV }}
+          directory: ./coverage
          files: ./coverage/*.out
+          fail_ci_if_error: false
          verbose: true
@@ -18,3 +18,6 @@ coverage

 # Ignore Openbao data directory as it contains runtime-generated data
 docker/addons/certs/openbao/
+
+# Ignore SeaweedFS data directory as it contains runtime-generated data
+docker/data/*
@@ -1,12 +1,12 @@
 # Adopters

-As SuperMQ Community grows, we'd like to keep track of SuperMQ adopters to grow the community, contact other users, share experiences and best practices.
+As Magistrala Community grows, we'd like to keep track of Magistrala adopters to grow the community, contact other users, share experiences and best practices.

-To accomplish this, we created a public ledger. The list of organizations and users who consider themselves as SuperMQ adopters and that **publicly/officially** shared information and/or details of their adoption journey(optional).
+To accomplish this, we created a public ledger. The list of organizations and users who consider themselves as Magistrala adopters and that **publicly/officially** shared information and/or details of their adoption journey(optional).
 Where users themselves directly maintain the list.

 ## Adding yourself as an adopter
-If you are using SuperMQ, please consider adding yourself as an adopter with a brief description of your use case by opening a pull request to this file and adding a section describing your adoption of SuperMQ technology.
+If you are using Magistrala, please consider adding yourself as an adopter with a brief description of your use case by opening a pull request to this file and adding a section describing your adoption of Magistrala technology.

 **Please send PRs to add or remove organizations/users**

@@ -25,12 +25,12 @@ Pull request commit must be [signed](https://docs.github.com/en/github/authentic
 * There is no minimum requirement or adaptation size, but we request to list permanent deployments only, i.e., no demo or trial deployments. Commercial or production use is not required. A well-done home lab setup can be equally impressive as a large-scale commercial deployment.


-**The list of organizations/users that have publicly shared the usage of SuperMQ:**
+**The list of organizations/users that have publicly shared the usage of Magistrala:**

-**Note**: Several other organizations/users couldn't publicly share their usage details but are active project contributors and SuperMQ Community members.
+**Note**: Several other organizations/users couldn't publicly share their usage details but are active project contributors and Magistrala Community members.


 ## Adopters list (alphabetical)


-**Note:** The list is maintained by the users themselves. If you find yourself on this list, and you think it's inappropriate. Please contact [project maintainers](https://github.com/absmach/supermq/blob/main/MAINTAINERS) and you will be permanently removed from the list.
+**Note:** The list is maintained by the users themselves. If you find yourself on this list, and you think it's inappropriate. Please contact [project maintainers](https://github.com/absmach/magistrala/blob/main/MAINTAINERS) and you will be permanently removed from the list.
@@ -1,11 +1,11 @@
-# Contributing to SuperMQ
+# Contributing to Magistrala

-The following is a set of guidelines to contribute to SuperMQ and its libraries, which are
+The following is a set of guidelines to contribute to Magistrala and its libraries, which are
 hosted on the [Abstract Machines Organization](https://github.com/absmach) on GitHub.

 This project adheres to the [Contributor Covenant 1.2](http://contributor-covenant.org/version/1/2/0).
 By participating, you are expected to uphold this code. Please report unacceptable behavior to
-[abuse@abstractmachines.fr](mailto:abuse@abstractmachines.fr).
+[abuse@absmach.eu](mailto:abuse@absmach.eu).

 ## Reporting issues

@@ -13,7 +13,7 @@ Reporting issues are a great way to contribute to the project. We are perpetuall
 thorough bug report.

 Before raising a new issue, check [our issue
-list](https://github.com/absmach/supermq/issues) to determine if it already contains the
+list](https://github.com/absmach/magistrala/issues) to determine if it already contains the
 problem that you are facing.

 A good bug report shouldn't leave others needing to chase you for more information. Please be as detailed as possible. The following questions might serve as a template for writing a detailed
@@ -41,9 +41,9 @@ To contribute to the project, [fork](https://help.github.com/articles/fork-a-rep
 clone your fork repository, and configure the remotes:

 ```
-git clone https://github.com/<your-username>/supermq.git
-cd supermq
-git remote add upstream https://github.com/absmach/supermq.git
+git clone https://github.com/<your-username>/magistrala.git
+cd magistrala
+git remote add upstream https://github.com/absmach/magistrala.git
 ```

 If your cloned repository is behind the upstream commits, then get the latest changes from upstream:
@@ -53,11 +53,11 @@ git checkout main
 git pull --rebase upstream main
 ```

-Create a new topic branch from `main` using the naming convention `SMQ-[issue-number]`
+Create a new topic branch from `main` using the naming convention `MG-[issue-number]`
 to help us keep track of your contribution scope:

 ```
-git checkout -b SMQ-[issue-number]
+git checkout -b MG-[issue-number]
 ```

 Commit your changes in logical chunks. When you are ready to commit, make sure
@@ -80,7 +80,7 @@ git pull --rebase upstream main
 Push your topic branch up to your fork:

 ```
-git push origin SMQ-[issue-number]
+git push origin MG-[issue-number]
 ```

 [Open a Pull Request](https://help.github.com/articles/using-pull-requests/) with a clear title
@@ -176,7 +176,7 @@

   END OF TERMS AND CONDITIONS

-   Copyright 2015-2020 SuperMQ
+   Copyright 2015-2026 Magistrala

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -1,30 +1,15 @@
-# SuperMQ follows the timeless, highly efficient and totally unfair system
-# known as [Benevolent dictator for
-# life](https://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with
-# Drasko DRASKOVIC in the role of BDFL.
+# Magistrala Maintainers

-[bdfl]
-	
-	[[drasko]]
-	Name	= "Drasko Draskovic"
-	Email	= "drasko@abstractmachines.fr"
-	GitHub	= "drasko"
+Magistrala follows a BDFL model for dead-lock situations; day-to-day decisions happen through discussion and pull requests.

-# However, this role serves only in dead-lock events, or in a special and very rare cases
-# when BDFL completely disagrees with the decisions made.
-# In the normal flow of events, decisions on the project design are made through discussions,
-# most often on the Pull Requests.
-#
-# Maintainers have the special role in the project in managing and accepting PRs,
-# overall leading the project and making design decisions on the maintained subsystems.
-#
-# A reference list of all maintainers of the SuperMQ project.
+## BDFL

-# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+- **Drasko Draskovic** — [drasko@absmach.eu](mailto:drasko@absmach.eu) — [GitHub: drasko](https://github.com/drasko)

-[maintainers]
- 
- 	[[dusan]]
-	Name	= "Dusan Borovcanin"
-	Email	= "dusan.borovcanin@abstractmachines.fr"
-	GitHub	= "dborovcanin"
+## Maintainers
+
+Add yourself below in alphabetical order.
+
+| Name | Email | GitHub |
+| --- | --- | --- |
+| Dusan Borovcanin | [dusan.borovcanin@absmach.eu](mailto:dusan.borovcanin@absmach.eu) | [dborovcanin](https://github.com/dborovcanin) |
@@ -1,16 +1,18 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-SMQ_DOCKER_IMAGE_NAME_PREFIX ?= supermq
+override MG_DOCKER_IMAGE_NAME_PREFIX := ghcr.io/absmach/magistrala
+MG_DOCKER_VOLUME_NAME_PREFIX ?= magistrala
 BUILD_DIR ?= build
-SERVICES = auth users clients groups channels domains http coap ws cli mqtt journal notifications
-TEST_API_SERVICES = journal auth certs http clients users channels groups domains
+SERVICES = auth users clients groups channels domains notifications certs re postgres-writer postgres-reader timescale-writer timescale-reader cli alarms reports bootstrap provision journal fluxmq
+TEST_API_SERVICES = journal auth certs clients users channels groups domains
 TEST_API = $(addprefix test_api_,$(TEST_API_SERVICES))
 DOCKERS = $(addprefix docker_,$(SERVICES))
 DOCKERS_DEV = $(addprefix docker_dev_,$(SERVICES))
 CGO_ENABLED ?= 0
 GOARCH ?= amd64
 GOOS ?= linux
+DETECTED_ARCH := $(shell uname -m)
 VERSION ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo 'unknown')
 COMMIT ?= $(shell git rev-parse HEAD)
 TIME ?= $(shell date +%F_%T)
@@ -23,29 +25,31 @@ DOCKER_COMPOSE_COMMANDS_SUPPORTED := up down config restart
 DEFAULT_DOCKER_COMPOSE_COMMAND  := up
 GRPC_MTLS_CERT_FILES_EXISTS = 0
 MOCKERY = $(GOBIN)/mockery
-MOCKERY_VERSION=3.5.5
+MOCKERY_VERSION=3.6.4
 PKG_PROTO_GEN_OUT_DIR=api/grpc
 INTERNAL_PROTO_DIR=internal/proto
 INTERNAL_PROTO_FILES := $(shell find $(INTERNAL_PROTO_DIR) -name "*.proto" | sed 's|$(INTERNAL_PROTO_DIR)/||')

-ifneq ($(SMQ_MESSAGE_BROKER_TYPE),)
-	SMQ_MESSAGE_BROKER_TYPE := $(SMQ_MESSAGE_BROKER_TYPE)
+ifneq ($(MG_MESSAGE_BROKER_TYPE),)
+	MG_MESSAGE_BROKER_TYPE := $(MG_MESSAGE_BROKER_TYPE)
 else
-	SMQ_MESSAGE_BROKER_TYPE=msg_nats
+	MG_MESSAGE_BROKER_TYPE=msg_fluxmq
 endif

-ifneq ($(SMQ_ES_TYPE),)
-	SMQ_ES_TYPE := $(SMQ_ES_TYPE)
+ifneq ($(MG_ES_TYPE),)
+	MG_ES_TYPE := $(MG_ES_TYPE)
 else
-	SMQ_ES_TYPE=es_nats
+	MG_ES_TYPE=es_fluxmq
 endif

+BUILD_TAGS := $(strip $(MG_MESSAGE_BROKER_TYPE) $(MG_ES_TYPE))
+
 define compile_service
 	CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM) \
-	go build -tags $(SMQ_MESSAGE_BROKER_TYPE) -tags $(SMQ_ES_TYPE) -ldflags "-s -w \
-	-X 'github.com/absmach/supermq.BuildTime=$(TIME)' \
-	-X 'github.com/absmach/supermq.Version=$(VERSION)' \
-	-X 'github.com/absmach/supermq.Commit=$(COMMIT)'" \
+	go build -tags "$(BUILD_TAGS)" -ldflags "-s -w \
+	-X 'github.com/absmach/magistrala.BuildTime=$(TIME)' \
+	-X 'github.com/absmach/magistrala.Version=$(VERSION)' \
+	-X 'github.com/absmach/magistrala.Commit=$(COMMIT)'" \
 	-o ${BUILD_DIR}/$(1) cmd/$(1)/main.go
 endef

@@ -60,7 +64,8 @@ define make_docker
 		--build-arg VERSION=$(VERSION) \
 		--build-arg COMMIT=$(COMMIT) \
 		--build-arg TIME=$(TIME) \
-		--tag=$(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
+		--build-arg BUILD_TAGS="$(BUILD_TAGS)" \
+		--tag=$(MG_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
 		-f docker/Dockerfile .
 endef

@@ -70,14 +75,53 @@ define make_docker_dev
 	docker build \
 		--no-cache \
 		--build-arg SVC=$(svc) \
-		--tag=$(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
+		--tag=$(MG_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
 		-f docker/Dockerfile.dev ./build
 endef

-ADDON_SERVICES = journal certs
+define run_with_arch_detection
+	@echo "Detecting architecture..."
+	@if [ "$(DETECTED_ARCH)" = "arm64" ] || [ "$(DETECTED_ARCH)" = "aarch64" ]; then \
+		echo "ARM64 architecture detected."; \
+		git checkout $(1); \
+		GOARCH=arm64 $(MAKE) dockers; \
+		for svc in $(SERVICES); do \
+				docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest; \
+		done; \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=latest/' docker/.env && rm -f docker/.env.bak; \
+		docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	else \
+		echo "x86_64 architecture detected."; \
+		git checkout $(1); \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$(2)/' docker/.env && rm -f docker/.env.bak; \
+		docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	fi
+endef
+
+ADDON_SERVICES = bootstrap provision postgres-writer postgres-reader

 EXTERNAL_SERVICES = prometheus

+# Detect OS and architecture for cross-platform compatibility
+UNAME_S := $(shell uname -s)
+UNAME_M := $(shell uname -m)
+
+# macOS BSD sed vs GNU sed compatibility
+ifeq ($(UNAME_S),Darwin)
+	SED_INPLACE := sed -i ''
+else
+	SED_INPLACE := sed -i
+endif
+
+# Apple Silicon (arm64) Docker platform compatibility
+# Pre-built images are amd64 only, so we need to use emulation on Apple Silicon
+ifeq ($(UNAME_S),Darwin)
+ifeq ($(UNAME_M),arm64)
+	DOCKER_PLATFORM := DOCKER_DEFAULT_PLATFORM=linux/amd64
+endif
+endif
+DOCKER_PLATFORM ?=
+
 ifneq ($(filter run%,$(firstword $(MAKECMDGOALS))),)
  temp_args := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
  DOCKER_COMPOSE_COMMAND := $(if $(filter $(DOCKER_COMPOSE_COMMANDS_SUPPORTED),$(temp_args)), $(filter $(DOCKER_COMPOSE_COMMANDS_SUPPORTED),$(temp_args)), $(DEFAULT_DOCKER_COMPOSE_COMMAND))
@@ -100,7 +144,7 @@ FILTERED_SERVICES = $(filter-out $(RUN_ADDON_ARGS), $(SERVICES))

 all: $(SERVICES)

-.PHONY: all $(SERVICES) dockers dockers_dev latest release run run_addons grpc_mtls_certs check_mtls check_certs test_api mocks
+.PHONY: all $(SERVICES) dockers dockers_dev latest release run_latest run_tls run_stable run_addons grpc_mtls_certs check_mtls check_certs test_api mocks

 clean:
 	rm -rf ${BUILD_DIR}
@@ -111,12 +155,12 @@ cleandocker:

 ifdef pv
 	# Remove unused volumes
-	docker volume ls -f name=$(SMQ_DOCKER_IMAGE_NAME_PREFIX) -f dangling=true -q | xargs -r docker volume rm
+	docker volume ls -f name=$(MG_DOCKER_VOLUME_NAME_PREFIX) -f dangling=true -q | xargs -r docker volume rm
 endif

 install:
 	for file in $(BUILD_DIR)/*; do \
-		cp $$file $(GOBIN)/supermq-`basename $$file`; \
+		cp $$file $(GOBIN)/magistrala-`basename $$file`; \
 	done

 mocks: $(MOCKERY)
@@ -124,11 +168,8 @@ mocks: $(MOCKERY)

 $(MOCKERY):
 	@mkdir -p $(GOBIN)
-	@mkdir -p mockery
-	@echo ">> downloading mockery $(MOCKERY_VERSION)..."
-	@curl -sL https://github.com/vektra/mockery/releases/download/v$(MOCKERY_VERSION)/mockery_$(MOCKERY_VERSION)_Linux_x86_64.tar.gz | tar -xz -C mockery
-	@mv mockery/mockery $(GOBIN)
-	@rm -r mockery
+	@echo ">> installing mockery $(MOCKERY_VERSION)..."
+	@go install github.com/vektra/mockery/v3@v$(MOCKERY_VERSION)

 DIRS = consumers readers postgres internal
 test: mocks
@@ -144,34 +185,18 @@ define test_api_service

 	@if [ -z "$(USER_TOKEN)" ]; then \
 		echo "USER_TOKEN is not set"; \
-		echo "Please set it to a valid token"; \
-		exit 1; \
+			echo "Please set it to a valid token"; \
+			exit 1; \
 	fi

-	@if [ "$(svc)" = "http" ] && [ -z "$(CLIENT_SECRET)" ]; then \
-		echo "CLIENT_SECRET is not set"; \
-		echo "Please set it to a valid secret"; \
-		exit 1; \
-	fi
-
-	@if [ "$(svc)" = "http" ]; then \
-		uvx schemathesis run apidocs/openapi/$(svc).yaml \
-		--checks all \
-		--url $(2) \
-		--header "Authorization: Client $(CLIENT_SECRET)" \
-		--suppress-health-check=filter_too_much \
-		--exclude-checks=positive_data_acceptance \
-		--phases=examples,stateful; \
-	else \
-		uvx schemathesis run apidocs/openapi/$(svc).yaml \
-		--checks all \
-		--url $(2) \
-		--header "Authorization: Bearer $(USER_TOKEN)" \
-		--suppress-health-check=filter_too_much \
-		--exclude-checks=positive_data_acceptance \
-		--exclude-operation-id=requestPasswordReset \
-		--phases=examples,stateful; \
-	fi
+	@uvx schemathesis run apidocs/openapi/$(svc).yaml \
+	--checks all \
+	--url $(2) \
+	--header "Authorization: Bearer $(USER_TOKEN)" \
+	--suppress-health-check=filter_too_much \
+	--exclude-checks=positive_data_acceptance \
+	--exclude-operation-id=requestPasswordReset \
+	--phases=examples,stateful
 endef

 test_api_users: TEST_API_URL := http://localhost:9002
@@ -179,7 +204,6 @@ test_api_clients: TEST_API_URL := http://localhost:9006
 test_api_domains: TEST_API_URL := http://localhost:9003
 test_api_channels: TEST_API_URL := http://localhost:9005
 test_api_groups: TEST_API_URL := http://localhost:9004
-test_api_http: TEST_API_URL := http://localhost:8008
 test_api_auth: TEST_API_URL := http://localhost:9001
 test_api_certs: TEST_API_URL := http://localhost:9019
 test_api_journal: TEST_API_URL := http://localhost:9021
@@ -206,7 +230,7 @@ dockers_dev: $(DOCKERS_DEV)

 define docker_push
 	for svc in $(SERVICES); do \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(1); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(1); \
 	done
 endef

@@ -219,10 +243,10 @@ latest: dockers
 publish_arch:
 	$(MAKE) dockers GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM)
 	for svc in $(SERVICES); do \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
 	done

 release:
@@ -230,7 +254,7 @@ release:
 	git checkout $(version)
 	$(MAKE) dockers
 	for svc in $(SERVICES); do \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(version); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(version); \
 	done
 	$(call docker_push,$(version))

@@ -265,22 +289,33 @@ endif
 endif
 endif

-fetch_certs:
-	@./scripts/certs.sh
+run_latest: check_certs
+	$(SED_INPLACE) 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=latest/' docker/.env
+	$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)

-run: check_certs
-	docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+run_tls:
+	@test -n "$(host)" || (echo "Usage: make run_tls host=example.com [email=admin@example.com] [letsencrypt=false] [staging=true] [force=true]" && exit 2)
+	@if [ "$(or $(letsencrypt),true)" != "false" ] && [ -z "$(email)" ]; then echo "Usage: make run_tls host=example.com email=admin@example.com [letsencrypt=false] [staging=true] [force=true]"; exit 2; fi
+	MG_PUBLIC_HOST="$(host)" \
+	MG_LETSENCRYPT_ENABLED="$(or $(letsencrypt),true)" \
+	MG_LETSENCRYPT_EMAIL="$(email)" \
+	MG_LETSENCRYPT_STAGING="$(or $(staging),false)" \
+	MG_LETSENCRYPT_FORCE_RENEWAL="$(or $(force),false)" \
+	DOCKER_PROJECT="$(DOCKER_PROJECT)" \
+	./docker/setup-tls.sh
+
+run_stable: check_certs
+	$(eval version = $(shell git describe --abbrev=0 --tags))
+	git checkout $(version)
+	$(SED_INPLACE) 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$(version)/' docker/.env
+	$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)

 run_addons: check_certs
 	$(foreach SVC,$(RUN_ADDON_ARGS),$(if $(filter $(SVC),$(ADDON_SERVICES) $(EXTERNAL_SERVICES)),,$(error Invalid Service $(SVC))))
-	@docker compose -f docker/docker-compose.yaml --env-file ./docker/.env -p $(DOCKER_PROJECT) up -d auth domains jaeger
+	@$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file ./docker/.env -p $(DOCKER_PROJECT) up -d auth domains jaeger
 	@for SVC in $(RUN_ADDON_ARGS); do \
-		if [ "$$SVC" = "certs" ]; then \
-			docker compose -f docker/addons/$$SVC/docker-compose.yaml -f docker/certs-docker-compose-override.yaml --env-file ./docker/.env --env-file ./docker/addons/$$SVC/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args) & \
-		else \
-			SMQ_ADDONS_CERTS_PATH_PREFIX="../."  docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
-		fi; \
+		MG_ADDONS_CERTS_PATH_PREFIX="../" $(DOCKER_PLATFORM) docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
 	done

 run_live: check_certs
-	GOPATH=$(go env GOPATH) docker compose  -f docker/docker-compose.yaml -f docker/docker-compose-live.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+	GOPATH=$(go env GOPATH) $(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml -f docker/docker-compose-live.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
@@ -1,118 +1,213 @@
 <div align="center">

-  # SuperMQ
-  
-  **Planetary event-driven infrastructure**
-  
-  **Made with ❤️ by [Abstract Machines](https://absmach.eu/)**
-  
-  [![Build Status](https://github.com/absmach/supermq/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/build.yaml)
-  [![Check License Header](https://github.com/absmach/supermq/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/check-license.yaml)
-  [![Check Generated Files](https://github.com/absmach/supermq/actions/workflows/check-generated-files.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/check-generated-files.yaml)
-  [![Go Report Card](https://goreportcard.com/badge/github.com/absmach/supermq)](https://goreportcard.com/report/github.com/absmach/supermq)
-  [![Coverage](https://codecov.io/gh/absmach/supermq/graph/badge.svg?token=nPCEr5nW8S)](https://codecov.io/gh/absmach/supermq)
-  [![License](https://img.shields.io/badge/license-Apache%20v2.0-blue.svg)](LICENSE)
- [![Matrix](https://img.shields.io/matrix/supermq%3Amatrix.org?label=Chat&style=flat&logo=matrix&logoColor=white)](https://matrix.to/#/#supermq:matrix.org)
-  
-  ### [Guide](https://docs.supermq.absmach.eu) | [Contributing](CONTRIBUTING.md) | [Website](https://absmach.eu/) | [Chat](https://matrix.to/#/#supermq:matrix.org)
+# Magistrala

+### A Modern IoT Platform Framework for Scalable IoT
+
+**Made with ❤ by [Abstract Machines](https://absmach.eu/)**
+
+[![Build Status](https://github.com/absmach/magistrala/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/build.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/absmach/magistrala)](https://goreportcard.com/report/github.com/absmach/magistrala)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/absmach/magistrala)
+[![Check License Header](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml)
+[![Check Generated Files](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml)
+[![Coverage](https://codecov.io/gh/absmach/magistrala/graph/badge.svg?token=nPCEr5nW8S)](https://codecov.io/gh/absmach/magistrala)
+[![License](https://img.shields.io/badge/license-Apache%20v2.0-blue.svg)](LICENSE)
+[![Matrix](https://img.shields.io/matrix/supermq%3Amatrix.org?label=Chat&style=flat&logo=matrix&logoColor=white)](https://matrix.to/#/#supermq:matrix.org)
+
+[Guide](https://magistrala.absmach.eu/docs/) | [Contributing](CONTRIBUTING.md) | [Website](https://absmach.eu/) | [Chat](https://matrix.to/#/#supermq:matrix.org)
 </div>

+## Introduction 🌍

+Magistrala is an open-source IoT platform built for engineers who need full control over their messaging, device management, and data pipelines.

-## Introduction 📖
+It is built on top of [FluxMQ](https://github.com/absmach/fluxmq), a modern message broker designed for both messaging and event streams. Magistrala provides everything around it: identity, access control, device provisioning, data processing, and observability.

-SuperMQ is a distributed, highly scalable, and secure open-source cloud platform for messaging and event-driven architecture (EDA). It is a planetarily distributed, highly scalable, and secure platform that serves as a robust foundation for building advanced real-time and reactive systems.
+IoT systems usually involve brokers, databases, rule engines, and custom services. Magistrala does not pretend those pieces disappear. It provides a coherent framework for integrating them into a single system with a consistent model for identity, access control, messaging, and observability.

-## Why SuperMQ Stands Out 🚀
+**What it is:**
+- An event-driven IoT middleware platform
+- A unified control plane for devices, users, and data
+- A foundation for building scalable IoT systems

-SuperMQ bridges the gap between various network protocols (HTTP, MQTT, WebSocket, CoAP, and more) to provide a seamless messaging experience. Whether you're working on IoT solutions, real-time data pipelines, or event-driven systems, SuperMQ has you covered. 🌐✨
+**What it is not:**
+- Not just an MQTT broker
+- Not a black-box SaaS
+- Not tied to a single cloud or vendor

-## Key Features 🌟
+---

- **Multi-Protocol Connectivity**: HTTP, MQTT, WebSocket, CoAP, and more! 🌉
- **Secure by Design**: Mutual TLS (mTLS) with X.509 Certificates, JWT support, and multi-protocol authorization. 🔒
- **Fine-Grained Access Control**: Support for ABAC and RBAC policies. 📜
- **Multi-Tenant**: Manage multiple domains seamlessly. 🏢
- **Multi-User**: Unlimited organizational hierarchies for user management. 👥
- **Application Management**: Group and share messaging clients for streamlined operations. 📱
- **Ease of Use**: Simple and powerful communication channel management, grouping, and sharing. ✨
- **Personal Access Tokens (PATs)**: Scoped and revocable tokens for enhanced security. 🔑
- **Observability**: Integrated logging and instrumentation with Prometheus and OpenTelemetry. 📈
- **Event Sourcing**: Build robust and scalable architectures. ⚡
- **Edge and IoT Ready**: Supports MQTT and CoAP protocols for seamless IoT gateway and sensor communication and management. 🌍
- **Developer-Friendly**: SDKs, CLI tools, and comprehensive documentation to get you started. 👩‍💻👨‍💻
- **Production-Ready**: Container-based deployment using Docker and Kubernetes. 🐳☸️
+## 🧩 IoT Platform Framework

-## Installation 🛠️
+We call Magistrala a **framework**, not just a platform.

-Clone the repository and start SuperMQ services:
+It is extremely flexible and lets you build systems the way you want — from simple prototypes to complex, large-scale deployments — without forcing you into rigid patterns.
+
+At the same time, it avoids the typical complexity of many IoT platforms, where you need to learn an entirely new set of concepts before you can even get started.
+
+Magistrala is built around a small number of core concepts:
+- users
+- clients (devices)
+- channels
+- messages
+- policies
+
+Most engineers are already familiar with these ideas, so you can start building immediately.
+
+You can keep things simple:
+- connect devices
+- send messages
+- store data
+
+Or you can go deeper:
+- define complex access control policies
+- build event-driven pipelines
+- integrate custom processing and automation
+
+Magistrala scales with your needs — simple when you want it, powerful when you need it.
+
+---
+
+## 🚀 Key Benefits
+
+- **A Coherent System, Not a Mess of Integrations**
+  Build IoT systems from multiple components without ending up with fragmented security, messaging, and operations.
+
+- **Event-Driven at the Core**
+  Everything is built around events — enabling real-time processing, streaming, and scalable data flows.
+
+- **Protocol-Native, Not Forced Abstractions**
+  MQTT, HTTP, WebSocket, and CoAP are treated as first-class citizens, each with their own semantics.
+
+- **Security Built Into the Model**
+  Identity, authentication, and authorization are part of the system design — not bolted on later.
+
+- **Flexible by Design**
+  Start simple or build complex systems — without changing platforms or rewriting your architecture.
+
+- **Runs Where You Need It**
+  Cloud, edge, or hybrid — no vendor lock-in, no hidden dependencies.
+---
+## ✨ Features
+
+Magistrala provides a complete set of building blocks for IoT systems — from device connectivity to data processing and observability — without forcing a rigid architecture.
+
+### 🔐 Identity & Access
+
+- Multi-tenant domains for isolating environments
+- Users, roles, and organizational hierarchies
+- Fine-grained access control (ABAC + RBAC)
+- Mutual TLS (X.509) and JWT-based authentication
+- Personal Access Tokens (PATs) with scoping and revocation
+
+### 🔌 Connectivity
+
+- Native support for MQTT, HTTP, WebSocket, and CoAP
+- Consistent authentication and authorization across protocols
+- Designed for both cloud services and constrained devices
+
+### 📦 Device & Application Model
+
+- Device (client) provisioning and lifecycle management
+- Channels for grouping and controlling message flow
+- Application-level grouping and sharing of clients
+- Simple but flexible communication model
+
+### ⚙️ Processing & Automation
+
+- Rules engine for message processing and routing
+- Alarms and triggers for reacting to events
+- Scheduled actions for time-based workflows
+- Event-driven architecture as the foundation
+
+### 📊 Observability
+
+- Audit logs for tracking system activity
+- Metrics and tracing via Prometheus and OpenTelemetry
+- Built-in visibility into system behavior and data flows
+
+### 🚀 Deployment & Operations
+
+- Container-native (Docker, Kubernetes)
+- Designed for cloud, edge, and hybrid deployments
+- Works with external storage and processing systems
+- Scales from small setups to production environments
+
+### 🧑‍💻 Developer Experience
+
+- CLI and SDKs for fast integration
+- Straightforward APIs and concepts
+- Documentation focused on getting you running quickly
+---
+
+## Installation

 ```bash
-git clone https://github.com/absmach/supermq.git
-cd supermq
-docker compose -f docker/docker-compose.yaml --env-file docker/.env up
+git clone https://github.com/absmach/magistrala.git
+cd magistrala
+make run_latest
 ```

-Or use the [Makefile](Makefile) for a simpler command:
+---
+
+## Upgrade from v0.19.0 to v0.20.0
+
+Before upgrading, back up the Domains, Rules Engine, Reports, Alarms, Auth, and SpiceDB databases.
+
+v0.20.0 adds new domain admin actions for alarms and reports, and it requires existing rules and reports to have their built-in admin roles backfilled. The service database migrations run when the v0.20.0 services start, then the role backfill scripts must be run once.
+
+For the default Docker Compose setup:

 ```bash
-make run
+cd docker
+
+docker compose up -d \
+  spicedb-db spicedb-migrate spicedb \
+  auth-db auth \
+  domains-db domains \
+  re-db re \
+  reports-db reports \
+  alarms-db alarms
 ```

-For production deployments, check our [Kubernetes guide](https://docs.supermq.abstractmachines.fr/kubernetes). ⚙️
+Wait until the services are running. The `auth` service must start successfully because it loads the SpiceDB schema.

-### Usage 📤📥
+From the repository root, run the backfills:

-#### Using the CLI:
+```bash
+go run ./scripts/re-backfill-roles/
+go run ./scripts/reports-backfill-roles/
+```
+
+The scripts are idempotent. If they are interrupted, fix the issue and run them again.
+
+Expected successful summaries:
+
+```text
+backfill finished processed=<number> skipped=<number> failed=0
+```
+
+After the backfills finish, verify that the services are still running:
+
+```bash
+cd docker
+docker compose ps re reports alarms domains auth spicedb
+```
+
+For non-default deployments, make sure the database and SpiceDB connection settings used by the backfill scripts match your environment before running them.
+
+---
+
+## Usage

 ```bash
 make cli
-./build/supermq-cli status
+./build/cli health <service>
 ```

-This command retrieves the status of the SuperMQ server and outputs it to the console.
+---

-#### Using HTTP with Curl:
-
-```bash
-curl -X GET http://localhost:8080/status
-```
-
-This request fetches the server status over HTTP and provides a JSON response.
-
-See our [CLI documentation](https://docs.supermq.abstractmachines.fr/cli) for more details.
-
-## Documentation 📚
-
-The official documentation is hosted at [SuperMQ docs page](https://docs.supermq.abstractmachines.fr).
-
-Documentation is auto-generated, check out the instructions in the [docs repository](https://github.com/absmach/supermq-docs).
-If you spot an error or a need for corrections, please let us know - or even better: send us a PR! 💌
-
-## Community and Contributing 🤝
-
-Thank you for your interest in SuperMQ and the desire to contribute!
-
-1. Take a look at our [open issues](https://github.com/absmach/supermq/issues). The [good-first-issue](https://github.com/absmach/supermq/labels/good-first-issue) label is specifically for issues that are great for getting started.
-2. Checkout the [contribution guide](CONTRIBUTING.md) to learn more about our style and conventions.
-3. Make your changes compatible to our workflow.
-
-Join our community:
-
- [Matrix Room](https://matrix.to/#/#supermq\:matrix.org)
-
-## Professional Support 💼
-
-Need help deploying SuperMQ or integrating it into your system? Reach out to **[Abstract Machines](https://absmach.eu/)** for professional support and guidance.
-
-## License 📜
-
-SuperMQ is open-source software licensed under the [Apache License 2.0](LICENSE). Contributions are welcome!
-
-## Acknowledgments 🙌
-
-Special thanks to the amazing contributors who make SuperMQ possible. Check out the [MAINTAINERS](MAINTAINERS) file to see the team behind the magic.
-
-Ready to build the future of messaging and event-driven systems? Let's get started! 🚀
+## License

+Apache-2.0
@@ -0,0 +1,197 @@
+# Alarms
+
+The Alarms service stores, manages and exposes alarms raised by rules and device activity. It consumes alarm events from the message broker, persists them to PostgreSQL, and provides an HTTP API for listing, viewing, updating, and deleting alarms with full authn/authz, metrics, and tracing support.
+
+## Configuration
+
+The service is configured using the following environment variables (values shown are from [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) as consumed by [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml)):
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_ALARMS_LOG_LEVEL` | Log level for the service | `debug` |
+| `MG_ALARMS_HTTP_HOST` | HTTP host to bind | `alarms` |
+| `MG_ALARMS_HTTP_PORT` | HTTP port to bind | `8050` |
+| `MG_ALARMS_HTTP_SERVER_CERT` | Path to PEM-encoded HTTPS server certificate | "" |
+| `MG_ALARMS_HTTP_SERVER_KEY` | Path to PEM-encoded HTTPS server key | "" |
+| `MG_ALARMS_DB_HOST` | PostgreSQL host | `alarms-db` |
+| `MG_ALARMS_DB_PORT` | PostgreSQL port | `5432` |
+| `MG_ALARMS_DB_USER` | PostgreSQL user | `magistrala` |
+| `MG_ALARMS_DB_PASS` | PostgreSQL password | `magistrala` |
+| `MG_ALARMS_DB_NAME` | PostgreSQL database name | `alarms` |
+| `MG_ALARMS_DB_SSL_MODE` | PostgreSQL SSL mode | `disable` |
+| `MG_ALARMS_DB_SSL_CERT` | PostgreSQL SSL client cert | "" |
+| `MG_ALARMS_DB_SSL_KEY` | PostgreSQL SSL client key | "" |
+| `MG_ALARMS_DB_SSL_ROOT_CERT` | PostgreSQL SSL root cert | "" |
+| `MG_ALARMS_INSTANCE_ID` | Instance ID for tracing/health | "" |
+| `MG_MESSAGE_BROKER_URL` | Message broker URL for alarm ingestion | `nats://nats:4222` |
+| `MG_JAEGER_URL` | Jaeger collector endpoint | `http://jaeger:4318/v1/traces` |
+| `MG_JAEGER_TRACE_RATIO` | Trace sampling ratio | `1.0` |
+| `MG_AUTH_GRPC_URL` | Auth gRPC endpoint | `auth:7001` |
+| `MG_AUTH_GRPC_TIMEOUT` | Auth gRPC timeout | `300s` |
+| `MG_AUTH_GRPC_CLIENT_CERT` | Auth gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}` |
+| `MG_AUTH_GRPC_CLIENT_KEY` | Auth gRPC client key path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}` |
+| `MG_AUTH_GRPC_SERVER_CA_CERTS` | Auth gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `MG_DOMAINS_GRPC_URL` | Domains gRPC endpoint | `domains:7003` |
+| `MG_DOMAINS_GRPC_TIMEOUT` | Domains gRPC timeout | `300s` |
+| `MG_DOMAINS_GRPC_CLIENT_CERT` | Domains gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}` |
+| `MG_DOMAINS_GRPC_CLIENT_KEY` | Domains gRPC client key path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}` |
+| `MG_DOMAINS_GRPC_SERVER_CA_CERTS` | Domains gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `MG_ALLOW_UNVERIFIED_USER` | Allow unverified users to access | `true` |
+
+## Features
+
+- **Alarm ingestion**: Consumes alarms from the message broker and persists them to PostgreSQL.
+- **Stateful updates**: Updates assignee, acknowledgment, resolution, and metadata fields.
+- **Filtering and paging**: Lists alarms by domain, rule, channel, client, subtopic, status, severity, and time range.
+- **Observability**: `/metrics` Prometheus endpoint and Jaeger tracing support.
+- **Auth and authorization**: Authn/authz enforced via gRPC auth and domains services.
+
+## Architecture
+
+### Runtime flow
+
+1. The message broker publishes alarm events under the `alarms.>` subject.
+2. The Alarms consumer decodes the event payload, enriches it with message metadata, validates it, and calls `CreateAlarm`.
+3. The repository writes to PostgreSQL while deduplicating repeated active alarms with the same severity.
+4. The HTTP API exposes list/view/update/delete operations with authn/authz, metrics, and tracing middleware.
+
+### Components
+
+- **HTTP API**: `alarms/api` exposes REST endpoints and health/metrics handlers.
+- **Service layer**: `alarms/service.go` validates requests and coordinates repository operations.
+- **Repository**: `alarms/postgres/alarms.go` implements persistence and filtering.
+- **Consumer**: `alarms/consumer` processes broker messages and creates alarms.
+- **Message broker**: `alarms/brokers` uses NATS JetStream with stream `alarms` and subject `alarms.>`.
+- **Migrations**: `alarms/postgres/init.go` defines the alarms schema and indexes.
+
+### Alarms table
+
+Defined in `alarms/postgres/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `id` | `VARCHAR(36)` | Alarm UUID (primary key) |
+| `rule_id` | `VARCHAR(36)` | Rule ID that triggered the alarm |
+| `domain_id` | `VARCHAR(36)` | Domain ID |
+| `channel_id` | `VARCHAR(36)` | Channel ID |
+| `subtopic` | `TEXT` | Subtopic associated with the alarm |
+| `client_id` | `VARCHAR(36)` | Client ID |
+| `measurement` | `TEXT` | Measurement name |
+| `value` | `TEXT` | Measured value |
+| `unit` | `TEXT` | Measurement unit |
+| `threshold` | `TEXT` | Threshold value |
+| `cause` | `TEXT` | Cause/description |
+| `status` | `SMALLINT` | 0 = active, 1 = cleared |
+| `severity` | `SMALLINT` | Severity (0-100) |
+| `assignee_id` | `VARCHAR(36)` | Assignee ID |
+| `created_at` | `TIMESTAMPTZ` | Creation timestamp |
+| `updated_at` | `TIMESTAMPTZ` | Last update timestamp |
+| `updated_by` | `VARCHAR(36)` | User who updated |
+| `assigned_at` | `TIMESTAMPTZ` | When assigned |
+| `assigned_by` | `VARCHAR(36)` | Who assigned |
+| `acknowledged_at` | `TIMESTAMPTZ` | When acknowledged |
+| `acknowledged_by` | `VARCHAR(36)` | Who acknowledged |
+| `resolved_at` | `TIMESTAMPTZ` | When resolved |
+| `resolved_by` | `VARCHAR(36)` | Who resolved |
+| `metadata` | `JSONB` | Custom metadata |
+
+Index: `idx_alarms_state (domain_id, rule_id, channel_id, subtopic, client_id, measurement, created_at DESC)`
+
+## Deployment
+
+### Build and run locally
+
+```bash
+make alarms
+
+MG_ALARMS_LOG_LEVEL=debug \
+MG_ALARMS_HTTP_PORT=8050 \
+MG_ALARMS_DB_HOST=localhost \
+MG_ALARMS_DB_PORT=5432 \
+MG_ALARMS_DB_USER=magistrala \
+MG_ALARMS_DB_PASS=magistrala \
+MG_ALARMS_DB_NAME=alarms \
+MG_MESSAGE_BROKER_URL=nats://localhost:4222 \
+MG_AUTH_GRPC_URL=localhost:7001 \
+MG_AUTH_GRPC_TIMEOUT=300s \
+MG_DOMAINS_GRPC_URL=localhost:7003 \
+MG_DOMAINS_GRPC_TIMEOUT=300s \
+./build/alarms
+```
+
+### Docker Compose
+
+The service is available as a Docker container. Refer to [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) for the `alarms` and `alarms-db` services and their environment variables. For a full local stack, make sure the auth, domains, and message broker services are also running.
+
+```bash
+docker compose -f docker/docker-compose.yaml up alarms alarms-db
+```
+
+### Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
+
+## Testing
+
+```bash
+go test ./alarms/...
+```
+
+## Usage
+
+The Alarms service supports the following operations:
+
+| Operation | Method & Path | Description |
+| --- | --- | --- |
+| `listAlarms` | `GET /{domainID}/alarms` | List alarms with filters |
+| `viewAlarm` | `GET /{domainID}/alarms/{alarmID}` | Retrieve a single alarm |
+| `updateAlarm` | `PUT /{domainID}/alarms/{alarmID}` | Update alarm status/assignee/metadata |
+| `deleteAlarm` | `DELETE /{domainID}/alarms/{alarmID}` | Delete an alarm |
+| `health` | `GET /health` | Service health check |
+
+Alarm creation is driven by message broker events and is not exposed as an HTTP endpoint.
+
+### Example: List alarms
+
+```bash
+curl -X GET "http://localhost:8050/<domainID>/alarms?limit=10&offset=0&status=active&severity=50" \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: View an alarm
+
+```bash
+curl -X GET http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Update an alarm
+
+```bash
+curl -X PUT http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "status": "cleared",
+    "assignee_id": "<userID>",
+    "severity": 40,
+    "metadata": { "note": "cleared after inspection" }
+  }'
+```
+
+### Example: Delete an alarm
+
+```bash
+curl -X DELETE http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
@@ -0,0 +1,123 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/authn"
+)
+
+const SeverityMax uint8 = 100
+
+var ErrInvalidSeverity = errors.New("invalid severity. Must be between 0 and 100")
+
+type Metadata map[string]any
+
+// Alarm represents an alarm instance.
+type Alarm struct {
+	ID             string    `json:"id"`
+	RuleID         string    `json:"rule_id"`
+	DomainID       string    `json:"domain_id"`
+	ChannelID      string    `json:"channel_id"`
+	ClientID       string    `json:"client_id"`
+	Subtopic       string    `json:"subtopic"`
+	Status         Status    `json:"status"`
+	Measurement    string    `json:"measurement"`
+	Value          string    `json:"value"`
+	Unit           string    `json:"unit"`
+	Threshold      string    `json:"threshold"`
+	Cause          string    `json:"cause"`
+	Severity       uint8     `json:"severity"`
+	AssigneeID     string    `json:"assignee_id"`
+	CreatedAt      time.Time `json:"created_at"`
+	UpdatedAt      time.Time `json:"updated_at"`
+	UpdatedBy      string    `json:"updated_by"`
+	AssignedAt     time.Time `json:"assigned_at,omitempty"`
+	AssignedBy     string    `json:"assigned_by,omitempty"`
+	AcknowledgedAt time.Time `json:"acknowledged_at,omitempty"`
+	AcknowledgedBy string    `json:"acknowledged_by,omitempty"`
+	ResolvedAt     time.Time `json:"resolved_at,omitempty"`
+	ResolvedBy     string    `json:"resolved_by,omitempty"`
+	Metadata       Metadata  `json:"metadata,omitempty"`
+}
+
+type AlarmsPage struct {
+	Offset uint64  `json:"offset"`
+	Limit  uint64  `json:"limit"`
+	Total  uint64  `json:"total"`
+	Alarms []Alarm `json:"alarms"`
+}
+
+type PageMetadata struct {
+	Offset         uint64    `json:"offset"          db:"offset"`
+	Limit          uint64    `json:"limit"           db:"limit"`
+	DomainID       string    `json:"domain_id"       db:"domain_id"`
+	RuleID         string    `json:"rule_id"         db:"rule_id"`
+	ChannelID      string    `json:"channel_id"      db:"channel_id"`
+	ClientID       string    `json:"client_id"       db:"client_id"`
+	Subtopic       string    `json:"subtopic"        db:"subtopic"`
+	Measurement    string    `json:"measurement"     db:"measurement"`
+	Dir            string    `json:"dir"             db:"dir"`
+	Order          string    `json:"order"           db:"order"`
+	Status         Status    `json:"status"          db:"status"`
+	CreatedFrom    time.Time `json:"created_from"    db:"created_from"`
+	CreatedTo      time.Time `json:"created_to"      db:"created_to"`
+	AssigneeID     string    `json:"assignee_id"     db:"assignee_id"`
+	Severity       uint8     `json:"severity"        db:"severity"`
+	UpdatedBy      string    `json:"updated_by"      db:"updated_by"`
+	AssignedBy     string    `json:"assigned_by"     db:"assigned_by"`
+	AcknowledgedBy string    `json:"acknowledged_by" db:"acknowledged_by"`
+	ResolvedBy     string    `json:"resolved_by"     db:"resolved_by"`
+	UserID         string    `json:"user_id"         db:"user_id"`
+}
+
+func (a Alarm) Validate() error {
+	if a.RuleID == "" {
+		return errors.New("rule_id is required")
+	}
+	if a.DomainID == "" {
+		return errors.New("domain_id is required")
+	}
+	if a.ChannelID == "" {
+		return errors.New("channel_id is required")
+	}
+	if a.ClientID == "" {
+		return errors.New("client_id is required")
+	}
+	if a.Measurement == "" {
+		return errors.New("measurement is required")
+	}
+	if a.Value == "" {
+		return errors.New("value is required")
+	}
+	if a.Cause == "" {
+		return errors.New("cause is required")
+	}
+	if a.Severity > SeverityMax {
+		return ErrInvalidSeverity
+	}
+
+	return nil
+}
+
+// Service specifies an API that must be fulfilled by the domain service.
+type Service interface {
+	CreateAlarm(ctx context.Context, alarm Alarm) error
+	UpdateAlarm(ctx context.Context, session authn.Session, alarm Alarm) (Alarm, error)
+	ViewAlarm(ctx context.Context, session authn.Session, id string) (Alarm, error)
+	ListAlarms(ctx context.Context, session authn.Session, pm PageMetadata) (AlarmsPage, error)
+	DeleteAlarm(ctx context.Context, session authn.Session, id string) error
+}
+
+type Repository interface {
+	CreateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
+	UpdateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
+	ViewAlarm(ctx context.Context, alarmID, domainID string) (Alarm, error)
+	ListAllAlarms(ctx context.Context, pm PageMetadata) (AlarmsPage, error)
+	ListUserAlarms(ctx context.Context, userID string, pm PageMetadata) (AlarmsPage, error)
+	DeleteAlarm(ctx context.Context, id string) error
+}
@@ -0,0 +1,173 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateAlarms(t *testing.T) {
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: nil,
+		},
+		{
+			desc: "missing rule_id",
+			alarm: alarms.Alarm{
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("rule_id is required"),
+		},
+		{
+			desc: "missing domain_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("domain_id is required"),
+		},
+		{
+			desc: "missing channel_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("channel_id is required"),
+		},
+		{
+			desc: "missing client_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("client_id is required"),
+		},
+		{
+			desc: "missing measurement",
+			alarm: alarms.Alarm{
+				RuleID:    testsutil.GenerateUUID(t),
+				DomainID:  testsutil.GenerateUUID(t),
+				ChannelID: testsutil.GenerateUUID(t),
+				ClientID:  testsutil.GenerateUUID(t),
+				Subtopic:  "subtopic",
+				Value:     "value",
+				Unit:      "unit",
+				Cause:     "cause",
+				Severity:  100,
+			},
+			err: errors.New("measurement is required"),
+		},
+		{
+			desc: "missing value",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("value is required"),
+		},
+		{
+			desc: "missing cause",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Severity:    100,
+			},
+			err: errors.New("cause is required"),
+		},
+		{
+			desc: "higher severity",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    alarms.SeverityMax + 1,
+			},
+			err: alarms.ErrInvalidSeverity,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			err := tc.alarm.Validate()
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		})
+	}
+}
@@ -0,0 +1,104 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/go-kit/kit/endpoint"
+)
+
+func updateAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(updateAlarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		alarm, err := svc.UpdateAlarm(ctx, session, req.Alarm)
+		if err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{
+			Alarm: alarm,
+		}, nil
+	}
+}
+
+func viewAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(alarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		alarm, err := svc.ViewAlarm(ctx, session, req.ID)
+		if err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{
+			Alarm: alarm,
+		}, nil
+	}
+}
+
+func listAlarmsEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(listAlarmsReq)
+		if err := req.validate(); err != nil {
+			return alarmsPageRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmsPageRes{}, svcerr.ErrAuthorization
+		}
+
+		alarms, err := svc.ListAlarms(ctx, session, req.PageMetadata)
+		if err != nil {
+			return alarmsPageRes{}, err
+		}
+
+		return alarmsPageRes{
+			AlarmsPage: alarms,
+		}, nil
+	}
+}
+
+func deleteAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(alarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		if err := svc.DeleteAlarm(ctx, session, req.ID); err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{deleted: true}, nil
+	}
+}
@@ -0,0 +1,59 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"errors"
+
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+)
+
+type alarmReq struct {
+	alarms.Alarm `json:",inline"`
+}
+
+func (req alarmReq) validate() error {
+	if req.Alarm.ID == "" {
+		return errors.New("missing alarm id")
+	}
+
+	return nil
+}
+
+type updateAlarmReq struct {
+	alarms.Alarm `json:",inline"`
+}
+
+func (req updateAlarmReq) validate() error {
+	if req.Alarm.ID == "" {
+		return errors.New("missing alarm id")
+	}
+	if req.Alarm.AssigneeID == "" && req.Alarm.AcknowledgedBy == "" && req.Alarm.ResolvedBy == "" && len(req.Alarm.Metadata) == 0 {
+		return errors.New("at least one of assignee_id, acknowledged_by, resolved_by, or metadata must be set")
+	}
+
+	return nil
+}
+
+type listAlarmsReq struct {
+	alarms.PageMetadata
+}
+
+func (req listAlarmsReq) validate() error {
+	if req.Limit > api.MaxLimitSize || req.Limit < 1 {
+		return apiutil.ErrLimitSize
+	}
+
+	if req.Order != "" && req.Order != api.UpdatedAtOrder && req.Order != api.CreatedAtOrder {
+		return apiutil.ErrInvalidOrder
+	}
+
+	if req.Dir != api.AscDir && req.Dir != api.DescDir {
+		return apiutil.ErrInvalidDirection
+	}
+
+	return nil
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/alarms"
+)
+
+var (
+	_ magistrala.Response = (*alarmRes)(nil)
+	_ magistrala.Response = (*alarmsPageRes)(nil)
+)
+
+type alarmRes struct {
+	alarms.Alarm `json:",inline"`
+	created      bool
+	deleted      bool
+}
+
+func (res alarmRes) Headers() map[string]string {
+	switch {
+	case res.created:
+		return map[string]string{
+			"Location": fmt.Sprintf("/%s/alarms/%s", res.DomainID, res.ID),
+		}
+	default:
+		return map[string]string{}
+	}
+}
+
+func (res alarmRes) Code() int {
+	switch {
+	case res.created:
+		return http.StatusCreated
+	case res.deleted:
+		return http.StatusNoContent
+	default:
+		return http.StatusOK
+	}
+}
+
+func (res alarmRes) Empty() bool {
+	switch {
+	case res.deleted:
+		return true
+	default:
+		return false
+	}
+}
+
+type alarmsPageRes struct {
+	alarms.AlarmsPage `json:",inline"`
+}
+
+func (res alarmsPageRes) Headers() map[string]string {
+	return map[string]string{}
+}
+
+func (res alarmsPageRes) Code() int {
+	return http.StatusOK
+}
+
+func (res alarmsPageRes) Empty() bool {
+	return false
+}
@@ -0,0 +1,209 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"math"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	smqauthn "github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/go-chi/chi/v5"
+	kithttp "github.com/go-kit/kit/transport/http"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+)
+
+func MakeHandler(svc alarms.Service, logger *slog.Logger, idp magistrala.IDProvider, instanceID string, authn smqauthn.AuthNMiddleware) http.Handler {
+	opts := []kithttp.ServerOption{
+		kithttp.ServerErrorEncoder(apiutil.LoggingErrorEncoder(logger, api.EncodeError)),
+	}
+
+	mux := chi.NewRouter()
+
+	mux.Route("/{domainID}/alarms", func(r chi.Router) {
+		r.Group(func(r chi.Router) {
+			r.Use(authn.WithOptions(smqauthn.WithDomainCheck(true)).Middleware())
+			r.Use(api.RequestIDMiddleware(idp))
+
+			r.Get("/", otelhttp.NewHandler(kithttp.NewServer(
+				listAlarmsEndpoint(svc),
+				decodeListAlarmsReq,
+				api.EncodeResponse,
+				opts...,
+			), "list_alarms").ServeHTTP)
+			r.Route("/{alarmID}", func(r chi.Router) {
+				r.Get("/", otelhttp.NewHandler(kithttp.NewServer(
+					viewAlarmEndpoint(svc),
+					decodeAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "get_alarm").ServeHTTP)
+				r.Put("/", otelhttp.NewHandler(kithttp.NewServer(
+					updateAlarmEndpoint(svc),
+					decodeUpdateAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "update_alarm").ServeHTTP)
+				r.Delete("/", otelhttp.NewHandler(kithttp.NewServer(
+					deleteAlarmEndpoint(svc),
+					decodeAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "delete_alarm").ServeHTTP)
+			})
+		})
+	})
+
+	mux.Get("/health", magistrala.Health("alarms", instanceID))
+	mux.Handle("/metrics", promhttp.Handler())
+
+	return mux
+}
+
+func decodeListAlarmsReq(_ context.Context, r *http.Request) (any, error) {
+	offset, err := apiutil.ReadNumQuery[uint64](r, api.OffsetKey, api.DefOffset)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	limit, err := apiutil.ReadNumQuery[uint64](r, api.LimitKey, api.DefLimit)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	domainID, err := apiutil.ReadStringQuery(r, "domain_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	channelID, err := apiutil.ReadStringQuery(r, "channel_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	clientID, err := apiutil.ReadStringQuery(r, "client_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	subtopic, err := apiutil.ReadStringQuery(r, "subtopic", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	ruleID, err := apiutil.ReadStringQuery(r, "rule_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	s, err := apiutil.ReadStringQuery(r, api.StatusKey, alarms.All)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	status, err := alarms.ToStatus(s)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	assigneeID, err := apiutil.ReadStringQuery(r, "assignee_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	serverity, err := apiutil.ReadNumQuery(r, "severity", uint64(math.MaxUint8))
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	updatedBy, err := apiutil.ReadStringQuery(r, "updated_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	assignedBy, err := apiutil.ReadStringQuery(r, "assigned_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	acknowledgedBy, err := apiutil.ReadStringQuery(r, "acknowledged_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	resolvedBy, err := apiutil.ReadStringQuery(r, "resolved_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	cfrom, err := apiutil.ReadStringQuery(r, "created_from", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	cto, err := apiutil.ReadStringQuery(r, "created_to", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	order, err := apiutil.ReadStringQuery(r, api.OrderKey, api.DefOrder)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	dir, err := apiutil.ReadStringQuery(r, api.DirKey, "desc")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+
+	var createdFrom, createdTo time.Time
+	if cfrom != "" {
+		if createdFrom, err = time.Parse(time.RFC3339, cfrom); err != nil {
+			return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+	}
+	if cto != "" {
+		if createdTo, err = time.Parse(time.RFC3339, cto); err != nil {
+			return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+	}
+
+	return listAlarmsReq{
+		PageMetadata: alarms.PageMetadata{
+			Offset:         offset,
+			Limit:          limit,
+			DomainID:       domainID,
+			ChannelID:      channelID,
+			ClientID:       clientID,
+			Subtopic:       subtopic,
+			RuleID:         ruleID,
+			Status:         status,
+			AssigneeID:     assigneeID,
+			ResolvedBy:     resolvedBy,
+			Severity:       uint8(serverity),
+			UpdatedBy:      updatedBy,
+			AcknowledgedBy: acknowledgedBy,
+			AssignedBy:     assignedBy,
+			CreatedFrom:    createdFrom,
+			CreatedTo:      createdTo,
+			Dir:            dir,
+			Order:          order,
+		},
+	}, nil
+}
+
+func decodeAlarmReq(_ context.Context, r *http.Request) (any, error) {
+	return alarmReq{
+		Alarm: alarms.Alarm{
+			ID: chi.URLParam(r, "alarmID"),
+		},
+	}, nil
+}
+
+func decodeUpdateAlarmReq(_ context.Context, r *http.Request) (any, error) {
+	if !strings.Contains(r.Header.Get("Content-Type"), api.ContentType) {
+		return updateAlarmReq{}, apiutil.ErrUnsupportedContentType
+	}
+
+	req := updateAlarmReq{}
+	if err := json.NewDecoder(r.Body).Decode(&req.Alarm); err != nil {
+		return updateAlarmReq{}, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
+	}
+
+	req.Alarm.ID = chi.URLParam(r, "alarmID")
+
+	return req, nil
+}
@@ -0,0 +1,53 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build msg_fluxmq
+// +build msg_fluxmq
+
+package brokers
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/messaging"
+	broker "github.com/absmach/magistrala/pkg/messaging/fluxmq"
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+const (
+	AllTopic = "alarms/#"
+
+	prefix = "alarms"
+)
+
+var cfg = jetstream.StreamConfig{
+	Name:              "alarms",
+	Description:       "Magistrala stream alarms",
+	Subjects:          []string{"alarms/#"},
+	Retention:         jetstream.LimitsPolicy,
+	MaxMsgsPerSubject: 1e6,
+	MaxAge:            time.Hour * 24,
+	MaxMsgSize:        1024 * 1024,
+	Discard:           jetstream.DiscardOld,
+	Storage:           jetstream.FileStorage,
+}
+
+func NewPubSub(ctx context.Context, url string, logger *slog.Logger) (messaging.PubSub, error) {
+	pb, err := broker.NewPubSub(ctx, url, logger, broker.Prefix(prefix), broker.JSStreamConfig(cfg), broker.ConnectionName("alarms-msg-pubsub"))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
+
+func NewPublisher(ctx context.Context, url string) (messaging.Publisher, error) {
+	pb, err := broker.NewPublisher(ctx, url, broker.Prefix(prefix), broker.JSStreamConfig(cfg), broker.ConnectionName("alarms-msg-pub"))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
@@ -0,0 +1,53 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !msg_fluxmq && !msg_rabbitmq && !rabbitmq
+// +build !msg_fluxmq,!msg_rabbitmq,!rabbitmq
+
+package brokers
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/messaging"
+	broker "github.com/absmach/magistrala/pkg/messaging/nats"
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+const (
+	AllTopic = "alarms/#"
+
+	prefix = "alarms"
+)
+
+var cfg = jetstream.StreamConfig{
+	Name:              "alarms",
+	Description:       "Magistrala stream alarms",
+	Subjects:          []string{"alarms.>"},
+	Retention:         jetstream.LimitsPolicy,
+	MaxMsgsPerSubject: 1e6,
+	MaxAge:            time.Hour * 24,
+	MaxMsgSize:        1024 * 1024,
+	Discard:           jetstream.DiscardOld,
+	Storage:           jetstream.FileStorage,
+}
+
+func NewPubSub(ctx context.Context, url string, logger *slog.Logger) (messaging.PubSub, error) {
+	pb, err := broker.NewPubSub(ctx, url, logger, broker.Prefix(prefix), broker.JSStreamConfig(cfg))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
+
+func NewPublisher(ctx context.Context, url string) (messaging.Publisher, error) {
+	pb, err := broker.NewPublisher(ctx, url, broker.Prefix(prefix), broker.JSStreamConfig(cfg))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
@@ -0,0 +1,56 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package consumer
+
+import (
+	"bytes"
+	"context"
+	"encoding/gob"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/magistrala/pkg/messaging"
+)
+
+var errFailedToDecode = errors.New("failed to decode alarm")
+
+type handler struct {
+	svc    alarms.Service
+	logger *slog.Logger
+}
+
+func NewHandler(svc alarms.Service, logger *slog.Logger) messaging.MessageHandler {
+	return &handler{svc: svc, logger: logger}
+}
+
+func (h handler) Handle(msg *messaging.Message) (err error) {
+	if msg == nil {
+		return errors.New("message is empty")
+	}
+	if msg.GetPayload() == nil {
+		return errors.New("message payload is empty")
+	}
+
+	var alarm alarms.Alarm
+	if err := gob.NewDecoder(bytes.NewReader(msg.GetPayload())).Decode(&alarm); err != nil {
+		return messaging.NewError(errors.Wrap(errFailedToDecode, err), messaging.Term)
+	}
+	alarm.DomainID = msg.GetDomain()
+	alarm.ChannelID = msg.GetChannel()
+	alarm.ClientID = msg.ClientIdentity()
+	alarm.Subtopic = msg.GetSubtopic()
+	alarm.CreatedAt = time.Unix(0, int64(msg.GetCreated()))
+
+	if err := alarm.Validate(); err != nil {
+		return err
+	}
+
+	return h.svc.CreateAlarm(context.Background(), alarm)
+}
+
+func (h handler) Cancel() error {
+	return nil
+}
@@ -0,0 +1,6 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Package alarms contains domain concept definitions needed to support
+// Alarms service feature, i.e. create, read, update, and delete alarms.
+package alarms
@@ -0,0 +1,172 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/operations"
+	"github.com/absmach/magistrala/auth"
+	"github.com/absmach/magistrala/pkg/authn"
+	smqauthz "github.com/absmach/magistrala/pkg/authz"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/absmach/magistrala/pkg/permissions"
+	"github.com/absmach/magistrala/pkg/policies"
+)
+
+var (
+	errDomainUpdateAlarms = errors.New("not authorized to update alarms in domain")
+	errDomainDeleteAlarms = errors.New("not authorized to delete alarms in domain")
+	errDomainViewAlarms   = errors.New("not authorized to view alarms in domain")
+)
+
+type authorizationMiddleware struct {
+	svc         alarms.Service
+	authz       smqauthz.Authorization
+	entitiesOps permissions.EntitiesOperations[permissions.Operation]
+}
+
+var _ alarms.Service = (*authorizationMiddleware)(nil)
+
+func NewAuthorizationMiddleware(svc alarms.Service, authz smqauthz.Authorization, entitiesOps permissions.EntitiesOperations[permissions.Operation]) (alarms.Service, error) {
+	if err := entitiesOps.Validate(); err != nil {
+		return nil, err
+	}
+
+	return &authorizationMiddleware{
+		svc:         svc,
+		authz:       authz,
+		entitiesOps: entitiesOps,
+	}, nil
+}
+
+func (am *authorizationMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	return am.svc.CreateAlarm(ctx, alarm)
+}
+
+func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	if len(alarm.Metadata) > 0 {
+		if err := am.authorize(ctx, operations.OpUpdateAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	if alarm.AssigneeID != "" {
+		if err := am.authorize(ctx, operations.OpAssignAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+		domainUserID := auth.EncodeDomainUserID(session.DomainID, alarm.AssigneeID)
+		if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
+			Domain:      session.DomainID,
+			SubjectType: policies.UserType,
+			SubjectKind: policies.UsersKind,
+			Subject:     domainUserID,
+			Permission:  policies.MembershipPermission,
+			ObjectType:  policies.DomainType,
+			Object:      session.DomainID,
+		}, nil); err != nil {
+			return alarms.Alarm{}, err
+		}
+	}
+
+	if alarm.AcknowledgedBy != "" {
+		if err := am.authorize(ctx, operations.OpAcknowledgeAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	if alarm.ResolvedBy != "" {
+		if err := am.authorize(ctx, operations.OpResolveAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	return am.svc.UpdateAlarm(ctx, session, alarm)
+}
+
+func (am *authorizationMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	if err := am.authorize(ctx, operations.OpDeleteAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return errors.Wrap(errDomainDeleteAlarms, err)
+	}
+
+	return am.svc.DeleteAlarm(ctx, session, id)
+}
+
+func (am *authorizationMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	if pm.DomainID == "" {
+		pm.DomainID = session.DomainID
+	}
+
+	switch err := am.checkSuperAdmin(ctx, session); {
+	case err == nil:
+		session.SuperAdmin = true
+	case errors.Contains(err, svcerr.ErrSuperAdminAction):
+	default:
+		return alarms.AlarmsPage{}, err
+	}
+
+	return am.svc.ListAlarms(ctx, session, pm)
+}
+
+func (am *authorizationMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	if err := am.authorize(ctx, operations.OpViewAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return alarms.Alarm{}, errors.Wrap(errDomainViewAlarms, err)
+	}
+
+	return am.svc.ViewAlarm(ctx, session, id)
+}
+
+func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions.Operation, session authn.Session, objType, obj string) error {
+	perm, err := am.entitiesOps.GetPermission(operations.EntityType, op)
+	if err != nil {
+		return err
+	}
+
+	pr := smqauthz.PolicyReq{
+		Domain:      session.DomainID,
+		SubjectType: policies.UserType,
+		SubjectKind: policies.UsersKind,
+		Subject:     session.DomainUserID,
+		Object:      obj,
+		ObjectType:  objType,
+		Permission:  perm.String(),
+	}
+
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := am.entitiesOps.OperationName(operations.EntityType, op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   auth.AnyIDs,
+			EntityType: auth.RulesType.String(),
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
+	if session.Role != authn.SuperAdminRole {
+		return svcerr.ErrSuperAdminAction
+	}
+	if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
+		SubjectType: policies.UserType,
+		Subject:     session.UserID,
+		Permission:  policies.AdminPermission,
+		ObjectType:  policies.PlatformType,
+		Object:      policies.MagistralaObject,
+	}, nil); err != nil {
+		return err
+	}
+	return nil
+}
@@ -0,0 +1,6 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Package middleware provides middleware for the alarms service.
+// This is logging, metrics, and tracing middleware.
+package middleware
@@ -0,0 +1,155 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/go-chi/chi/v5/middleware"
+)
+
+type loggingMiddleware struct {
+	logger  *slog.Logger
+	service alarms.Service
+}
+
+var _ alarms.Service = (*loggingMiddleware)(nil)
+
+func NewLoggingMiddleware(logger *slog.Logger, service alarms.Service) alarms.Service {
+	return &loggingMiddleware{
+		logger:  logger,
+		service: service,
+	}
+}
+
+func (lm *loggingMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Group("alarm",
+				slog.String("rule_id", alarm.RuleID),
+				slog.String("domain_id", alarm.DomainID),
+				slog.String("channel_id", alarm.ChannelID),
+				slog.String("client_id", alarm.ClientID),
+				slog.String("subtopic", alarm.Subtopic),
+				slog.String("measurement", alarm.Measurement),
+				slog.String("value", alarm.Value),
+				slog.String("unit", alarm.Unit),
+				slog.Uint64("status", uint64(alarm.Status)),
+				slog.Uint64("severity", uint64(alarm.Severity)),
+				slog.String("threshold", alarm.Threshold),
+				slog.String("cause", alarm.Cause),
+			),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Create alarm failed", args...)
+			return
+		}
+		if alarm.ID != "" {
+			lm.logger.Info("Create alarm completed successfully", args...)
+		}
+	}(time.Now())
+
+	return lm.service.CreateAlarm(ctx, alarm)
+}
+
+func (lm *loggingMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (dba alarms.Alarm, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Group("alarm",
+				slog.String("id", dba.ID),
+				slog.String("rule_id", dba.RuleID),
+				slog.String("domain_id", dba.DomainID),
+				slog.String("channel_id", dba.ChannelID),
+				slog.String("client_id", dba.ClientID),
+				slog.String("subtopic", dba.Subtopic),
+				slog.String("measurement", dba.Measurement),
+				slog.String("value", dba.Value),
+				slog.String("unit", dba.Unit),
+				slog.String("status", dba.Status.String()),
+				slog.Uint64("severity", uint64(dba.Severity)),
+				slog.String("threshold", dba.Threshold),
+				slog.String("cause", dba.Cause),
+			),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Update alarm failed", args...)
+			return
+		}
+		lm.logger.Info("Update alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.UpdateAlarm(ctx, session, alarm)
+}
+
+func (lm *loggingMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (dba alarms.Alarm, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.String("id", id),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("View alarm failed", args...)
+			return
+		}
+		lm.logger.Info("View alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.ViewAlarm(ctx, session, id)
+}
+
+func (lm *loggingMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (dbp alarms.AlarmsPage, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Int("offset", int(pm.Offset)),
+			slog.Int("limit", int(pm.Limit)),
+			slog.String("rule_id", pm.RuleID),
+			slog.String("domain_id", pm.DomainID),
+			slog.String("channel_id", pm.ChannelID),
+			slog.String("client_id", pm.ClientID),
+			slog.String("subtopic", pm.Subtopic),
+			slog.String("status", pm.Status.String()),
+			slog.Uint64("severity", uint64(pm.Severity)),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("List alarms failed", args...)
+			return
+		}
+		lm.logger.Info("List alarms completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.ListAlarms(ctx, session, pm)
+}
+
+func (lm *loggingMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) (err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.String("id", id),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Delete alarm failed", args...)
+			return
+		}
+		lm.logger.Info("Delete alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,74 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/go-kit/kit/metrics"
+)
+
+type metricsMiddleware struct {
+	counter metrics.Counter
+	latency metrics.Histogram
+	service alarms.Service
+}
+
+var _ alarms.Service = (*metricsMiddleware)(nil)
+
+func NewMetricsMiddleware(counter metrics.Counter, latency metrics.Histogram, service alarms.Service) alarms.Service {
+	return &metricsMiddleware{
+		counter: counter,
+		latency: latency,
+		service: service,
+	}
+}
+
+func (mm *metricsMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "create_alarm").Add(1)
+		mm.latency.With("method", "create_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.CreateAlarm(ctx, alarm)
+}
+
+func (mm *metricsMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "update_alarm").Add(1)
+		mm.latency.With("method", "update_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.UpdateAlarm(ctx, session, alarm)
+}
+
+func (mm *metricsMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "get_alarm").Add(1)
+		mm.latency.With("method", "get_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.ViewAlarm(ctx, session, id)
+}
+
+func (mm *metricsMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "list_alarms").Add(1)
+		mm.latency.With("method", "list_alarms").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.ListAlarms(ctx, session, pm)
+}
+
+func (mm *metricsMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "delete_alarm").Add(1)
+		mm.latency.With("method", "delete_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,84 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	smqTracing "github.com/absmach/magistrala/pkg/tracing"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+)
+
+type tracingMiddleware struct {
+	tracer trace.Tracer
+	svc    alarms.Service
+}
+
+var _ alarms.Service = (*tracingMiddleware)(nil)
+
+func NewTracingMiddleware(tracer trace.Tracer, svc alarms.Service) alarms.Service {
+	return &tracingMiddleware{
+		tracer: tracer,
+		svc:    svc,
+	}
+}
+
+func (tm *tracingMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "create_alarm", trace.WithAttributes(
+		attribute.String("rule_id", alarm.RuleID),
+		attribute.String("measurement", alarm.Measurement),
+		attribute.String("value", alarm.Value),
+		attribute.String("unit", alarm.Unit),
+		attribute.String("cause", alarm.Cause),
+		attribute.String("status", alarm.Status.String()),
+	))
+	defer span.End()
+
+	return tm.svc.CreateAlarm(ctx, alarm)
+}
+
+func (tm *tracingMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "update_alarm", trace.WithAttributes(
+		attribute.String("rule_id", alarm.RuleID),
+		attribute.String("measurement", alarm.Measurement),
+		attribute.String("value", alarm.Value),
+		attribute.String("unit", alarm.Unit),
+		attribute.String("cause", alarm.Cause),
+		attribute.String("status", alarm.Status.String()),
+	))
+	defer span.End()
+
+	return tm.svc.UpdateAlarm(ctx, session, alarm)
+}
+
+func (tm *tracingMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "get_alarm", trace.WithAttributes(
+		attribute.String("id", id),
+	))
+	defer span.End()
+
+	return tm.svc.ViewAlarm(ctx, session, id)
+}
+
+func (tm *tracingMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "list_alarms", trace.WithAttributes(
+		attribute.Int("offset", int(pm.Offset)),
+		attribute.Int("limit", int(pm.Limit)),
+	))
+	defer span.End()
+
+	return tm.svc.ListAlarms(ctx, session, pm)
+}
+
+func (tm *tracingMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "delete_alarm", trace.WithAttributes(
+		attribute.String("id", id),
+	))
+	defer span.End()
+
+	return tm.svc.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,442 @@
+// Copyright (c) Abstract Machines
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewRepository creates a new instance of Repository. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewRepository(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Repository {
+	mock := &Repository{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// Repository is an autogenerated mock type for the Repository type
+type Repository struct {
+	mock.Mock
+}
+
+type Repository_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Repository) EXPECT() *Repository_Expecter {
+	return &Repository_Expecter{mock: &_m.Mock}
+}
+
+// CreateAlarm provides a mock function for the type Repository
+func (_mock *Repository) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_CreateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateAlarm'
+type Repository_CreateAlarm_Call struct {
+	*mock.Call
+}
+
+// CreateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Repository_Expecter) CreateAlarm(ctx interface{}, alarm interface{}) *Repository_CreateAlarm_Call {
+	return &Repository_CreateAlarm_Call{Call: _e.mock.On("CreateAlarm", ctx, alarm)}
+}
+
+func (_c *Repository_CreateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Repository_CreateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_CreateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Repository_CreateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Repository_CreateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error)) *Repository_CreateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteAlarm provides a mock function for the type Repository
+func (_mock *Repository) DeleteAlarm(ctx context.Context, id string) error {
+	ret := _mock.Called(ctx, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) error); ok {
+		r0 = returnFunc(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Repository_DeleteAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAlarm'
+type Repository_DeleteAlarm_Call struct {
+	*mock.Call
+}
+
+// DeleteAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - id string
+func (_e *Repository_Expecter) DeleteAlarm(ctx interface{}, id interface{}) *Repository_DeleteAlarm_Call {
+	return &Repository_DeleteAlarm_Call{Call: _e.mock.On("DeleteAlarm", ctx, id)}
+}
+
+func (_c *Repository_DeleteAlarm_Call) Run(run func(ctx context.Context, id string)) *Repository_DeleteAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_DeleteAlarm_Call) Return(err error) *Repository_DeleteAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Repository_DeleteAlarm_Call) RunAndReturn(run func(ctx context.Context, id string) error) *Repository_DeleteAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListAllAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListAllAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ListAllAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAllAlarms'
+type Repository_ListAllAlarms_Call struct {
+	*mock.Call
+}
+
+// ListAllAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pm alarms.PageMetadata
+func (_e *Repository_Expecter) ListAllAlarms(ctx interface{}, pm interface{}) *Repository_ListAllAlarms_Call {
+	return &Repository_ListAllAlarms_Call{Call: _e.mock.On("ListAllAlarms", ctx, pm)}
+}
+
+func (_c *Repository_ListAllAlarms_Call) Run(run func(ctx context.Context, pm alarms.PageMetadata)) *Repository_ListAllAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.PageMetadata
+		if args[1] != nil {
+			arg1 = args[1].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ListAllAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListAllAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Repository_ListAllAlarms_Call) RunAndReturn(run func(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListAllAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListUserAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, userID, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListUserAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, userID, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, userID, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, userID, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ListUserAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListUserAlarms'
+type Repository_ListUserAlarms_Call struct {
+	*mock.Call
+}
+
+// ListUserAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - userID string
+//   - pm alarms.PageMetadata
+func (_e *Repository_Expecter) ListUserAlarms(ctx interface{}, userID interface{}, pm interface{}) *Repository_ListUserAlarms_Call {
+	return &Repository_ListUserAlarms_Call{Call: _e.mock.On("ListUserAlarms", ctx, userID, pm)}
+}
+
+func (_c *Repository_ListUserAlarms_Call) Run(run func(ctx context.Context, userID string, pm alarms.PageMetadata)) *Repository_ListUserAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 alarms.PageMetadata
+		if args[2] != nil {
+			arg2 = args[2].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListUserAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) RunAndReturn(run func(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListUserAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAlarm provides a mock function for the type Repository
+func (_mock *Repository) UpdateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_UpdateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAlarm'
+type Repository_UpdateAlarm_Call struct {
+	*mock.Call
+}
+
+// UpdateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Repository_Expecter) UpdateAlarm(ctx interface{}, alarm interface{}) *Repository_UpdateAlarm_Call {
+	return &Repository_UpdateAlarm_Call{Call: _e.mock.On("UpdateAlarm", ctx, alarm)}
+}
+
+func (_c *Repository_UpdateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Repository_UpdateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_UpdateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Repository_UpdateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Repository_UpdateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error)) *Repository_UpdateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ViewAlarm provides a mock function for the type Repository
+func (_mock *Repository) ViewAlarm(ctx context.Context, alarmID string, domainID string) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarmID, domainID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ViewAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarmID, domainID)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarmID, domainID)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = returnFunc(ctx, alarmID, domainID)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ViewAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ViewAlarm'
+type Repository_ViewAlarm_Call struct {
+	*mock.Call
+}
+
+// ViewAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarmID string
+//   - domainID string
+func (_e *Repository_Expecter) ViewAlarm(ctx interface{}, alarmID interface{}, domainID interface{}) *Repository_ViewAlarm_Call {
+	return &Repository_ViewAlarm_Call{Call: _e.mock.On("ViewAlarm", ctx, alarmID, domainID)}
+}
+
+func (_c *Repository_ViewAlarm_Call) Run(run func(ctx context.Context, alarmID string, domainID string)) *Repository_ViewAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ViewAlarm_Call) Return(alarm alarms.Alarm, err error) *Repository_ViewAlarm_Call {
+	_c.Call.Return(alarm, err)
+	return _c
+}
+
+func (_c *Repository_ViewAlarm_Call) RunAndReturn(run func(ctx context.Context, alarmID string, domainID string) (alarms.Alarm, error)) *Repository_ViewAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
@@ -0,0 +1,380 @@
+// Copyright (c) Abstract Machines
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewService creates a new instance of Service. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Service {
+	mock := &Service{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// Service is an autogenerated mock type for the Service type
+type Service struct {
+	mock.Mock
+}
+
+type Service_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Service) EXPECT() *Service_Expecter {
+	return &Service_Expecter{mock: &_m.Mock}
+}
+
+// CreateAlarm provides a mock function for the type Service
+func (_mock *Service) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) error); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Service_CreateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateAlarm'
+type Service_CreateAlarm_Call struct {
+	*mock.Call
+}
+
+// CreateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Service_Expecter) CreateAlarm(ctx interface{}, alarm interface{}) *Service_CreateAlarm_Call {
+	return &Service_CreateAlarm_Call{Call: _e.mock.On("CreateAlarm", ctx, alarm)}
+}
+
+func (_c *Service_CreateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Service_CreateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_CreateAlarm_Call) Return(err error) *Service_CreateAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Service_CreateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) error) *Service_CreateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteAlarm provides a mock function for the type Service
+func (_mock *Service) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	ret := _mock.Called(ctx, session, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) error); ok {
+		r0 = returnFunc(ctx, session, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Service_DeleteAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAlarm'
+type Service_DeleteAlarm_Call struct {
+	*mock.Call
+}
+
+// DeleteAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - id string
+func (_e *Service_Expecter) DeleteAlarm(ctx interface{}, session interface{}, id interface{}) *Service_DeleteAlarm_Call {
+	return &Service_DeleteAlarm_Call{Call: _e.mock.On("DeleteAlarm", ctx, session, id)}
+}
+
+func (_c *Service_DeleteAlarm_Call) Run(run func(ctx context.Context, session authn.Session, id string)) *Service_DeleteAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_DeleteAlarm_Call) Return(err error) *Service_DeleteAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Service_DeleteAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, id string) error) *Service_DeleteAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListAlarms provides a mock function for the type Service
+func (_mock *Service) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, session, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, session, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, session, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, session, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_ListAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAlarms'
+type Service_ListAlarms_Call struct {
+	*mock.Call
+}
+
+// ListAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - pm alarms.PageMetadata
+func (_e *Service_Expecter) ListAlarms(ctx interface{}, session interface{}, pm interface{}) *Service_ListAlarms_Call {
+	return &Service_ListAlarms_Call{Call: _e.mock.On("ListAlarms", ctx, session, pm)}
+}
+
+func (_c *Service_ListAlarms_Call) Run(run func(ctx context.Context, session authn.Session, pm alarms.PageMetadata)) *Service_ListAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 alarms.PageMetadata
+		if args[2] != nil {
+			arg2 = args[2].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_ListAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Service_ListAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Service_ListAlarms_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Service_ListAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAlarm provides a mock function for the type Service
+func (_mock *Service) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, session, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, session, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, session, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, session, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_UpdateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAlarm'
+type Service_UpdateAlarm_Call struct {
+	*mock.Call
+}
+
+// UpdateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - alarm alarms.Alarm
+func (_e *Service_Expecter) UpdateAlarm(ctx interface{}, session interface{}, alarm interface{}) *Service_UpdateAlarm_Call {
+	return &Service_UpdateAlarm_Call{Call: _e.mock.On("UpdateAlarm", ctx, session, alarm)}
+}
+
+func (_c *Service_UpdateAlarm_Call) Run(run func(ctx context.Context, session authn.Session, alarm alarms.Alarm)) *Service_UpdateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 alarms.Alarm
+		if args[2] != nil {
+			arg2 = args[2].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_UpdateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Service_UpdateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Service_UpdateAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error)) *Service_UpdateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ViewAlarm provides a mock function for the type Service
+func (_mock *Service) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, session, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ViewAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, session, id)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, session, id)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, string) error); ok {
+		r1 = returnFunc(ctx, session, id)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_ViewAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ViewAlarm'
+type Service_ViewAlarm_Call struct {
+	*mock.Call
+}
+
+// ViewAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - id string
+func (_e *Service_Expecter) ViewAlarm(ctx interface{}, session interface{}, id interface{}) *Service_ViewAlarm_Call {
+	return &Service_ViewAlarm_Call{Call: _e.mock.On("ViewAlarm", ctx, session, id)}
+}
+
+func (_c *Service_ViewAlarm_Call) Run(run func(ctx context.Context, session authn.Session, id string)) *Service_ViewAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_ViewAlarm_Call) Return(alarm alarms.Alarm, err error) *Service_ViewAlarm_Call {
+	_c.Call.Return(alarm, err)
+	return _c
+}
+
+func (_c *Service_ViewAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error)) *Service_ViewAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
@@ -0,0 +1,52 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package operations
+
+import "github.com/absmach/magistrala/pkg/permissions"
+
+const EntityType = "alarm"
+
+// Alarm Operations.
+const (
+	OpViewAlarm permissions.Operation = iota
+	OpDeleteAlarm
+	OpListAlarms
+	OpAssignAlarm
+	OpAcknowledgeAlarm
+	OpResolveAlarm
+	OpUpdateAlarm
+)
+
+func OperationDetails() map[permissions.Operation]permissions.OperationDetails {
+	return map[permissions.Operation]permissions.OperationDetails{
+		OpViewAlarm: {
+			Name:               "view",
+			PermissionRequired: true,
+		},
+		OpDeleteAlarm: {
+			Name:               "delete",
+			PermissionRequired: true,
+		},
+		OpListAlarms: {
+			Name:               "list",
+			PermissionRequired: true,
+		},
+		OpAssignAlarm: {
+			Name:               "alarm_assign",
+			PermissionRequired: true,
+		},
+		OpAcknowledgeAlarm: {
+			Name:               "alarm_acknowledge",
+			PermissionRequired: true,
+		},
+		OpResolveAlarm: {
+			Name:               "alarm_resolve",
+			PermissionRequired: true,
+		},
+		OpUpdateAlarm: {
+			Name:               "update",
+			PermissionRequired: true,
+		},
+	}
+}
@@ -0,0 +1,536 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"math"
+	"strings"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/postgres"
+	"github.com/jmoiron/sqlx"
+)
+
+const alarmColumns = `alarms.id, alarms.rule_id, alarms.domain_id, alarms.channel_id, alarms.client_id, alarms.subtopic, alarms.measurement, alarms.value, alarms.unit,
+alarms.threshold, alarms.cause, alarms.status, alarms.severity, alarms.assignee_id, alarms.created_at, alarms.updated_at, alarms.updated_by, alarms.assigned_at,
+alarms.assigned_by, alarms.acknowledged_at, alarms.acknowledged_by, alarms.resolved_at, alarms.resolved_by, alarms.metadata`
+
+type repository struct {
+	db *sqlx.DB
+}
+
+var _ alarms.Repository = (*repository)(nil)
+
+func NewAlarmsRepo(db *sqlx.DB) alarms.Repository {
+	return &repository{db: db}
+}
+
+func (r *repository) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	query := `
+	WITH existing AS (
+		SELECT status, severity
+		FROM alarms
+		WHERE domain_id = :domain_id
+			AND rule_id = :rule_id
+			AND channel_id = :channel_id
+			AND client_id = :client_id
+			AND subtopic = :subtopic
+			AND measurement = :measurement
+			AND created_at <= :created_at
+		ORDER BY created_at DESC
+		LIMIT 1
+	)
+	INSERT INTO alarms (
+		id, rule_id, domain_id, channel_id, client_id, subtopic, measurement,
+		value, unit, threshold, cause, status, severity, assignee_id,
+		created_at, updated_at, updated_by, assigned_at, assigned_by,
+		acknowledged_at, acknowledged_by, resolved_at, resolved_by, metadata
+	)
+	SELECT
+		:id, :rule_id, :domain_id, :channel_id, :client_id, :subtopic, :measurement,
+		:value, :unit, :threshold, :cause, :status, :severity, :assignee_id,
+		:created_at, :updated_at, :updated_by, :assigned_at, :assigned_by,
+		:acknowledged_at, :acknowledged_by, :resolved_at, :resolved_by, :metadata
+	WHERE (
+		EXISTS (
+			SELECT 1 FROM existing
+			WHERE existing.status IS DISTINCT FROM :status
+			OR (:status = 0 AND existing.status = 0 AND existing.severity IS DISTINCT FROM :severity)
+		)
+		OR (
+			NOT EXISTS (SELECT 1 FROM existing) AND :status = 0
+		)
+	)
+	RETURNING
+		id, rule_id, domain_id, channel_id, client_id, subtopic, measurement,
+		value, unit, threshold, cause, status, severity, created_at,
+		assignee_id, updated_at, updated_by, assigned_at, assigned_by,
+		acknowledged_at, acknowledged_by, resolved_at, resolved_by, metadata
+	;
+	`
+	dba, err := toDBAlarm(alarm)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrCreateEntity, err)
+	}
+	row, err := r.db.NamedQueryContext(ctx, query, dba)
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrCreateEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba = dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrCreateEntity, err)
+	}
+
+	return toAlarm(dba)
+}
+
+func (r *repository) UpdateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	var query []string
+	var upq string
+	if alarm.Status != 0 {
+		query = append(query, "status = :status,")
+	}
+	if alarm.AssigneeID != "" {
+		query = append(query, "assignee_id = :assignee_id,")
+	}
+	if !alarm.AssignedAt.IsZero() {
+		query = append(query, "assigned_at = :assigned_at,")
+	}
+	if alarm.AssignedBy != "" {
+		query = append(query, "assigned_by = :assigned_by,")
+	}
+	if alarm.AcknowledgedBy != "" {
+		query = append(query, "acknowledged_by = :acknowledged_by,")
+	}
+	if !alarm.AcknowledgedAt.IsZero() {
+		query = append(query, "acknowledged_at = :acknowledged_at,")
+	}
+	if alarm.ResolvedBy != "" {
+		query = append(query, "resolved_by = :resolved_by,")
+	}
+	if !alarm.ResolvedAt.IsZero() {
+		query = append(query, "resolved_at = :resolved_at,")
+	}
+	if alarm.Metadata != nil {
+		query = append(query, "metadata = :metadata,")
+	}
+	if len(query) > 0 {
+		upq = strings.Join(query, " ")
+	}
+
+	q := fmt.Sprintf(`UPDATE alarms SET %s updated_by = :updated_by, updated_at = :updated_at WHERE id = :id
+		RETURNING id, rule_id, domain_id, channel_id, client_id, subtopic, measurement, value, unit, threshold,
+		cause, status, severity, assignee_id, assigned_at, assigned_by, acknowledged_at, acknowledged_by,
+		resolved_by, resolved_at, metadata, created_at, updated_by, updated_at;`, upq)
+
+	dba, err := toDBAlarm(alarm)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrUpdateEntity, err)
+	}
+	row, err := r.db.NamedQueryContext(ctx, q, dba)
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrUpdateEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba = dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrUpdateEntity, err)
+	}
+
+	return toAlarm(dba)
+}
+
+func (r *repository) ViewAlarm(ctx context.Context, alarmID, domainID string) (alarms.Alarm, error) {
+	query := `SELECT * FROM alarms WHERE id = :id AND domain_id = :domain_id;`
+	row, err := r.db.NamedQueryContext(ctx, query, map[string]any{
+		"id": alarmID, "domain_id": domainID,
+	})
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrViewEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba := dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	alarm, err := toAlarm(dba)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	return alarm, nil
+}
+
+func (r *repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	query, err := pageQuery(pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	comQuery := fmt.Sprintf(`SELECT %s FROM alarms %s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	clauses := []string{
+		`(
+			EXISTS (
+				SELECT 1
+				FROM rules_roles rr
+				JOIN rules_role_members rrm ON rrm.role_id = rr.id
+				WHERE rr.entity_id = alarms.rule_id AND rrm.member_id = :user_id
+			)
+			OR EXISTS (
+				SELECT 1
+				FROM domains_roles dr
+				JOIN domains_role_members drm ON drm.role_id = dr.id
+				JOIN domains_role_actions dra ON dra.role_id = dr.id
+				WHERE dr.entity_id = alarms.domain_id
+					AND drm.member_id = :user_id
+					AND dra.action LIKE 'alarm%'
+			)
+		)`,
+	}
+
+	clauses = append(clauses, pageQueryConditions(pm)...)
+	query := fmt.Sprintf("WHERE %s", strings.Join(clauses, " AND "))
+	pm.UserID = userID
+	comQuery := fmt.Sprintf(`SELECT DISTINCT %s FROM alarms %s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) alarmsPage(ctx context.Context, comQuery string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	dir := api.DescDir
+	if pm.Dir == api.AscDir {
+		dir = api.AscDir
+	}
+
+	var orderClause string
+	switch pm.Order {
+	case api.CreatedAtOrder:
+		orderClause = fmt.Sprintf("ORDER BY created_at %s, id %s", dir, dir)
+	default:
+		orderClause = fmt.Sprintf("ORDER BY COALESCE(updated_at, created_at) %s, id %s", dir, dir)
+	}
+
+	q := fmt.Sprintf(`SELECT * FROM (%s) AS sub_query %s LIMIT :limit OFFSET :offset;`, comQuery, orderClause)
+	cq := fmt.Sprintf(`SELECT COUNT(*) AS total_count FROM (%s) AS sub_query;`, comQuery)
+
+	rows, err := r.db.NamedQueryContext(ctx, q, pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+	defer rows.Close()
+
+	var items []alarms.Alarm
+	for rows.Next() {
+		dba := dbAlarm{}
+		if err := rows.StructScan(&dba); err != nil {
+			return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+		}
+
+		a, err := toAlarm(dba)
+		if err != nil {
+			return alarms.AlarmsPage{}, err
+		}
+
+		items = append(items, a)
+	}
+
+	total, err := postgres.Total(ctx, r.db, cq, pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	return alarms.AlarmsPage{
+		Total:  total,
+		Offset: pm.Offset,
+		Limit:  pm.Limit,
+		Alarms: items,
+	}, nil
+}
+
+func (r *repository) DeleteAlarm(ctx context.Context, id string) error {
+	query := `DELETE FROM alarms WHERE id = :id;`
+	result, err := r.db.NamedExecContext(ctx, query, map[string]any{"id": id})
+	if err != nil {
+		return errors.Wrap(repoerr.ErrRemoveEntity, err)
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return errors.Wrap(repoerr.ErrRemoveEntity, err)
+	}
+
+	if rowsAffected == 0 {
+		return repoerr.ErrNotFound
+	}
+
+	return nil
+}
+
+type dbAlarm struct {
+	ID             string        `db:"id"`
+	RuleID         string        `db:"rule_id"`
+	DomainID       string        `db:"domain_id"`
+	ChannelID      string        `db:"channel_id"`
+	ClientID       string        `db:"client_id"`
+	Subtopic       string        `db:"subtopic"`
+	Measurement    string        `db:"measurement"`
+	Value          string        `db:"value"`
+	Unit           string        `db:"unit"`
+	Cause          string        `db:"cause"`
+	Threshold      string        `db:"threshold"`
+	Status         alarms.Status `db:"status"`
+	Severity       uint8         `db:"severity"`
+	AssigneeID     string        `db:"assignee_id"`
+	CreatedAt      time.Time     `db:"created_at"`
+	UpdatedAt      sql.NullTime  `db:"updated_at,omitempty"`
+	UpdatedBy      *string       `db:"updated_by,omitempty"`
+	AssignedAt     sql.NullTime  `db:"assigned_at,omitempty"`
+	AssignedBy     *string       `db:"assigned_by,omitempty"`
+	AcknowledgedAt sql.NullTime  `db:"acknowledged_at,omitempty"`
+	AcknowledgedBy *string       `db:"acknowledged_by,omitempty"`
+	ResolvedAt     sql.NullTime  `db:"resolved_at,omitempty"`
+	ResolvedBy     *string       `db:"resolved_by,omitempty"`
+	Metadata       []byte        `db:"metadata,omitempty"`
+}
+
+func toDBAlarm(a alarms.Alarm) (dbAlarm, error) {
+	if a.CreatedAt.IsZero() {
+		a.CreatedAt = time.Now()
+	}
+	var updatedBy *string
+	if a.UpdatedBy != "" {
+		updatedBy = &a.UpdatedBy
+	}
+	var updatedAt sql.NullTime
+	if a.UpdatedAt != (time.Time{}) {
+		updatedAt = sql.NullTime{Time: a.UpdatedAt, Valid: true}
+	}
+
+	var acknowledgedBy *string
+	if a.AcknowledgedBy != "" {
+		acknowledgedBy = &a.AcknowledgedBy
+	}
+	var acknowledgedAt sql.NullTime
+	if a.AcknowledgedAt != (time.Time{}) {
+		acknowledgedAt = sql.NullTime{Time: a.AcknowledgedAt, Valid: true}
+	}
+
+	var resolvedBy *string
+	if a.ResolvedBy != "" {
+		resolvedBy = &a.ResolvedBy
+	}
+	var resolvedAt sql.NullTime
+	if a.ResolvedAt != (time.Time{}) {
+		resolvedAt = sql.NullTime{Time: a.ResolvedAt, Valid: true}
+	}
+
+	var assignedBy *string
+	if a.AssignedBy != "" {
+		assignedBy = &a.AssignedBy
+	}
+	var assignedAt sql.NullTime
+	if a.AssignedAt != (time.Time{}) {
+		assignedAt = sql.NullTime{Time: a.AssignedAt, Valid: true}
+	}
+
+	metadata := []byte("{}")
+	if len(a.Metadata) > 0 {
+		b, err := json.Marshal(a.Metadata)
+		if err != nil {
+			return dbAlarm{}, errors.Wrap(repoerr.ErrMalformedEntity, err)
+		}
+		metadata = b
+	}
+
+	return dbAlarm{
+		ID:             a.ID,
+		RuleID:         a.RuleID,
+		DomainID:       a.DomainID,
+		ChannelID:      a.ChannelID,
+		ClientID:       a.ClientID,
+		Subtopic:       a.Subtopic,
+		Measurement:    a.Measurement,
+		Value:          a.Value,
+		Unit:           a.Unit,
+		Cause:          a.Cause,
+		Threshold:      a.Threshold,
+		Status:         a.Status,
+		Severity:       a.Severity,
+		AssigneeID:     a.AssigneeID,
+		CreatedAt:      a.CreatedAt,
+		UpdatedAt:      updatedAt,
+		UpdatedBy:      updatedBy,
+		AssignedAt:     assignedAt,
+		AssignedBy:     assignedBy,
+		AcknowledgedAt: acknowledgedAt,
+		AcknowledgedBy: acknowledgedBy,
+		ResolvedAt:     resolvedAt,
+		ResolvedBy:     resolvedBy,
+		Metadata:       metadata,
+	}, nil
+}
+
+func toAlarm(dbr dbAlarm) (alarms.Alarm, error) {
+	var updatedBy string
+	if dbr.UpdatedBy != nil {
+		updatedBy = *dbr.UpdatedBy
+	}
+	var updatedAt time.Time
+	if dbr.UpdatedAt.Valid {
+		updatedAt = dbr.UpdatedAt.Time
+	}
+
+	var assignedBy string
+	if dbr.AssignedBy != nil {
+		assignedBy = *dbr.AssignedBy
+	}
+	var assignedAt time.Time
+	if dbr.AssignedAt.Valid {
+		assignedAt = dbr.AssignedAt.Time
+	}
+
+	var acknowledgedBy string
+	if dbr.AcknowledgedBy != nil {
+		acknowledgedBy = *dbr.AcknowledgedBy
+	}
+	var acknowledgedAt time.Time
+	if dbr.AcknowledgedAt.Valid {
+		acknowledgedAt = dbr.AcknowledgedAt.Time
+	}
+
+	var resolvedBy string
+	if dbr.ResolvedBy != nil {
+		resolvedBy = *dbr.ResolvedBy
+	}
+	var resolvedAt time.Time
+	if dbr.ResolvedAt.Valid {
+		resolvedAt = dbr.ResolvedAt.Time
+	}
+
+	var metadata map[string]any
+	if len(dbr.Metadata) > 0 {
+		err := json.Unmarshal(dbr.Metadata, &metadata)
+		if err != nil {
+			return alarms.Alarm{}, errors.Wrap(repoerr.ErrMalformedEntity, err)
+		}
+	}
+
+	return alarms.Alarm{
+		ID:             dbr.ID,
+		RuleID:         dbr.RuleID,
+		DomainID:       dbr.DomainID,
+		ChannelID:      dbr.ChannelID,
+		ClientID:       dbr.ClientID,
+		Subtopic:       dbr.Subtopic,
+		Measurement:    dbr.Measurement,
+		Value:          dbr.Value,
+		Unit:           dbr.Unit,
+		Threshold:      dbr.Threshold,
+		Cause:          dbr.Cause,
+		Status:         dbr.Status,
+		Severity:       dbr.Severity,
+		AssigneeID:     dbr.AssigneeID,
+		CreatedAt:      dbr.CreatedAt,
+		UpdatedAt:      updatedAt,
+		UpdatedBy:      updatedBy,
+		AssignedAt:     assignedAt,
+		AssignedBy:     assignedBy,
+		AcknowledgedAt: acknowledgedAt,
+		AcknowledgedBy: acknowledgedBy,
+		ResolvedAt:     resolvedAt,
+		ResolvedBy:     resolvedBy,
+		Metadata:       metadata,
+	}, nil
+}
+
+func pageQuery(pm alarms.PageMetadata) (string, error) {
+	query := pageQueryConditions(pm)
+
+	var emq string
+	if len(query) > 0 {
+		emq = fmt.Sprintf("WHERE %s", strings.Join(query, " AND "))
+	}
+
+	return emq, nil
+}
+
+func pageQueryConditions(pm alarms.PageMetadata) []string {
+	var query []string
+	if pm.DomainID != "" {
+		query = append(query, "alarms.domain_id = :domain_id")
+	}
+	if pm.RuleID != "" {
+		query = append(query, "alarms.rule_id = :rule_id")
+	}
+	if pm.ChannelID != "" {
+		query = append(query, "alarms.channel_id = :channel_id")
+	}
+	if pm.Subtopic != "" {
+		query = append(query, "alarms.subtopic = :subtopic")
+	}
+	if pm.ClientID != "" {
+		query = append(query, "alarms.client_id = :client_id")
+	}
+	if pm.Measurement != "" {
+		query = append(query, "alarms.measurement = :measurement")
+	}
+	if pm.Status != alarms.AllStatus {
+		query = append(query, "alarms.status = :status")
+	}
+	if pm.Severity != math.MaxUint8 {
+		query = append(query, "alarms.severity = :severity")
+	}
+	if pm.AssigneeID != "" {
+		query = append(query, "alarms.assignee_id = :assignee_id")
+	}
+	if pm.UpdatedBy != "" {
+		query = append(query, "alarms.updated_by = :updated_by")
+	}
+	if pm.ResolvedBy != "" {
+		query = append(query, "alarms.resolved_by = :resolved_by")
+	}
+	if pm.AcknowledgedBy != "" {
+		query = append(query, "alarms.acknowledged_by = :acknowledged_by")
+	}
+	if pm.AssignedBy != "" {
+		query = append(query, "alarms.assigned_by = :assigned_by")
+	}
+	if !pm.CreatedFrom.IsZero() {
+		query = append(query, "alarms.created_at >= :created_from")
+	}
+	if !pm.CreatedTo.IsZero() {
+		query = append(query, "alarms.created_at <= :created_to")
+	}
+	return query
+}
@@ -0,0 +1,690 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres_test
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/0x6flab/namegenerator"
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/postgres"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	namegen    = namegenerator.NewGenerator()
+	idProvider = uuid.New()
+)
+
+func TestCreateAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Subtopic:    namegen.Generate(),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc:  "valid alarm",
+			alarm: alarm,
+			err:   nil,
+		},
+		{
+			desc:  "duplicate alarm",
+			alarm: alarm,
+			err:   repoerr.ErrNotFound,
+		},
+		{
+			desc: "missing rule id",
+			alarm: alarms.Alarm{
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
+				Subtopic:    namegen.Generate(),
+				Measurement: namegen.Generate(),
+				Value:       namegen.Generate(),
+				Unit:        namegen.Generate(),
+				Threshold:   namegen.Generate(),
+				Cause:       namegen.Generate(),
+				Status:      0,
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),
+
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: repoerr.ErrCreateEntity,
+		},
+		{
+			desc: "invalid alarm",
+			alarm: alarms.Alarm{
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
+				Subtopic:    namegen.Generate(),
+				Measurement: namegen.Generate(),
+				Value:       namegen.Generate(),
+				Unit:        namegen.Generate(),
+				Threshold:   namegen.Generate(),
+				Cause:       namegen.Generate(),
+				Status:      0,
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),
+
+				Metadata: map[string]any{
+					"key": make(chan int),
+				},
+			},
+			err: repoerr.ErrCreateEntity,
+		},
+		{
+			desc:  "empty alarm",
+			alarm: alarms.Alarm{},
+			err:   repoerr.ErrCreateEntity,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.CreateAlarm(context.Background(), tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.RuleID, alarm.RuleID)
+			assert.Equal(t, tc.alarm.Measurement, alarm.Measurement)
+			assert.Equal(t, tc.alarm.Value, alarm.Value)
+			assert.Equal(t, tc.alarm.Unit, alarm.Unit)
+			assert.Equal(t, tc.alarm.Cause, alarm.Cause)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+		})
+	}
+}
+
+func TestUpdateAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				ID:             alarm.ID,
+				Status:         alarms.ClearedStatus,
+				DomainID:       alarm.DomainID,
+				AssigneeID:     generateUUID(t),
+				AssignedBy:     generateUUID(t),
+				AssignedAt:     time.Now().UTC(),
+				AcknowledgedBy: generateUUID(t),
+				AcknowledgedAt: time.Now().UTC(),
+				CreatedAt:      alarm.CreatedAt,
+				UpdatedAt:      time.Now().UTC(),
+				UpdatedBy:      generateUUID(t),
+				ResolvedAt:     time.Now().UTC(),
+				ResolvedBy:     generateUUID(t),
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: nil,
+		},
+		{
+			desc: "non existing alarm",
+			alarm: alarms.Alarm{
+				ID: generateUUID(t),
+			},
+			err: repoerr.ErrNotFound,
+		},
+		{
+			desc: "invalid alarm",
+			alarm: alarms.Alarm{
+				ID:         alarm.ID,
+				RuleID:     generateUUID(t),
+				Status:     0,
+				DomainID:   generateUUID(t),
+				AssigneeID: strings.Repeat("a", 40),
+				CreatedAt:  time.Now().UTC(),
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: repoerr.ErrMalformedEntity,
+		},
+		{
+			desc:  "empty alarm",
+			alarm: alarms.Alarm{},
+			err:   repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.UpdateAlarm(context.Background(), tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.UpdatedBy, alarm.UpdatedBy)
+			assert.Equal(t, tc.alarm.ResolvedBy, alarm.ResolvedBy)
+			assert.Equal(t, tc.alarm.AcknowledgedBy, alarm.AcknowledgedBy)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+		})
+	}
+}
+
+func TestViewAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc     string
+		id       string
+		domainID string
+		err      error
+	}{
+		{
+			desc:     "valid alarm",
+			id:       alarm.ID,
+			domainID: alarm.DomainID,
+			err:      nil,
+		},
+		{
+			desc:     "non existing alarm id",
+			id:       generateUUID(t),
+			domainID: alarm.DomainID,
+			err:      repoerr.ErrNotFound,
+		},
+		{
+			desc:     "non existing domain id",
+			id:       alarm.ID,
+			domainID: generateUUID(t),
+			err:      repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.ViewAlarm(context.Background(), tc.id, tc.domainID)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.id, alarm.ID)
+		})
+	}
+}
+
+func TestListAlarms(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+	repo := postgres.NewAlarmsRepo(db)
+	items := make([]alarms.Alarm, 1000)
+	for i := range 1000 {
+		items[i] = alarms.Alarm{
+			ID:          generateUUID(t),
+			RuleID:      generateUUID(t),
+			DomainID:    generateUUID(t),
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
+			Measurement: namegen.Generate(),
+			Value:       namegen.Generate(),
+			Unit:        namegen.Generate(),
+			Threshold:   namegen.Generate(),
+			Cause:       namegen.Generate(),
+			Status:      0,
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC(),
+			Metadata: map[string]any{
+				"key": "value",
+			},
+		}
+		alarm, err := repo.CreateAlarm(context.Background(), items[i])
+		require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		items[i].ID = alarm.ID
+	}
+
+	cases := []struct {
+		desc     string
+		pm       alarms.PageMetadata
+		response []alarms.Alarm
+		err      error
+	}{
+		{
+			desc: "valid page",
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  10,
+			},
+			response: items[:10],
+			err:      nil,
+		},
+		{
+			desc: "offset and limit",
+			pm: alarms.PageMetadata{
+				Offset: 10,
+				Limit:  50,
+			},
+			response: items[10:60],
+			err:      nil,
+		},
+		{
+			desc:     "empty page",
+			pm:       alarms.PageMetadata{},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+		{
+			desc: "invalid page",
+			pm: alarms.PageMetadata{
+				Offset: 1000,
+				Limit:  10,
+			},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+		{
+			desc: "invalid assignee id",
+			pm: alarms.PageMetadata{
+				Offset:     0,
+				Limit:      10,
+				AssigneeID: generateUUID(t),
+			},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarms, err := repo.ListAllAlarms(context.Background(), tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Equal(t, len(tc.response), len(alarms.Alarms))
+		})
+	}
+}
+
+func TestListUserAlarms(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM domains_role_actions")
+		require.Nil(t, err, fmt.Sprintf("clean domains_role_actions unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains_role_members")
+		require.Nil(t, err, fmt.Sprintf("clean domains_role_members unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains_roles")
+		require.Nil(t, err, fmt.Sprintf("clean domains_roles unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains")
+		require.Nil(t, err, fmt.Sprintf("clean domains unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM rules")
+		require.Nil(t, err, fmt.Sprintf("clean rules unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	domainID := generateUUID(t)
+	domainRoute := generateUUID(t)
+	userID := generateUUID(t)
+	otherUserID := generateUUID(t)
+	adminUserID := generateUUID(t)
+	domainUserID := generateUUID(t)
+
+	_, err := db.Exec(`INSERT INTO domains (id, name, route, status) VALUES ($1, $2, $3, $4)`, domainID, namegen.Generate(), domainRoute, 0)
+	require.Nil(t, err, fmt.Sprintf("insert domains unexpected error: %s", err))
+
+	// Create 10 rules and 10 alarms referencing them.
+	// Assign userID to the first 6 rules via role membership.
+	var ruleIDs []string
+	var createdAlarms []alarms.Alarm
+	for i := range 10 {
+		ruleID := generateUUID(t)
+		_, err := db.Exec(`INSERT INTO rules (id, name, domain_id, status, logic_type, logic_value) VALUES ($1, $2, $3, 0, 0, '')`,
+			ruleID, fmt.Sprintf("rule-%d", i), domainID)
+		require.Nil(t, err, fmt.Sprintf("insert rule unexpected error: %s", err))
+		ruleIDs = append(ruleIDs, ruleID)
+
+		alarm := alarms.Alarm{
+			ID:          generateUUID(t),
+			RuleID:      ruleID,
+			DomainID:    domainID,
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
+			Measurement: namegen.Generate(),
+			Value:       namegen.Generate(),
+			Unit:        namegen.Generate(),
+			Threshold:   namegen.Generate(),
+			Cause:       namegen.Generate(),
+			Status:      0,
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC().Add(time.Duration(i) * time.Minute),
+		}
+		alarm, err = repo.CreateAlarm(context.Background(), alarm)
+		require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		createdAlarms = append(createdAlarms, alarm)
+	}
+
+	// Assign userID to the first 6 rules via rules_roles + rules_role_members.
+	userRoleIDs := make([]string, 6)
+	for i := range 6 {
+		roleID := generateUUID(t)
+		userRoleIDs[i] = roleID
+		_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		_, err = db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, userID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	for i := range 10 {
+		var roleID string
+		if i < 6 {
+			roleID = userRoleIDs[i]
+		} else {
+			roleID = generateUUID(t)
+			_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+			require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		}
+		_, err := db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, adminUserID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	domainRoleID := generateUUID(t)
+	_, err = db.Exec(`INSERT INTO domains_roles (id, name, entity_id) VALUES ($1, $2, $3)`, domainRoleID, "admin", domainID)
+	require.Nil(t, err, fmt.Sprintf("insert domains_roles unexpected error: %s", err))
+	_, err = db.Exec(`INSERT INTO domains_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, domainRoleID, domainUserID, domainID)
+	require.Nil(t, err, fmt.Sprintf("insert domains_role_members unexpected error: %s", err))
+	_, err = db.Exec(`INSERT INTO domains_role_actions (role_id, action) VALUES ($1, $2)`, domainRoleID, "alarm_read")
+	require.Nil(t, err, fmt.Sprintf("insert domains_role_actions unexpected error: %s", err))
+
+	_ = createdAlarms
+
+	cases := []struct {
+		desc   string
+		userID string
+		pm     alarms.PageMetadata
+		count  int
+		err    error
+	}{
+		{
+			desc:   "list user alarms returns only accessible alarms",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with limit",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  3,
+			},
+			count: 3,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with offset",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 4,
+				Limit:  100,
+			},
+			count: 2,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with domain filter",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: domainID,
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with non-existing domain returns 0",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: generateUUID(t),
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for user with no role assignments returns 0",
+			userID: otherUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for admin user with role on all rules returns all alarms",
+			userID: adminUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 10,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for user with domain-level rule access returns all alarms",
+			userID: domainUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 10,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms ordered by created_at ascending",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+				Order:  "created_at",
+				Dir:    "asc",
+			},
+			count: 6,
+			err:   nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			page, err := repo.ListUserAlarms(context.Background(), tc.userID, tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+				return
+			}
+			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Equal(t, tc.count, len(page.Alarms), fmt.Sprintf("%s: expected %d alarms, got %d", tc.desc, tc.count, len(page.Alarms)))
+		})
+	}
+}
+
+func TestDeleteAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc string
+		id   string
+		err  error
+	}{
+		{
+			desc: "valid alarm",
+			id:   alarm.ID,
+			err:  nil,
+		},
+		{
+			desc: "non existing alarm",
+			id:   generateUUID(t),
+			err:  repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			err := repo.DeleteAlarm(context.Background(), tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		})
+	}
+}
+
+func generateUUID(t *testing.T) string {
+	ulid, err := idProvider.ID()
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+	return ulid
+}
@@ -0,0 +1,65 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres
+
+import (
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	rpostgres "github.com/absmach/magistrala/re/postgres"
+	_ "github.com/jackc/pgx/v5/stdlib" // required for SQL access
+	migrate "github.com/rubenv/sql-migrate"
+)
+
+// Migration of Alarms service.
+func Migration() (*migrate.MemoryMigrationSource, error) {
+	alarmsMigration := &migrate.MemoryMigrationSource{
+		Migrations: []*migrate.Migration{
+			{
+				Id: "alarms_01",
+				// VARCHAR(36) for columns with IDs as UUIDS have a maximum of 36 characters
+				Up: []string{
+					`CREATE TABLE IF NOT EXISTS alarms (
+						id         	    VARCHAR(36) PRIMARY KEY,
+						rule_id		    VARCHAR(36) NOT NULL CHECK (length(rule_id) > 0),
+						domain_id	    VARCHAR(36) NOT NULL,
+						channel_id	    VARCHAR(36) NOT NULL,
+						subtopic        TEXT NOT NULL,
+						client_id	    VARCHAR(36) NOT NULL,
+						measurement	    TEXT NOT NULL,
+						value		    TEXT NOT NULL,
+						unit		    TEXT NOT NULL,
+						threshold	    TEXT NOT NULL,
+						cause	    	TEXT NOT NULL,
+						status          SMALLINT NOT NULL DEFAULT 0 CHECK (status >= 0),
+						severity        SMALLINT NOT NULL DEFAULT 0 CHECK (severity >= 0),
+						assignee_id	    VARCHAR(36),
+						created_at	    TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
+						updated_at	    TIMESTAMPTZ NULL,
+						updated_by	    VARCHAR(36) NULL,
+						assigned_at	    TIMESTAMPTZ NULL,
+						assigned_by	    VARCHAR(36) NULL,
+						acknowledged_at	TIMESTAMPTZ NULL,
+						acknowledged_by	VARCHAR(36) NULL,
+						resolved_at	    TIMESTAMPTZ NULL,
+						resolved_by	    VARCHAR(36) NULL,
+						metadata	    JSONB
+					);`,
+					"CREATE INDEX IF NOT EXISTS idx_alarms_state ON alarms (domain_id, rule_id, channel_id, subtopic, client_id, measurement, created_at DESC);",
+				},
+				Down: []string{
+					`DROP TABLE IF EXISTS alarms`,
+				},
+			},
+		},
+	}
+
+	rulesMigration, err := rpostgres.Migration()
+	if err != nil {
+		return &migrate.MemoryMigrationSource{}, errors.Wrap(repoerr.ErrRoleMigration, err)
+	}
+
+	alarmsMigration.Migrations = append(alarmsMigration.Migrations, rulesMigration.Migrations...)
+
+	return alarmsMigration, nil
+}
@@ -0,0 +1,97 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres_test
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+	"testing"
+	"time"
+
+	apostgres "github.com/absmach/magistrala/alarms/postgres"
+	"github.com/absmach/magistrala/pkg/postgres"
+	"github.com/jmoiron/sqlx"
+	dockertest "github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"go.opentelemetry.io/otel"
+)
+
+var (
+	db       *sqlx.DB
+	database postgres.Database
+	tracer   = otel.Tracer("repo_tests")
+)
+
+func TestMain(m *testing.M) {
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		log.Fatalf("Could not connect to docker: %s", err)
+	}
+
+	container, err := pool.RunWithOptions(&dockertest.RunOptions{
+		Repository: "postgres",
+		Tag:        "16.2-alpine",
+		Env: []string{
+			"POSTGRES_USER=test",
+			"POSTGRES_PASSWORD=test",
+			"POSTGRES_DB=test",
+			"listen_addresses = '*'",
+		},
+	}, func(config *docker.HostConfig) {
+		config.AutoRemove = true
+		config.RestartPolicy = docker.RestartPolicy{Name: "no"}
+	})
+	if err != nil {
+		log.Fatalf("Could not start container: %s", err)
+	}
+
+	port := container.GetPort("5432/tcp")
+
+	// exponential backoff-retry, because the application in the container might not be ready to accept connections yet
+	pool.MaxWait = 120 * time.Second
+	if err := pool.Retry(func() error {
+		url := fmt.Sprintf("host=localhost port=%s user=test dbname=test password=test sslmode=disable", port)
+		db, err := sql.Open("pgx", url)
+		if err != nil {
+			return err
+		}
+		return db.Ping()
+	}); err != nil {
+		log.Fatalf("Could not connect to docker: %s", err)
+	}
+
+	dbConfig := postgres.Config{
+		Host:        "localhost",
+		Port:        port,
+		User:        "test",
+		Pass:        "test",
+		Name:        "test",
+		SSLMode:     "disable",
+		SSLCert:     "",
+		SSLKey:      "",
+		SSLRootCert: "",
+	}
+
+	migration, err := apostgres.Migration()
+	if err != nil {
+		log.Fatalf("Could not get migration: %s", err)
+	}
+	if db, err = postgres.Setup(dbConfig, *migration); err != nil {
+		log.Fatalf("Could not setup test DB connection: %s", err)
+	}
+
+	database = postgres.NewDatabase(db, dbConfig, tracer)
+
+	code := m.Run()
+
+	// Defers will not be run when using os.Exit
+	db.Close()
+	if err := pool.Purge(container); err != nil {
+		log.Fatalf("Could not purge container: %s", err)
+	}
+
+	os.Exit(code)
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"context"
+	"time"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/pkg/authn"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+)
+
+type service struct {
+	idp  magistrala.IDProvider
+	repo Repository
+}
+
+var _ Service = (*service)(nil)
+
+func NewService(idp magistrala.IDProvider, repo Repository) Service {
+	return &service{
+		idp:  idp,
+		repo: repo,
+	}
+}
+
+func (s *service) CreateAlarm(ctx context.Context, alarm Alarm) error {
+	id, err := s.idp.ID()
+	if err != nil {
+		return err
+	}
+	alarm.ID = id
+	if alarm.CreatedAt.IsZero() {
+		alarm.CreatedAt = time.Now()
+	}
+
+	if err := alarm.Validate(); err != nil {
+		return err
+	}
+
+	if _, err = s.repo.CreateAlarm(ctx, alarm); err != nil && err != repoerr.ErrNotFound {
+		return err
+	}
+
+	return nil
+}
+
+func (s *service) ViewAlarm(ctx context.Context, session authn.Session, alarmID string) (Alarm, error) {
+	return s.repo.ViewAlarm(ctx, alarmID, session.DomainID)
+}
+
+func (s *service) ListAlarms(ctx context.Context, session authn.Session, pm PageMetadata) (AlarmsPage, error) {
+	if session.SuperAdmin {
+		return s.repo.ListAllAlarms(ctx, pm)
+	}
+	return s.repo.ListUserAlarms(ctx, session.UserID, pm)
+}
+
+func (s *service) DeleteAlarm(ctx context.Context, session authn.Session, alarmID string) error {
+	return s.repo.DeleteAlarm(ctx, alarmID)
+}
+
+func (s *service) UpdateAlarm(ctx context.Context, session authn.Session, alarm Alarm) (Alarm, error) {
+	alarm.UpdatedAt = time.Now()
+	alarm.UpdatedBy = session.UserID
+
+	return s.repo.UpdateAlarm(ctx, alarm)
+}
@@ -0,0 +1,254 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/mocks"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+var idp = uuid.New()
+
+func newService(t *testing.T, repo *mocks.Repository) alarms.Service {
+	return alarms.NewService(idp, repo)
+}
+
+func TestCreateAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+	ts := time.Now()
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+				CreatedAt:   ts,
+			},
+			err: nil,
+		},
+		{
+			desc: "missing rule_id",
+			alarm: alarms.Alarm{
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+				CreatedAt:   ts,
+			},
+			err: errors.New("rule_id is required"),
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			repoCall := repo.On("CreateAlarm", context.Background(), mock.Anything).Return(tc.alarm, tc.err)
+			err := svc.CreateAlarm(context.Background(), tc.alarm)
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestViewAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc     string
+		id       string
+		domainID string
+		err      error
+	}{
+		{
+			desc:     "valid alarm",
+			id:       "alarm-id",
+			domainID: "domain-id",
+			err:      nil,
+		},
+		{
+			desc:     "non existing alarm id",
+			id:       "alarm-id",
+			domainID: "domain-id",
+			err:      repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.domainID}
+			repoCall := repo.On("ViewAlarm", context.Background(), tc.id, tc.domainID).Return(alarms.Alarm{}, tc.err)
+			_, err := svc.ViewAlarm(context.Background(), s, tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestUpdateAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: nil,
+		},
+		{
+			desc: "non existing alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.alarm.DomainID}
+			repoCall := repo.On("UpdateAlarm", context.Background(), mock.Anything).Return(tc.alarm, tc.err)
+			_, err := svc.UpdateAlarm(context.Background(), s, tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestListAlarms(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc string
+		pm   alarms.PageMetadata
+		page alarms.AlarmsPage
+		err  error
+	}{
+		{
+			desc: "valid page",
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  10,
+			},
+			page: alarms.AlarmsPage{
+				Offset: 0,
+				Limit:  10,
+				Total:  10,
+				Alarms: []alarms.Alarm{},
+			},
+			err: nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.pm.DomainID}
+			repoCall := repo.On("ListUserAlarms", context.Background(), s.UserID, tc.pm).Return(tc.page, tc.err)
+			_, err := svc.ListAlarms(context.Background(), s, tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestDeleteAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc string
+		id   string
+		err  error
+	}{
+		{
+			desc: "valid alarm",
+			id:   "alarm-id",
+			err:  nil,
+		},
+		{
+			desc: "non existing alarm",
+			id:   "alarm-id",
+			err:  repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.id}
+			repoCall := repo.On("DeleteAlarm", context.Background(), tc.id).Return(tc.err)
+			err := svc.DeleteAlarm(context.Background(), s, tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"encoding/json"
+	"strings"
+
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+)
+
+type Status uint8
+
+const (
+	ActiveStatus Status = iota
+	ClearedStatus
+
+	// AllStatus is used for querying purposes to list alarms irrespective
+	// of their status. It is never stored in the database as the actual
+	// Alarm status and should always be the largest value in this enumeration.
+	AllStatus
+)
+
+const (
+	Active  = "active"
+	Cleared = "cleared"
+	Unknown = "unknown"
+	All     = "all"
+)
+
+// String converts alarm status to string literal.
+func (s Status) String() string {
+	switch s {
+	case ActiveStatus:
+		return Active
+	case ClearedStatus:
+		return Cleared
+	default:
+		return Unknown
+	}
+}
+
+// ToStatus converts string value to a valid Alarm status.
+func ToStatus(status string) (Status, error) {
+	switch strings.ToLower(status) {
+	case Active:
+		return ActiveStatus, nil
+	case Cleared:
+		return ClearedStatus, nil
+	case All:
+		return AllStatus, nil
+	default:
+		return Status(0), svcerr.ErrInvalidStatus
+	}
+}
+
+// Custom Marshaller for Alarm.
+func (s Status) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.String())
+}
+
+// Custom Unmarshaler for Alarm.
+func (s *Status) UnmarshalJSON(data []byte) error {
+	str := strings.Trim(string(data), "\"")
+	val, err := ToStatus(str)
+	*s = val
+
+	return err
+}
@@ -1,7 +1,7 @@
 // Copyright (c) Abstract Machines
 // SPDX-License-Identifier: Apache-2.0

-package supermq
+package magistrala

 // Response contains HTTP response specific methods.
 type Response interface {
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: auth/v1/auth.proto

@@ -70,10 +70,11 @@ func (x *AuthNReq) GetToken() string {

 type AuthNRes struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
-	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                              // token id
-	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`        // user id
-	UserRole      uint32                 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"` // user role
-	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`                 // verified user
+	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	UserRole      uint32                 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"`
+	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`
+	TokenType     uint32                 `protobuf:"varint,5,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -136,24 +137,216 @@ func (x *AuthNRes) GetVerified() bool {
 	return false
 }

-type AuthZReq struct {
+func (x *AuthNRes) GetTokenType() uint32 {
+	if x != nil {
+		return x.TokenType
+	}
+	return 0
+}
+
+type PolicyReq struct {
 	state           protoimpl.MessageState `protogen:"open.v1"`
-	Domain          string                 `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`                                          // Domain
-	SubjectType     string                 `protobuf:"bytes,2,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"`             // Client or User
-	SubjectKind     string                 `protobuf:"bytes,3,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"`             // ID or Token
-	SubjectRelation string                 `protobuf:"bytes,4,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"` // Subject relation
-	Subject         string                 `protobuf:"bytes,5,opt,name=subject,proto3" json:"subject,omitempty"`                                        // Subject value (id or token, depending on kind)
-	Relation        string                 `protobuf:"bytes,6,opt,name=relation,proto3" json:"relation,omitempty"`                                      // Relation to filter
-	Permission      string                 `protobuf:"bytes,7,opt,name=permission,proto3" json:"permission,omitempty"`                                  // Action
-	Object          string                 `protobuf:"bytes,8,opt,name=object,proto3" json:"object,omitempty"`                                          // Object ID
-	ObjectType      string                 `protobuf:"bytes,9,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"`                // Client, User, Group
+	Domain          string                 `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	SubjectType     string                 `protobuf:"bytes,2,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"`
+	SubjectKind     string                 `protobuf:"bytes,3,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"`
+	SubjectRelation string                 `protobuf:"bytes,4,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"`
+	Subject         string                 `protobuf:"bytes,5,opt,name=subject,proto3" json:"subject,omitempty"`
+	Relation        string                 `protobuf:"bytes,6,opt,name=relation,proto3" json:"relation,omitempty"`
+	Permission      string                 `protobuf:"bytes,7,opt,name=permission,proto3" json:"permission,omitempty"`
+	Object          string                 `protobuf:"bytes,8,opt,name=object,proto3" json:"object,omitempty"`
+	ObjectType      string                 `protobuf:"bytes,9,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"`
 	unknownFields   protoimpl.UnknownFields
 	sizeCache       protoimpl.SizeCache
 }

+func (x *PolicyReq) Reset() {
+	*x = PolicyReq{}
+	mi := &file_auth_v1_auth_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PolicyReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PolicyReq) ProtoMessage() {}
+
+func (x *PolicyReq) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_v1_auth_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PolicyReq.ProtoReflect.Descriptor instead.
+func (*PolicyReq) Descriptor() ([]byte, []int) {
+	return file_auth_v1_auth_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *PolicyReq) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetSubjectType() string {
+	if x != nil {
+		return x.SubjectType
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetSubjectKind() string {
+	if x != nil {
+		return x.SubjectKind
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetSubjectRelation() string {
+	if x != nil {
+		return x.SubjectRelation
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetSubject() string {
+	if x != nil {
+		return x.Subject
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetRelation() string {
+	if x != nil {
+		return x.Relation
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetPermission() string {
+	if x != nil {
+		return x.Permission
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetObject() string {
+	if x != nil {
+		return x.Object
+	}
+	return ""
+}
+
+func (x *PolicyReq) GetObjectType() string {
+	if x != nil {
+		return x.ObjectType
+	}
+	return ""
+}
+
+type PATReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	PatId         string                 `protobuf:"bytes,1,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"`
+	Domain        string                 `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+	Operation     string                 `protobuf:"bytes,3,opt,name=operation,proto3" json:"operation,omitempty"`
+	UserId        string                 `protobuf:"bytes,4,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	EntityId      string                 `protobuf:"bytes,5,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	EntityType    string                 `protobuf:"bytes,6,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PATReq) Reset() {
+	*x = PATReq{}
+	mi := &file_auth_v1_auth_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PATReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PATReq) ProtoMessage() {}
+
+func (x *PATReq) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_v1_auth_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PATReq.ProtoReflect.Descriptor instead.
+func (*PATReq) Descriptor() ([]byte, []int) {
+	return file_auth_v1_auth_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *PATReq) GetPatId() string {
+	if x != nil {
+		return x.PatId
+	}
+	return ""
+}
+
+func (x *PATReq) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+func (x *PATReq) GetOperation() string {
+	if x != nil {
+		return x.Operation
+	}
+	return ""
+}
+
+func (x *PATReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
+func (x *PATReq) GetEntityId() string {
+	if x != nil {
+		return x.EntityId
+	}
+	return ""
+}
+
+func (x *PATReq) GetEntityType() string {
+	if x != nil {
+		return x.EntityType
+	}
+	return ""
+}
+
+type AuthZReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	PolicyReq     *PolicyReq             `protobuf:"bytes,1,opt,name=policy_req,json=policyReq,proto3" json:"policy_req,omitempty"`
+	PatReq        *PATReq                `protobuf:"bytes,2,opt,name=pat_req,json=patReq,proto3,oneof" json:"pat_req,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
 func (x *AuthZReq) Reset() {
 	*x = AuthZReq{}
-	mi := &file_auth_v1_auth_proto_msgTypes[2]
+	mi := &file_auth_v1_auth_proto_msgTypes[4]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -165,7 +358,7 @@ func (x *AuthZReq) String() string {
 func (*AuthZReq) ProtoMessage() {}

 func (x *AuthZReq) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_v1_auth_proto_msgTypes[2]
+	mi := &file_auth_v1_auth_proto_msgTypes[4]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -178,154 +371,21 @@ func (x *AuthZReq) ProtoReflect() protoreflect.Message {

 // Deprecated: Use AuthZReq.ProtoReflect.Descriptor instead.
 func (*AuthZReq) Descriptor() ([]byte, []int) {
-	return file_auth_v1_auth_proto_rawDescGZIP(), []int{2}
+	return file_auth_v1_auth_proto_rawDescGZIP(), []int{4}
 }

-func (x *AuthZReq) GetDomain() string {
+func (x *AuthZReq) GetPolicyReq() *PolicyReq {
 	if x != nil {
-		return x.Domain
+		return x.PolicyReq
 	}
-	return ""
+	return nil
 }

-func (x *AuthZReq) GetSubjectType() string {
+func (x *AuthZReq) GetPatReq() *PATReq {
 	if x != nil {
-		return x.SubjectType
+		return x.PatReq
 	}
-	return ""
-}
-
-func (x *AuthZReq) GetSubjectKind() string {
-	if x != nil {
-		return x.SubjectKind
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetSubjectRelation() string {
-	if x != nil {
-		return x.SubjectRelation
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetSubject() string {
-	if x != nil {
-		return x.Subject
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetRelation() string {
-	if x != nil {
-		return x.Relation
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetPermission() string {
-	if x != nil {
-		return x.Permission
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetObject() string {
-	if x != nil {
-		return x.Object
-	}
-	return ""
-}
-
-func (x *AuthZReq) GetObjectType() string {
-	if x != nil {
-		return x.ObjectType
-	}
-	return ""
-}
-
-type AuthZPatReq struct {
-	state            protoimpl.MessageState `protogen:"open.v1"`
-	UserId           string                 `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`                                 // User id
-	PatId            string                 `protobuf:"bytes,2,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"`                                    // Pat id
-	EntityType       uint32                 `protobuf:"varint,3,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"`                    // Entity type
-	OptionalDomainId string                 `protobuf:"bytes,4,opt,name=optional_domain_id,json=optionalDomainId,proto3" json:"optional_domain_id,omitempty"` // Optional domain id
-	Operation        uint32                 `protobuf:"varint,6,opt,name=operation,proto3" json:"operation,omitempty"`                                        // Operation
-	EntityId         string                 `protobuf:"bytes,7,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`                           // EntityID
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
-}
-
-func (x *AuthZPatReq) Reset() {
-	*x = AuthZPatReq{}
-	mi := &file_auth_v1_auth_proto_msgTypes[3]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *AuthZPatReq) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*AuthZPatReq) ProtoMessage() {}
-
-func (x *AuthZPatReq) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_v1_auth_proto_msgTypes[3]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use AuthZPatReq.ProtoReflect.Descriptor instead.
-func (*AuthZPatReq) Descriptor() ([]byte, []int) {
-	return file_auth_v1_auth_proto_rawDescGZIP(), []int{3}
-}
-
-func (x *AuthZPatReq) GetUserId() string {
-	if x != nil {
-		return x.UserId
-	}
-	return ""
-}
-
-func (x *AuthZPatReq) GetPatId() string {
-	if x != nil {
-		return x.PatId
-	}
-	return ""
-}
-
-func (x *AuthZPatReq) GetEntityType() uint32 {
-	if x != nil {
-		return x.EntityType
-	}
-	return 0
-}
-
-func (x *AuthZPatReq) GetOptionalDomainId() string {
-	if x != nil {
-		return x.OptionalDomainId
-	}
-	return ""
-}
-
-func (x *AuthZPatReq) GetOperation() uint32 {
-	if x != nil {
-		return x.Operation
-	}
-	return 0
-}
-
-func (x *AuthZPatReq) GetEntityId() string {
-	if x != nil {
-		return x.EntityId
-	}
-	return ""
+	return nil
 }

 type AuthZRes struct {
@@ -338,7 +398,7 @@ type AuthZRes struct {

 func (x *AuthZRes) Reset() {
 	*x = AuthZRes{}
-	mi := &file_auth_v1_auth_proto_msgTypes[4]
+	mi := &file_auth_v1_auth_proto_msgTypes[5]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -350,7 +410,7 @@ func (x *AuthZRes) String() string {
 func (*AuthZRes) ProtoMessage() {}

 func (x *AuthZRes) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_v1_auth_proto_msgTypes[4]
+	mi := &file_auth_v1_auth_proto_msgTypes[5]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -363,7 +423,7 @@ func (x *AuthZRes) ProtoReflect() protoreflect.Message {

 // Deprecated: Use AuthZRes.ProtoReflect.Descriptor instead.
 func (*AuthZRes) Descriptor() ([]byte, []int) {
-	return file_auth_v1_auth_proto_rawDescGZIP(), []int{4}
+	return file_auth_v1_auth_proto_rawDescGZIP(), []int{5}
 }

 func (x *AuthZRes) GetAuthorized() bool {
@@ -386,13 +446,15 @@ const file_auth_v1_auth_proto_rawDesc = "" +
 	"\n" +
 	"\x12auth/v1/auth.proto\x12\aauth.v1\" \n" +
 	"\bAuthNReq\x12\x14\n" +
-	"\x05token\x18\x01 \x01(\tR\x05token\"l\n" +
+	"\x05token\x18\x01 \x01(\tR\x05token\"\x8b\x01\n" +
 	"\bAuthNRes\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\x12\x17\n" +
 	"\auser_id\x18\x02 \x01(\tR\x06userId\x12\x1b\n" +
 	"\tuser_role\x18\x03 \x01(\rR\buserRole\x12\x1a\n" +
-	"\bverified\x18\x04 \x01(\bR\bverified\"\xa2\x02\n" +
-	"\bAuthZReq\x12\x16\n" +
+	"\bverified\x18\x04 \x01(\bR\bverified\x12\x1d\n" +
+	"\n" +
+	"token_type\x18\x05 \x01(\rR\ttokenType\"\xa3\x02\n" +
+	"\tPolicyReq\x12\x16\n" +
 	"\x06domain\x18\x01 \x01(\tR\x06domain\x12!\n" +
 	"\fsubject_type\x18\x02 \x01(\tR\vsubjectType\x12!\n" +
 	"\fsubject_kind\x18\x03 \x01(\tR\vsubjectKind\x12)\n" +
@@ -404,25 +466,29 @@ const file_auth_v1_auth_proto_rawDesc = "" +
 	"permission\x12\x16\n" +
 	"\x06object\x18\b \x01(\tR\x06object\x12\x1f\n" +
 	"\vobject_type\x18\t \x01(\tR\n" +
-	"objectType\"\xc7\x01\n" +
-	"\vAuthZPatReq\x12\x17\n" +
-	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x15\n" +
-	"\x06pat_id\x18\x02 \x01(\tR\x05patId\x12\x1f\n" +
-	"\ventity_type\x18\x03 \x01(\rR\n" +
-	"entityType\x12,\n" +
-	"\x12optional_domain_id\x18\x04 \x01(\tR\x10optionalDomainId\x12\x1c\n" +
-	"\toperation\x18\x06 \x01(\rR\toperation\x12\x1b\n" +
-	"\tentity_id\x18\a \x01(\tR\bentityId\":\n" +
+	"objectType\"\xac\x01\n" +
+	"\x06PATReq\x12\x15\n" +
+	"\x06pat_id\x18\x01 \x01(\tR\x05patId\x12\x16\n" +
+	"\x06domain\x18\x02 \x01(\tR\x06domain\x12\x1c\n" +
+	"\toperation\x18\x03 \x01(\tR\toperation\x12\x17\n" +
+	"\auser_id\x18\x04 \x01(\tR\x06userId\x12\x1b\n" +
+	"\tentity_id\x18\x05 \x01(\tR\bentityId\x12\x1f\n" +
+	"\ventity_type\x18\x06 \x01(\tR\n" +
+	"entityType\"x\n" +
+	"\bAuthZReq\x121\n" +
+	"\n" +
+	"policy_req\x18\x01 \x01(\v2\x12.auth.v1.PolicyReqR\tpolicyReq\x12-\n" +
+	"\apat_req\x18\x02 \x01(\v2\x0f.auth.v1.PATReqH\x00R\x06patReq\x88\x01\x01B\n" +
+	"\n" +
+	"\b_pat_req\":\n" +
 	"\bAuthZRes\x12\x1e\n" +
 	"\n" +
 	"authorized\x18\x01 \x01(\bR\n" +
 	"authorized\x12\x0e\n" +
-	"\x02id\x18\x02 \x01(\tR\x02id2\xf0\x01\n" +
+	"\x02id\x18\x02 \x01(\tR\x02id2z\n" +
 	"\vAuthService\x123\n" +
-	"\tAuthorize\x12\x11.auth.v1.AuthZReq\x1a\x11.auth.v1.AuthZRes\"\x00\x129\n" +
-	"\fAuthorizePAT\x12\x14.auth.v1.AuthZPatReq\x1a\x11.auth.v1.AuthZRes\"\x00\x126\n" +
-	"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00\x129\n" +
-	"\x0fAuthenticatePAT\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B-Z+github.com/absmach/supermq/api/grpc/auth/v1b\x06proto3"
+	"\tAuthorize\x12\x11.auth.v1.AuthZReq\x1a\x11.auth.v1.AuthZRes\"\x00\x126\n" +
+	"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B0Z.github.com/absmach/magistrala/api/grpc/auth/v1b\x06proto3"

 var (
 	file_auth_v1_auth_proto_rawDescOnce sync.Once
@@ -436,28 +502,27 @@ func file_auth_v1_auth_proto_rawDescGZIP() []byte {
 	return file_auth_v1_auth_proto_rawDescData
 }

-var file_auth_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_auth_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
 var file_auth_v1_auth_proto_goTypes = []any{
-	(*AuthNReq)(nil),    // 0: auth.v1.AuthNReq
-	(*AuthNRes)(nil),    // 1: auth.v1.AuthNRes
-	(*AuthZReq)(nil),    // 2: auth.v1.AuthZReq
-	(*AuthZPatReq)(nil), // 3: auth.v1.AuthZPatReq
-	(*AuthZRes)(nil),    // 4: auth.v1.AuthZRes
+	(*AuthNReq)(nil),  // 0: auth.v1.AuthNReq
+	(*AuthNRes)(nil),  // 1: auth.v1.AuthNRes
+	(*PolicyReq)(nil), // 2: auth.v1.PolicyReq
+	(*PATReq)(nil),    // 3: auth.v1.PATReq
+	(*AuthZReq)(nil),  // 4: auth.v1.AuthZReq
+	(*AuthZRes)(nil),  // 5: auth.v1.AuthZRes
 }
 var file_auth_v1_auth_proto_depIdxs = []int32{
-	2, // 0: auth.v1.AuthService.Authorize:input_type -> auth.v1.AuthZReq
-	3, // 1: auth.v1.AuthService.AuthorizePAT:input_type -> auth.v1.AuthZPatReq
-	0, // 2: auth.v1.AuthService.Authenticate:input_type -> auth.v1.AuthNReq
-	0, // 3: auth.v1.AuthService.AuthenticatePAT:input_type -> auth.v1.AuthNReq
-	4, // 4: auth.v1.AuthService.Authorize:output_type -> auth.v1.AuthZRes
-	4, // 5: auth.v1.AuthService.AuthorizePAT:output_type -> auth.v1.AuthZRes
-	1, // 6: auth.v1.AuthService.Authenticate:output_type -> auth.v1.AuthNRes
-	1, // 7: auth.v1.AuthService.AuthenticatePAT:output_type -> auth.v1.AuthNRes
-	4, // [4:8] is the sub-list for method output_type
-	0, // [0:4] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	2, // 0: auth.v1.AuthZReq.policy_req:type_name -> auth.v1.PolicyReq
+	3, // 1: auth.v1.AuthZReq.pat_req:type_name -> auth.v1.PATReq
+	4, // 2: auth.v1.AuthService.Authorize:input_type -> auth.v1.AuthZReq
+	0, // 3: auth.v1.AuthService.Authenticate:input_type -> auth.v1.AuthNReq
+	5, // 4: auth.v1.AuthService.Authorize:output_type -> auth.v1.AuthZRes
+	1, // 5: auth.v1.AuthService.Authenticate:output_type -> auth.v1.AuthNRes
+	4, // [4:6] is the sub-list for method output_type
+	2, // [2:4] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
 }

 func init() { file_auth_v1_auth_proto_init() }
@@ -465,13 +530,14 @@ func file_auth_v1_auth_proto_init() {
 	if File_auth_v1_auth_proto != nil {
 		return
 	}
+	file_auth_v1_auth_proto_msgTypes[4].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_auth_v1_auth_proto_rawDesc), len(file_auth_v1_auth_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   5,
+			NumMessages:   6,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: auth/v1/auth.proto

@@ -22,10 +22,8 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	AuthService_Authorize_FullMethodName       = "/auth.v1.AuthService/Authorize"
-	AuthService_AuthorizePAT_FullMethodName    = "/auth.v1.AuthService/AuthorizePAT"
-	AuthService_Authenticate_FullMethodName    = "/auth.v1.AuthService/Authenticate"
-	AuthService_AuthenticatePAT_FullMethodName = "/auth.v1.AuthService/AuthenticatePAT"
+	AuthService_Authorize_FullMethodName    = "/auth.v1.AuthService/Authorize"
+	AuthService_Authenticate_FullMethodName = "/auth.v1.AuthService/Authenticate"
 )

 // AuthServiceClient is the client API for AuthService service.
@@ -33,12 +31,10 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // AuthService is a service that provides authentication
-// and authorization functionalities for SuperMQ services.
+// and authorization functionalities for Magistrala services.
 type AuthServiceClient interface {
 	Authorize(ctx context.Context, in *AuthZReq, opts ...grpc.CallOption) (*AuthZRes, error)
-	AuthorizePAT(ctx context.Context, in *AuthZPatReq, opts ...grpc.CallOption) (*AuthZRes, error)
 	Authenticate(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error)
-	AuthenticatePAT(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error)
 }

 type authServiceClient struct {
@@ -59,16 +55,6 @@ func (c *authServiceClient) Authorize(ctx context.Context, in *AuthZReq, opts ..
 	return out, nil
 }

-func (c *authServiceClient) AuthorizePAT(ctx context.Context, in *AuthZPatReq, opts ...grpc.CallOption) (*AuthZRes, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(AuthZRes)
-	err := c.cc.Invoke(ctx, AuthService_AuthorizePAT_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *authServiceClient) Authenticate(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(AuthNRes)
@@ -79,27 +65,15 @@ func (c *authServiceClient) Authenticate(ctx context.Context, in *AuthNReq, opts
 	return out, nil
 }

-func (c *authServiceClient) AuthenticatePAT(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(AuthNRes)
-	err := c.cc.Invoke(ctx, AuthService_AuthenticatePAT_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 // AuthServiceServer is the server API for AuthService service.
 // All implementations must embed UnimplementedAuthServiceServer
 // for forward compatibility.
 //
 // AuthService is a service that provides authentication
-// and authorization functionalities for SuperMQ services.
+// and authorization functionalities for Magistrala services.
 type AuthServiceServer interface {
 	Authorize(context.Context, *AuthZReq) (*AuthZRes, error)
-	AuthorizePAT(context.Context, *AuthZPatReq) (*AuthZRes, error)
 	Authenticate(context.Context, *AuthNReq) (*AuthNRes, error)
-	AuthenticatePAT(context.Context, *AuthNReq) (*AuthNRes, error)
 	mustEmbedUnimplementedAuthServiceServer()
 }

@@ -111,16 +85,10 @@ type AuthServiceServer interface {
 type UnimplementedAuthServiceServer struct{}

 func (UnimplementedAuthServiceServer) Authorize(context.Context, *AuthZReq) (*AuthZRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authorize not implemented")
-}
-func (UnimplementedAuthServiceServer) AuthorizePAT(context.Context, *AuthZPatReq) (*AuthZRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method AuthorizePAT not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authorize not implemented")
 }
 func (UnimplementedAuthServiceServer) Authenticate(context.Context, *AuthNReq) (*AuthNRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
-}
-func (UnimplementedAuthServiceServer) AuthenticatePAT(context.Context, *AuthNReq) (*AuthNRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method AuthenticatePAT not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authenticate not implemented")
 }
 func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
 func (UnimplementedAuthServiceServer) testEmbeddedByValue()                     {}
@@ -133,7 +101,7 @@ type UnsafeAuthServiceServer interface {
 }

 func RegisterAuthServiceServer(s grpc.ServiceRegistrar, srv AuthServiceServer) {
-	// If the following call pancis, it indicates UnimplementedAuthServiceServer was
+	// If the following call panics, it indicates UnimplementedAuthServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -161,24 +129,6 @@ func _AuthService_Authorize_Handler(srv interface{}, ctx context.Context, dec fu
 	return interceptor(ctx, in, info, handler)
 }

-func _AuthService_AuthorizePAT_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(AuthZPatReq)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(AuthServiceServer).AuthorizePAT(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: AuthService_AuthorizePAT_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(AuthServiceServer).AuthorizePAT(ctx, req.(*AuthZPatReq))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _AuthService_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(AuthNReq)
 	if err := dec(in); err != nil {
@@ -197,24 +147,6 @@ func _AuthService_Authenticate_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }

-func _AuthService_AuthenticatePAT_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(AuthNReq)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(AuthServiceServer).AuthenticatePAT(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: AuthService_AuthenticatePAT_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(AuthServiceServer).AuthenticatePAT(ctx, req.(*AuthNReq))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 // AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -226,18 +158,10 @@ var AuthService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Authorize",
 			Handler:    _AuthService_Authorize_Handler,
 		},
-		{
-			MethodName: "AuthorizePAT",
-			Handler:    _AuthService_AuthorizePAT_Handler,
-		},
 		{
 			MethodName: "Authenticate",
 			Handler:    _AuthService_Authenticate_Handler,
 		},
-		{
-			MethodName: "AuthenticatePAT",
-			Handler:    _AuthService_AuthenticatePAT_Handler,
-		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "auth/v1/auth.proto",
@@ -0,0 +1,228 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.0
+// source: certs/v1/certs.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type EntityReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SerialNumber  string                 `protobuf:"bytes,1,opt,name=serial_number,json=serialNumber,proto3" json:"serial_number,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *EntityReq) Reset() {
+	*x = EntityReq{}
+	mi := &file_certs_v1_certs_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *EntityReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EntityReq) ProtoMessage() {}
+
+func (x *EntityReq) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EntityReq.ProtoReflect.Descriptor instead.
+func (*EntityReq) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *EntityReq) GetSerialNumber() string {
+	if x != nil {
+		return x.SerialNumber
+	}
+	return ""
+}
+
+type EntityRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	EntityId      string                 `protobuf:"bytes,1,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *EntityRes) Reset() {
+	*x = EntityRes{}
+	mi := &file_certs_v1_certs_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *EntityRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EntityRes) ProtoMessage() {}
+
+func (x *EntityRes) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EntityRes.ProtoReflect.Descriptor instead.
+func (*EntityRes) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *EntityRes) GetEntityId() string {
+	if x != nil {
+		return x.EntityId
+	}
+	return ""
+}
+
+type RevokeReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	EntityId      string                 `protobuf:"bytes,1,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeReq) Reset() {
+	*x = RevokeReq{}
+	mi := &file_certs_v1_certs_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeReq) ProtoMessage() {}
+
+func (x *RevokeReq) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeReq.ProtoReflect.Descriptor instead.
+func (*RevokeReq) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *RevokeReq) GetEntityId() string {
+	if x != nil {
+		return x.EntityId
+	}
+	return ""
+}
+
+var File_certs_v1_certs_proto protoreflect.FileDescriptor
+
+const file_certs_v1_certs_proto_rawDesc = "" +
+	"\n" +
+	"\x14certs/v1/certs.proto\x12\rabsmach.certs\x1a\x1bgoogle/protobuf/empty.proto\"0\n" +
+	"\tEntityReq\x12#\n" +
+	"\rserial_number\x18\x01 \x01(\tR\fserialNumber\"(\n" +
+	"\tEntityRes\x12\x1b\n" +
+	"\tentity_id\x18\x01 \x01(\tR\bentityId\"(\n" +
+	"\tRevokeReq\x12\x1b\n" +
+	"\tentity_id\x18\x01 \x01(\tR\bentityId2\x96\x01\n" +
+	"\fCertsService\x12C\n" +
+	"\vGetEntityID\x12\x18.absmach.certs.EntityReq\x1a\x18.absmach.certs.EntityRes\"\x00\x12A\n" +
+	"\vRevokeCerts\x12\x18.absmach.certs.RevokeReq\x1a\x16.google.protobuf.Empty\"\x00B1Z/github.com/absmach/magistrala/api/grpc/certs/v1b\x06proto3"
+
+var (
+	file_certs_v1_certs_proto_rawDescOnce sync.Once
+	file_certs_v1_certs_proto_rawDescData []byte
+)
+
+func file_certs_v1_certs_proto_rawDescGZIP() []byte {
+	file_certs_v1_certs_proto_rawDescOnce.Do(func() {
+		file_certs_v1_certs_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_certs_v1_certs_proto_rawDesc), len(file_certs_v1_certs_proto_rawDesc)))
+	})
+	return file_certs_v1_certs_proto_rawDescData
+}
+
+var file_certs_v1_certs_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_certs_v1_certs_proto_goTypes = []any{
+	(*EntityReq)(nil),     // 0: absmach.certs.EntityReq
+	(*EntityRes)(nil),     // 1: absmach.certs.EntityRes
+	(*RevokeReq)(nil),     // 2: absmach.certs.RevokeReq
+	(*emptypb.Empty)(nil), // 3: google.protobuf.Empty
+}
+var file_certs_v1_certs_proto_depIdxs = []int32{
+	0, // 0: absmach.certs.CertsService.GetEntityID:input_type -> absmach.certs.EntityReq
+	2, // 1: absmach.certs.CertsService.RevokeCerts:input_type -> absmach.certs.RevokeReq
+	1, // 2: absmach.certs.CertsService.GetEntityID:output_type -> absmach.certs.EntityRes
+	3, // 3: absmach.certs.CertsService.RevokeCerts:output_type -> google.protobuf.Empty
+	2, // [2:4] is the sub-list for method output_type
+	0, // [0:2] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_certs_v1_certs_proto_init() }
+func file_certs_v1_certs_proto_init() {
+	if File_certs_v1_certs_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_certs_v1_certs_proto_rawDesc), len(file_certs_v1_certs_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   3,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_certs_v1_certs_proto_goTypes,
+		DependencyIndexes: file_certs_v1_certs_proto_depIdxs,
+		MessageInfos:      file_certs_v1_certs_proto_msgTypes,
+	}.Build()
+	File_certs_v1_certs_proto = out.File
+	file_certs_v1_certs_proto_goTypes = nil
+	file_certs_v1_certs_proto_depIdxs = nil
+}
@@ -0,0 +1,163 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.0
+// - protoc             v6.33.0
+// source: certs/v1/certs.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	CertsService_GetEntityID_FullMethodName = "/absmach.certs.CertsService/GetEntityID"
+	CertsService_RevokeCerts_FullMethodName = "/absmach.certs.CertsService/RevokeCerts"
+)
+
+// CertsServiceClient is the client API for CertsService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type CertsServiceClient interface {
+	GetEntityID(ctx context.Context, in *EntityReq, opts ...grpc.CallOption) (*EntityRes, error)
+	RevokeCerts(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*emptypb.Empty, error)
+}
+
+type certsServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCertsServiceClient(cc grpc.ClientConnInterface) CertsServiceClient {
+	return &certsServiceClient{cc}
+}
+
+func (c *certsServiceClient) GetEntityID(ctx context.Context, in *EntityReq, opts ...grpc.CallOption) (*EntityRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(EntityRes)
+	err := c.cc.Invoke(ctx, CertsService_GetEntityID_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certsServiceClient) RevokeCerts(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, CertsService_RevokeCerts_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// CertsServiceServer is the server API for CertsService service.
+// All implementations must embed UnimplementedCertsServiceServer
+// for forward compatibility.
+type CertsServiceServer interface {
+	GetEntityID(context.Context, *EntityReq) (*EntityRes, error)
+	RevokeCerts(context.Context, *RevokeReq) (*emptypb.Empty, error)
+	mustEmbedUnimplementedCertsServiceServer()
+}
+
+// UnimplementedCertsServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedCertsServiceServer struct{}
+
+func (UnimplementedCertsServiceServer) GetEntityID(context.Context, *EntityReq) (*EntityRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetEntityID not implemented")
+}
+func (UnimplementedCertsServiceServer) RevokeCerts(context.Context, *RevokeReq) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method RevokeCerts not implemented")
+}
+func (UnimplementedCertsServiceServer) mustEmbedUnimplementedCertsServiceServer() {}
+func (UnimplementedCertsServiceServer) testEmbeddedByValue()                      {}
+
+// UnsafeCertsServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to CertsServiceServer will
+// result in compilation errors.
+type UnsafeCertsServiceServer interface {
+	mustEmbedUnimplementedCertsServiceServer()
+}
+
+func RegisterCertsServiceServer(s grpc.ServiceRegistrar, srv CertsServiceServer) {
+	// If the following call panics, it indicates UnimplementedCertsServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&CertsService_ServiceDesc, srv)
+}
+
+func _CertsService_GetEntityID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EntityReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertsServiceServer).GetEntityID(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: CertsService_GetEntityID_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertsServiceServer).GetEntityID(ctx, req.(*EntityReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertsService_RevokeCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertsServiceServer).RevokeCerts(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: CertsService_RevokeCerts_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertsServiceServer).RevokeCerts(ctx, req.(*RevokeReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// CertsService_ServiceDesc is the grpc.ServiceDesc for CertsService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var CertsService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "absmach.certs.CertsService",
+	HandlerType: (*CertsServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetEntityID",
+			Handler:    _CertsService_GetEntityID_Handler,
+		},
+		{
+			MethodName: "RevokeCerts",
+			Handler:    _CertsService_RevokeCerts_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "certs/v1/certs.proto",
+}
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: channels/v1/channels.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -333,7 +333,7 @@ const file_channels_v1_channels_proto_rawDesc = "" +
 	"\x17RemoveClientConnections\x12'.channels.v1.RemoveClientConnectionsReq\x1a'.channels.v1.RemoveClientConnectionsRes\"\x00\x12|\n" +
 	"\x1cUnsetParentGroupFromChannels\x12,.channels.v1.UnsetParentGroupFromChannelsReq\x1a,.channels.v1.UnsetParentGroupFromChannelsRes\"\x00\x12N\n" +
 	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00\x12T\n" +
-	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B1Z/github.com/absmach/supermq/api/grpc/channels/v1b\x06proto3"
+	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B4Z2github.com/absmach/magistrala/api/grpc/channels/v1b\x06proto3"

 var (
 	file_channels_v1_channels_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: channels/v1/channels.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -119,19 +119,19 @@ type ChannelsServiceServer interface {
 type UnimplementedChannelsServiceServer struct{}

 func (UnimplementedChannelsServiceServer) Authorize(context.Context, *AuthzReq) (*AuthzRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authorize not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authorize not implemented")
 }
 func (UnimplementedChannelsServiceServer) RemoveClientConnections(context.Context, *RemoveClientConnectionsReq) (*RemoveClientConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveClientConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveClientConnections not implemented")
 }
 func (UnimplementedChannelsServiceServer) UnsetParentGroupFromChannels(context.Context, *UnsetParentGroupFromChannelsReq) (*UnsetParentGroupFromChannelsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UnsetParentGroupFromChannels not implemented")
+	return nil, status.Error(codes.Unimplemented, "method UnsetParentGroupFromChannels not implemented")
 }
 func (UnimplementedChannelsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedChannelsServiceServer) RetrieveIDByRoute(context.Context, *v1.RetrieveIDByRouteReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
 }
 func (UnimplementedChannelsServiceServer) mustEmbedUnimplementedChannelsServiceServer() {}
 func (UnimplementedChannelsServiceServer) testEmbeddedByValue()                         {}
@@ -144,7 +144,7 @@ type UnsafeChannelsServiceServer interface {
 }

 func RegisterChannelsServiceServer(s grpc.ServiceRegistrar, srv ChannelsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedChannelsServiceServer was
+	// If the following call panics, it indicates UnimplementedChannelsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: clients/v1/clients.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -306,7 +306,7 @@ const file_clients_v1_clients_proto_rawDesc = "" +
 	"\x0eAddConnections\x12\x1c.common.v1.AddConnectionsReq\x1a\x1c.common.v1.AddConnectionsRes\"\x00\x12W\n" +
 	"\x11RemoveConnections\x12\x1f.common.v1.RemoveConnectionsReq\x1a\x1f.common.v1.RemoveConnectionsRes\"\x00\x12n\n" +
 	"\x18RemoveChannelConnections\x12'.clients.v1.RemoveChannelConnectionsReq\x1a'.clients.v1.RemoveChannelConnectionsRes\"\x00\x12t\n" +
-	"\x1aUnsetParentGroupFromClient\x12).clients.v1.UnsetParentGroupFromClientReq\x1a).clients.v1.UnsetParentGroupFromClientRes\"\x00B0Z.github.com/absmach/supermq/api/grpc/clients/v1b\x06proto3"
+	"\x1aUnsetParentGroupFromClient\x12).clients.v1.UnsetParentGroupFromClientReq\x1a).clients.v1.UnsetParentGroupFromClientRes\"\x00B3Z1github.com/absmach/magistrala/api/grpc/clients/v1b\x06proto3"

 var (
 	file_clients_v1_clients_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: clients/v1/clients.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -37,7 +37,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // ClientsService is a service that provides clients
-// authorization functionalities for SuperMQ services.
+// authorization functionalities for Magistrala services.
 type ClientsServiceClient interface {
 	// Authorize checks if the client is authorized to perform
 	Authenticate(ctx context.Context, in *AuthnReq, opts ...grpc.CallOption) (*AuthnRes, error)
@@ -132,7 +132,7 @@ func (c *clientsServiceClient) UnsetParentGroupFromClient(ctx context.Context, i
 // for forward compatibility.
 //
 // ClientsService is a service that provides clients
-// authorization functionalities for SuperMQ services.
+// authorization functionalities for Magistrala services.
 type ClientsServiceServer interface {
 	// Authorize checks if the client is authorized to perform
 	Authenticate(context.Context, *AuthnReq) (*AuthnRes, error)
@@ -153,25 +153,25 @@ type ClientsServiceServer interface {
 type UnimplementedClientsServiceServer struct{}

 func (UnimplementedClientsServiceServer) Authenticate(context.Context, *AuthnReq) (*AuthnRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authenticate not implemented")
 }
 func (UnimplementedClientsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedClientsServiceServer) RetrieveEntities(context.Context, *v1.RetrieveEntitiesReq) (*v1.RetrieveEntitiesRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntities not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntities not implemented")
 }
 func (UnimplementedClientsServiceServer) AddConnections(context.Context, *v1.AddConnectionsReq) (*v1.AddConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method AddConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method AddConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) RemoveConnections(context.Context, *v1.RemoveConnectionsReq) (*v1.RemoveConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) RemoveChannelConnections(context.Context, *RemoveChannelConnectionsReq) (*RemoveChannelConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveChannelConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveChannelConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) UnsetParentGroupFromClient(context.Context, *UnsetParentGroupFromClientReq) (*UnsetParentGroupFromClientRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UnsetParentGroupFromClient not implemented")
+	return nil, status.Error(codes.Unimplemented, "method UnsetParentGroupFromClient not implemented")
 }
 func (UnimplementedClientsServiceServer) mustEmbedUnimplementedClientsServiceServer() {}
 func (UnimplementedClientsServiceServer) testEmbeddedByValue()                        {}
@@ -184,7 +184,7 @@ type UnsafeClientsServiceServer interface {
 }

 func RegisterClientsServiceServer(s grpc.ServiceRegistrar, srv ClientsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedClientsServiceServer was
+	// If the following call panics, it indicates UnimplementedClientsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: common/v1/common.proto

@@ -626,7 +626,7 @@ const file_common_v1_common_proto_rawDesc = "" +
 	"\x04type\x18\x04 \x01(\rR\x04type\"I\n" +
 	"\x14RetrieveIDByRouteReq\x12\x14\n" +
 	"\x05route\x18\x01 \x01(\tR\x05route\x12\x1b\n" +
-	"\tdomain_id\x18\x02 \x01(\tR\bdomainIdB/Z-github.com/absmach/supermq/api/grpc/common/v1b\x06proto3"
+	"\tdomain_id\x18\x02 \x01(\tR\bdomainIdB2Z0github.com/absmach/magistrala/api/grpc/common/v1b\x06proto3"

 var (
 	file_common_v1_common_proto_rawDescOnce sync.Once
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: domains/v1/domains.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -126,7 +126,7 @@ const file_domains_v1_domains_proto_rawDesc = "" +
 	"\x0eDomainsService\x12O\n" +
 	"\x15DeleteUserFromDomains\x12\x19.domains.v1.DeleteUserReq\x1a\x19.domains.v1.DeleteUserRes\"\x00\x12N\n" +
 	"\x0eRetrieveStatus\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00\x12T\n" +
-	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B5Z3github.com/absmach/supermq/internal/grpc/domains/v1b\x06proto3"
+	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B8Z6github.com/absmach/magistrala/internal/grpc/domains/v1b\x06proto3"

 var (
 	file_domains_v1_domains_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: domains/v1/domains.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -33,7 +33,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // DomainsService is a service that provides access to
-// domains functionalities for SuperMQ services.
+// domains functionalities for Magistrala services.
 type DomainsServiceClient interface {
 	DeleteUserFromDomains(ctx context.Context, in *DeleteUserReq, opts ...grpc.CallOption) (*DeleteUserRes, error)
 	RetrieveStatus(ctx context.Context, in *v1.RetrieveEntityReq, opts ...grpc.CallOption) (*v1.RetrieveEntityRes, error)
@@ -83,7 +83,7 @@ func (c *domainsServiceClient) RetrieveIDByRoute(ctx context.Context, in *v1.Ret
 // for forward compatibility.
 //
 // DomainsService is a service that provides access to
-// domains functionalities for SuperMQ services.
+// domains functionalities for Magistrala services.
 type DomainsServiceServer interface {
 	DeleteUserFromDomains(context.Context, *DeleteUserReq) (*DeleteUserRes, error)
 	RetrieveStatus(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error)
@@ -99,13 +99,13 @@ type DomainsServiceServer interface {
 type UnimplementedDomainsServiceServer struct{}

 func (UnimplementedDomainsServiceServer) DeleteUserFromDomains(context.Context, *DeleteUserReq) (*DeleteUserRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteUserFromDomains not implemented")
+	return nil, status.Error(codes.Unimplemented, "method DeleteUserFromDomains not implemented")
 }
 func (UnimplementedDomainsServiceServer) RetrieveStatus(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveStatus not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveStatus not implemented")
 }
 func (UnimplementedDomainsServiceServer) RetrieveIDByRoute(context.Context, *v1.RetrieveIDByRouteReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
 }
 func (UnimplementedDomainsServiceServer) mustEmbedUnimplementedDomainsServiceServer() {}
 func (UnimplementedDomainsServiceServer) testEmbeddedByValue()                        {}
@@ -118,7 +118,7 @@ type UnsafeDomainsServiceServer interface {
 }

 func RegisterDomainsServiceServer(s grpc.ServiceRegistrar, srv DomainsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedDomainsServiceServer was
+	// If the following call panics, it indicates UnimplementedDomainsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: groups/v1/groups.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -30,7 +30,7 @@ const file_groups_v1_groups_proto_rawDesc = "" +
 	"\n" +
 	"\x16groups/v1/groups.proto\x12\tgroups.v1\x1a\x16common/v1/common.proto2_\n" +
 	"\rGroupsService\x12N\n" +
-	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B/Z-github.com/absmach/supermq/api/grpc/groups/v1b\x06proto3"
+	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B2Z0github.com/absmach/magistrala/api/grpc/groups/v1b\x06proto3"

 var file_groups_v1_groups_proto_goTypes = []any{
 	(*v1.RetrieveEntityReq)(nil), // 0: common.v1.RetrieveEntityReq
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: groups/v1/groups.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -31,7 +31,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // GroupssService is a service that provides groups
-// functionalities for SuperMQ services.
+// functionalities for Magistrala services.
 type GroupsServiceClient interface {
 	RetrieveEntity(ctx context.Context, in *v1.RetrieveEntityReq, opts ...grpc.CallOption) (*v1.RetrieveEntityRes, error)
 }
@@ -59,7 +59,7 @@ func (c *groupsServiceClient) RetrieveEntity(ctx context.Context, in *v1.Retriev
 // for forward compatibility.
 //
 // GroupssService is a service that provides groups
-// functionalities for SuperMQ services.
+// functionalities for Magistrala services.
 type GroupsServiceServer interface {
 	RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error)
 	mustEmbedUnimplementedGroupsServiceServer()
@@ -73,7 +73,7 @@ type GroupsServiceServer interface {
 type UnimplementedGroupsServiceServer struct{}

 func (UnimplementedGroupsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedGroupsServiceServer) mustEmbedUnimplementedGroupsServiceServer() {}
 func (UnimplementedGroupsServiceServer) testEmbeddedByValue()                       {}
@@ -86,7 +86,7 @@ type UnsafeGroupsServiceServer interface {
 }

 func RegisterGroupsServiceServer(s grpc.ServiceRegistrar, srv GroupsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedGroupsServiceServer was
+	// If the following call panics, it indicates UnimplementedGroupsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -0,0 +1,873 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.0
+// source: readers/v1/readers.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Aggregation defines supported data aggregations.
+type Aggregation int32
+
+const (
+	Aggregation_AGGREGATION_UNSPECIFIED Aggregation = 0
+	Aggregation_AGGREGATION_MAX         Aggregation = 1
+	Aggregation_AGGREGATION_MIN         Aggregation = 2
+	Aggregation_AGGREGATION_SUM         Aggregation = 3
+	Aggregation_AGGREGATION_COUNT       Aggregation = 4
+	Aggregation_AGGREGATION_AVG         Aggregation = 5
+)
+
+// Enum value maps for Aggregation.
+var (
+	Aggregation_name = map[int32]string{
+		0: "AGGREGATION_UNSPECIFIED",
+		1: "AGGREGATION_MAX",
+		2: "AGGREGATION_MIN",
+		3: "AGGREGATION_SUM",
+		4: "AGGREGATION_COUNT",
+		5: "AGGREGATION_AVG",
+	}
+	Aggregation_value = map[string]int32{
+		"AGGREGATION_UNSPECIFIED": 0,
+		"AGGREGATION_MAX":         1,
+		"AGGREGATION_MIN":         2,
+		"AGGREGATION_SUM":         3,
+		"AGGREGATION_COUNT":       4,
+		"AGGREGATION_AVG":         5,
+	}
+)
+
+func (x Aggregation) Enum() *Aggregation {
+	p := new(Aggregation)
+	*p = x
+	return p
+}
+
+func (x Aggregation) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Aggregation) Descriptor() protoreflect.EnumDescriptor {
+	return file_readers_v1_readers_proto_enumTypes[0].Descriptor()
+}
+
+func (Aggregation) Type() protoreflect.EnumType {
+	return &file_readers_v1_readers_proto_enumTypes[0]
+}
+
+func (x Aggregation) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Aggregation.Descriptor instead.
+func (Aggregation) EnumDescriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{0}
+}
+
+type PageMetadata struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Limit         uint64                 `protobuf:"varint,1,opt,name=limit,proto3" json:"limit,omitempty"`
+	Offset        uint64                 `protobuf:"varint,2,opt,name=offset,proto3" json:"offset,omitempty"`
+	Protocol      string                 `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	Name          string                 `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	Value         float64                `protobuf:"fixed64,5,opt,name=value,proto3" json:"value,omitempty"`
+	Publisher     string                 `protobuf:"bytes,6,opt,name=publisher,proto3" json:"publisher,omitempty"`
+	BoolValue     bool                   `protobuf:"varint,7,opt,name=bool_value,json=boolValue,proto3" json:"bool_value,omitempty"`
+	StringValue   string                 `protobuf:"bytes,8,opt,name=string_value,json=stringValue,proto3" json:"string_value,omitempty"`
+	DataValue     string                 `protobuf:"bytes,9,opt,name=data_value,json=dataValue,proto3" json:"data_value,omitempty"`
+	From          float64                `protobuf:"fixed64,10,opt,name=from,proto3" json:"from,omitempty"`
+	To            float64                `protobuf:"fixed64,11,opt,name=to,proto3" json:"to,omitempty"`
+	Subtopic      string                 `protobuf:"bytes,12,opt,name=subtopic,proto3" json:"subtopic,omitempty"`
+	Interval      string                 `protobuf:"bytes,13,opt,name=interval,proto3" json:"interval,omitempty"`
+	Read          bool                   `protobuf:"varint,14,opt,name=read,proto3" json:"read,omitempty"`
+	Aggregation   Aggregation            `protobuf:"varint,15,opt,name=aggregation,proto3,enum=readers.v1.Aggregation" json:"aggregation,omitempty"`
+	Comparator    string                 `protobuf:"bytes,16,opt,name=comparator,proto3" json:"comparator,omitempty"`
+	Format        string                 `protobuf:"bytes,17,opt,name=format,proto3" json:"format,omitempty"`
+	Order         string                 `protobuf:"bytes,18,opt,name=order,proto3" json:"order,omitempty"`
+	Dir           string                 `protobuf:"bytes,19,opt,name=dir,proto3" json:"dir,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PageMetadata) Reset() {
+	*x = PageMetadata{}
+	mi := &file_readers_v1_readers_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PageMetadata) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PageMetadata) ProtoMessage() {}
+
+func (x *PageMetadata) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PageMetadata.ProtoReflect.Descriptor instead.
+func (*PageMetadata) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *PageMetadata) GetLimit() uint64 {
+	if x != nil {
+		return x.Limit
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetOffset() uint64 {
+	if x != nil {
+		return x.Offset
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetValue() float64 {
+	if x != nil {
+		return x.Value
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetPublisher() string {
+	if x != nil {
+		return x.Publisher
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetBoolValue() bool {
+	if x != nil {
+		return x.BoolValue
+	}
+	return false
+}
+
+func (x *PageMetadata) GetStringValue() string {
+	if x != nil {
+		return x.StringValue
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetDataValue() string {
+	if x != nil {
+		return x.DataValue
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetFrom() float64 {
+	if x != nil {
+		return x.From
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetTo() float64 {
+	if x != nil {
+		return x.To
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetSubtopic() string {
+	if x != nil {
+		return x.Subtopic
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetInterval() string {
+	if x != nil {
+		return x.Interval
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetRead() bool {
+	if x != nil {
+		return x.Read
+	}
+	return false
+}
+
+func (x *PageMetadata) GetAggregation() Aggregation {
+	if x != nil {
+		return x.Aggregation
+	}
+	return Aggregation_AGGREGATION_UNSPECIFIED
+}
+
+func (x *PageMetadata) GetComparator() string {
+	if x != nil {
+		return x.Comparator
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetFormat() string {
+	if x != nil {
+		return x.Format
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetOrder() string {
+	if x != nil {
+		return x.Order
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetDir() string {
+	if x != nil {
+		return x.Dir
+	}
+	return ""
+}
+
+type ReadMessagesRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Total         uint64                 `protobuf:"varint,1,opt,name=total,proto3" json:"total,omitempty"`
+	PageMetadata  *PageMetadata          `protobuf:"bytes,2,opt,name=page_metadata,json=pageMetadata,proto3" json:"page_metadata,omitempty"`
+	Messages      []*Message             `protobuf:"bytes,3,rep,name=messages,proto3" json:"messages,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReadMessagesRes) Reset() {
+	*x = ReadMessagesRes{}
+	mi := &file_readers_v1_readers_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReadMessagesRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReadMessagesRes) ProtoMessage() {}
+
+func (x *ReadMessagesRes) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReadMessagesRes.ProtoReflect.Descriptor instead.
+func (*ReadMessagesRes) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *ReadMessagesRes) GetTotal() uint64 {
+	if x != nil {
+		return x.Total
+	}
+	return 0
+}
+
+func (x *ReadMessagesRes) GetPageMetadata() *PageMetadata {
+	if x != nil {
+		return x.PageMetadata
+	}
+	return nil
+}
+
+func (x *ReadMessagesRes) GetMessages() []*Message {
+	if x != nil {
+		return x.Messages
+	}
+	return nil
+}
+
+type Message struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Payload:
+	//
+	//	*Message_Senml
+	//	*Message_Json
+	Payload       isMessage_Payload `protobuf_oneof:"payload"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Message) Reset() {
+	*x = Message{}
+	mi := &file_readers_v1_readers_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Message) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Message) ProtoMessage() {}
+
+func (x *Message) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Message.ProtoReflect.Descriptor instead.
+func (*Message) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *Message) GetPayload() isMessage_Payload {
+	if x != nil {
+		return x.Payload
+	}
+	return nil
+}
+
+func (x *Message) GetSenml() *SenMLMessage {
+	if x != nil {
+		if x, ok := x.Payload.(*Message_Senml); ok {
+			return x.Senml
+		}
+	}
+	return nil
+}
+
+func (x *Message) GetJson() *JsonMessage {
+	if x != nil {
+		if x, ok := x.Payload.(*Message_Json); ok {
+			return x.Json
+		}
+	}
+	return nil
+}
+
+type isMessage_Payload interface {
+	isMessage_Payload()
+}
+
+type Message_Senml struct {
+	Senml *SenMLMessage `protobuf:"bytes,1,opt,name=senml,proto3,oneof"`
+}
+
+type Message_Json struct {
+	Json *JsonMessage `protobuf:"bytes,2,opt,name=json,proto3,oneof"`
+}
+
+func (*Message_Senml) isMessage_Payload() {}
+
+func (*Message_Json) isMessage_Payload() {}
+
+type BaseMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Channel       string                 `protobuf:"bytes,1,opt,name=channel,proto3" json:"channel,omitempty"`
+	Subtopic      string                 `protobuf:"bytes,2,opt,name=subtopic,proto3" json:"subtopic,omitempty"`
+	Publisher     string                 `protobuf:"bytes,3,opt,name=publisher,proto3" json:"publisher,omitempty"`
+	Protocol      string                 `protobuf:"bytes,4,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *BaseMessage) Reset() {
+	*x = BaseMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *BaseMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*BaseMessage) ProtoMessage() {}
+
+func (x *BaseMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use BaseMessage.ProtoReflect.Descriptor instead.
+func (*BaseMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *BaseMessage) GetChannel() string {
+	if x != nil {
+		return x.Channel
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetSubtopic() string {
+	if x != nil {
+		return x.Subtopic
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetPublisher() string {
+	if x != nil {
+		return x.Publisher
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+type SenMLMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Base          *BaseMessage           `protobuf:"bytes,1,opt,name=base,proto3" json:"base,omitempty"`
+	Name          string                 `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Unit          string                 `protobuf:"bytes,3,opt,name=unit,proto3" json:"unit,omitempty"`
+	Time          float64                `protobuf:"fixed64,4,opt,name=time,proto3" json:"time,omitempty"`
+	UpdateTime    float64                `protobuf:"fixed64,5,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	Value         *float64               `protobuf:"fixed64,6,opt,name=value,proto3,oneof" json:"value,omitempty"`
+	StringValue   *string                `protobuf:"bytes,7,opt,name=string_value,json=stringValue,proto3,oneof" json:"string_value,omitempty"`
+	DataValue     *string                `protobuf:"bytes,8,opt,name=data_value,json=dataValue,proto3,oneof" json:"data_value,omitempty"`
+	BoolValue     *bool                  `protobuf:"varint,9,opt,name=bool_value,json=boolValue,proto3,oneof" json:"bool_value,omitempty"`
+	Sum           *float64               `protobuf:"fixed64,10,opt,name=sum,proto3,oneof" json:"sum,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SenMLMessage) Reset() {
+	*x = SenMLMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SenMLMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SenMLMessage) ProtoMessage() {}
+
+func (x *SenMLMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SenMLMessage.ProtoReflect.Descriptor instead.
+func (*SenMLMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SenMLMessage) GetBase() *BaseMessage {
+	if x != nil {
+		return x.Base
+	}
+	return nil
+}
+
+func (x *SenMLMessage) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetUnit() string {
+	if x != nil {
+		return x.Unit
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetTime() float64 {
+	if x != nil {
+		return x.Time
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetUpdateTime() float64 {
+	if x != nil {
+		return x.UpdateTime
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetValue() float64 {
+	if x != nil && x.Value != nil {
+		return *x.Value
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetStringValue() string {
+	if x != nil && x.StringValue != nil {
+		return *x.StringValue
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetDataValue() string {
+	if x != nil && x.DataValue != nil {
+		return *x.DataValue
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetBoolValue() bool {
+	if x != nil && x.BoolValue != nil {
+		return *x.BoolValue
+	}
+	return false
+}
+
+func (x *SenMLMessage) GetSum() float64 {
+	if x != nil && x.Sum != nil {
+		return *x.Sum
+	}
+	return 0
+}
+
+type JsonMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Base          *BaseMessage           `protobuf:"bytes,1,opt,name=base,proto3" json:"base,omitempty"`
+	Created       int64                  `protobuf:"varint,2,opt,name=created,proto3" json:"created,omitempty"`
+	Payload       []byte                 `protobuf:"bytes,3,opt,name=payload,proto3" json:"payload,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *JsonMessage) Reset() {
+	*x = JsonMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *JsonMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*JsonMessage) ProtoMessage() {}
+
+func (x *JsonMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use JsonMessage.ProtoReflect.Descriptor instead.
+func (*JsonMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *JsonMessage) GetBase() *BaseMessage {
+	if x != nil {
+		return x.Base
+	}
+	return nil
+}
+
+func (x *JsonMessage) GetCreated() int64 {
+	if x != nil {
+		return x.Created
+	}
+	return 0
+}
+
+func (x *JsonMessage) GetPayload() []byte {
+	if x != nil {
+		return x.Payload
+	}
+	return nil
+}
+
+type ReadMessagesReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ChannelId     string                 `protobuf:"bytes,1,opt,name=channel_id,json=channelId,proto3" json:"channel_id,omitempty"`
+	DomainId      string                 `protobuf:"bytes,2,opt,name=domain_id,json=domainId,proto3" json:"domain_id,omitempty"`
+	PageMetadata  *PageMetadata          `protobuf:"bytes,3,opt,name=page_metadata,json=pageMetadata,proto3" json:"page_metadata,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReadMessagesReq) Reset() {
+	*x = ReadMessagesReq{}
+	mi := &file_readers_v1_readers_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReadMessagesReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReadMessagesReq) ProtoMessage() {}
+
+func (x *ReadMessagesReq) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReadMessagesReq.ProtoReflect.Descriptor instead.
+func (*ReadMessagesReq) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *ReadMessagesReq) GetChannelId() string {
+	if x != nil {
+		return x.ChannelId
+	}
+	return ""
+}
+
+func (x *ReadMessagesReq) GetDomainId() string {
+	if x != nil {
+		return x.DomainId
+	}
+	return ""
+}
+
+func (x *ReadMessagesReq) GetPageMetadata() *PageMetadata {
+	if x != nil {
+		return x.PageMetadata
+	}
+	return nil
+}
+
+var File_readers_v1_readers_proto protoreflect.FileDescriptor
+
+const file_readers_v1_readers_proto_rawDesc = "" +
+	"\n" +
+	"\x18readers/v1/readers.proto\x12\n" +
+	"readers.v1\"\x8c\x04\n" +
+	"\fPageMetadata\x12\x14\n" +
+	"\x05limit\x18\x01 \x01(\x04R\x05limit\x12\x16\n" +
+	"\x06offset\x18\x02 \x01(\x04R\x06offset\x12\x1a\n" +
+	"\bprotocol\x18\x03 \x01(\tR\bprotocol\x12\x12\n" +
+	"\x04name\x18\x04 \x01(\tR\x04name\x12\x14\n" +
+	"\x05value\x18\x05 \x01(\x01R\x05value\x12\x1c\n" +
+	"\tpublisher\x18\x06 \x01(\tR\tpublisher\x12\x1d\n" +
+	"\n" +
+	"bool_value\x18\a \x01(\bR\tboolValue\x12!\n" +
+	"\fstring_value\x18\b \x01(\tR\vstringValue\x12\x1d\n" +
+	"\n" +
+	"data_value\x18\t \x01(\tR\tdataValue\x12\x12\n" +
+	"\x04from\x18\n" +
+	" \x01(\x01R\x04from\x12\x0e\n" +
+	"\x02to\x18\v \x01(\x01R\x02to\x12\x1a\n" +
+	"\bsubtopic\x18\f \x01(\tR\bsubtopic\x12\x1a\n" +
+	"\binterval\x18\r \x01(\tR\binterval\x12\x12\n" +
+	"\x04read\x18\x0e \x01(\bR\x04read\x129\n" +
+	"\vaggregation\x18\x0f \x01(\x0e2\x17.readers.v1.AggregationR\vaggregation\x12\x1e\n" +
+	"\n" +
+	"comparator\x18\x10 \x01(\tR\n" +
+	"comparator\x12\x16\n" +
+	"\x06format\x18\x11 \x01(\tR\x06format\x12\x14\n" +
+	"\x05order\x18\x12 \x01(\tR\x05order\x12\x10\n" +
+	"\x03dir\x18\x13 \x01(\tR\x03dir\"\x97\x01\n" +
+	"\x0fReadMessagesRes\x12\x14\n" +
+	"\x05total\x18\x01 \x01(\x04R\x05total\x12=\n" +
+	"\rpage_metadata\x18\x02 \x01(\v2\x18.readers.v1.PageMetadataR\fpageMetadata\x12/\n" +
+	"\bmessages\x18\x03 \x03(\v2\x13.readers.v1.MessageR\bmessages\"u\n" +
+	"\aMessage\x120\n" +
+	"\x05senml\x18\x01 \x01(\v2\x18.readers.v1.SenMLMessageH\x00R\x05senml\x12-\n" +
+	"\x04json\x18\x02 \x01(\v2\x17.readers.v1.JsonMessageH\x00R\x04jsonB\t\n" +
+	"\apayload\"}\n" +
+	"\vBaseMessage\x12\x18\n" +
+	"\achannel\x18\x01 \x01(\tR\achannel\x12\x1a\n" +
+	"\bsubtopic\x18\x02 \x01(\tR\bsubtopic\x12\x1c\n" +
+	"\tpublisher\x18\x03 \x01(\tR\tpublisher\x12\x1a\n" +
+	"\bprotocol\x18\x04 \x01(\tR\bprotocol\"\xfb\x02\n" +
+	"\fSenMLMessage\x12+\n" +
+	"\x04base\x18\x01 \x01(\v2\x17.readers.v1.BaseMessageR\x04base\x12\x12\n" +
+	"\x04name\x18\x02 \x01(\tR\x04name\x12\x12\n" +
+	"\x04unit\x18\x03 \x01(\tR\x04unit\x12\x12\n" +
+	"\x04time\x18\x04 \x01(\x01R\x04time\x12\x1f\n" +
+	"\vupdate_time\x18\x05 \x01(\x01R\n" +
+	"updateTime\x12\x19\n" +
+	"\x05value\x18\x06 \x01(\x01H\x00R\x05value\x88\x01\x01\x12&\n" +
+	"\fstring_value\x18\a \x01(\tH\x01R\vstringValue\x88\x01\x01\x12\"\n" +
+	"\n" +
+	"data_value\x18\b \x01(\tH\x02R\tdataValue\x88\x01\x01\x12\"\n" +
+	"\n" +
+	"bool_value\x18\t \x01(\bH\x03R\tboolValue\x88\x01\x01\x12\x15\n" +
+	"\x03sum\x18\n" +
+	" \x01(\x01H\x04R\x03sum\x88\x01\x01B\b\n" +
+	"\x06_valueB\x0f\n" +
+	"\r_string_valueB\r\n" +
+	"\v_data_valueB\r\n" +
+	"\v_bool_valueB\x06\n" +
+	"\x04_sum\"n\n" +
+	"\vJsonMessage\x12+\n" +
+	"\x04base\x18\x01 \x01(\v2\x17.readers.v1.BaseMessageR\x04base\x12\x18\n" +
+	"\acreated\x18\x02 \x01(\x03R\acreated\x12\x18\n" +
+	"\apayload\x18\x03 \x01(\fR\apayload\"\x8c\x01\n" +
+	"\x0fReadMessagesReq\x12\x1d\n" +
+	"\n" +
+	"channel_id\x18\x01 \x01(\tR\tchannelId\x12\x1b\n" +
+	"\tdomain_id\x18\x02 \x01(\tR\bdomainId\x12=\n" +
+	"\rpage_metadata\x18\x03 \x01(\v2\x18.readers.v1.PageMetadataR\fpageMetadata*\x95\x01\n" +
+	"\vAggregation\x12\x1b\n" +
+	"\x17AGGREGATION_UNSPECIFIED\x10\x00\x12\x13\n" +
+	"\x0fAGGREGATION_MAX\x10\x01\x12\x13\n" +
+	"\x0fAGGREGATION_MIN\x10\x02\x12\x13\n" +
+	"\x0fAGGREGATION_SUM\x10\x03\x12\x15\n" +
+	"\x11AGGREGATION_COUNT\x10\x04\x12\x13\n" +
+	"\x0fAGGREGATION_AVG\x10\x052\\\n" +
+	"\x0eReadersService\x12J\n" +
+	"\fReadMessages\x12\x1b.readers.v1.ReadMessagesReq\x1a\x1b.readers.v1.ReadMessagesRes\"\x00B3Z1github.com/absmach/magistrala/api/grpc/readers/v1b\x06proto3"
+
+var (
+	file_readers_v1_readers_proto_rawDescOnce sync.Once
+	file_readers_v1_readers_proto_rawDescData []byte
+)
+
+func file_readers_v1_readers_proto_rawDescGZIP() []byte {
+	file_readers_v1_readers_proto_rawDescOnce.Do(func() {
+		file_readers_v1_readers_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_readers_v1_readers_proto_rawDesc), len(file_readers_v1_readers_proto_rawDesc)))
+	})
+	return file_readers_v1_readers_proto_rawDescData
+}
+
+var file_readers_v1_readers_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_readers_v1_readers_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_readers_v1_readers_proto_goTypes = []any{
+	(Aggregation)(0),        // 0: readers.v1.Aggregation
+	(*PageMetadata)(nil),    // 1: readers.v1.PageMetadata
+	(*ReadMessagesRes)(nil), // 2: readers.v1.ReadMessagesRes
+	(*Message)(nil),         // 3: readers.v1.Message
+	(*BaseMessage)(nil),     // 4: readers.v1.BaseMessage
+	(*SenMLMessage)(nil),    // 5: readers.v1.SenMLMessage
+	(*JsonMessage)(nil),     // 6: readers.v1.JsonMessage
+	(*ReadMessagesReq)(nil), // 7: readers.v1.ReadMessagesReq
+}
+var file_readers_v1_readers_proto_depIdxs = []int32{
+	0, // 0: readers.v1.PageMetadata.aggregation:type_name -> readers.v1.Aggregation
+	1, // 1: readers.v1.ReadMessagesRes.page_metadata:type_name -> readers.v1.PageMetadata
+	3, // 2: readers.v1.ReadMessagesRes.messages:type_name -> readers.v1.Message
+	5, // 3: readers.v1.Message.senml:type_name -> readers.v1.SenMLMessage
+	6, // 4: readers.v1.Message.json:type_name -> readers.v1.JsonMessage
+	4, // 5: readers.v1.SenMLMessage.base:type_name -> readers.v1.BaseMessage
+	4, // 6: readers.v1.JsonMessage.base:type_name -> readers.v1.BaseMessage
+	1, // 7: readers.v1.ReadMessagesReq.page_metadata:type_name -> readers.v1.PageMetadata
+	7, // 8: readers.v1.ReadersService.ReadMessages:input_type -> readers.v1.ReadMessagesReq
+	2, // 9: readers.v1.ReadersService.ReadMessages:output_type -> readers.v1.ReadMessagesRes
+	9, // [9:10] is the sub-list for method output_type
+	8, // [8:9] is the sub-list for method input_type
+	8, // [8:8] is the sub-list for extension type_name
+	8, // [8:8] is the sub-list for extension extendee
+	0, // [0:8] is the sub-list for field type_name
+}
+
+func init() { file_readers_v1_readers_proto_init() }
+func file_readers_v1_readers_proto_init() {
+	if File_readers_v1_readers_proto != nil {
+		return
+	}
+	file_readers_v1_readers_proto_msgTypes[2].OneofWrappers = []any{
+		(*Message_Senml)(nil),
+		(*Message_Json)(nil),
+	}
+	file_readers_v1_readers_proto_msgTypes[4].OneofWrappers = []any{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_readers_v1_readers_proto_rawDesc), len(file_readers_v1_readers_proto_rawDesc)),
+			NumEnums:      1,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_readers_v1_readers_proto_goTypes,
+		DependencyIndexes: file_readers_v1_readers_proto_depIdxs,
+		EnumInfos:         file_readers_v1_readers_proto_enumTypes,
+		MessageInfos:      file_readers_v1_readers_proto_msgTypes,
+	}.Build()
+	File_readers_v1_readers_proto = out.File
+	file_readers_v1_readers_proto_goTypes = nil
+	file_readers_v1_readers_proto_depIdxs = nil
+}
@@ -0,0 +1,130 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.0
+// - protoc             v6.33.0
+// source: readers/v1/readers.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	ReadersService_ReadMessages_FullMethodName = "/readers.v1.ReadersService/ReadMessages"
+)
+
+// ReadersServiceClient is the client API for ReadersService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// ReadersService is a service that provides access to
+// readers functionalities for Magistrala services.
+type ReadersServiceClient interface {
+	ReadMessages(ctx context.Context, in *ReadMessagesReq, opts ...grpc.CallOption) (*ReadMessagesRes, error)
+}
+
+type readersServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewReadersServiceClient(cc grpc.ClientConnInterface) ReadersServiceClient {
+	return &readersServiceClient{cc}
+}
+
+func (c *readersServiceClient) ReadMessages(ctx context.Context, in *ReadMessagesReq, opts ...grpc.CallOption) (*ReadMessagesRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ReadMessagesRes)
+	err := c.cc.Invoke(ctx, ReadersService_ReadMessages_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ReadersServiceServer is the server API for ReadersService service.
+// All implementations must embed UnimplementedReadersServiceServer
+// for forward compatibility.
+//
+// ReadersService is a service that provides access to
+// readers functionalities for Magistrala services.
+type ReadersServiceServer interface {
+	ReadMessages(context.Context, *ReadMessagesReq) (*ReadMessagesRes, error)
+	mustEmbedUnimplementedReadersServiceServer()
+}
+
+// UnimplementedReadersServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedReadersServiceServer struct{}
+
+func (UnimplementedReadersServiceServer) ReadMessages(context.Context, *ReadMessagesReq) (*ReadMessagesRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method ReadMessages not implemented")
+}
+func (UnimplementedReadersServiceServer) mustEmbedUnimplementedReadersServiceServer() {}
+func (UnimplementedReadersServiceServer) testEmbeddedByValue()                        {}
+
+// UnsafeReadersServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ReadersServiceServer will
+// result in compilation errors.
+type UnsafeReadersServiceServer interface {
+	mustEmbedUnimplementedReadersServiceServer()
+}
+
+func RegisterReadersServiceServer(s grpc.ServiceRegistrar, srv ReadersServiceServer) {
+	// If the following call panics, it indicates UnimplementedReadersServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&ReadersService_ServiceDesc, srv)
+}
+
+func _ReadersService_ReadMessages_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReadMessagesReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ReadersServiceServer).ReadMessages(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ReadersService_ReadMessages_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ReadersServiceServer).ReadMessages(ctx, req.(*ReadMessagesReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ReadersService_ServiceDesc is the grpc.ServiceDesc for ReadersService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ReadersService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "readers.v1.ReadersService",
+	HandlerType: (*ReadersServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ReadMessages",
+			Handler:    _ReadersService_ReadMessages_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "readers/v1/readers.proto",
+}
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: token/v1/token.proto

@@ -30,6 +30,7 @@ type IssueReq struct {
 	UserRole      uint32                 `protobuf:"varint,2,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"`
 	Type          uint32                 `protobuf:"varint,3,opt,name=type,proto3" json:"type,omitempty"`
 	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`
+	Description   string                 `protobuf:"bytes,5,opt,name=description,proto3" json:"description,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -92,6 +93,13 @@ func (x *IssueReq) GetVerified() bool {
 	return false
 }

+func (x *IssueReq) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
 type RefreshReq struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	RefreshToken  string                 `protobuf:"bytes,1,opt,name=refresh_token,json=refreshToken,proto3" json:"refresh_token,omitempty"`
@@ -144,6 +152,58 @@ func (x *RefreshReq) GetVerified() bool {
 	return false
 }

+type RevokeReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	TokenId       string                 `protobuf:"bytes,1,opt,name=token_id,json=tokenId,proto3" json:"token_id,omitempty"`
+	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeReq) Reset() {
+	*x = RevokeReq{}
+	mi := &file_token_v1_token_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeReq) ProtoMessage() {}
+
+func (x *RevokeReq) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeReq.ProtoReflect.Descriptor instead.
+func (*RevokeReq) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *RevokeReq) GetTokenId() string {
+	if x != nil {
+		return x.TokenId
+	}
+	return ""
+}
+
+func (x *RevokeReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
 // If a token is not carrying any information itself, the type
 // field can be used to determine how to validate the token.
 // Also, different tokens can be encoded in different ways.
@@ -158,7 +218,7 @@ type Token struct {

 func (x *Token) Reset() {
 	*x = Token{}
-	mi := &file_token_v1_token_proto_msgTypes[2]
+	mi := &file_token_v1_token_proto_msgTypes[3]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -170,7 +230,7 @@ func (x *Token) String() string {
 func (*Token) ProtoMessage() {}

 func (x *Token) ProtoReflect() protoreflect.Message {
-	mi := &file_token_v1_token_proto_msgTypes[2]
+	mi := &file_token_v1_token_proto_msgTypes[3]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -183,7 +243,7 @@ func (x *Token) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Token.ProtoReflect.Descriptor instead.
 func (*Token) Descriptor() ([]byte, []int) {
-	return file_token_v1_token_proto_rawDescGZIP(), []int{2}
+	return file_token_v1_token_proto_rawDescGZIP(), []int{3}
 }

 func (x *Token) GetAccessToken() string {
@@ -207,29 +267,219 @@ func (x *Token) GetAccessType() string {
 	return ""
 }

+type RevokeRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeRes) Reset() {
+	*x = RevokeRes{}
+	mi := &file_token_v1_token_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeRes) ProtoMessage() {}
+
+func (x *RevokeRes) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeRes.ProtoReflect.Descriptor instead.
+func (*RevokeRes) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{4}
+}
+
+type ListUserRefreshTokensReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	UserId        string                 `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListUserRefreshTokensReq) Reset() {
+	*x = ListUserRefreshTokensReq{}
+	mi := &file_token_v1_token_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListUserRefreshTokensReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListUserRefreshTokensReq) ProtoMessage() {}
+
+func (x *ListUserRefreshTokensReq) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListUserRefreshTokensReq.ProtoReflect.Descriptor instead.
+func (*ListUserRefreshTokensReq) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *ListUserRefreshTokensReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
+type ListUserRefreshTokensRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	RefreshTokens []*RefreshToken        `protobuf:"bytes,1,rep,name=refresh_tokens,json=refreshTokens,proto3" json:"refresh_tokens,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListUserRefreshTokensRes) Reset() {
+	*x = ListUserRefreshTokensRes{}
+	mi := &file_token_v1_token_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListUserRefreshTokensRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListUserRefreshTokensRes) ProtoMessage() {}
+
+func (x *ListUserRefreshTokensRes) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListUserRefreshTokensRes.ProtoReflect.Descriptor instead.
+func (*ListUserRefreshTokensRes) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *ListUserRefreshTokensRes) GetRefreshTokens() []*RefreshToken {
+	if x != nil {
+		return x.RefreshTokens
+	}
+	return nil
+}
+
+type RefreshToken struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Description   string                 `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RefreshToken) Reset() {
+	*x = RefreshToken{}
+	mi := &file_token_v1_token_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RefreshToken) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RefreshToken) ProtoMessage() {}
+
+func (x *RefreshToken) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RefreshToken.ProtoReflect.Descriptor instead.
+func (*RefreshToken) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *RefreshToken) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
+func (x *RefreshToken) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
 var File_token_v1_token_proto protoreflect.FileDescriptor

 const file_token_v1_token_proto_rawDesc = "" +
 	"\n" +
-	"\x14token/v1/token.proto\x12\btoken.v1\"p\n" +
+	"\x14token/v1/token.proto\x12\btoken.v1\"\x92\x01\n" +
 	"\bIssueReq\x12\x17\n" +
 	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x1b\n" +
 	"\tuser_role\x18\x02 \x01(\rR\buserRole\x12\x12\n" +
 	"\x04type\x18\x03 \x01(\rR\x04type\x12\x1a\n" +
-	"\bverified\x18\x04 \x01(\bR\bverified\"M\n" +
+	"\bverified\x18\x04 \x01(\bR\bverified\x12 \n" +
+	"\vdescription\x18\x05 \x01(\tR\vdescription\"M\n" +
 	"\n" +
 	"RefreshReq\x12#\n" +
 	"\rrefresh_token\x18\x01 \x01(\tR\frefreshToken\x12\x1a\n" +
-	"\bverified\x18\x02 \x01(\bR\bverified\"\x87\x01\n" +
+	"\bverified\x18\x02 \x01(\bR\bverified\"?\n" +
+	"\tRevokeReq\x12\x19\n" +
+	"\btoken_id\x18\x01 \x01(\tR\atokenId\x12\x17\n" +
+	"\auser_id\x18\x02 \x01(\tR\x06userId\"\x87\x01\n" +
 	"\x05Token\x12!\n" +
 	"\faccess_token\x18\x01 \x01(\tR\vaccessToken\x12(\n" +
 	"\rrefresh_token\x18\x02 \x01(\tH\x00R\frefreshToken\x88\x01\x01\x12\x1f\n" +
 	"\vaccess_type\x18\x03 \x01(\tR\n" +
 	"accessTypeB\x10\n" +
-	"\x0e_refresh_token2r\n" +
+	"\x0e_refresh_token\"\v\n" +
+	"\tRevokeRes\"3\n" +
+	"\x18ListUserRefreshTokensReq\x12\x17\n" +
+	"\auser_id\x18\x01 \x01(\tR\x06userId\"Y\n" +
+	"\x18ListUserRefreshTokensRes\x12=\n" +
+	"\x0erefresh_tokens\x18\x01 \x03(\v2\x16.token.v1.RefreshTokenR\rrefreshTokens\"@\n" +
+	"\fRefreshToken\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\tR\x02id\x12 \n" +
+	"\vdescription\x18\x02 \x01(\tR\vdescription2\x8b\x02\n" +
 	"\fTokenService\x12.\n" +
 	"\x05Issue\x12\x12.token.v1.IssueReq\x1a\x0f.token.v1.Token\"\x00\x122\n" +
-	"\aRefresh\x12\x14.token.v1.RefreshReq\x1a\x0f.token.v1.Token\"\x00B.Z,github.com/absmach/supermq/api/grpc/token/v1b\x06proto3"
+	"\aRefresh\x12\x14.token.v1.RefreshReq\x1a\x0f.token.v1.Token\"\x00\x124\n" +
+	"\x06Revoke\x12\x13.token.v1.RevokeReq\x1a\x13.token.v1.RevokeRes\"\x00\x12a\n" +
+	"\x15ListUserRefreshTokens\x12\".token.v1.ListUserRefreshTokensReq\x1a\".token.v1.ListUserRefreshTokensRes\"\x00B1Z/github.com/absmach/magistrala/api/grpc/token/v1b\x06proto3"

 var (
 	file_token_v1_token_proto_rawDescOnce sync.Once
@@ -243,22 +493,32 @@ func file_token_v1_token_proto_rawDescGZIP() []byte {
 	return file_token_v1_token_proto_rawDescData
 }

-var file_token_v1_token_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_token_v1_token_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_token_v1_token_proto_goTypes = []any{
-	(*IssueReq)(nil),   // 0: token.v1.IssueReq
-	(*RefreshReq)(nil), // 1: token.v1.RefreshReq
-	(*Token)(nil),      // 2: token.v1.Token
+	(*IssueReq)(nil),                 // 0: token.v1.IssueReq
+	(*RefreshReq)(nil),               // 1: token.v1.RefreshReq
+	(*RevokeReq)(nil),                // 2: token.v1.RevokeReq
+	(*Token)(nil),                    // 3: token.v1.Token
+	(*RevokeRes)(nil),                // 4: token.v1.RevokeRes
+	(*ListUserRefreshTokensReq)(nil), // 5: token.v1.ListUserRefreshTokensReq
+	(*ListUserRefreshTokensRes)(nil), // 6: token.v1.ListUserRefreshTokensRes
+	(*RefreshToken)(nil),             // 7: token.v1.RefreshToken
 }
 var file_token_v1_token_proto_depIdxs = []int32{
-	0, // 0: token.v1.TokenService.Issue:input_type -> token.v1.IssueReq
-	1, // 1: token.v1.TokenService.Refresh:input_type -> token.v1.RefreshReq
-	2, // 2: token.v1.TokenService.Issue:output_type -> token.v1.Token
-	2, // 3: token.v1.TokenService.Refresh:output_type -> token.v1.Token
-	2, // [2:4] is the sub-list for method output_type
-	0, // [0:2] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	7, // 0: token.v1.ListUserRefreshTokensRes.refresh_tokens:type_name -> token.v1.RefreshToken
+	0, // 1: token.v1.TokenService.Issue:input_type -> token.v1.IssueReq
+	1, // 2: token.v1.TokenService.Refresh:input_type -> token.v1.RefreshReq
+	2, // 3: token.v1.TokenService.Revoke:input_type -> token.v1.RevokeReq
+	5, // 4: token.v1.TokenService.ListUserRefreshTokens:input_type -> token.v1.ListUserRefreshTokensReq
+	3, // 5: token.v1.TokenService.Issue:output_type -> token.v1.Token
+	3, // 6: token.v1.TokenService.Refresh:output_type -> token.v1.Token
+	4, // 7: token.v1.TokenService.Revoke:output_type -> token.v1.RevokeRes
+	6, // 8: token.v1.TokenService.ListUserRefreshTokens:output_type -> token.v1.ListUserRefreshTokensRes
+	5, // [5:9] is the sub-list for method output_type
+	1, // [1:5] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }

 func init() { file_token_v1_token_proto_init() }
@@ -266,14 +526,14 @@ func file_token_v1_token_proto_init() {
 	if File_token_v1_token_proto != nil {
 		return
 	}
-	file_token_v1_token_proto_msgTypes[2].OneofWrappers = []any{}
+	file_token_v1_token_proto_msgTypes[3].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_token_v1_token_proto_rawDesc), len(file_token_v1_token_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   3,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: token/v1/token.proto

@@ -22,8 +22,10 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	TokenService_Issue_FullMethodName   = "/token.v1.TokenService/Issue"
-	TokenService_Refresh_FullMethodName = "/token.v1.TokenService/Refresh"
+	TokenService_Issue_FullMethodName                 = "/token.v1.TokenService/Issue"
+	TokenService_Refresh_FullMethodName               = "/token.v1.TokenService/Refresh"
+	TokenService_Revoke_FullMethodName                = "/token.v1.TokenService/Revoke"
+	TokenService_ListUserRefreshTokens_FullMethodName = "/token.v1.TokenService/ListUserRefreshTokens"
 )

 // TokenServiceClient is the client API for TokenService service.
@@ -32,6 +34,8 @@ const (
 type TokenServiceClient interface {
 	Issue(ctx context.Context, in *IssueReq, opts ...grpc.CallOption) (*Token, error)
 	Refresh(ctx context.Context, in *RefreshReq, opts ...grpc.CallOption) (*Token, error)
+	Revoke(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*RevokeRes, error)
+	ListUserRefreshTokens(ctx context.Context, in *ListUserRefreshTokensReq, opts ...grpc.CallOption) (*ListUserRefreshTokensRes, error)
 }

 type tokenServiceClient struct {
@@ -62,12 +66,34 @@ func (c *tokenServiceClient) Refresh(ctx context.Context, in *RefreshReq, opts .
 	return out, nil
 }

+func (c *tokenServiceClient) Revoke(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*RevokeRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RevokeRes)
+	err := c.cc.Invoke(ctx, TokenService_Revoke_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *tokenServiceClient) ListUserRefreshTokens(ctx context.Context, in *ListUserRefreshTokensReq, opts ...grpc.CallOption) (*ListUserRefreshTokensRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListUserRefreshTokensRes)
+	err := c.cc.Invoke(ctx, TokenService_ListUserRefreshTokens_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // TokenServiceServer is the server API for TokenService service.
 // All implementations must embed UnimplementedTokenServiceServer
 // for forward compatibility.
 type TokenServiceServer interface {
 	Issue(context.Context, *IssueReq) (*Token, error)
 	Refresh(context.Context, *RefreshReq) (*Token, error)
+	Revoke(context.Context, *RevokeReq) (*RevokeRes, error)
+	ListUserRefreshTokens(context.Context, *ListUserRefreshTokensReq) (*ListUserRefreshTokensRes, error)
 	mustEmbedUnimplementedTokenServiceServer()
 }

@@ -79,10 +105,16 @@ type TokenServiceServer interface {
 type UnimplementedTokenServiceServer struct{}

 func (UnimplementedTokenServiceServer) Issue(context.Context, *IssueReq) (*Token, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Issue not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Issue not implemented")
 }
 func (UnimplementedTokenServiceServer) Refresh(context.Context, *RefreshReq) (*Token, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Refresh not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Refresh not implemented")
+}
+func (UnimplementedTokenServiceServer) Revoke(context.Context, *RevokeReq) (*RevokeRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method Revoke not implemented")
+}
+func (UnimplementedTokenServiceServer) ListUserRefreshTokens(context.Context, *ListUserRefreshTokensReq) (*ListUserRefreshTokensRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListUserRefreshTokens not implemented")
 }
 func (UnimplementedTokenServiceServer) mustEmbedUnimplementedTokenServiceServer() {}
 func (UnimplementedTokenServiceServer) testEmbeddedByValue()                      {}
@@ -95,7 +127,7 @@ type UnsafeTokenServiceServer interface {
 }

 func RegisterTokenServiceServer(s grpc.ServiceRegistrar, srv TokenServiceServer) {
-	// If the following call pancis, it indicates UnimplementedTokenServiceServer was
+	// If the following call panics, it indicates UnimplementedTokenServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -141,6 +173,42 @@ func _TokenService_Refresh_Handler(srv interface{}, ctx context.Context, dec fun
 	return interceptor(ctx, in, info, handler)
 }

+func _TokenService_Revoke_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TokenServiceServer).Revoke(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TokenService_Revoke_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TokenServiceServer).Revoke(ctx, req.(*RevokeReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _TokenService_ListUserRefreshTokens_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListUserRefreshTokensReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TokenServiceServer).ListUserRefreshTokens(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TokenService_ListUserRefreshTokens_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TokenServiceServer).ListUserRefreshTokens(ctx, req.(*ListUserRefreshTokensReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // TokenService_ServiceDesc is the grpc.ServiceDesc for TokenService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -156,6 +224,14 @@ var TokenService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Refresh",
 			Handler:    _TokenService_Refresh_Handler,
 		},
+		{
+			MethodName: "Revoke",
+			Handler:    _TokenService_Revoke_Handler,
+		},
+		{
+			MethodName: "ListUserRefreshTokens",
+			Handler:    _TokenService_ListUserRefreshTokens_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "token/v1/token.proto",
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: users/v1/users.proto

@@ -155,25 +155,26 @@ func (x *RetrieveUsersRes) GetUsers() []*User {
 }

 type User struct {
-	state          protoimpl.MessageState `protogen:"open.v1"`
-	Id             string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
-	FirstName      string                 `protobuf:"bytes,2,opt,name=first_name,json=firstName,proto3" json:"first_name,omitempty"`
-	LastName       string                 `protobuf:"bytes,3,opt,name=last_name,json=lastName,proto3" json:"last_name,omitempty"`
-	Tags           []string               `protobuf:"bytes,4,rep,name=tags,proto3" json:"tags,omitempty"`
-	Metadata       *structpb.Struct       `protobuf:"bytes,5,opt,name=metadata,proto3" json:"metadata,omitempty"`
-	Status         uint32                 `protobuf:"varint,6,opt,name=status,proto3" json:"status,omitempty"`
-	Role           uint32                 `protobuf:"varint,7,opt,name=role,proto3" json:"role,omitempty"`
-	ProfilePicture string                 `protobuf:"bytes,8,opt,name=profile_picture,json=profilePicture,proto3" json:"profile_picture,omitempty"`
-	Username       string                 `protobuf:"bytes,9,opt,name=username,proto3" json:"username,omitempty"`
-	Email          string                 `protobuf:"bytes,10,opt,name=email,proto3" json:"email,omitempty"`
-	CreatedAt      *timestamppb.Timestamp `protobuf:"bytes,11,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
-	UpdatedAt      *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=updated_at,json=updatedAt,proto3" json:"updated_at,omitempty"`
-	UpdatedBy      string                 `protobuf:"bytes,13,opt,name=updated_by,json=updatedBy,proto3" json:"updated_by,omitempty"`
-	VerifiedAt     *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=verified_at,json=verifiedAt,proto3" json:"verified_at,omitempty"`
-	AuthProvider   string                 `protobuf:"bytes,15,opt,name=auth_provider,json=authProvider,proto3" json:"auth_provider,omitempty"`
-	Permissions    []string               `protobuf:"bytes,16,rep,name=permissions,proto3" json:"permissions,omitempty"`
-	unknownFields  protoimpl.UnknownFields
-	sizeCache      protoimpl.SizeCache
+	state           protoimpl.MessageState `protogen:"open.v1"`
+	Id              string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	FirstName       string                 `protobuf:"bytes,2,opt,name=first_name,json=firstName,proto3" json:"first_name,omitempty"`
+	LastName        string                 `protobuf:"bytes,3,opt,name=last_name,json=lastName,proto3" json:"last_name,omitempty"`
+	Tags            []string               `protobuf:"bytes,4,rep,name=tags,proto3" json:"tags,omitempty"`
+	Metadata        *structpb.Struct       `protobuf:"bytes,5,opt,name=metadata,proto3" json:"metadata,omitempty"`
+	PrivateMetadata *structpb.Struct       `protobuf:"bytes,6,opt,name=private_metadata,json=privateMetadata,proto3" json:"private_metadata,omitempty"`
+	Status          uint32                 `protobuf:"varint,7,opt,name=status,proto3" json:"status,omitempty"`
+	Role            uint32                 `protobuf:"varint,8,opt,name=role,proto3" json:"role,omitempty"`
+	ProfilePicture  string                 `protobuf:"bytes,9,opt,name=profile_picture,json=profilePicture,proto3" json:"profile_picture,omitempty"`
+	Username        string                 `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty"`
+	Email           string                 `protobuf:"bytes,11,opt,name=email,proto3" json:"email,omitempty"`
+	CreatedAt       *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	UpdatedAt       *timestamppb.Timestamp `protobuf:"bytes,13,opt,name=updated_at,json=updatedAt,proto3" json:"updated_at,omitempty"`
+	UpdatedBy       string                 `protobuf:"bytes,14,opt,name=updated_by,json=updatedBy,proto3" json:"updated_by,omitempty"`
+	VerifiedAt      *timestamppb.Timestamp `protobuf:"bytes,15,opt,name=verified_at,json=verifiedAt,proto3" json:"verified_at,omitempty"`
+	AuthProvider    string                 `protobuf:"bytes,16,opt,name=auth_provider,json=authProvider,proto3" json:"auth_provider,omitempty"`
+	Permissions     []string               `protobuf:"bytes,17,rep,name=permissions,proto3" json:"permissions,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *User) Reset() {
@@ -241,6 +242,13 @@ func (x *User) GetMetadata() *structpb.Struct {
 	return nil
 }

+func (x *User) GetPrivateMetadata() *structpb.Struct {
+	if x != nil {
+		return x.PrivateMetadata
+	}
+	return nil
+}
+
 func (x *User) GetStatus() uint32 {
 	if x != nil {
 		return x.Status
@@ -331,32 +339,33 @@ const file_users_v1_users_proto_rawDesc = "" +
 	"\x05total\x18\x01 \x01(\x04R\x05total\x12\x14\n" +
 	"\x05limit\x18\x02 \x01(\x04R\x05limit\x12\x16\n" +
 	"\x06offset\x18\x03 \x01(\x04R\x06offset\x12$\n" +
-	"\x05users\x18\x04 \x03(\v2\x0e.users.v1.UserR\x05users\"\xbb\x04\n" +
+	"\x05users\x18\x04 \x03(\v2\x0e.users.v1.UserR\x05users\"\xff\x04\n" +
 	"\x04User\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\x12\x1d\n" +
 	"\n" +
 	"first_name\x18\x02 \x01(\tR\tfirstName\x12\x1b\n" +
 	"\tlast_name\x18\x03 \x01(\tR\blastName\x12\x12\n" +
 	"\x04tags\x18\x04 \x03(\tR\x04tags\x123\n" +
-	"\bmetadata\x18\x05 \x01(\v2\x17.google.protobuf.StructR\bmetadata\x12\x16\n" +
-	"\x06status\x18\x06 \x01(\rR\x06status\x12\x12\n" +
-	"\x04role\x18\a \x01(\rR\x04role\x12'\n" +
-	"\x0fprofile_picture\x18\b \x01(\tR\x0eprofilePicture\x12\x1a\n" +
-	"\busername\x18\t \x01(\tR\busername\x12\x14\n" +
-	"\x05email\x18\n" +
-	" \x01(\tR\x05email\x129\n" +
+	"\bmetadata\x18\x05 \x01(\v2\x17.google.protobuf.StructR\bmetadata\x12B\n" +
+	"\x10private_metadata\x18\x06 \x01(\v2\x17.google.protobuf.StructR\x0fprivateMetadata\x12\x16\n" +
+	"\x06status\x18\a \x01(\rR\x06status\x12\x12\n" +
+	"\x04role\x18\b \x01(\rR\x04role\x12'\n" +
+	"\x0fprofile_picture\x18\t \x01(\tR\x0eprofilePicture\x12\x1a\n" +
+	"\busername\x18\n" +
+	" \x01(\tR\busername\x12\x14\n" +
+	"\x05email\x18\v \x01(\tR\x05email\x129\n" +
 	"\n" +
-	"created_at\x18\v \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x129\n" +
+	"created_at\x18\f \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x129\n" +
 	"\n" +
-	"updated_at\x18\f \x01(\v2\x1a.google.protobuf.TimestampR\tupdatedAt\x12\x1d\n" +
+	"updated_at\x18\r \x01(\v2\x1a.google.protobuf.TimestampR\tupdatedAt\x12\x1d\n" +
 	"\n" +
-	"updated_by\x18\r \x01(\tR\tupdatedBy\x12;\n" +
-	"\vverified_at\x18\x0e \x01(\v2\x1a.google.protobuf.TimestampR\n" +
+	"updated_by\x18\x0e \x01(\tR\tupdatedBy\x12;\n" +
+	"\vverified_at\x18\x0f \x01(\v2\x1a.google.protobuf.TimestampR\n" +
 	"verifiedAt\x12#\n" +
-	"\rauth_provider\x18\x0f \x01(\tR\fauthProvider\x12 \n" +
-	"\vpermissions\x18\x10 \x03(\tR\vpermissions2Y\n" +
+	"\rauth_provider\x18\x10 \x01(\tR\fauthProvider\x12 \n" +
+	"\vpermissions\x18\x11 \x03(\tR\vpermissions2Y\n" +
 	"\fUsersService\x12I\n" +
-	"\rRetrieveUsers\x12\x1a.users.v1.RetrieveUsersReq\x1a\x1a.users.v1.RetrieveUsersRes\"\x00B.Z,github.com/absmach/supermq/api/grpc/users/v1b\x06proto3"
+	"\rRetrieveUsers\x12\x1a.users.v1.RetrieveUsersReq\x1a\x1a.users.v1.RetrieveUsersRes\"\x00B1Z/github.com/absmach/magistrala/api/grpc/users/v1b\x06proto3"

 var (
 	file_users_v1_users_proto_rawDescOnce sync.Once
@@ -381,16 +390,17 @@ var file_users_v1_users_proto_goTypes = []any{
 var file_users_v1_users_proto_depIdxs = []int32{
 	2, // 0: users.v1.RetrieveUsersRes.users:type_name -> users.v1.User
 	3, // 1: users.v1.User.metadata:type_name -> google.protobuf.Struct
-	4, // 2: users.v1.User.created_at:type_name -> google.protobuf.Timestamp
-	4, // 3: users.v1.User.updated_at:type_name -> google.protobuf.Timestamp
-	4, // 4: users.v1.User.verified_at:type_name -> google.protobuf.Timestamp
-	0, // 5: users.v1.UsersService.RetrieveUsers:input_type -> users.v1.RetrieveUsersReq
-	1, // 6: users.v1.UsersService.RetrieveUsers:output_type -> users.v1.RetrieveUsersRes
-	6, // [6:7] is the sub-list for method output_type
-	5, // [5:6] is the sub-list for method input_type
-	5, // [5:5] is the sub-list for extension type_name
-	5, // [5:5] is the sub-list for extension extendee
-	0, // [0:5] is the sub-list for field type_name
+	3, // 2: users.v1.User.private_metadata:type_name -> google.protobuf.Struct
+	4, // 3: users.v1.User.created_at:type_name -> google.protobuf.Timestamp
+	4, // 4: users.v1.User.updated_at:type_name -> google.protobuf.Timestamp
+	4, // 5: users.v1.User.verified_at:type_name -> google.protobuf.Timestamp
+	0, // 6: users.v1.UsersService.RetrieveUsers:input_type -> users.v1.RetrieveUsersReq
+	1, // 7: users.v1.UsersService.RetrieveUsers:output_type -> users.v1.RetrieveUsersRes
+	7, // [7:8] is the sub-list for method output_type
+	6, // [6:7] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
 }

 func init() { file_users_v1_users_proto_init() }
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: users/v1/users.proto

@@ -72,7 +72,7 @@ type UsersServiceServer interface {
 type UnimplementedUsersServiceServer struct{}

 func (UnimplementedUsersServiceServer) RetrieveUsers(context.Context, *RetrieveUsersReq) (*RetrieveUsersRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveUsers not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveUsers not implemented")
 }
 func (UnimplementedUsersServiceServer) mustEmbedUnimplementedUsersServiceServer() {}
 func (UnimplementedUsersServiceServer) testEmbeddedByValue()                      {}
@@ -85,7 +85,7 @@ type UnsafeUsersServiceServer interface {
 }

 func RegisterUsersServiceServer(s grpc.ServiceRegistrar, srv UsersServiceServer) {
-	// If the following call pancis, it indicates UnimplementedUsersServiceServer was
+	// If the following call panics, it indicates UnimplementedUsersServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -11,13 +11,12 @@ import (
 	"regexp"
 	"strings"

-	"github.com/absmach/supermq"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/clients"
-	"github.com/absmach/supermq/groups"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
-	"github.com/absmach/supermq/users"
+	"github.com/absmach/magistrala"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/clients"
+	"github.com/absmach/magistrala/groups"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/magistrala/users"
 	"github.com/gofrs/uuid/v5"
 )

@@ -38,6 +37,7 @@ const (
 	MetadataKey = "metadata"
 	NameKey     = "name"
 	TagKey      = "tag"
+	TagsKey     = "tags"
 	StatusKey   = "status"

 	ClientKey   = "client"
@@ -158,7 +158,7 @@ func ValidateUserName(name string) error {

 // EncodeResponse encodes successful response.
 func EncodeResponse(_ context.Context, w http.ResponseWriter, response any) error {
-	if ar, ok := response.(supermq.Response); ok {
+	if ar, ok := response.(magistrala.Response); ok {
 		for k, v := range ar.Headers() {
 			w.Header().Set(k, v)
 		}
@@ -184,146 +184,47 @@ func EncodeError(_ context.Context, err error, w http.ResponseWriter) {
 		return
 	}

-	var wrapper error
-	if errors.Contains(err, apiutil.ErrValidation) {
-		wrapper, err = errors.Unwrap(err)
-	}
-
-	switch {
-	case errors.Contains(err, errors.ErrTryAgain):
-		w.WriteHeader(http.StatusUnprocessableEntity)
-	case errors.Contains(err, errors.ErrEmailAlreadyExists),
-		errors.Contains(err, errors.ErrUsernameNotAvailable),
-		errors.Contains(err, errors.ErrRouteNotAvailable),
-		errors.Contains(err, errors.ErrChannelRouteNotAvailable),
-		errors.Contains(err, errors.ErrDomainRouteNotAvailable),
-		errors.Contains(err, svcerr.ErrExternalAuthProviderCouldNotUpdate):
+	switch retErr := err.(type) {
+	case *errors.RequestError:
 		w.WriteHeader(http.StatusBadRequest)
-	case errors.Contains(err, svcerr.ErrAuthorization),
-		errors.Contains(err, svcerr.ErrDomainAuthorization),
-		errors.Contains(err, svcerr.ErrUnauthorizedPAT),
-		errors.Contains(err, svcerr.ErrSuperAdminAction):
-		err = unwrap(err)
-		w.WriteHeader(http.StatusForbidden)
-
-	case errors.Contains(err, svcerr.ErrAuthentication),
-		errors.Contains(err, apiutil.ErrBearerToken),
-		errors.Contains(err, svcerr.ErrLogin),
-		errors.Contains(err, apiutil.ErrUnsupportedTokenType):
-		err = unwrap(err)
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.AuthNError:
 		w.WriteHeader(http.StatusUnauthorized)
-	case errors.Contains(err, svcerr.ErrMalformedEntity),
-		errors.Contains(err, apiutil.ErrMalformedPolicy),
-		errors.Contains(err, apiutil.ErrMissingSecret),
-		errors.Contains(err, errors.ErrMalformedEntity),
-		errors.Contains(err, apiutil.ErrMissingID),
-		errors.Contains(err, apiutil.ErrInvalidVerification),
-		errors.Contains(err, apiutil.ErrMissingName),
-		errors.Contains(err, apiutil.ErrMissingEmail),
-		errors.Contains(err, apiutil.ErrInvalidEmail),
-		errors.Contains(err, apiutil.ErrMissingHost),
-		errors.Contains(err, apiutil.ErrInvalidResetPass),
-		errors.Contains(err, apiutil.ErrEmptyList),
-		errors.Contains(err, apiutil.ErrMissingMemberKind),
-		errors.Contains(err, apiutil.ErrMissingMemberType),
-		errors.Contains(err, apiutil.ErrLimitSize),
-		errors.Contains(err, apiutil.ErrBearerKey),
-		errors.Contains(err, svcerr.ErrInvalidStatus),
-		errors.Contains(err, apiutil.ErrNameSize),
-		errors.Contains(err, apiutil.ErrInvalidIDFormat),
-		errors.Contains(err, apiutil.ErrInvalidQueryParams),
-		errors.Contains(err, apiutil.ErrMissingRelation),
-		errors.Contains(err, apiutil.ErrValidation),
-		errors.Contains(err, apiutil.ErrMissingPass),
-		errors.Contains(err, apiutil.ErrMissingConfPass),
-		errors.Contains(err, apiutil.ErrPasswordFormat),
-		errors.Contains(err, svcerr.ErrInvalidRole),
-		errors.Contains(err, svcerr.ErrInvalidPolicy),
-		errors.Contains(err, apiutil.ErrInvitationState),
-		errors.Contains(err, apiutil.ErrInvalidAPIKey),
-		errors.Contains(err, svcerr.ErrViewEntity),
-		errors.Contains(err, apiutil.ErrMissingCertData),
-		errors.Contains(err, apiutil.ErrInvalidContact),
-		errors.Contains(err, apiutil.ErrInvalidTopic),
-		errors.Contains(err, apiutil.ErrInvalidCertData),
-		errors.Contains(err, apiutil.ErrEmptyMessage),
-		errors.Contains(err, apiutil.ErrInvalidLevel),
-		errors.Contains(err, apiutil.ErrInvalidDirection),
-		errors.Contains(err, apiutil.ErrInvalidEntityType),
-		errors.Contains(err, apiutil.ErrMissingEntityType),
-		errors.Contains(err, apiutil.ErrInvalidTimeFormat),
-		errors.Contains(err, svcerr.ErrSearch),
-		errors.Contains(err, apiutil.ErrEmptySearchQuery),
-		errors.Contains(err, apiutil.ErrLenSearchQuery),
-		errors.Contains(err, apiutil.ErrMissingDomainID),
-		errors.Contains(err, apiutil.ErrMissingUserID),
-		errors.Contains(err, apiutil.ErrMissingPATID),
-		errors.Contains(err, apiutil.ErrMissingUsername),
-		errors.Contains(err, apiutil.ErrMissingUsernameEmail),
-		errors.Contains(err, apiutil.ErrMissingFirstName),
-		errors.Contains(err, apiutil.ErrMissingLastName),
-		errors.Contains(err, apiutil.ErrInvalidUsername),
-		errors.Contains(err, apiutil.ErrMissingIdentity),
-		errors.Contains(err, apiutil.ErrInvalidProfilePictureURL),
-		errors.Contains(err, apiutil.ErrSelfParentingNotAllowed),
-		errors.Contains(err, apiutil.ErrMissingChildrenGroupIDs),
-		errors.Contains(err, apiutil.ErrMissingParentGroupID),
-		errors.Contains(err, apiutil.ErrMissingConnectionType),
-		errors.Contains(err, apiutil.ErrMissingRoleName),
-		errors.Contains(err, apiutil.ErrMissingRoleID),
-		errors.Contains(err, apiutil.ErrMissingPolicyEntityType),
-		errors.Contains(err, apiutil.ErrMissingRoleMembers),
-		errors.Contains(err, apiutil.ErrMissingDescription),
-		errors.Contains(err, apiutil.ErrMissingEntityID),
-		errors.Contains(err, apiutil.ErrInvalidRouteFormat),
-		errors.Contains(err, svcerr.ErrRetainOneMember),
-		errors.Contains(err, apiutil.ErrMissingRoute):
-		err = unwrap(err)
-		w.WriteHeader(http.StatusBadRequest)
-
-	case errors.Contains(err, svcerr.ErrCreateEntity),
-		errors.Contains(err, svcerr.ErrUpdateEntity),
-		errors.Contains(err, svcerr.ErrRemoveEntity),
-		errors.Contains(err, svcerr.ErrEnableClient),
-		errors.Contains(err, svcerr.ErrEnableUser),
-		errors.Contains(err, svcerr.ErrDisableUser):
-		err = unwrap(err)
-		w.WriteHeader(http.StatusUnprocessableEntity)
-
-	case errors.Contains(err, svcerr.ErrNotFound):
-		err = unwrap(err)
-		w.WriteHeader(http.StatusNotFound)
-
-	case errors.Contains(err, errors.ErrStatusAlreadyAssigned),
-		errors.Contains(err, svcerr.ErrInvitationAlreadyRejected),
-		errors.Contains(err, svcerr.ErrInvitationAlreadyAccepted),
-		errors.Contains(err, svcerr.ErrConflict):
-		err = unwrap(err)
-		w.WriteHeader(http.StatusConflict)
-
-	case errors.Contains(err, apiutil.ErrUnsupportedContentType):
-		err = unwrap(err)
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.AuthZError:
+		w.WriteHeader(http.StatusForbidden)
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.MediaTypeError:
 		w.WriteHeader(http.StatusUnsupportedMediaType)
-
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.ServiceError:
+		w.WriteHeader(http.StatusUnprocessableEntity)
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.NotFoundError:
+		w.WriteHeader(http.StatusNotFound)
+		if err := json.NewEncoder(w).Encode(retErr); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		return
+	case *errors.InternalError:
+		w.WriteHeader(http.StatusInternalServerError)
+		return
 	default:
 		w.WriteHeader(http.StatusInternalServerError)
 	}
-
-	if wrapper != nil {
-		err = errors.Wrap(wrapper, err)
-	}
-
-	if errorVal, ok := err.(errors.Error); ok {
-		if err := json.NewEncoder(w).Encode(errorVal); err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-		}
-	}
-}
-
-func unwrap(err error) error {
-	wrapper, err := errors.Unwrap(err)
-	if wrapper != nil {
-		return wrapper
-	}
-	return err
 }
@@ -10,16 +10,16 @@ import (
 	"testing"
 	"time"

-	"github.com/absmach/supermq"
-	api "github.com/absmach/supermq/api/http"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/internal/testsutil"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	"github.com/absmach/magistrala"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 	"github.com/stretchr/testify/assert"
 )

-var _ supermq.Response = (*response)(nil)
+var _ magistrala.Response = (*response)(nil)

 var validUUID = testsutil.GenerateUUID(&testing.T{})

@@ -218,121 +218,104 @@ func TestEncodeResponse(t *testing.T) {

 func TestEncodeError(t *testing.T) {
 	cases := []struct {
-		desc string
-		errs []error
-		code int
+		desc       string
+		err        error
+		code       int
+		hasBody    bool
+		checkError bool
 	}{
 		{
-			desc: "BadRequest",
-			errs: []error{
-				apiutil.ErrMissingSecret,
-				svcerr.ErrMalformedEntity,
-				errors.ErrMalformedEntity,
-				apiutil.ErrMissingID,
-				apiutil.ErrEmptyList,
-				apiutil.ErrMissingMemberType,
-				apiutil.ErrMissingMemberKind,
-				apiutil.ErrLimitSize,
-				apiutil.ErrNameSize,
-				svcerr.ErrViewEntity,
-			},
-			code: http.StatusBadRequest,
+			desc:    "RequestError - Missing Secret",
+			err:     apiutil.ErrMissingSecret,
+			code:    http.StatusBadRequest,
+			hasBody: true,
 		},
 		{
-			desc: "BadRequest with validation error",
-			errs: []error{
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrMissingSecret),
-				errors.Wrap(apiutil.ErrValidation, svcerr.ErrMalformedEntity),
-				errors.Wrap(apiutil.ErrValidation, errors.ErrMalformedEntity),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrMissingID),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrEmptyList),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrMissingMemberType),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrMissingMemberKind),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrLimitSize),
-				errors.Wrap(apiutil.ErrValidation, apiutil.ErrNameSize),
-			},
-			code: http.StatusBadRequest,
+			desc:    "RequestError - Missing ID",
+			err:     apiutil.ErrMissingID,
+			code:    http.StatusBadRequest,
+			hasBody: true,
 		},
 		{
-			desc: "Unauthorized",
-			errs: []error{
-				svcerr.ErrAuthentication,
-				svcerr.ErrAuthentication,
-				apiutil.ErrBearerToken,
-			},
-			code: http.StatusUnauthorized,
-		},
-
-		{
-			desc: "NotFound",
-			errs: []error{
-				svcerr.ErrNotFound,
-			},
-			code: http.StatusNotFound,
+			desc:    "RequestError - Empty List",
+			err:     apiutil.ErrEmptyList,
+			code:    http.StatusBadRequest,
+			hasBody: true,
 		},
 		{
-			desc: "Conflict",
-			errs: []error{
-				svcerr.ErrConflict,
-				svcerr.ErrConflict,
-			},
-			code: http.StatusConflict,
+			desc:    "RequestError - Conflict",
+			err:     svcerr.ErrConflict,
+			code:    http.StatusBadRequest,
+			hasBody: true,
 		},
 		{
-			desc: "Forbidden",
-			errs: []error{
-				svcerr.ErrAuthorization,
-				svcerr.ErrAuthorization,
-				svcerr.ErrDomainAuthorization,
-			},
-			code: http.StatusForbidden,
+			desc:    "NotFoundError - Not Found",
+			err:     svcerr.ErrNotFound,
+			code:    http.StatusNotFound,
+			hasBody: true,
 		},
 		{
-			desc: "UnsupportedMediaType",
-			errs: []error{
-				apiutil.ErrUnsupportedContentType,
-			},
-			code: http.StatusUnsupportedMediaType,
+			desc:    "AuthNError - Authentication Failed",
+			err:     svcerr.ErrAuthentication,
+			code:    http.StatusUnauthorized,
+			hasBody: true,
 		},
 		{
-			desc: "StatusUnprocessableEntity",
-			errs: []error{
-				svcerr.ErrCreateEntity,
-				svcerr.ErrUpdateEntity,
-				svcerr.ErrRemoveEntity,
-			},
-			code: http.StatusUnprocessableEntity,
+			desc:    "AuthZError - Authorization Failed",
+			err:     svcerr.ErrAuthorization,
+			code:    http.StatusForbidden,
+			hasBody: true,
 		},
 		{
-			desc: "InternalServerError",
-			errs: []error{
-				errors.New("test"),
-			},
-			code: http.StatusInternalServerError,
+			desc:    "AuthZError - Domain Authorization Failed",
+			err:     svcerr.ErrDomainAuthorization,
+			code:    http.StatusForbidden,
+			hasBody: true,
+		},
+		{
+			desc:    "MediaTypeError - Unsupported Content Type",
+			err:     apiutil.ErrUnsupportedContentType,
+			code:    http.StatusUnsupportedMediaType,
+			hasBody: true,
+		},
+		{
+			desc:    "ServiceError - Create Entity Failed",
+			err:     svcerr.ErrCreateEntity,
+			code:    http.StatusUnprocessableEntity,
+			hasBody: true,
+		},
+		{
+			desc:    "ServiceError - Update Entity Failed",
+			err:     svcerr.ErrUpdateEntity,
+			code:    http.StatusUnprocessableEntity,
+			hasBody: true,
+		},
+		{
+			desc:    "ServiceError - Remove Entity Failed",
+			err:     svcerr.ErrRemoveEntity,
+			code:    http.StatusUnprocessableEntity,
+			hasBody: true,
+		},
+		{
+			desc:    "InternalError",
+			err:     errors.NewInternalError(),
+			code:    http.StatusInternalServerError,
+			hasBody: false,
 		},
 	}

 	for _, c := range cases {
 		t.Run(c.desc, func(t *testing.T) {
 			responseWriter := newResponseWriter()
-			for _, err := range c.errs {
-				api.EncodeError(context.Background(), err, responseWriter)
-				assert.Equal(t, c.code, responseWriter.StatusCode())
-
-				message := body{}
-				jerr := json.Unmarshal(responseWriter.Body(), &message)
-				assert.NoError(t, jerr)
-
-				var wrapper error
-				switch errors.Contains(err, apiutil.ErrValidation) {
-				case true:
-					wrapper, err = errors.Unwrap(err)
-					assert.Equal(t, err.Error(), message.Error)
-					assert.Equal(t, wrapper.Error(), message.Message)
-				case false:
-					assert.Equal(t, err.Error(), message.Message)
-				}
+			api.EncodeError(context.Background(), c.err, responseWriter)
+			assert.Equal(t, c.code, responseWriter.StatusCode())
+			if !c.hasBody {
+				return
 			}
+			message := body{}
+			jerr := json.Unmarshal(responseWriter.Body(), &message)
+			assert.NoError(t, jerr)
+			assert.NotEmpty(t, message.Message)
 		})
 	}
 }
@@ -7,11 +7,11 @@ import (
 	"context"
 	"net/http"

-	"github.com/absmach/supermq"
+	"github.com/absmach/magistrala"
 	"github.com/go-chi/chi/v5/middleware"
 )

-func RequestIDMiddleware(idp supermq.IDProvider) func(http.Handler) http.Handler {
+func RequestIDMiddleware(idp magistrala.IDProvider) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			requestID, err := idp.ID()
@@ -3,275 +3,278 @@

 package util

-import "github.com/absmach/supermq/pkg/errors"
+import "github.com/absmach/magistrala/pkg/errors"

 // Errors defined in this file are used by the LoggingErrorEncoder decorator
 // to distinguish and log API request validation errors and avoid that service
 // errors are logged twice.
 var (
 	// ErrValidation indicates that an error was returned by the API.
-	ErrValidation = errors.New("something went wrong with the request")
+	ErrValidation = errors.NewRequestError("something went wrong with the request")

 	// ErrBearerToken indicates missing or invalid bearer user token.
-	ErrBearerToken = errors.New("missing or invalid bearer user token")
+	ErrBearerToken = errors.NewAuthNError("missing or invalid bearer user token")

 	// ErrBearerKey indicates missing or invalid bearer entity key.
-	ErrBearerKey = errors.New("missing or invalid bearer entity key")
+	ErrBearerKey = errors.NewAuthNError("missing or invalid bearer entity key")

 	// ErrMissingID indicates missing entity ID.
-	ErrMissingID = errors.New("missing entity id")
+	ErrMissingID = errors.NewRequestError("missing entity id")

 	// ErrMissingEntityID indicates missing entity ID.
-	ErrMissingEntityID = errors.New("missing entity id")
+	ErrMissingEntityID = errors.NewRequestError("missing entity id")

 	// ErrMissingClientID indicates missing client ID.
-	ErrMissingClientID = errors.New("missing cient id")
+	ErrMissingClientID = errors.NewRequestError("missing client id")

 	// ErrMissingChannelID indicates missing client ID.
-	ErrMissingChannelID = errors.New("missing channel id")
+	ErrMissingChannelID = errors.NewRequestError("missing channel id")

 	// ErrMissingConnectionType indicates missing connection tpye.
-	ErrMissingConnectionType = errors.New("missing connection type")
+	ErrMissingConnectionType = errors.NewRequestError("missing connection type")

 	// ErrMissingParentGroupID indicates missing parent group ID.
-	ErrMissingParentGroupID = errors.New("missing parent group id")
+	ErrMissingParentGroupID = errors.NewRequestError("missing parent group id")

 	// ErrMissingChildrenGroupIDs indicates missing children group IDs.
-	ErrMissingChildrenGroupIDs = errors.New("missing children group ids")
+	ErrMissingChildrenGroupIDs = errors.NewRequestError("missing children group ids")

 	// ErrSelfParentingNotAllowed indicates child id is same as parent id.
-	ErrSelfParentingNotAllowed = errors.New("self parenting not allowed")
+	ErrSelfParentingNotAllowed = errors.NewRequestError("self parenting not allowed")

 	// ErrInvalidChildGroupID indicates invalid child group ID.
-	ErrInvalidChildGroupID = errors.New("invalid child group id")
+	ErrInvalidChildGroupID = errors.NewRequestError("invalid child group id")

 	// ErrInvalidAuthKey indicates invalid auth key.
 	ErrInvalidAuthKey = errors.New("invalid auth key")

 	// ErrInvalidIDFormat indicates an invalid ID format.
-	ErrInvalidIDFormat = errors.New("invalid id format provided")
+	ErrInvalidIDFormat = errors.NewRequestError("invalid id format provided")

 	// ErrNameSize indicates that name size exceeds the max.
-	ErrNameSize = errors.New("invalid name size")
+	ErrNameSize = errors.NewRequestError("invalid name size")

 	// ErrEmailSize indicates that email size exceeds the max.
-	ErrEmailSize = errors.New("invalid email size")
+	ErrEmailSize = errors.NewRequestError("invalid email size")

 	// ErrInvalidRole indicates that an invalid role.
-	ErrInvalidRole = errors.New("invalid client role")
+	ErrInvalidRole = errors.NewRequestError("invalid client role")

 	// ErrLimitSize indicates that an invalid limit.
-	ErrLimitSize = errors.New("invalid limit size")
+	ErrLimitSize = errors.NewRequestError("invalid limit size")

 	// ErrLevel indicates that an invalid level.
-	ErrLevel = errors.New("invalid level")
+	ErrLevel = errors.NewRequestError("invalid level")

 	// ErrOffsetSize indicates an invalid offset.
-	ErrOffsetSize = errors.New("invalid offset size")
+	ErrOffsetSize = errors.NewRequestError("invalid offset size")

 	// ErrInvalidOrder indicates an invalid list order.
-	ErrInvalidOrder = errors.New("invalid list order provided")
+	ErrInvalidOrder = errors.NewRequestError("invalid list order provided")

 	// ErrInvalidDirection indicates an invalid list direction.
-	ErrInvalidDirection = errors.New("invalid list direction provided")
+	ErrInvalidDirection = errors.NewRequestError("invalid list direction provided")

 	// ErrInvalidMemberKind indicates an invalid member kind.
-	ErrInvalidMemberKind = errors.New("invalid member kind")
+	ErrInvalidMemberKind = errors.NewRequestError("invalid member kind")

 	// ErrEmptyList indicates that entity data is empty.
-	ErrEmptyList = errors.New("empty list provided")
+	ErrEmptyList = errors.NewRequestError("empty list provided")

 	// ErrMissingRoleName indicates that role name is empty.
-	ErrMissingRoleName = errors.New("empty role name")
+	ErrMissingRoleName = errors.NewRequestError("empty role name")

 	// ErrMissingRoleID indicates that role id is empty.
-	ErrMissingRoleID = errors.New("empty role id")
+	ErrMissingRoleID = errors.NewRequestError("empty role id")

 	// ErrMissingRoleOperations indicates that role operations are empty.
-	ErrMissingRoleOperations = errors.New("empty role operations")
+	ErrMissingRoleOperations = errors.NewRequestError("empty role operations")

 	// ErrMissingRoleMembers indicates that role members are empty.
-	ErrMissingRoleMembers = errors.New("empty role members")
+	ErrMissingRoleMembers = errors.NewRequestError("empty role members")

 	// ErrMalformedPolicy indicates that policies are malformed.
-	ErrMalformedPolicy = errors.New("malformed policy")
+	ErrMalformedPolicy = errors.NewRequestError("malformed policy")

 	// ErrMissingPolicySub indicates that policies are subject.
-	ErrMissingPolicySub = errors.New("malformed policy subject")
+	ErrMissingPolicySub = errors.NewRequestError("malformed policy subject")

 	// ErrMissingPolicyObj indicates missing policies object.
-	ErrMissingPolicyObj = errors.New("malformed policy object")
+	ErrMissingPolicyObj = errors.NewRequestError("malformed policy object")

 	// ErrMalformedPolicyAct indicates missing policies action.
-	ErrMalformedPolicyAct = errors.New("malformed policy action")
+	ErrMalformedPolicyAct = errors.NewRequestError("malformed policy action")

 	// ErrMissingPolicyEntityType indicates missing policies entity type.
-	ErrMissingPolicyEntityType = errors.New("missing policy entity type")
+	ErrMissingPolicyEntityType = errors.NewRequestError("missing policy entity type")

 	// ErrMalformedPolicyPer indicates missing policies relation.
-	ErrMalformedPolicyPer = errors.New("malformed policy permission")
+	ErrMalformedPolicyPer = errors.NewRequestError("malformed policy permission")

 	// ErrMissingCertData indicates missing cert data (ttl).
-	ErrMissingCertData = errors.New("missing certificate data")
+	ErrMissingCertData = errors.NewRequestError("missing certificate data")

 	// ErrInvalidCertData indicates invalid cert data (ttl).
-	ErrInvalidCertData = errors.New("invalid certificate data")
+	ErrInvalidCertData = errors.NewRequestError("invalid certificate data")

 	// ErrInvalidTopic indicates an invalid subscription topic.
-	ErrInvalidTopic = errors.New("invalid Subscription topic")
+	ErrInvalidTopic = errors.NewRequestError("invalid Subscription topic")

 	// ErrInvalidContact indicates an invalid subscription contract.
-	ErrInvalidContact = errors.New("invalid Subscription contact")
+	ErrInvalidContact = errors.NewRequestError("invalid Subscription contact")

 	// ErrMissingEmail indicates missing email.
-	ErrMissingEmail = errors.New("missing email")
+	ErrMissingEmail = errors.NewRequestError("missing email")

 	// ErrInvalidEmail indicates missing email.
-	ErrInvalidEmail = errors.New("invalid email")
+	ErrInvalidEmail = errors.NewRequestError("invalid email")

 	// ErrMissingHost indicates missing host.
-	ErrMissingHost = errors.New("missing host")
+	ErrMissingHost = errors.NewRequestError("missing host")

 	// ErrMissingPass indicates missing password.
-	ErrMissingPass = errors.New("missing password")
+	ErrMissingPass = errors.NewRequestError("missing password")

 	// ErrMissingConfPass indicates missing conf password.
-	ErrMissingConfPass = errors.New("missing conf password")
+	ErrMissingConfPass = errors.NewRequestError("missing conf password")

 	// ErrInvalidResetPass indicates an invalid reset password.
-	ErrInvalidResetPass = errors.New("invalid reset password")
+	ErrInvalidResetPass = errors.NewRequestError("invalid reset password")

 	// ErrInvalidComparator indicates an invalid comparator.
-	ErrInvalidComparator = errors.New("invalid comparator")
+	ErrInvalidComparator = errors.NewRequestError("invalid comparator")

 	// ErrMissingMemberIDs indicates missing member ids.
-	ErrMissingMemberIDs = errors.New("missing member ids")
+	ErrMissingMemberIDs = errors.NewRequestError("missing member ids")

 	// ErrMissingMemberType indicates missing group member type.
-	ErrMissingMemberType = errors.New("missing group member type")
+	ErrMissingMemberType = errors.NewRequestError("missing group member type")

 	// ErrMissingMemberKind indicates missing group member kind.
-	ErrMissingMemberKind = errors.New("missing group member kind")
+	ErrMissingMemberKind = errors.NewRequestError("missing group member kind")

 	// ErrMissingRelation indicates missing relation.
-	ErrMissingRelation = errors.New("missing relation")
+	ErrMissingRelation = errors.NewRequestError("missing relation")

 	// ErrInvalidRelation indicates an invalid relation.
-	ErrInvalidRelation = errors.New("invalid relation")
+	ErrInvalidRelation = errors.NewRequestError("invalid relation")

 	// ErrInvalidAPIKey indicates an invalid API key type.
-	ErrInvalidAPIKey = errors.New("invalid api key type")
+	ErrInvalidAPIKey = errors.NewRequestError("invalid api key type")

 	// ErrInvitationState indicates an invalid invitation state.
-	ErrInvitationState = errors.New("invalid invitation state")
+	ErrInvitationState = errors.NewRequestError("invalid invitation state")

 	// ErrMissingIdentity indicates missing entity Identity.
-	ErrMissingIdentity = errors.New("missing entity identity")
+	ErrMissingIdentity = errors.NewRequestError("missing entity identity")

 	// ErrMissingSecret indicates missing secret.
-	ErrMissingSecret = errors.New("missing secret")
+	ErrMissingSecret = errors.NewRequestError("missing secret")

 	// ErrPasswordFormat indicates weak password.
-	ErrPasswordFormat = errors.New("password does not meet the requirements")
+	ErrPasswordFormat = errors.NewRequestError("password does not meet the requirements")

 	// ErrMissingName indicates missing identity name.
-	ErrMissingName = errors.New("missing identity name")
+	ErrMissingName = errors.NewRequestError("missing identity name")

 	// ErrMissingRoute indicates missing route.
-	ErrMissingRoute = errors.New("missing route")
+	ErrMissingRoute = errors.NewRequestError("missing route")

 	// ErrInvalidLevel indicates an invalid group level.
-	ErrInvalidLevel = errors.New("invalid group level (should be between 0 and 5)")
+	ErrInvalidLevel = errors.NewRequestError("invalid group level (should be between 0 and 5)")

 	// ErrNotFoundParam indicates that the parameter was not found in the query.
-	ErrNotFoundParam = errors.New("parameter not found in the query")
+	ErrNotFoundParam = errors.NewRequestError("parameter not found in the query")

 	// ErrInvalidQueryParams indicates invalid query parameters.
-	ErrInvalidQueryParams = errors.New("invalid query parameters")
+	ErrInvalidQueryParams = errors.NewRequestError("invalid query parameters")

 	// ErrInvalidVisibilityType indicates invalid visibility type.
-	ErrInvalidVisibilityType = errors.New("invalid visibility type")
+	ErrInvalidVisibilityType = errors.NewRequestError("invalid visibility type")

 	// ErrUnsupportedContentType indicates unacceptable or lack of Content-Type.
-	ErrUnsupportedContentType = errors.New("unsupported content type")
+	ErrUnsupportedContentType = errors.NewMediaTypeError("unsupported content type")

 	// ErrRollbackTx indicates failed to rollback transaction.
-	ErrRollbackTx = errors.New("failed to rollback transaction")
+	ErrRollbackTx = errors.NewRequestError("failed to rollback transaction")

 	// ErrInvalidAggregation indicates invalid aggregation value.
-	ErrInvalidAggregation = errors.New("invalid aggregation value")
+	ErrInvalidAggregation = errors.NewRequestError("invalid aggregation value")

 	// ErrInvalidInterval indicates invalid interval value.
-	ErrInvalidInterval = errors.New("invalid interval value")
+	ErrInvalidInterval = errors.NewRequestError("invalid interval value")

 	// ErrMissingFrom indicates missing from value.
-	ErrMissingFrom = errors.New("missing from time value")
+	ErrMissingFrom = errors.NewRequestError("missing from time value")

 	// ErrMissingTo indicates missing to value.
-	ErrMissingTo = errors.New("missing to time value")
+	ErrMissingTo = errors.NewRequestError("missing to time value")

 	// ErrEmptyMessage indicates empty message.
-	ErrEmptyMessage = errors.New("empty message")
+	ErrEmptyMessage = errors.NewRequestError("empty message")

 	// ErrMissingEntityType indicates missing entity type.
-	ErrMissingEntityType = errors.New("missing entity type")
+	ErrMissingEntityType = errors.NewRequestError("missing entity type")

 	// ErrInvalidEntityType indicates invalid entity type.
-	ErrInvalidEntityType = errors.New("invalid entity type")
+	ErrInvalidEntityType = errors.NewRequestError("invalid entity type")

 	// ErrInvalidTimeFormat indicates invalid time format i.e not unix time.
-	ErrInvalidTimeFormat = errors.New("invalid time format use unix time")
+	ErrInvalidTimeFormat = errors.NewRequestError("invalid time format use unix time")

 	// ErrEmptySearchQuery indicates search query should not be empty.
-	ErrEmptySearchQuery = errors.New("search query must not be empty")
+	ErrEmptySearchQuery = errors.NewRequestError("search query must not be empty")

 	// ErrLenSearchQuery indicates search query length.
-	ErrLenSearchQuery = errors.New("search query must be at least 3 characters")
+	ErrLenSearchQuery = errors.NewRequestError("search query must be at least 3 characters")

 	// ErrMissingDomainID indicates missing domainID.
-	ErrMissingDomainID = errors.New("missing domainID")
+	ErrMissingDomainID = errors.NewRequestError("missing domainID")

 	// ErrMissingUsername indicates missing user name.
-	ErrMissingUsername = errors.New("missing username")
+	ErrMissingUsername = errors.NewRequestError("missing username")

 	// ErrInvalidUsername indicates invalid user name.
-	ErrInvalidUsername = errors.New("invalid username")
+	ErrInvalidUsername = errors.NewRequestError("invalid username")

 	// ErrMissingFirstName indicates missing first name.
-	ErrMissingFirstName = errors.New("missing first name")
+	ErrMissingFirstName = errors.NewRequestError("missing first name")

 	// ErrMissingLastName indicates missing last name.
-	ErrMissingLastName = errors.New("missing last name")
+	ErrMissingLastName = errors.NewRequestError("missing last name")

 	// ErrInvalidProfilePictureURL indicates that the profile picture url is invalid.
-	ErrInvalidProfilePictureURL = errors.New("invalid profile picture url")
+	ErrInvalidProfilePictureURL = errors.NewRequestError("invalid profile picture url")

-	ErrMultipleEntitiesFilter = errors.New("multiple entities are provided in filter are not supported")
+	ErrMultipleEntitiesFilter = errors.NewRequestError("multiple entities are provided in filter are not supported")

 	// ErrMissingDescription indicates missing description.
-	ErrMissingDescription = errors.New("missing description")
+	ErrMissingDescription = errors.NewRequestError("missing description")

 	// ErrUnsupportedTokenType indicates that this type of token is not supported.
-	ErrUnsupportedTokenType = errors.New("unsupported content token type")
+	ErrUnsupportedTokenType = errors.NewRequestError("unsupported content token type")

 	// ErrMissingUserID indicates missing user ID.
-	ErrMissingUserID = errors.New("missing user id")
+	ErrMissingUserID = errors.NewRequestError("missing user id")

 	// ErrMissingPATID indicates missing pat ID.
-	ErrMissingPATID = errors.New("missing pat id")
+	ErrMissingPATID = errors.NewRequestError("missing pat id")

 	// ErrInvalidNameFormat indicates invalid name format.
-	ErrInvalidNameFormat = errors.New("invalid name format")
+	ErrInvalidNameFormat = errors.NewRequestError("invalid name format")

 	// ErrInvalidRouteFormat indicates invalid route format.
-	ErrInvalidRouteFormat = errors.New("invalid route format")
+	ErrInvalidRouteFormat = errors.NewRequestError("invalid route format")

 	// ErrMissingUsernameEmail indicates missing user name / email.
-	ErrMissingUsernameEmail = errors.New("missing username / email")
+	ErrMissingUsernameEmail = errors.NewRequestError("missing username / email")

 	// ErrInvalidVerification indicates invalid email verification.
-	ErrInvalidVerification = errors.New("invalid verification")
+	ErrInvalidVerification = errors.NewRequestError("invalid verification")

 	// ErrEmailNotVerified indicates invalid email not verified.
-	ErrEmailNotVerified = errors.New("email not verified")
+	ErrEmailNotVerified = errors.NewRequestError("email not verified")
+
+	// ErrMalformedRequest indicates malformed request body.
+	ErrMalformedRequestBody = errors.NewRequestError("request body is not a valid JSON, expecting a valid JSON")
 )
@@ -8,11 +8,16 @@ import (
 	"strings"
 )

-// BearerPrefix represents the token prefix for Bearer authentication scheme.
-const BearerPrefix = "Bearer "
+const (
+	// BearerPrefix represents the token prefix for Bearer authentication scheme.
+	BearerPrefix = "Bearer "

-// ClientPrefix represents the key prefix for Client authentication scheme.
-const ClientPrefix = "Client "
+	// ClientPrefix represents the key prefix for Client authentication scheme.
+	ClientPrefix = "Client "
+
+	// BasicAuthPrefix represents the prefix for Basic authentication scheme.
+	BasicAuthPrefix = "Basic "
+)

 // ExtractBearerToken returns value of the bearer token. If there is no bearer token - an empty value is returned.
 func ExtractBearerToken(r *http.Request) string {
@@ -7,7 +7,7 @@ import (
 	"net/http"
 	"testing"

-	apiutil "github.com/absmach/supermq/api/http/util"
+	apiutil "github.com/absmach/magistrala/api/http/util"
 	"github.com/stretchr/testify/assert"
 )

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"strconv"

-	"github.com/absmach/supermq/pkg/errors"
+	"github.com/absmach/magistrala/pkg/errors"
 	kithttp "github.com/go-kit/kit/transport/http"
 )

@@ -11,10 +11,10 @@ import (
 	"net/url"
 	"testing"

-	apiutil "github.com/absmach/supermq/api/http/util"
-	smqlog "github.com/absmach/supermq/logger"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	mglog "github.com/absmach/magistrala/logger"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 	"github.com/stretchr/testify/assert"
 )

@@ -355,7 +355,7 @@ func TestLoggingErrorEncoder(t *testing.T) {
 				encCalled = true
 			}

-			errorEncoder := apiutil.LoggingErrorEncoder(smqlog.NewMock(), encFunc)
+			errorEncoder := apiutil.LoggingErrorEncoder(mglog.NewMock(), encFunc)
 			errorEncoder(context.Background(), c.err, httptest.NewRecorder())

 			assert.True(t, encCalled)
@@ -2,21 +2,21 @@
 # SPDX-License-Identifier: Apache-2.0

 asyncapi: '2.6.0'
-id: 'https://github.com/absmach/supermq/blob/main/api/asyncapi/mqtt.yaml'
+id: 'https://github.com/absmach/magistrala/blob/main/api/asyncapi/mqtt.yaml'
 info:
-  title: SuperMQ MQTT Adapter
+  title: Magistrala MQTT Adapter
  version: '0.18.0'
  contact:
-    name: SuperMQ Team
-    url: 'https://github.com/absmach/supermq'
-    email: info@abstractmachines.fr
+    name: Magistrala Team
+    url: 'https://github.com/absmach/magistrala'
+    email: info@absmach.eu
  description: |
    MQTT adapter provides an MQTT API for sending messages through the platform. MQTT adapter uses [mProxy](https://github.com/absmach/mproxy) for proxying traffic between client and MQTT broker.
    Additionally, the MQTT adapter and the message broker are replicating the traffic between brokers.

  license:
    name: Apache 2.0
-    url: 'https://github.com/absmach/supermq/blob/main/LICENSE'
+    url: 'https://github.com/absmach/magistrala/blob/main/LICENSE'


 defaultContentType: application/json
@@ -2,18 +2,18 @@
 # SPDX-License-Identifier: Apache-2.0

 asyncapi: 2.6.0
-id: 'https://github.com/absmach/supermq/blob/main/api/asyncapi/websocket.yaml'
+id: 'https://github.com/absmach/magistrala/blob/main/api/asyncapi/websocket.yaml'
 info:
-  title: SuperMQ WebSocket adapter
+  title: Magistrala WebSocket adapter
  description: WebSocket adapter provides a WebSocket API for sending messages through communication channels. WebSocket adapter uses [mProxy](https://github.com/absmach/mproxy) for proxying traffic between client and MQTT broker.
  version: '0.18.0'
  contact:
-    name: SuperMQ Team
-    url: 'https://github.com/absmach/supermq'
-    email: info@abstractmachines.fr
+    name: Magistrala Team
+    url: 'https://github.com/absmach/magistrala'
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: 'https://github.com/absmach/supermq/blob/main/LICENSE'
+    url: 'https://github.com/absmach/magistrala/blob/main/LICENSE'
 tags:
  - name: WebSocket
 defaultContentType: application/json
@@ -28,8 +28,8 @@ servers:
        description: Hostname of the WebSocket adapter
        default: localhost
      port:
-        description: SuperMQ WebSocket Adapter port
-        default: '8186'
+        description: Magistrala WebSocket Adapter port
+        default: '8008'

 channels:
  'm/{domainPrefix}/c/{channelPrefix}/{subtopic}':
@@ -74,7 +74,7 @@ channels:
        - bearerAuth: []
  /version:
    subscribe:
-      summary: Get the version of the SuperMQ adapter
+      summary: Get the version of the Magistrala adapter
      operationId: getVersion
      bindings:
        http:
@@ -1,5 +1,5 @@
-# SuperMQ OpenAPI Specification
+# Magistrala OpenAPI Specification

-This folder contains an OpenAPI specifications for SuperMQ API.
+This folder contains an OpenAPI specifications for Magistrala API.

-View specification in Swagger UI at [docs.api.supermq.abstractmachines.fr](https://docs.api.supermq.abstractmachines.fr)
+View specification in Swagger UI at [docs.api.magistrala.absmach.eu](https://docs.api.magistrala.absmach.eu)
@@ -0,0 +1,508 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Alarms API
+  description: |
+    HTTP API for managing alarms service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:8050
+  - url: https://localhost:8050
+
+tags:
+  - name: alarms
+    description: Everything about your Alarms
+    externalDocs:
+      description: Find out more about alarms
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/alarms:
+    get:
+      operationId: listAlarms
+      summary: List Alarms
+      description: |
+        Retrieves a list of alarms with optional filtering
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+        - $ref: '#/components/parameters/Order'
+        - $ref: '#/components/parameters/Dir'
+        - $ref: '#/components/parameters/ChannelID'
+        - $ref: '#/components/parameters/ClientID'
+        - $ref: '#/components/parameters/Subtopic'
+        - $ref: '#/components/parameters/RuleID'
+        - $ref: '#/components/parameters/Status'
+        - $ref: '#/components/parameters/AssigneeID'
+        - $ref: '#/components/parameters/Severity'
+        - $ref: '#/components/parameters/UpdatedBy'
+        - $ref: '#/components/parameters/AssignedBy'
+        - $ref: '#/components/parameters/AcknowledgedBy'
+        - $ref: '#/components/parameters/ResolvedBy'
+        - $ref: '#/components/parameters/CreatedFrom'
+        - $ref: '#/components/parameters/CreatedTo'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmsPageRes'
+        '400':
+          description: Failed due to malformed query parameters
+        '401':
+          description: Missing or invalid access token
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/alarms/{alarmID}:
+    get:
+      operationId: viewAlarm
+      summary: View Alarm
+      description: Retrieves an alarm by ID
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmRes'
+        '400':
+          description: Missing or invalid alarm ID
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    put:
+      operationId: updateAlarm
+      summary: Update Alarm
+      description: Updates an existing alarm
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/AlarmUpdateReq'
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '415':
+          description: Missing or invalid content type
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    delete:
+      operationId: deleteAlarm
+      summary: Delete Alarm
+      description: Deletes an alarm
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Alarm deleted successfully
+        '400':
+          description: Failed due to malformed alarm ID
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /health:
+    get:
+      summary: Retrieves service health check info
+      tags:
+        - health
+      security: []
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+components:
+  schemas:
+    Alarm:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Unique alarm identifier
+          readOnly: true
+        rule_id:
+          type: string
+          description: Rule ID that triggered this alarm
+        domain_id:
+          type: string
+          description: Domain ID this alarm belongs to
+        channel_id:
+          type: string
+          description: Channel ID where the alarm was triggered
+        client_id:
+          type: string
+          description: Client ID that triggered the alarm
+        subtopic:
+          type: string
+          description: Subtopic associated with the alarm
+        status:
+          type: string
+          description: Alarm status
+          enum: [active, cleared]
+        measurement:
+          type: string
+          description: Measurement that triggered the alarm
+        value:
+          type: string
+          description: Value that triggered the alarm
+        unit:
+          type: string
+          description: Unit of measurement
+        threshold:
+          type: string
+          description: Threshold value that was exceeded
+        cause:
+          type: string
+          description: Cause or description of the alarm
+        severity:
+          type: integer
+          description: Severity level (0-100)
+          minimum: 0
+          maximum: 100
+        assignee_id:
+          type: string
+          description: ID of the user assigned to this alarm
+        created_at:
+          type: string
+          format: date-time
+          description: Creation timestamp
+          readOnly: true
+        updated_at:
+          type: string
+          format: date-time
+          description: Last update timestamp
+          readOnly: true
+        updated_by:
+          type: string
+          description: User who last updated the alarm
+          readOnly: true
+        assigned_at:
+          type: string
+          format: date-time
+          description: When the alarm was assigned
+          readOnly: true
+        assigned_by:
+          type: string
+          description: User who assigned the alarm
+          readOnly: true
+        acknowledged_at:
+          type: string
+          format: date-time
+          description: When the alarm was acknowledged
+          readOnly: true
+        acknowledged_by:
+          type: string
+          description: User who acknowledged the alarm
+          readOnly: true
+        resolved_at:
+          type: string
+          format: date-time
+          description: When the alarm was resolved
+          readOnly: true
+        resolved_by:
+          type: string
+          description: User who resolved the alarm
+          readOnly: true
+        metadata:
+          type: object
+          description: Custom metadata
+          additionalProperties: true
+
+    AlarmsPage:
+      type: object
+      properties:
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval
+          minimum: 0
+          default: 0
+        limit:
+          type: integer
+          description: Size of the subset to retrieve
+          minimum: 1
+          maximum: 1000
+          default: 10
+        total:
+          type: integer
+          description: Total number of results
+          minimum: 0
+        alarms:
+          type: array
+          minItems: 0
+          items:
+            $ref: '#/components/schemas/Alarm'
+      required:
+        - alarms
+        - total
+        - offset
+        - limit
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Domain ID
+      in: path
+      required: true
+      schema:
+        type: string
+    AlarmID:
+      name: alarmID
+      description: Alarm ID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      description: Number of items to skip
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+        maximum: 1000
+    Order:
+      name: order
+      description: Order by field
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [created_at, updated_at]
+        default: created_at
+    Dir:
+      name: dir
+      description: Sort direction
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [asc, desc]
+        default: desc
+    ChannelID:
+      name: channel_id
+      description: Filter by channel ID
+      in: query
+      required: false
+      schema:
+        type: string
+    ClientID:
+      name: client_id
+      description: Filter by client ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Subtopic:
+      name: subtopic
+      description: Filter by subtopic
+      in: query
+      required: false
+      schema:
+        type: string
+    RuleID:
+      name: rule_id
+      description: Filter by rule ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Status:
+      name: status
+      description: Filter by alarm status
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [active, cleared, all]
+        default: all
+    AssigneeID:
+      name: assignee_id
+      description: Filter by assignee ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Severity:
+      name: severity
+      description: Filter by severity level
+      in: query
+      required: false
+      schema:
+        type: integer
+        minimum: 0
+        maximum: 100
+    UpdatedBy:
+      name: updated_by
+      description: Filter by user who updated
+      in: query
+      required: false
+      schema:
+        type: string
+    AssignedBy:
+      name: assigned_by
+      description: Filter by user who assigned
+      in: query
+      required: false
+      schema:
+        type: string
+    AcknowledgedBy:
+      name: acknowledged_by
+      description: Filter by user who acknowledged
+      in: query
+      required: false
+      schema:
+        type: string
+    ResolvedBy:
+      name: resolved_by
+      description: Filter by user who resolved
+      in: query
+      required: false
+      schema:
+        type: string
+    CreatedFrom:
+      name: created_from
+      description: Filter alarms created after this time (RFC3339 format)
+      in: query
+      required: false
+      schema:
+        type: string
+        format: date-time
+    CreatedTo:
+      name: created_to
+      description: Filter alarms created before this time (RFC3339 format)
+      in: query
+      required: false
+      schema:
+        type: string
+        format: date-time
+
+  requestBodies:
+    AlarmUpdateReq:
+      description: JSON-formatted document describing the alarm update
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                type: string
+                description: Alarm status
+                enum: [active, cleared]
+              assignee_id:
+                type: string
+                description: ID of the user assigned to this alarm
+              severity:
+                type: integer
+                description: Severity level (0-100)
+                minimum: 0
+                maximum: 100
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties: true
+
+  responses:
+    AlarmRes:
+      description: Alarm data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Alarm'
+      links:
+        update:
+          operationId: updateAlarm
+          parameters:
+            alarmID: $response.body#/id
+            domainID: $response.body#/domain_id
+        delete:
+          operationId: deleteAlarm
+          parameters:
+            alarmID: $response.body#/id
+            domainID: $response.body#/domain_id
+    AlarmsPageRes:
+      description: Alarms page retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/AlarmsPage'
+    ServiceError:
+      description: Unexpected server-side error occurred
+    HealthRes:
+      description: Service Health Check
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Auth Service
+  title: Magistrala Auth Service
  description: |
    This is the Auth Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform users. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: Everything about your Keys.
    externalDocs:
      description: Find out more about keys
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: PATs
    description: Everything about your Personal Access Tokens.
    externalDocs:
      description: Find out more about Personal Access Tokens
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Service health check endpoint.
    externalDocs:
      description: Find out more about health check
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /keys:
@@ -81,6 +81,8 @@ paths:
          description: Missing or invalid access token provided.
        "404":
          description: A non-existent entity request.
+        "422":
+          description: Service can't process request.
        "500":
          $ref: "#/components/responses/ServiceError"

@@ -100,6 +102,8 @@ paths:
          description: Missing or invalid access token provided.
        "404":
          description: A non-existent entity request.
+        "422":
+          description: Service can't process request.
        "500":
          $ref: "#/components/responses/ServiceError"

@@ -124,7 +128,7 @@ paths:
          description: Missing or invalid content type.
        "500":
          $ref: "#/components/responses/ServiceError"
-    
+
    get:
      operationId: listPATs
      tags:
@@ -144,7 +148,7 @@ paths:
          description: Missing or invalid access token provided.
        "500":
          $ref: "#/components/responses/ServiceError"
-    
+
    delete:
      operationId: clearAllPATs
      tags:
@@ -159,7 +163,7 @@ paths:
          description: Missing or invalid access token provided.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}:
    get:
      operationId: retrievePAT
@@ -181,7 +185,7 @@ paths:
          description: PAT not found.
        "500":
          $ref: "#/components/responses/ServiceError"
-    
+
    delete:
      operationId: deletePAT
      tags:
@@ -200,7 +204,7 @@ paths:
          description: PAT not found.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/name:
    patch:
      operationId: updatePATName
@@ -226,7 +230,7 @@ paths:
          description: Missing or invalid content type.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/description:
    patch:
      operationId: updatePATDescription
@@ -252,7 +256,7 @@ paths:
          description: Missing or invalid content type.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/secret/reset:
    patch:
      operationId: resetPATSecret
@@ -278,7 +282,7 @@ paths:
          description: Missing or invalid content type.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/secret/revoke:
    patch:
      operationId: revokePATSecret
@@ -298,7 +302,7 @@ paths:
          description: PAT not found.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/scope:
    get:
      operationId: listScopes
@@ -322,7 +326,7 @@ paths:
          description: PAT not found.
        "500":
          $ref: "#/components/responses/ServiceError"
-    
+
    delete:
      operationId: clearAllScopes
      tags:
@@ -341,7 +345,7 @@ paths:
          description: PAT not found.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/scope/add:
    patch:
      operationId: addScope
@@ -369,7 +373,7 @@ paths:
          description: Database cannot process the request.
        "500":
          $ref: "#/components/responses/ServiceError"
-  
+
  /pats/{patID}/scope/remove:
    patch:
      operationId: removeScope
@@ -396,7 +400,6 @@ paths:
        "500":
          $ref: "#/components/responses/ServiceError"

-
  /health:
    get:
      summary: Retrieves service health check info.
@@ -465,7 +468,7 @@ components:
          format: date-time
          example: "2019-11-26T13:31:52Z"
          description: Time when the PAT was revoked
-    
+
    PATsPage:
      type: object
      properties:
@@ -486,20 +489,10 @@ components:
          items:
            $ref: "#/components/schemas/PAT"
          description: List of Personal Access Tokens
-    
+
    Scope:
      type: object
      properties:
-        id:
-          type: string
-          format: uuid
-          example: "c5747f2f-2a7c-4fe1-b41a-51a5ae290945"
-          description: Scope unique identifier
-        pat_id:
-          type: string
-          format: uuid
-          example: "9118de62-c680-46b7-ad0a-21748a52833a"
-          description: PAT ID this scope belongs to
        optional_domain_id:
          type: string
          format: uuid
@@ -507,7 +500,8 @@ components:
          description: Optional domain ID for the scope
        entity_type:
          type: string
-          enum: [groups, channels, clients, domains, users, dashboards, messages]
+          enum:
+            [groups, channels, clients, domains, users, dashboards, messages]
          example: "groups"
          description: Type of entity the scope applies to
        entity_id:
@@ -516,10 +510,21 @@ components:
          description: ID of the entity the scope applies to. '*' means all entities of the specified type.
        operation:
          type: string
-          enum: [create, read, list, update, delete, share, unshare, publish, subscribe]
+          enum:
+            [
+              create,
+              read,
+              list,
+              update,
+              delete,
+              share,
+              unshare,
+              publish,
+              subscribe,
+            ]
          example: "read"
          description: Operation allowed by this scope
-    
+
    ScopesPage:
      type: object
      properties:
@@ -679,9 +684,11 @@ components:
            type: object
            required:
              - name
+              - duration
            properties:
              name:
                type: string
+                minLength: 1
                example: "My PAT"
                description: Name of the Personal Access Token
              description:
@@ -690,9 +697,10 @@ components:
                description: Description of the Personal Access Token
              duration:
                type: string
+                pattern: "^[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)$"
                example: "30d"
                description: Duration for which the PAT is valid. Format is a duration string (e.g. "30d", "24h", "1y").
-    
+
    UpdatePATNameRequest:
      description: JSON-formatted document describing PAT name update request.
      required: true
@@ -707,7 +715,7 @@ components:
                type: string
                example: "New PAT Name"
                description: New name for the Personal Access Token
-    
+
    UpdatePATDescriptionRequest:
      description: JSON-formatted document describing PAT description update request.
      required: true
@@ -722,7 +730,7 @@ components:
                type: string
                example: "New PAT Description"
                description: New description for the Personal Access Token
-    
+
    ResetPATSecretRequest:
      description: JSON-formatted document describing PAT secret reset request.
      required: true
@@ -730,12 +738,15 @@ components:
        application/json:
          schema:
            type: object
+            required:
+              - duration
            properties:
              duration:
                type: string
+                pattern: "^[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)$"
                example: "30d"
                description: Duration for which the new PAT secret is valid. Format is a duration string (e.g. "30d", "24h", "1y").
-    
+
    AddScopeRequest:
      description: JSON-formatted document describing add scope request.
      required: true
@@ -751,7 +762,7 @@ components:
                items:
                  $ref: "#/components/schemas/Scope"
                description: List of scopes to add
-    
+
    RemoveScopeRequest:
      description: JSON-formatted document describing remove scope request.
      required: true
@@ -793,14 +804,14 @@ components:
        application/json:
          schema:
            $ref: "#/components/schemas/PAT"
-    
+
    PATsPageRes:
      description: Page of Personal Access Tokens.
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/PATsPage"
-    
+
    ScopesPageRes:
      description: Page of scopes.
      content:
@@ -0,0 +1,722 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.3
+info:
+  title: Certs Service API
+  description: |
+    Certificate management service for issuing, renewing, revoking, and managing X.509 certificates.
+    This service provides PKI functionality including certificate lifecycle management, OCSP responder,
+    and CRL generation.
+  version: 1.0.0
+  contact:
+    name: Abstract Machines
+  license:
+    name: Apache-2.0
+    url: https://www.apache.org/licenses/LICENSE-2.0.html
+
+servers:
+  - url: http://localhost:9019
+    description: Development server
+
+tags:
+  - name: certificates
+    description: Certificate lifecycle management operations
+  - name: pki
+    description: PKI infrastructure operations (OCSP, CRL, CA)
+  - name: health
+    description: Service health and monitoring
+
+security:
+  - BearerAuth: []
+
+paths:
+  /{domainID}/certs/issue/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue a new certificate
+      description: Issues a new X.509 certificate for the specified entity with custom subject options
+      operationId: issueCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueCertRequest'
+      responses:
+        '201':
+          description: Certificate successfully issued
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CertificateResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}/renew:
+    patch:
+      tags:
+        - certificates
+      summary: Renew a certificate
+      description: Renews an existing certificate with extended TTL and new serial number
+      operationId: renewCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '200':
+          description: Certificate successfully renewed
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenewCertResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}/revoke:
+    patch:
+      tags:
+        - certificates
+      summary: Revoke a certificate
+      description: Revokes a certificate by its serial number
+      operationId: revokeCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '204':
+          description: Certificate successfully revoked
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '422':
+          $ref: '#/components/responses/UnprocessableEntity'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{entityID}/delete:
+    delete:
+      tags:
+        - certificates
+      summary: Delete certificates for an entity
+      description: Deletes all certificates associated with the specified entity
+      operationId: deleteCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+      responses:
+        '204':
+          description: Certificates successfully deleted
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '422':
+          $ref: '#/components/responses/UnprocessableEntity'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs:
+    get:
+      tags:
+        - certificates
+      summary: List certificates
+      description: Retrieves a paginated list of certificates with optional filtering by entity ID
+      operationId: listCerts
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+        - $ref: '#/components/parameters/EntityIDFilter'
+      responses:
+        '200':
+          description: Certificates successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CertificateListResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}:
+    get:
+      tags:
+        - certificates
+      summary: View certificate details
+      description: Retrieves detailed information about a specific certificate by serial number
+      operationId: viewCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '200':
+          description: Certificate details successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ViewCertResponse'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/csrs/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue certificate from CSR
+      description: Issues a certificate from a Certificate Signing Request (CSR)
+      operationId: issueFromCSR
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+        - $ref: '#/components/parameters/TTL'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueFromCSRRequest'
+      responses:
+        '200':
+          description: Certificate successfully issued from CSR
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IssueFromCSRResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/csrs/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue certificate from CSR (Internal)
+      description: Issues a certificate from a CSR using internal agent authentication
+      operationId: issueFromCSRInternal
+      security:
+        - AgentAuth: []
+      parameters:
+        - $ref: '#/components/parameters/EntityID'
+        - $ref: '#/components/parameters/TTL'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueFromCSRRequest'
+      responses:
+        '200':
+          description: Certificate successfully issued from CSR
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IssueFromCSRResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/ocsp:
+    post:
+      tags:
+        - pki
+      summary: OCSP responder
+      description: |
+        Online Certificate Status Protocol (OCSP) responder endpoint.
+        Accepts both binary OCSP requests and JSON format requests.
+      operationId: ocsp
+      security: []
+      parameters:
+        - name: force_status
+          in: query
+          description: Force a specific OCSP status for testing
+          required: false
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/ocsp-request:
+            schema:
+              type: string
+              format: binary
+              description: DER-encoded OCSP request
+          application/json:
+            schema:
+              $ref: '#/components/schemas/OCSPRequest'
+      responses:
+        '200':
+          description: OCSP response
+          content:
+            application/ocsp-response:
+              schema:
+                type: string
+                format: binary
+                description: DER-encoded OCSP response
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/crl:
+    get:
+      tags:
+        - pki
+      summary: Generate Certificate Revocation List
+      description: Generates and returns the current Certificate Revocation List (CRL)
+      operationId: generateCRL
+      security: []
+      responses:
+        '200':
+          description: CRL successfully generated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CRLResponse'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/view-ca:
+    get:
+      tags:
+        - pki
+      summary: View CA certificate
+      description: Retrieves the CA certificate chain (root and intermediate certificates)
+      operationId: viewCA
+      security: []
+      responses:
+        '200':
+          description: CA certificate successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ViewCertResponse'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/download-ca:
+    get:
+      tags:
+        - pki
+      summary: Download CA certificate
+      description: Downloads the CA certificate as a ZIP file
+      operationId: downloadCA
+      security: []
+      responses:
+        '200':
+          description: CA certificate ZIP file
+          content:
+            application/zip:
+              schema:
+                type: string
+                format: binary
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /metrics:
+    get:
+      tags:
+        - health
+      summary: Prometheus metrics
+      description: Returns Prometheus metrics for monitoring
+      operationId: metrics
+      security: []
+      responses:
+        '200':
+          description: Metrics successfully retrieved
+          content:
+            text/plain:
+              schema:
+                type: string
+
+components:
+  securitySchemes:
+    BearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: User authentication token
+    AgentAuth:
+      type: http
+      scheme: bearer
+      description: Agent authentication token for internal operations
+
+  parameters:
+    DomainID:
+      name: domainID
+      in: path
+      required: true
+      description: Domain identifier
+      schema:
+        type: string
+    EntityID:
+      name: entityID
+      in: path
+      required: true
+      description: Entity identifier for the certificate
+      schema:
+        type: string
+    CertID:
+      name: id
+      in: path
+      required: true
+      description: Certificate serial number
+      schema:
+        type: string
+    Offset:
+      name: offset
+      in: query
+      description: Number of items to skip
+      schema:
+        type: integer
+        minimum: 0
+        default: 0
+    Limit:
+      name: limit
+      in: query
+      description: Maximum number of items to return
+      schema:
+        type: integer
+        minimum: 1
+        maximum: 100
+        default: 10
+    EntityIDFilter:
+      name: entity_id
+      in: query
+      description: Filter certificates by entity ID
+      schema:
+        type: string
+    TTL:
+      name: ttl
+      in: query
+      description: Time to live for the certificate (e.g., "8760h", "365d")
+      schema:
+        type: string
+
+  schemas:
+    IssueCertRequest:
+      type: object
+      required:
+        - options
+      properties:
+        ttl:
+          type: string
+          description: Time to live for the certificate (e.g., "8760h" for 1 year)
+          example: "8760h"
+        ip_addresses:
+          type: array
+          items:
+            type: string
+          description: IP addresses to include in the certificate
+          example: ["192.168.1.1", "10.0.0.1"]
+        options:
+          $ref: '#/components/schemas/SubjectOptions'
+
+    SubjectOptions:
+      type: object
+      required:
+        - common_name
+      properties:
+        common_name:
+          type: string
+          description: Common Name (CN) for the certificate subject
+          example: "example.com"
+        organization:
+          type: array
+          items:
+            type: string
+          description: Organization (O)
+          example: ["Abstract Machines"]
+        organizational_unit:
+          type: array
+          items:
+            type: string
+          description: Organizational Unit (OU)
+          example: ["Engineering"]
+        country:
+          type: array
+          items:
+            type: string
+          description: Country (C)
+          example: ["US"]
+        province:
+          type: array
+          items:
+            type: string
+          description: Province or State (ST)
+          example: ["California"]
+        locality:
+          type: array
+          items:
+            type: string
+          description: Locality or City (L)
+          example: ["San Francisco"]
+        street_address:
+          type: array
+          items:
+            type: string
+          description: Street Address
+          example: ["123 Main St"]
+        postal_code:
+          type: array
+          items:
+            type: string
+          description: Postal Code
+          example: ["94105"]
+        dns_names:
+          type: array
+          items:
+            type: string
+          description: DNS names for Subject Alternative Names
+          example: ["example.com", "www.example.com"]
+        ip_addresses:
+          type: array
+          items:
+            type: string
+          description: IP addresses for Subject Alternative Names
+          example: ["192.168.1.1"]
+
+    CertificateResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Unique serial number of the certificate
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        key:
+          type: string
+          description: PEM-encoded private key
+          example: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+        revoked:
+          type: boolean
+          description: Whether the certificate is revoked
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Certificate expiration time
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Entity identifier associated with the certificate
+          example: "entity-123"
+
+    RenewCertResponse:
+      type: object
+      properties:
+        certificate:
+          $ref: '#/components/schemas/ViewCertResponse'
+
+    ViewCertResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Certificate serial number
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        key:
+          type: string
+          description: PEM-encoded private key
+          example: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+        revoked:
+          type: boolean
+          description: Revocation status
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Expiration timestamp
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Associated entity identifier
+          example: "entity-123"
+
+    CertificateListResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+          format: uint64
+          description: Total number of certificates
+          example: 100
+        offset:
+          type: integer
+          format: uint64
+          description: Current offset
+          example: 0
+        limit:
+          type: integer
+          format: uint64
+          description: Current limit
+          example: 10
+        certificates:
+          type: array
+          items:
+            $ref: '#/components/schemas/ViewCertResponse'
+
+    IssueFromCSRRequest:
+      type: object
+      required:
+        - csr
+      properties:
+        csr:
+          type: string
+          format: byte
+          description: PEM-encoded Certificate Signing Request
+          example: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K..."
+
+    IssueFromCSRResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Serial number of the issued certificate
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        revoked:
+          type: boolean
+          description: Revocation status
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Expiration timestamp
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Associated entity identifier
+          example: "entity-123"
+
+    OCSPRequest:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Certificate serial number to check
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate to check
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        status:
+          type: string
+          description: Force a specific status (for testing)
+          enum: [good, revoked, unknown]
+
+    CRLResponse:
+      type: object
+      properties:
+        crl:
+          type: string
+          format: byte
+          description: DER-encoded Certificate Revocation List
+
+    Error:
+      type: object
+      properties:
+        error:
+          type: string
+          description: Error message
+          example: "invalid request"
+
+  responses:
+    BadRequest:
+      description: Bad request - invalid parameters or malformed request
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    Unauthorized:
+      description: Unauthorized - invalid or missing authentication token
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    NotFound:
+      description: Resource not found
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    UnprocessableEntity:
+      description: Unprocessable entity - request cannot be processed
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    InternalServerError:
+      description: Internal server error
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: './schemas/health_info.yaml'
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Channels Service
+  title: Magistrala Channels Service
  description: |
    This is the Channels Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform channels. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your channels
    externalDocs:
      description: Find out more about channels
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Connections
    description: All operations involving channel and client connections
    externalDocs:
      description: Find out more about channel and client connections
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/channels:
@@ -89,6 +89,7 @@ paths:
        - $ref: "#/components/parameters/Offset"
        - $ref: "#/components/parameters/Order"
        - $ref: "#/components/parameters/Direction"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Metadata"
        - $ref: "#/components/parameters/Status"
        - $ref: "#/components/parameters/ChannelName"
@@ -101,6 +102,8 @@ paths:
        - $ref: "#/components/parameters/Client"
        - $ref: "#/components/parameters/Group"
        - $ref: "#/components/parameters/User"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/ChannelPageRes"
@@ -656,9 +659,7 @@ components:
          example: 10
          description: Maximum number of items to return in one page.
      required:
-        - channels
        - total
-        - offset

    ChannelUpdate:
      type: object
@@ -705,7 +706,10 @@ components:
          type: array
          description: Connection types.
          items:
-            example: publish
+            type: string
+            enum:
+              - publish
+              - subscribe

    ChannelConnectionReqSchema:
      type: object
@@ -719,7 +723,10 @@ components:
          type: array
          description: Connection types.
          items:
-            example: publish
+            type: string
+            enum:
+              - publish
+              - subscribe

    Error:
      type: object
@@ -776,16 +783,12 @@ components:

    Tags:
      name: tags
-      description: Client tags.
+      description: Channel tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    ChannelName:
      name: name
@@ -831,7 +834,6 @@ components:
      in: query
      schema:
        type: string
-        minimum: 0
      required: false

    Limit:
@@ -844,7 +846,7 @@ components:
        maximum: 100
        minimum: 1
      required: false
-      example: "100"
+      example: 100

    Offset:
      name: offset
@@ -855,8 +857,8 @@ components:
        default: 0
        minimum: 0
      required: false
-      example: "0"
-    
+      example: 0
+
    Order:
      name: order
      description: Field by which to order the results
@@ -944,6 +946,26 @@ components:
      required: false
      example: bb7edb32-2eac-4aad-aebe-ed96fe073879

+    CreatedFrom:
+      name: created_from
+      description: Filter channels created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter channels created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
  requestBodies:
    ChannelCreateReq:
      description: JSON-formatted document describing the new channel to be registered
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Clients Service
+  title: Magistrala Clients Service
  description: |
    This is the Clients Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform clients. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your clients
    externalDocs:
      description: Find out more about clients
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for clients
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/clients:
@@ -100,6 +100,8 @@ paths:
        - $ref: "#/components/parameters/ConnectionType"
        - $ref: "#/components/parameters/Group"
        - $ref: "#/components/parameters/User"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      security:
        - bearerAuth: []
      responses:
@@ -181,7 +183,7 @@ paths:

    patch:
      operationId: updateClient
-      summary: Updates name and metadata of the client.
+      summary: Updates name, metadata, and private metadata of the client.
      description: |
        Update is performed by replacing the current resource data with values
        provided in a request payload. Note that the client's type and ID
@@ -323,7 +325,7 @@ paths:
        - bearerAuth: []
      responses:
        "200":
-          $ref: "#/components/responses/ClientRes"
+          $ref: "#/components/responses/DisabledClientRes"
        "400":
          description: Failed due to malformed client's ID.
        "401":
@@ -943,10 +945,14 @@ components:
              example: bb7edb32-2eac-4aad-aebe-ed96fe073879
              minimum: 8
              description: Free-form account secret used for acquiring auth token(s).
+        private_metadata:
+          type: object
+          example: { "model": "example" }
+          description: Arbitrary, object-encoded client's data private to the client.
        metadata:
          type: object
          example: { "model": "example" }
-          description: Arbitrary, object-encoded client's data.
+          description: Arbitrary, object-encoded client's data visible to other clients.
        status:
          type: string
          description: Client Status
@@ -1001,10 +1007,14 @@ components:
              type: string
              example: bb7edb32-2eac-4aad-aebe-ed96fe073879
              description: Client secret password.
+        private_metadata:
+          type: object
+          example: { "model": "example" }
+          description: Arbitrary, object-encoded client's data private to the client.
        metadata:
          type: object
          example: { "model": "example" }
-          description: Arbitrary, object-encoded client's data.
+          description: Arbitrary, object-encoded client's data visible to other clients.
        status:
          type: string
          description: Client Status
@@ -1058,10 +1068,14 @@ components:
              type: string
              example: ""
              description: Client secret password.
+        private_metadata:
+          type: object
+          example: { "model": "example" }
+          description: Arbitrary, object-encoded client's data private to the client.
        metadata:
          type: object
          example: { "model": "example" }
-          description: Arbitrary, object-encoded client's data.
+          description: Arbitrary, object-encoded client's data visible to other clients.
        status:
          type: string
          description: Client Status
@@ -1113,9 +1127,14 @@ components:
        metadata:
          type: object
          example: { "role": "general" }
-          description: Arbitrary, object-encoded client's data.
+          description: Arbitrary, object-encoded client's data visible to other clients.
+        private_metadata:
+          type: object
+          example: { "role": "general" }
+          description: Arbitrary, object-encoded client's data private to the client.
      required:
        - name
+        - private_metadata
        - metadata

    ClientTags:
@@ -1130,6 +1149,63 @@ components:
          items:
            type: string

+    DisabledClient:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+          example: bb7edb32-2eac-4aad-aebe-ed96fe073879
+          description: Client unique identifier.
+        name:
+          type: string
+          example: clientName
+          description: Client name.
+        tags:
+          type: array
+          minItems: 0
+          items:
+            type: string
+          example: ["tag1", "tag2"]
+          description: Client tags.
+        domain_id:
+          type: string
+          format: uuid
+          example: bb7edb32-2eac-4aad-aebe-ed96fe073879
+          description: ID of the domain to which client belongs.
+        credentials:
+          type: object
+          properties:
+            identity:
+              type: string
+              example: clientIDentity
+              description: Client Identity for example email address.
+            secret:
+              type: string
+              example: bb7edb32-2eac-4aad-aebe-ed96fe073879
+              description: Client secret password.
+        metadata:
+          type: object
+          example: { "model": "example" }
+          description: Arbitrary, object-encoded client's data visible to other clients.
+        status:
+          type: string
+          description: Client Status
+          format: string
+          example: disabled
+        created_at:
+          type: string
+          format: date-time
+          example: "2019-11-26 13:31:52"
+          description: Time when the channel was created.
+        updated_at:
+          type: string
+          format: date-time
+          example: "2019-11-26 13:31:52"
+          description: Time when the channel was created.
+      xml:
+        name: client
+
    ClientSecret:
      type: object
      properties:
@@ -1208,16 +1284,12 @@ components:

    Tags:
      name: tags
-      description: Client tags.
+      description: Clients tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    Metadata:
      name: metadata
@@ -1225,7 +1297,6 @@ components:
      in: query
      schema:
        type: string
-        minimum: 0
      required: false

    Limit:
@@ -1238,7 +1309,7 @@ components:
        maximum: 100
        minimum: 1
      required: false
-      example: "100"
+      example: 100

    Offset:
      name: offset
@@ -1249,7 +1320,7 @@ components:
        default: 0
        minimum: 0
      required: false
-      example: "0"
+      example: 0

    Order:
      name: order
@@ -1349,6 +1420,26 @@ components:
        minLength: 36
      required: false
      example: bb7edb32-2eac-4aad-aebe-ed96fe073879
+    
+    CreatedFrom:
+      name: created_from
+      description: Filter clients created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter clients created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"

  requestBodies:
    ClientCreateReq:
@@ -1370,7 +1461,7 @@ components:
              $ref: "#/components/schemas/ClientReqObj"

    ClientUpdateReq:
-      description: JSON-formated document describing the metadata and name of client to be update
+      description: JSON-formated document describing the metadata, private metadata and name of client to be update
      required: true
      content:
        application/json:
@@ -1447,6 +1538,13 @@ components:
          schema:
            $ref: "#/components/schemas/Client"

+    DisabledClientRes:
+      description: Data retrieved.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/DisabledClient"
+
    ClientPageRes:
      description: Data retrieved.
      content:
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Domains Service
+  title: Magistrala Domains Service
  description: |
    This is the Domains Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform domains. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,22 +24,22 @@ tags:
    description: CRUD operations for your domains
    externalDocs:
      description: Find out more about domains
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for domains
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Invitations
    description: All operations involving invitations for domains
    externalDocs:
      description: Find out more about Invitations
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Service health check endpoint.
    externalDocs:
      description: Find out more about health check
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /domains:
@@ -76,6 +76,7 @@ paths:
        - $ref: "#/components/parameters/Order"
        - $ref: "#/components/parameters/Direction"
        - $ref: "#/components/parameters/Metadata"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Status"
        - $ref: "#/components/parameters/DomainName"
        - $ref: "./schemas/roles.yaml#/components/parameters/ActionsQuery"
@@ -83,6 +84,8 @@ paths:
        - $ref: "./schemas/roles.yaml#/components/parameters/RoleNameQuery"
        - $ref: "#/components/parameters/AccessType"
        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      tags:
        - Domains
      security:
@@ -1179,6 +1182,14 @@ components:
      schema:
        type: object
        additionalProperties: {}
+    Tags:
+      name: tags
+      description: Domain tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
+      in: query
+      schema:
+        type: string
+      required: false
+      example: "orange,yellow"
    Type:
      name: type
      description: The type of the API Key.
@@ -1282,6 +1293,26 @@ components:
        default: false
      required: false

+    CreatedFrom:
+      name: created_from
+      description: Filter domains created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter domains created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
  requestBodies:
    DomainCreateReq:
      description: JSON-formatted document describing the new domain to be registered
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Groups Service
+  title: Magistrala Groups Service
  description: |
    This is the Groups Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform groups. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your groups
    externalDocs:
      description: Find out more about users groups
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for groups
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/groups:
@@ -92,16 +92,19 @@ paths:
        - $ref: "#/components/parameters/DirectionOrder"
        - $ref: "#/components/parameters/Level"
        - $ref: "#/components/parameters/Tree"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Metadata"
        - $ref: "#/components/parameters/GroupName"
        - $ref: "#/components/parameters/RootGroup"
        - $ref: "#/components/parameters/Status"
-        - $ref: "#/components/parameters/ID" 
+        - $ref: "#/components/parameters/ID"
        - $ref: "./schemas/roles.yaml#/components/parameters/ActionsQuery"
        - $ref: "./schemas/roles.yaml#/components/parameters/RoleIDQuery"
        - $ref: "./schemas/roles.yaml#/components/parameters/RoleNameQuery"
        - $ref: "#/components/parameters/AccessType"
-        - $ref: "#/components/parameters/OnlyTotal" 
+        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/GroupPageRes"
@@ -328,6 +331,8 @@ paths:
        - $ref: "#/components/parameters/Level"
        - $ref: "#/components/parameters/Tree"
        - $ref: "#/components/parameters/Direction"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/GroupsHierarchyPageRes"
@@ -362,6 +367,11 @@ paths:
      responses:
        "200":
          description: Parent group set.
+          content:
+            application/json:
+              schema:
+                type: object
+          links: {}
        "400":
          description: Failed due to malformed group's ID.
        "401":
@@ -392,6 +402,11 @@ paths:
      responses:
        "200":
          description: Parent group removed.
+          content:
+            application/json:
+              schema:
+                type: object
+          links: {}
        "400":
          description: Failed due to malformed group's ID.
        "401":
@@ -1140,7 +1155,7 @@ components:
          description: User's last name.
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User's email address.
        tags:
          type: array
@@ -1377,16 +1392,12 @@ components:

    Tags:
      name: tags
-      description: User tags.
+      description: Group tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    GroupName:
      name: name
@@ -1398,7 +1409,7 @@ components:
      example: "groupName"

    GroupDescription:
-      name: name
+      name: description
      description: Group's description.
      in: query
      schema:
@@ -1513,7 +1524,6 @@ components:
      in: query
      schema:
        type: string
-        minimum: 0
      required: false

    Limit:
@@ -1526,7 +1536,7 @@ components:
        maximum: 100
        minimum: 1
      required: false
-      example: "100"
+      example: 100

    Offset:
      name: offset
@@ -1537,9 +1547,9 @@ components:
        default: 0
        minimum: 0
      required: false
-      example: "0"
-    
-    Order: 
+      example: 0
+
+    Order:
      name: order
      description: Field by which to order the results
      in: query
@@ -1547,8 +1557,8 @@ components:
        type: string
      required: false
      example: created_at
-    
-    DirectionOrder: 
+
+    DirectionOrder:
      name: order
      description: Direction of ordering the results.
      in: query
@@ -1560,7 +1570,7 @@ components:
      required: false
      example: desc

-    ID: 
+    ID:
      name: id
      description: List groups with the given ID.
      in: query
@@ -1569,7 +1579,7 @@ components:
        format: uuid
      required: false
      example: bb7edb32-2eac-4aad-aebe-ed96fe073879
-    
+
    AccessType:
      name: access_type
      description: Type of access the user has on the group.
@@ -1583,8 +1593,8 @@ components:
          - indirect_group
      required: false
      example: direct
-    
-    OnlyTotal: 
+
+    OnlyTotal:
      name: only_total
      description: If true, the response will contain only the total number of groups that match the query parameters.
      in: query
@@ -1592,7 +1602,27 @@ components:
        type: boolean
        default: false
      required: false
-    
+
+    CreatedFrom:
+      name: created_from
+      description: Filter groups created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter groups created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
    User:
      name: user
      description: If provided lists groups associated with a user with the provided ID. Only available for admin users.
@@ -1663,10 +1693,10 @@ components:
          operationId: getGroup
          parameters:
            groupID: $response.body#/id
-        get_children:
-          operationId: listChildrenGroups
-          parameters:
-            groupID: $response.body#/id
+        # get_children:
+        #   operationId: listChildrenGroups
+        #   parameters:
+        #     groupID: $response.body#/id
        update:
          operationId: updateGroup
          parameters:
@@ -1710,6 +1740,7 @@ components:
        application/json:
          schema:
            $ref: "#/components/schemas/GroupsPage"
+      links: {}

    GroupsHierarchyPageRes:
      description: Group hierarchy retrieved.
@@ -1717,6 +1748,7 @@ components:
        application/json:
          schema:
            $ref: "#/components/schemas/GroupsHierarchyPage"
+      links: {}

    MembersPageRes:
      description: Group members retrieved.
@@ -1724,6 +1756,7 @@ components:
        application/json:
          schema:
            $ref: "#/components/schemas/MembersPage"
+      links: {}

    HealthRes:
      description: Service Health Check.
@@ -3,16 +3,16 @@

 openapi: 3.0.1
 info:
-  title: SuperMQ http adapter
+  title: Magistrala http adapter
  description: |
    HTTP API for sending messages through communication channels.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,7 +24,7 @@ tags:
    description: Everything about your Messages
    externalDocs:
      description: Find out more about messages
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /m/{domainPrefix}/c/{channelPrefix}:
@@ -47,6 +47,8 @@ paths:
          description: Message discarded due to its malformed content.
        "401":
          description: Missing or invalid access token provided.
+        "403":
+          description: Access denied to the requested resource.
        "404":
          description: Message discarded due to invalid channel id.
        "415":
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Journal Log Service
+  title: Magistrala Journal Log Service
  description: |
    This is the Journal Log Server based on the OpenAPI 3.0 specification.  It is the HTTP API for viewing journal log history. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@mainflux.com
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -75,7 +75,7 @@ paths:
        This includes connection status, messages sent/received, and other metrics.
      parameters:
        - $ref: "#/components/parameters/domain_id"
-        - $ref: '#/components/parameters/client_id'
+        - $ref: "#/components/parameters/client_id"
      security:
        - bearerAuth: []
      responses:
@@ -319,7 +319,7 @@ components:
        default: 0
        minimum: 0
      required: false
-      example: "0"
+      example: 0

    limit:
      name: limit
@@ -328,10 +328,10 @@ components:
      schema:
        type: integer
        default: 10
-        maximum: 10
+        maximum: 100
        minimum: 1
      required: false
-      example: "10"
+      example: 10

    operation:
      name: operation
@@ -365,7 +365,7 @@ components:
      description: Start date in unix time.
      in: query
      schema:
-        type: string
+        type: integer
        format: int64
      required: false
      example: 1966777289
@@ -375,7 +375,7 @@ components:
      description: End date in unix time.
      in: query
      schema:
-        type: string
+        type: integer
        format: int64
      required: false
      example: 1966777289
@@ -0,0 +1,292 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Notifiers service
+  description: |
+    HTTP API for Notifiers service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9014
+  - url: https://localhost:9014
+  - url: http://localhost:9015
+  - url: https://localhost:9015
+
+tags:
+  - name: notifiers
+    description: Everything about your Notifiers
+    externalDocs:
+      description: Find out more about notifiers
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /subscriptions:
+    post:
+      operationId: createSubscription
+      summary: Create subscription
+      description: Creates a new subscription give a topic and contact.
+      tags:
+        - notifiers
+      requestBody:
+        $ref: "#/components/requestBodies/Create"
+      responses:
+        "201":
+          $ref: "#/components/responses/Create"
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "409":
+          description: Failed due to using an existing topic and contact.
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    get:
+      operationId: listSubscriptions
+      summary: List subscriptions
+      description: List subscriptions given list parameters.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Topic"
+        - $ref: "#/components/parameters/Contact"
+        - $ref: "#/components/parameters/Offset"
+        - $ref: "#/components/parameters/Limit"
+      responses:
+        "200":
+          $ref: "#/components/responses/Page"
+        "400":
+          description: Failed due to malformed query parameters.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /subscriptions/{id}:
+    get:
+      operationId: viewSubscription
+      summary: Get subscription with the provided id
+      description: Retrieves a subscription with the provided id.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Id"
+      responses:
+        "200":
+          $ref: "#/components/responses/View"
+        "400":
+          description: Failed due to malformed ID.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    delete:
+      operationId: removeSubscription
+      summary: Delete subscription with the provided id
+      description: Removes a subscription with the provided id.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Id"
+      responses:
+        "204":
+          description: Subscription removed
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    Subscription:
+      type: object
+      properties:
+        id:
+          type: string
+          format: ulid
+          example: 01EWDVKBQSG80B6PQRS9PAAY35
+          description: ULID id of the subscription.
+        owner_id:
+          type: string
+          format: uuid
+          example: 18167738-f7a8-4e96-a123-58c3cd14de3a
+          description: An id of the owner who created subscription.
+        topic:
+          type: string
+          example: topic/subtopic
+          description: Topic to which the user subscribes.
+        contact:
+          type: string
+          example: user@example.com
+          description: The contact of the user to which the notification will be sent.
+    CreateSubscription:
+      type: object
+      properties:
+        topic:
+          type: string
+          example: topic/subtopic
+          description: Topic to which the user subscribes.
+        contact:
+          type: string
+          example: user@example.com
+          description: The contact of the user to which the notification will be sent.
+    Page:
+      type: object
+      properties:
+        subscriptions:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            $ref: "#/components/schemas/Subscription"
+        total:
+          type: integer
+          description: Total number of items.
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval.
+        limit:
+          type: integer
+          description: Maximum number of items to return in one page.
+
+  parameters:
+    Id:
+      name: id
+      description: Unique identifier.
+      in: path
+      schema:
+        type: string
+        format: ulid
+      required: true
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve.
+      in: query
+      schema:
+        type: integer
+        default: 10
+        maximum: 100
+        minimum: 1
+      required: false
+    Offset:
+      name: offset
+      description: Number of items to skip during retrieval.
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+      required: false
+    Topic:
+      name: topic
+      description: Topic name.
+      in: query
+      schema:
+        type: string
+      required: false
+    Contact:
+      name: contact
+      description: Subscription contact.
+      in: query
+      schema:
+        type: string
+      required: false
+
+  requestBodies:
+    Create:
+      description: JSON-formatted document describing the new subscription to be created
+      required: true
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/CreateSubscription"
+
+  responses:
+    Create:
+      description: Created a new subscription.
+      headers:
+        Location:
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: Created subscription relative URL
+                example: /subscriptions/{id}
+    View:
+      description: View subscription.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/Subscription"
+      links:
+        delete:
+          operationId: removeSubscription
+          parameters:
+            id: $response.body#/id
+    Page:
+      description: Data retrieved.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/Page"
+    ServiceError:
+      description: Unexpected server-side error occurred.
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
+
+security:
+  - bearerAuth: []
@@ -0,0 +1,312 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala reader service
+  description: |
+    HTTP API for reading messages.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9003
+  - url: https://localhost:9003
+  - url: http://localhost:9005
+  - url: https://localhost:9005
+  - url: http://localhost:9009
+  - url: https://localhost:9009
+  - url: http://localhost:9011
+  - url: https://localhost:9011
+
+tags:
+  - name: readers
+    description: Everything about your Readers
+    externalDocs:
+      description: Find out more about readers
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/channels/{chanId}/messages:
+    get:
+      operationId: getMessages
+      summary: Retrieves messages sent to single channel
+      description: |
+        Retrieves a list of messages sent to specific channel. Due to
+        performance concerns, data is retrieved in subsets. The API readers must
+        ensure that the entire dataset is consumed either by making subsequent
+        requests, or by increasing the subset size of the initial request.
+      tags:
+        - readers
+      parameters:
+        - $ref: "#/components/parameters/DomainID"
+        - $ref: "#/components/parameters/ChanId"
+        - $ref: "#/components/parameters/Limit"
+        - $ref: "#/components/parameters/Offset"
+        - $ref: "#/components/parameters/Publisher"
+        - $ref: "#/components/parameters/Name"
+        - $ref: "#/components/parameters/Value"
+        - $ref: "#/components/parameters/BoolValue"
+        - $ref: "#/components/parameters/StringValue"
+        - $ref: "#/components/parameters/DataValue"
+        - $ref: "#/components/parameters/From"
+        - $ref: "#/components/parameters/To"
+        - $ref: "#/components/parameters/Aggregation"
+        - $ref: "#/components/parameters/Interval"
+      responses:
+        "200":
+          $ref: "#/components/responses/MessagesPageRes"
+        "400":
+          description: Failed due to malformed query parameters.
+        "401":
+          description: Missing or invalid access token provided.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /health:
+    get:
+      operationId: health
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    MessagesPage:
+      type: object
+      properties:
+        total:
+          type: number
+          description: Total number of items that are present on the system.
+        offset:
+          type: number
+          description: Number of items that were skipped during retrieval.
+        limit:
+          type: number
+          description: Size of the subset that was retrieved.
+        messages:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            type: object
+            properties:
+              channel:
+                type: integer
+                description: Unique channel id.
+              publisher:
+                type: integer
+                description: Unique publisher id.
+              protocol:
+                type: string
+                description: Protocol name.
+              name:
+                type: string
+                description: Measured parameter name.
+              unit:
+                type: string
+                description: Value unit.
+              value:
+                type: number
+                description: Measured value in number.
+              stringValue:
+                type: string
+                description: Measured value in string format.
+              boolValue:
+                type: boolean
+                description: Measured value in boolean format.
+              dataValue:
+                type: string
+                description: Measured value in binary format.
+              valueSum:
+                type: number
+                description: Sum value.
+              time:
+                type: number
+                description: Time of measurement.
+              updateTime:
+                type: number
+                description: Time of updating measurement.
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Unique domain identifier.
+      in: path
+      schema:
+        type: string
+        format: uuid
+      required: true
+    ChanId:
+      name: chanId
+      description: Unique channel identifier.
+      in: path
+      schema:
+        type: string
+        format: uuid
+      required: true
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve.
+      in: query
+      schema:
+        type: integer
+        default: 10
+        maximum: 100
+        minimum: 1
+      required: false
+    Offset:
+      name: offset
+      description: Number of items to skip during retrieval.
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+      required: false
+    Publisher:
+      name: Publisher
+      description: Unique thing identifier.
+      in: query
+      schema:
+        type: string
+        format: uuid
+      required: false
+    Name:
+      name: name
+      description: SenML message name.
+      in: query
+      schema:
+        type: string
+      required: false
+    Value:
+      name: v
+      description: SenML message value.
+      in: query
+      schema:
+        type: string
+      required: false
+    BoolValue:
+      name: vb
+      description: SenML message bool value.
+      in: query
+      schema:
+        type: boolean
+      required: false
+    StringValue:
+      name: vs
+      description: SenML message string value.
+      in: query
+      schema:
+        type: string
+      required: false
+    DataValue:
+      name: vd
+      description: SenML message data value.
+      in: query
+      schema:
+        type: string
+      required: false
+    Comparator:
+      name: comparator
+      description: Value comparison operator.
+      in: query
+      schema:
+        type: string
+        default: eq
+        enum:
+          - eq
+          - lt
+          - le
+          - gt
+          - ge
+      required: false
+    From:
+      name: from
+      description: SenML message time in nanoseconds (integer part represents seconds).
+      in: query
+      schema:
+        type: number
+      example: 1709218556069
+      required: false
+    To:
+      name: to
+      description: SenML message time in nanoseconds (integer part represents seconds).
+      in: query
+      schema:
+        type: number
+      example: 1709218757503
+      required: false
+    Aggregation:
+      name: aggregation
+      description: Aggregation function.
+      in: query
+      schema:
+        type: string
+        enum:
+          - MAX
+          - AVG
+          - MIN
+          - SUM
+          - COUNT
+          - max
+          - min
+          - sum
+          - avg
+          - count
+      example: MAX
+      required: false
+    Interval:
+      name: interval
+      description: Aggregation interval.
+      in: query
+      schema:
+        type: string
+      example: 10s
+      required: false
+
+  responses:
+    MessagesPageRes:
+      description: Data retrieved.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/MessagesPage"
+    ServiceError:
+      description: Unexpected server-side error occurred.
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
+
+    thingAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: uuid
+      description: |
+        * Things access: "Authorization: Thing <thing_key>"
+
+security:
+  - bearerAuth: []
+  - thingAuth: []
@@ -0,0 +1,553 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Reports Service API
+  description: |
+    HTTP API for managing reports service.
+  version: 0.18.5
+servers:
+  - url: http://localhost:9017
+tags:
+  - name: reports
+    description: Operations related to report configurations and generation
+paths:
+  /{domainID}/reports:
+    post:
+      operationId: generateReport
+      summary: Generate a report
+      description: Generates a report based on the provided configuration or an existing config. The action determines the response format.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/GenerateReportRequest'
+      responses:
+        '200':
+          description: Report generated successfully (content varies by action)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenerateReportResponse'
+            application/octet-stream:
+              schema:
+                type: string
+                format: binary
+        '400':
+          description: Invalid request parameters
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs:
+    post:
+      operationId: addReportConfig
+      summary: Create a report configuration
+      description: Creates a new report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AddReportConfigRequest'
+      responses:
+        '201':
+          description: Report configuration created
+          headers:
+            Location:
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid request body
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    get:
+      operationId: listReportConfigs
+      summary: List report configurations
+      description: Retrieves a paginated list of report configurations.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: List of report configurations
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ListReportsConfigResponse'
+        '400':
+          description: Invalid query parameters
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}:
+    get:
+      operationId: viewReportConfig
+      summary: View a report configuration
+      description: Retrieves details of a specific report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration details
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '404':
+          description: Report configuration not found
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    patch:
+      operationId: updateReportConfig
+      summary: Update a report configuration
+      description: Updates specified fields of a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UpdateReportConfigRequest'
+      responses:
+        '200':
+          description: Report configuration updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid request body
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    delete:
+      operationId: deleteReportConfig
+      summary: Delete a report configuration
+      description: Permanently deletes a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Report configuration deleted
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/schedule:
+    patch:
+      operationId: updateReportSchedule
+      summary: Update report schedule
+      description: Updates the schedule of a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Schedule'
+      responses:
+        '200':
+          description: Schedule updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid schedule
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/enable:
+    post:
+      operationId: enableReportConfig
+      summary: Enable a report configuration
+      description: Enables a report configuration to generate scheduled reports.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration enabled
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/disable:
+    post:
+      operationId: disableReportConfig
+      summary: Disable a report configuration
+      description: Disables a report configuration, stopping scheduled reports.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration disabled
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /health:
+    get:
+      summary: Service health check
+      tags:
+        - health
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+
+components:
+  schemas:
+    ReportConfig:
+      type: object
+      properties:
+        id:
+          type: string
+          readOnly: true
+        name:
+          type: string
+        description:
+          type: string
+        domain_id:
+          type: string
+          readOnly: true
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+        created_at:
+          type: string
+          format: date-time
+          readOnly: true
+        created_by:
+          type: string
+          readOnly: true
+        updated_at:
+          type: string
+          format: date-time
+          readOnly: true
+        updated_by:
+          type: string
+          readOnly: true
+      required:
+        - name
+        - metrics
+        - config
+
+    Schedule:
+      type: object
+      properties:
+        recurring:
+          type: string
+          enum: [None, Daily, Weekly, Monthly]
+        recurring_period:
+          type: integer
+          minimum: 1
+        start_time:
+          type: string
+          format: date-time
+        next_run:
+          type: string
+          format: date-time
+          readOnly: true
+
+    MetricConfig:
+      type: object
+      properties:
+        title:
+          type: string
+          maxLength: 100
+        format:
+          type: string
+          enum: [pdf, csv, html]
+        aggregation:
+          $ref: '#/components/schemas/AggConfig'
+
+    AggConfig:
+      type: object
+      properties:
+        window:
+          type: string
+        function:
+          type: string
+          enum: [sum, average, max, min]
+
+    EmailSetting:
+      type: object
+      properties:
+        recipients:
+          type: array
+          items:
+            type: string
+            format: email
+        subject:
+          type: string
+        body_template:
+          type: string
+      required:
+        - recipients
+        - subject
+
+    ReqMetric:
+      type: object
+      properties:
+        name:
+          type: string
+        type:
+          type: string
+          enum: [gauge, counter, histogram]
+        parameters:
+          type: object
+      required:
+        - name
+        - type
+
+    Status:
+      type: string
+      enum: [enabled, disabled]
+
+    GenerateReportRequest:
+      type: object
+      properties:
+        action:
+          type: string
+          enum: [view, download, email]
+        config_id:
+          type: string
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+      required:
+        - action
+
+    GenerateReportResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+        from:
+          type: string
+          format: date-time
+        to:
+          type: string
+          format: date-time
+        aggregation:
+          $ref: '#/components/schemas/AggConfig'
+        reports:
+          type: array
+          items:
+            $ref: '#/components/schemas/Report'
+
+    Report:
+      type: object
+      properties:
+        timestamp:
+          type: string
+          format: date-time
+        value:
+          type: number
+        metric_name:
+          type: string
+
+    AddReportConfigRequest:
+      type: object
+      properties:
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+      required:
+        - name
+        - metrics
+        - config
+
+    UpdateReportConfigRequest:
+      type: object
+      properties:
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+
+    ListReportsConfigResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+        offset:
+          type: integer
+        limit:
+          type: integer
+        report_configs:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReportConfig'
+
+  parameters:
+    DomainID:
+      name: domainID
+      in: path
+      required: true
+      schema:
+        type: string
+    ReportID:
+      name: reportID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      in: query
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+        maximum: 100
+
+  responses:
+    ServiceError:
+      description: Unexpected server error
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: './schemas/health_info.yaml'
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
@@ -0,0 +1,586 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Rules Engine API
+  description: |
+    HTTP API for managing rules engine service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9008
+  - url: http://localhost:9008
+
+tags:
+  - name: rules engine
+    description: Everything about your Rules Engine
+    externalDocs:
+      description: Find out more about rules engine
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/rules:
+    post:
+      operationId: createRule
+      summary: Create Rule
+      description: |
+        Creates a new rule for message processing
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/RuleCreateReq'
+      responses:
+        '201':
+          $ref: '#/components/responses/RuleCreateRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '415':
+          description: Missing or invalid content type
+        "500":
+          $ref: "#/components/responses/ServiceError"
+        "503":
+          description: Failed to receive response from the clients service.
+    get:
+      operationId: getRules
+      summary: List Rules
+      description: |
+        Retrieves a list of rules with optional filtering
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit' 
+        - $ref: '#/components/parameters/InputChannel'
+        - $ref: '#/components/parameters/OutputChannel'
+        - $ref: '#/components/parameters/Status'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleListRes'
+        '400':
+          description: Failed due to malformed query parameters
+        '401':
+          description: Missing or invalid access token
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}:
+    get:
+      operationId: getRule
+      summary: View Rule
+      description: Retrieves a rule by ID
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleRes'
+        "400":
+          description: Missing or invalid rule
+        "403":
+          description: Failed to perform authorization over the entity
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    put:
+      operationId: updateRule
+      summary: Update Rule
+      description: Updates an existing rule
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/RuleUpdateReq'
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Rule does not exist
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    delete:
+      operationId: removeRule
+      summary: Delete Rule
+      description: Deletes a rule
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Rule deleted successfully
+        "400":
+          description: Failed due to malformed rule ID
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}/enable:
+    put:
+      operationId: enableRule
+      summary: Enable Rule
+      description: Enables a rule for processing
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Rule enabled successfully
+        "400":
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}/disable:
+    put:
+      operationId: disableRule
+      summary: Disable Rule
+      description: Disables a rule from processing
+      tags:
+        - Rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Rule disabled successfully
+        "400":
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    RulesListRes:
+      type: object
+      properties:
+        total:
+          type: integer
+          description: Total number of results
+          minimum: 0
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval
+          minimum: 0
+          default: 0
+        limit:
+          type: integer
+          description: Size of the subset to retrieve
+          maximum: 100
+          default: 10
+        rules:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            $ref: '#/components/schemas/Rule'
+      required:
+        - rules
+
+    Rule:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Unique rule identifier
+        name:
+          type: string
+          description: Rule name
+        domain:
+          type: string
+          description: Domain ID this rule belongs to
+        metadata:
+          type: object
+          description: Custom metadata
+          additionalProperties:
+            type: string
+        input_channel:
+          type: string
+          description: Input channel for receiving messages
+        input_topic:
+          type: string
+          description: Input topic for receiving messages
+        logic:
+          type: object
+          description: Rule processing logic script
+          properties:
+            script:
+              type: string
+              description: Script content
+        output_channel:
+          type: string
+          description: Output channel for processed messages
+        output_topic:
+          type: string
+          description: Output topic for processed messages
+        schedule:
+          type: object
+          description: Rule execution schedule
+          properties:
+            start_datetime:
+              type: string
+              format: date-time
+              description: When the schedule becomes active
+            time:
+              type: string
+              format: date-time
+              description: Specific time for the rule to run
+            recurring:
+              type: string
+              description: Schedule recurrence pattern
+              enum: [None, Daily, Weekly, Monthly]
+            recurring_period:
+              type: integer
+              minimum: 1
+              description: Controls how many intervals to skip between executions (1 = every interval, 2 = every second interval, etc.)
+        status:
+          type: string
+          description: Rule status
+          enum: [enabled, disabled]
+        created_at:
+          type: string
+          format: date-time
+          description: Creation timestamp
+          readOnly: true
+        created_by:
+          type: string
+          description: User who created the rule
+        updated_at:
+          type: string
+          format: date-time
+          description: Last update timestamp
+          readOnly: true
+        updated_by:
+          type: string
+          description: User who last updated the rule
+      required:
+        - name
+        - domain
+        - input_channel
+        - input_topic
+        - logic
+        - status
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Domain ID
+      in: path
+      required: true
+      schema:
+        type: string
+    RuleID:
+      name: ruleID
+      description: Rule ID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      description: Number of items to skip
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      description: Size of the subset
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+    InputChannel:
+      name: input_channel
+      description: Filter by input channel
+      in: query
+      required: false
+      schema:
+        type: string
+    OutputChannel:
+      name: output_channel
+      description: Filter by output channel
+      in: query
+      required: false
+      schema:
+        type: string
+    Status:
+      name: status
+      description: Filter by rule status
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [enabled, disabled]
+        default: enabled
+
+  requestBodies:
+    RuleCreateReq:
+      description: JSON-formatted document describing the new rule
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+                description: Rule name
+              domain:
+                type: string
+                description: Domain ID this rule belongs to
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties:
+                  type: string
+              input_channel:
+                type: string
+                description: Input channel for receiving messages
+              input_topic:
+                type: string
+                description: Input topic for receiving messages
+              logic:
+                type: object
+                description: Rule processing logic script
+                properties:
+                  script:
+                    type: string
+                    description: Script content
+              output_channel:
+                type: string
+                description: Output channel for processed messages
+              output_topic:
+                type: string
+                description: Output topic for processed messages
+              schedule:
+                type: object
+                description: Rule execution schedule
+                properties:
+                  start_datetime:
+                    type: string
+                    format: date-time
+                    description: When the schedule becomes active
+                  time:
+                    type: string
+                    format: date-time
+                    description: Specific time for the rule to run
+                  recurring:
+                    type: string
+                    description: Schedule recurrence pattern
+                    enum: [None, Daily, Weekly, Monthly]
+                  recurring_period:
+                    type: integer
+                    minimum: 1
+                    description: Controls how many intervals to skip between executions
+              status:
+                type: string
+                description: Rule status
+                enum: [enabled, disabled]
+            required:
+              - name
+              - domain
+              - input_channel
+              - input_topic
+              - logic
+              - schedule
+    RuleUpdateReq:
+      description: JSON-formatted document describing the rule update
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+                description: Rule name
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties:
+                  type: string
+              input_channel:
+                type: string
+                description: Input channel for receiving messages
+              input_topic:
+                type: string
+                description: Input topic for receiving messages
+              logic:
+                type: object
+                description: Rule processing logic script
+                properties:
+                  script:
+                    type: string
+                    description: Script content
+              output_channel:
+                type: string
+                description: Output channel for processed messages
+              output_topic:
+                type: string
+                description: Output topic for processed messages
+              schedule:
+                type: object
+                description: Rule execution schedule
+                properties:
+                  start_datetime:
+                    type: string
+                    format: date-time
+                    description: When the schedule becomes active
+                  time:
+                    type: string
+                    format: date-time
+                    description: Specific time for the rule to run
+                  recurring:
+                    type: string
+                    description: Schedule recurrence pattern
+                    enum: [None, Daily, Weekly, Monthly]
+                  recurring_period:
+                    type: integer
+                    minimum: 1
+                    description: Controls how many intervals to skip between executions
+              status:
+                type: string
+                description: Rule status
+                enum: [enabled, disabled]
+
+  responses:
+    RuleCreateRes:
+      description: Rule registered
+      headers:
+        Location:
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: Created rule's relative URL (i.e. /rules/{ruleID})
+    RuleListRes:
+      description: Data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/RulesListRes'
+    RuleRes:
+      description: Data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Rule'
+      links:
+        update:
+          operationId: updateRule
+          parameters:
+            ruleID: $response.body#/id
+        enable:
+          operationId: enableRule
+          parameters:
+            ruleID: $response.body#/id
+        disable:
+          operationId: disableRule
+          parameters:
+            ruleID: $response.body#/id
+        delete:
+          operationId: removeRule
+          parameters:
+            ruleID: $response.body#/id
+    ServiceError:
+      description: Unexpected server-side error occurred
+    HealthRes:
+      description: Service Health Check
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
@@ -1,431 +0,0 @@
-# Copyright (c) Abstract Machines
-# SPDX-License-Identifier: Apache-2.0
-
-openapi: 3.0.1
-info:
-  title: SuperMQ twins service
-  description: |
-    HTTP API for managing digital twins and their states.
-    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
-  contact:
-    email: info@abstractmachines.fr
-  license:
-    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
-  version: 0.18.0
-
-servers:
-  - url: http://localhost:9018
-  - url: https://localhost:9018
-
-tags:
-  - name: twins
-    description: Everything about your Twins
-    externalDocs:
-      description: Find out more about twins
-      url: https://docs.supermq.abstractmachines.fr/
-
-paths:
-  /twins:
-    post:
-      operationId: createTwin
-      summary: Adds new twin
-      description: |
-        Adds new twin to the list of twins owned by user identified using
-        the provided access token.
-      tags:
-        - twins
-      requestBody:
-        $ref: "#/components/requestBodies/TwinReq"
-      responses:
-        "201":
-          $ref: "#/components/responses/TwinCreateRes"
-        "400":
-          description: Failed due to malformed JSON.
-        "401":
-          description: Missing or invalid access token provided.
-        "415":
-          description: Missing or invalid content type.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-
-    get:
-      operationId: getTwins
-      summary: Retrieves twins
-      description: |
-        Retrieves a list of twins. Due to performance concerns, data
-        is retrieved in subsets.
-      tags:
-        - twins
-      parameters:
-        - $ref: "#/components/parameters/Limit"
-        - $ref: "#/components/parameters/Offset"
-        - $ref: "#/components/parameters/Name"
-        - $ref: "#/components/parameters/Metadata"
-      responses:
-        "200":
-          $ref: "#/components/responses/TwinsPageRes"
-        "400":
-          description: Failed due to malformed query parameters.
-        "401":
-          description: Missing or invalid access token provided.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-
-  /twins/{twinID}:
-    get:
-      operationId: getTwin
-      summary: Retrieves twin info
-      tags:
-        - twins
-      parameters:
-        - $ref: "#/components/parameters/TwinID"
-      responses:
-        "200":
-          $ref: "#/components/responses/TwinRes"
-        "400":
-          description: Failed due to malformed twin's ID.
-        "401":
-          description: Missing or invalid access token provided.
-        "404":
-          description: Twin does not exist.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-    put:
-      operationId: updateTwin
-      summary: Updates twin info
-      description: |
-        Update is performed by replacing the current resource data with values
-        provided in a request payload. Note that the twin's ID cannot be changed.
-      tags:
-        - twins
-      parameters:
-        - $ref: "#/components/parameters/TwinID"
-      requestBody:
-        $ref: "#/components/requestBodies/TwinReq"
-      responses:
-        "200":
-          description: Twin updated.
-        "400":
-          description: Failed due to malformed twin's ID or malformed JSON.
-        "401":
-          description: Missing or invalid access token provided.
-        "404":
-          description: Twin does not exist.
-        "415":
-          description: Missing or invalid content type.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-    delete:
-      operationId: removeTwin
-      summary: Removes a twin
-      description: Removes a twin.
-      tags:
-        - twins
-      parameters:
-        - $ref: "#/components/parameters/TwinID"
-      responses:
-        "204":
-          description: Twin removed.
-        "400":
-          description: Failed due to malformed twin's ID.
-        "401":
-          description: Missing or invalid access token provided
-        "404":
-          description: Twin does not exist.
-        "415":
-          description: Missing or invalid content type.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-
-  /states/{twinID}:
-    get:
-      operationId: getStates
-      summary: Retrieves states of twin with id twinID
-      description: |
-        Retrieves a list of states. Due to performance concerns, data
-        is retrieved in subsets.
-      tags:
-        - states
-      parameters:
-        - $ref: "#/components/parameters/TwinID"
-        - $ref: "#/components/parameters/Limit"
-        - $ref: "#/components/parameters/Offset"
-      responses:
-        "200":
-          $ref: "#/components/responses/StatesPageRes"
-        "400":
-          description: Failed due to malformed query parameters.
-        "401":
-          description: Missing or invalid access token provided.
-        "404":
-          description: Twin does not exist.
-        "422":
-          description: Database can't process request.
-        "500":
-          $ref: "#/components/responses/ServiceError"
-  /health:
-    get:
-      summary: Retrieves service health check info.
-      tags:
-        - health
-      security: []
-      responses:
-        "200":
-          $ref: "#/components/responses/HealthRes"
-        "500":
-          $ref: "#/components/responses/ServiceError"
-
-components:
-  parameters:
-    Limit:
-      name: limit
-      description: Size of the subset to retrieve.
-      in: query
-      schema:
-        type: integer
-        default: 10
-        maximum: 100
-        minimum: 1
-      required: false
-    Offset:
-      name: offset
-      description: Number of items to skip during retrieval.
-      in: query
-      schema:
-        type: integer
-        default: 0
-        minimum: 0
-      required: false
-    Name:
-      name: name
-      description: Twin name
-      in: query
-      schema:
-        type: string
-      required: false
-    Metadata:
-      name: metadata
-      description: |
-        Metadata filter. Filtering is performed matching the parameter with
-        metadata on top level. Parameter is json.
-      in: query
-      schema:
-        type: string
-        minimum: 0
-      required: false
-    TwinID:
-      name: twinID
-      description: Unique twin identifier.
-      in: path
-      schema:
-        type: string
-        format: uuid
-        minimum: 1
-      required: true
-
-  schemas:
-    Attribute:
-      type: object
-      properties:
-        name:
-          type: string
-          description: Name of the attribute.
-        channel:
-          type: string
-          description: SuperMQ channel used by attribute.
-        subtopic:
-          type: string
-          description: Subtopic used by attribute.
-        persist_state:
-          type: boolean
-          description: Trigger state creation based on the attribute.
-    Definition:
-      type: object
-      properties:
-        delta:
-          type: number
-          description: Minimal time delay before new state creation.
-        attributes:
-          type: array
-          minItems: 0
-          items:
-            $ref: "#/components/schemas/Attribute"
-    TwinReqObj:
-      type: object
-      properties:
-        name:
-          type: string
-          description: Free-form twin name.
-        metadata:
-          type: object
-          description: Arbitrary, object-encoded twin's data.
-        definition:
-          $ref: "#/components/schemas/Definition"
-    TwinResObj:
-      type: object
-      properties:
-        owner:
-          type: string
-          description: Email address of SuperMQ user that owns twin.
-        id:
-          type: string
-          format: uuid
-          description: Unique twin identifier generated by the service.
-        name:
-          type: string
-          description: Free-form twin name.
-        revision:
-          type: number
-          description: Oridnal revision number of twin.
-        created:
-          type: string
-          format: date
-          description: Twin creation date and time.
-        updated:
-          type: string
-          format: date
-          description: Twin update date and time.
-        definitions:
-          type: array
-          minItems: 0
-          items:
-            $ref: "#/components/schemas/Definition"
-        metadata:
-          type: object
-          description: Arbitrary, object-encoded twin's data.
-    TwinsPage:
-      type: object
-      properties:
-        twins:
-          type: array
-          minItems: 0
-          items:
-            $ref: "#/components/schemas/TwinResObj"
-        total:
-          type: integer
-          description: Total number of items.
-        offset:
-          type: integer
-          description: Number of items to skip during retrieval.
-        limit:
-          type: integer
-          description: Maximum number of items to return in one page.
-      required:
-        - twins
-    State:
-      type: object
-      properties:
-        twin_id:
-          type: string
-          format: uuid
-          description: ID of twin state belongs to.
-        id:
-          type: number
-          description: State position in a time row of states.
-        created:
-          type: string
-          format: date
-          description: State creation date.
-        payload:
-          type: object
-          description: Object-encoded states's payload.
-    StatesPage:
-      type: object
-      properties:
-        states:
-          type: array
-          minItems: 0
-          items:
-            $ref: "#/components/schemas/State"
-        total:
-          type: integer
-          description: Total number of items.
-        offset:
-          type: integer
-          description: Number of items to skip during retrieval.
-        limit:
-          type: integer
-          description: Maximum number of items to return in one page.
-      required:
-        - states
-
-  requestBodies:
-    TwinReq:
-      description: JSON-formatted document describing the twin to create or update.
-      content:
-        application/json:
-          schema:
-            $ref: "#/components/schemas/TwinReqObj"
-      required: true
-
-  responses:
-    TwinCreateRes:
-      description: Created twin's relative URL (i.e. /twins/{twinID}).
-      headers:
-        Location:
-          content:
-            text/plain:
-              schema:
-                type: string
-    TwinRes:
-      description: Data retrieved.
-      content:
-        application/json:
-          schema:
-            $ref: "#/components/schemas/TwinResObj"
-      links:
-        update:
-          operationId: updateTwin
-          parameters:
-            twinID: $response.body#/id
-        delete:
-          operationId: removeTwin
-          parameters:
-            twinID: $response.body#/id
-        states:
-          operationId: getStates
-          parameters:
-            twinID: $response.body#/id
-    TwinsPageRes:
-      description: Data retrieved.
-      content:
-        application/json:
-          schema:
-            $ref: "#/components/schemas/TwinsPage"
-    StatesPageRes:
-      description: Data retrieved.
-      content:
-        application/json:
-          schema:
-            $ref: "#/components/schemas/StatesPage"
-    ServiceError:
-      description: Unexpected server-side error occurred.
-    HealthRes:
-      description: Service Health Check.
-      content:
-        application/health+json:
-          schema:
-            $ref: "./schemas/health_info.yaml"
-
-  securitySchemes:
-    bearerAuth:
-      type: http
-      scheme: bearer
-      bearerFormat: JWT
-      description: |
-        * Users access: "Authorization: Bearer <user_token>"
-
-security:
-  - bearerAuth: []
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Users Service
+  title: Magistrala Users Service
  description: |
    This is the Users Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform users. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,12 +24,12 @@ tags:
    description: Everything about your Users
    externalDocs:
      description: Find out more about users
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.abstractmachines.fr/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /users:
@@ -83,8 +83,10 @@ paths:
        - $ref: "#/components/parameters/LastName"
        - $ref: "#/components/parameters/Username"
        - $ref: "#/components/parameters/Email"
-        - $ref: "#/components/parameters/Tag"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      security:
        - bearerAuth: []
      responses:
@@ -116,7 +118,7 @@ paths:
        - bearerAuth: []
      responses:
        "200":
-          $ref: "#/components/responses/UserRes"
+          $ref: "#/components/responses/UserProfileRes"
        "400":
          description: Failed due to malformed query parameters.
        "401":
@@ -154,10 +156,10 @@ paths:

    patch:
      operationId: updateUser
-      summary: Updates first, last name and metadata of the user.
+      summary: Updates first, last name, metadata, and private metadata of the user.
      description: |
-        Updates name and metadata of the user with provided ID. Name and metadata
-        is updated using authorization token and the new received info.
+        Updates name, metadata and private metadata of the user with provided ID. Name, metadata
+        and private metadata are updated using authorization token and the new received info.
      tags:
        - Users
      parameters:
@@ -461,7 +463,7 @@ paths:
        - bearerAuth: []
      responses:
        "200":
-          $ref: "#/components/responses/UserRes"
+          $ref: "#/components/responses/UserProfileRes"
        "400":
          description: Failed due to malformed JSON.
        "401":
@@ -569,7 +571,7 @@ paths:
      requestBody:
        $ref: "#/components/requestBodies/IssueTokenReq"
      responses:
-        "200":
+        "201":
          $ref: "#/components/responses/TokenRes"
        "400":
          description: Failed due to malformed JSON.
@@ -610,6 +612,57 @@ paths:
        "500":
          $ref: "#/components/responses/ServiceError"

+  /users/tokens/revoke:
+    post:
+      operationId: revokeRefreshToken
+      summary: Revoke Refresh Token
+      description: |
+        Revokes a specific refresh token by its ID. This invalidates the
+        refresh token so it can no longer be used to obtain new access tokens.
+      tags:
+        - Users
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: "#/components/requestBodies/RevokeRefreshTokenReq"
+      responses:
+        "204":
+          description: Refresh token revoked successfully.
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "404":
+          description: A non-existent entity request.
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /users/tokens/refresh-tokens:
+    get:
+      operationId: listActiveRefreshTokens
+      summary: List Active Refresh Tokens
+      description: |
+        Lists all active refresh token sessions for the currently authenticated user.
+      tags:
+        - Users
+      security:
+        - bearerAuth: []
+      responses:
+        "200":
+          $ref: "#/components/responses/RefreshTokensPageRes"
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "404":
+          description: A non-existent entity request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
  /users/send-verification:
    post:
      operationId: sendVerification
@@ -706,7 +759,7 @@ components:
              type: string
              format: password
              example: password
-              minimum: 8
+              minLength: 8
              description: Free-form account secret used for acquiring auth token(s).
          required:
            - username
@@ -714,7 +767,11 @@ components:
        metadata:
          type: object
          example: { "domain": "example.com" }
-          description: Arbitrary, object-encoded user's data.
+          description: Arbitrary, object-encoded user's data visible to other users.
+        private_metadata:
+          type: object
+          example: { "domain": "example.com" }
+          description: Arbitrary, object-encoded user's data private to the user.
        profile_picture:
          type: string
          example: "https://example.com/profile.jpg"
@@ -758,7 +815,7 @@ components:
          description: User tags.
        email:
          type: string
-          example: "john.doe@supermq.com"
+          example: "john.doe@magistrala.com"
          description: User email for example email address.
        credentials:
          type: object
@@ -770,7 +827,11 @@ components:
        metadata:
          type: object
          example: { "address": "example" }
-          description: Arbitrary, object-encoded user's data.
+          description: Arbitrary, object-encoded user's data visible to other users.
+        private_metadata:
+          type: object
+          example: { "address": "example" }
+          description: Arbitrary, object-encoded user's data private to the user.
        profile_picture:
          type: string
          example: "https://example.com/profile.jpg"
@@ -811,7 +872,7 @@ components:
          description: User's last name.
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User's email address.
        tags:
          type: array
@@ -830,12 +891,12 @@ components:
            secret:
              type: string
              example: password
-              minimum: 8
+              minLength: 8
              description: User secret password.
        metadata:
          type: object
          example: { "role": "general" }
-          description: Arbitrary, object-encoded user's data.
+          description: Arbitrary, object-encoded user's data visible to other users.
        status:
          type: string
          description: User Status
@@ -894,11 +955,11 @@ components:
        metadata:
          type: object
          example: { "role": "general" }
-          description: Arbitrary, object-encoded user's data.
-      required:
-        - first_name
-        - last_name
-        - metadata
+          description: Arbitrary, object-encoded user's data visible to other users.
+        private_metadata:
+          type: object
+          example: { "role": "general" }
+          description: Arbitrary, object-encoded user's data private to the user.

    UserTags:
      type: object
@@ -908,7 +969,6 @@ components:
          example: ["yello", "orange"]
          description: User tags.
          minItems: 0
-          uniqueItems: true
          items:
            type: string

@@ -927,7 +987,7 @@ components:
      properties:
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User email address.
      required:
        - email
@@ -938,12 +998,12 @@ components:
        old_secret:
          type: string
          example: oldpassword
-          minimum: 8
+          minLength: 8
          description: Old user secret password.
        new_secret:
          type: string
          example: newpassword
-          minimum: 8
+          minLength: 8
          description: New user secret password.
      required:
        - old_secret
@@ -1029,12 +1089,36 @@ components:
        password:
          type: string
          example: password
-          minimum: 8
+          minLength: 8
          description: User secret password.
      required:
        - username
        - password

+    RefreshToken:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+          example: "bb7edb32-2eac-4aad-aebe-ed96fe073879"
+          description: Unique identifier of the refresh token.
+        description:
+          type: string
+          example: "Chrome browser session"
+          description: Description of the refresh token session.
+
+    RefreshTokensPage:
+      type: object
+      properties:
+        refresh_tokens:
+          type: array
+          items:
+            $ref: "#/components/schemas/RefreshToken"
+          description: List of active refresh tokens.
+      required:
+        - refresh_tokens
+
    Error:
      type: object
      properties:
@@ -1138,14 +1222,14 @@ components:
      required: false
      example: enabled

-    Tag:
-      name: tag
-      description: User tag.
+    Tags:
+      name: tags
+      description: User tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
        type: string
      required: false
-      example: "orange"
+      example: "orange,yellow"

    GroupName:
      name: name
@@ -1278,7 +1362,7 @@ components:
        maximum: 100
        minimum: 1
      required: false
-      example: "100"
+      example: 100

    Offset:
      name: offset
@@ -1289,7 +1373,7 @@ components:
        default: 0
        minimum: 0
      required: false
-      example: "0"
+      example: 0

    Order:
      name: order
@@ -1321,6 +1405,26 @@ components:
        default: false
      required: false

+    CreatedFrom:
+      name: created_from
+      description: Filter users created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter users created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
    VerificationToken:
      name: token
      description: Verification token.
@@ -1339,7 +1443,7 @@ components:
            $ref: "#/components/schemas/UserReqObj"

    UserUpdateReq:
-      description: JSON-formated document describing the metadata and name of user to be update
+      description: JSON-formated document describing the name, metadata and private_metadata of user to be update
      required: true
      content:
        application/json:
@@ -1444,18 +1548,34 @@ components:
                format: password
                description: New password.
                example: "12345678"
-                minimum: 8
+                minLength: 8
              confirm_password:
                type: string
                format: password
                description: New confirmation password.
                example: "12345678"
-                minimum: 8
+                minLength: 8
              token:
                type: string
                format: jwt
                description: Reset token generated and sent in email.

+    RevokeRefreshTokenReq:
+      description: JSON-formatted document describing the refresh token to revoke.
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              token_id:
+                type: string
+                format: uuid
+                example: "bb7edb32-2eac-4aad-aebe-ed96fe073879"
+                description: The unique identifier of the refresh token to revoke.
+            required:
+              - token_id
+
    PasswordChange:
      description: Password change data. User can change its password.
      required: true
@@ -1467,11 +1587,11 @@ components:
              password:
                type: string
                format: password
-                minimum: 8
+                minLength: 8
                description: New password.
              old_password:
                type: string
-                minimum: 8
+                minLength: 8
                format: password
                description: Old password.

@@ -1533,6 +1653,13 @@ components:
          schema:
            $ref: "#/components/schemas/User"

+    UserProfileRes:
+      description: Data retrieved for current user profile.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/User"
+
    UserPageRes:
      description: Data retrieved.
      content:
@@ -1560,6 +1687,13 @@ components:
                example: access
                description: User access token type.

+    RefreshTokensPageRes:
+      description: List of active refresh tokens for the authenticated user.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/RefreshTokensPage"
+
    HealthRes:
      description: Service Health Check.
      content:
@@ -8,7 +8,7 @@ User service is using Auth service gRPC API to obtain login token or password re

 - ID - key ID
 - Type - one of the three types described below
- IssuerID - an ID of the SuperMQ User who issued the key
+- IssuerID - an ID of the Magistrala User who issued the key
 - Subject - user ID for which the key is issued
 - IssuedAt - the timestamp when the key is issued
 - ExpiresAt - the timestamp after which the key is invalid
@@ -29,7 +29,7 @@ API keys are similar to the User keys. The main difference is that API keys have

 Recovery key is the password recovery key. It's short-lived token used for password recovery process.

-For in-depth explanation of the aforementioned scenarios, as well as thorough understanding of SuperMQ, please check out the [official documentation][doc].
+For in-depth explanation of the aforementioned scenarios, as well as thorough understanding of Magistrala, please check out the [official documentation][doc].

 The following actions are supported:

@@ -40,7 +40,7 @@ The following actions are supported:

 ## Domains

-Domains are used to group users and clients. Each domain has a unique route that is associated with the domain. Domains are used to group users and their entities.
+Domains are used to group users and clients. Each domain has a unique `route` that is associated with the domain. Domains are used to group users and their entities.

 Domain consists of the following fields:

@@ -59,63 +59,63 @@ Domain consists of the following fields:

 The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

-| Variable                            | Description                                                                          | Default                        |
-| ----------------------------------- | ------------------------------------------------------------------------------------ | ------------------------------ |
-| SMQ_AUTH_LOG_LEVEL                  | Log level for the Auth service (debug, info, warn, error)                            | info                           |
-| SMQ_AUTH_DB_HOST                    | Database host address                                                                | localhost                      |
-| SMQ_AUTH_DB_PORT                    | Database host port                                                                   | 5432                           |
-| SMQ_AUTH_DB_USER                    | Database user                                                                        | supermq                        |
-| SMQ_AUTH_DB_PASSWORD                | Database password                                                                    | supermq                        |
-| SMQ_AUTH_DB_NAME                    | Name of the database used by the service                                             | auth                           |
-| SMQ_AUTH_DB_SSL_MODE                | Database connection SSL mode (disable, require, verify-ca, verify-full)              | disable                        |
-| SMQ_AUTH_DB_SSL_CERT                | Path to the PEM encoded certificate file                                             | ""                             |
-| SMQ_AUTH_DB_SSL_KEY                 | Path to the PEM encoded key file                                                     | ""                             |
-| SMQ_AUTH_DB_SSL_ROOT_CERT           | Path to the PEM encoded root certificate file                                        | ""                             |
-| SMQ_AUTH_HTTP_HOST                  | Auth service HTTP host                                                               | ""                             |
-| SMQ_AUTH_HTTP_PORT                  | Auth service HTTP port                                                               | 8189                           |
-| SMQ_AUTH_HTTP_SERVER_CERT           | Path to the PEM encoded HTTP server certificate file                                 | ""                             |
-| SMQ_AUTH_HTTP_SERVER_KEY            | Path to the PEM encoded HTTP server key file                                         | ""                             |
-| SMQ_AUTH_GRPC_HOST                  | Auth service gRPC host                                                               | ""                             |
-| SMQ_AUTH_GRPC_PORT                  | Auth service gRPC port                                                               | 8181                           |
-| SMQ_AUTH_GRPC_SERVER_CERT           | Path to the PEM encoded gRPC server certificate file                                 | ""                             |
-| SMQ_AUTH_GRPC_SERVER_KEY            | Path to the PEM encoded gRPC server key file                                         | ""                             |
-| SMQ_AUTH_GRPC_SERVER_CA_CERTS       | Path to the PEM encoded gRPC server CA certificate file                              | ""                             |
-| SMQ_AUTH_GRPC_CLIENT_CA_CERTS       | Path to the PEM encoded gRPC client CA certificate file                              | ""                             |
-| SMQ_AUTH_SECRET_KEY                 | String used for signing tokens                                                       | secret                         |
-| SMQ_AUTH_ACCESS_TOKEN_DURATION      | The access token expiration period                                                   | 1h                             |
-| SMQ_AUTH_REFRESH_TOKEN_DURATION     | The refresh token expiration period                                                  | 24h                            |
-| SMQ_AUTH_INVITATION_DURATION        | The invitation token expiration period                                               | 168h                           |
-| SMQ_AUTH_CACHE_URL                  | Redis URL for caching PAT scopes                                                     | redis://localhost:6379/0       |
-| SMQ_AUTH_CACHE_KEY_DURATION         | Duration for which PAT scope cache keys are valid                                    | 10m                            |
-| SMQ_SPICEDB_HOST                    | SpiceDB host address                                                                 | localhost                      |
-| SMQ_SPICEDB_PORT                    | SpiceDB host port                                                                    | 50051                          |
-| SMQ_SPICEDB_PRE_SHARED_KEY          | SpiceDB pre-shared key                                                               | 12345678                       |
-| SMQ_SPICEDB_SCHEMA_FILE             | Path to SpiceDB schema file                                                          | ./docker/spicedb/schema.zed    |
-| SMQ_JAEGER_URL                      | Jaeger server URL                                                                    | <http://jaeger:4318/v1/traces> |
-| SMQ_JAEGER_TRACE_RATIO              | Jaeger sampling ratio                                                                | 1.0                            |
-| SMQ_SEND_TELEMETRY                  | Send telemetry to supermq call home server                                           | true                           |
-| SMQ_ADAPTER_INSTANCE_ID        | Adapter instance ID                                                                  | ""                             |
-| SMQ_CALLOUT_URLS               | Comma-separated list of callout URLs                                                 | ""                             |
-| SMQ_CALLOUT_METHOD             | Callout method                                                                       | POST                           |
-| SMQ_CALLOUT_TLS_VERIFICATION   | Enable TLS verification for callouts                                                 | true                           |
-| SMQ_CALLOUT_TIMEOUT            | Callout timeout                                                                      | 10s                            |
-| SMQ_CALLOUT_CA_CERT            | Path to CA certificate file                                                          | ""                             |
-| SMQ_CALLOUT_CERT               | Path to client certificate file                                                      | ""                             |
-| SMQ_CALLOUT_KEY                | Path to client key file                                                              | ""                             |
-| SMQ_CALLOUT_OPERATIONS | Invoke callout if the authorization permission matches any of the given permissions. | ""                             |
+| Variable                         | Description                                                                          | Default                        |
+| :------------------------------- | :----------------------------------------------------------------------------------- | :----------------------------- |
+| `MG_AUTH_LOG_LEVEL`              | Log level for the Auth service (debug, info, warn, error)                            | info                           |
+| `MG_AUTH_DB_HOST`                | Database host address                                                                | localhost                      |
+| `MG_AUTH_DB_PORT`                | Database host port                                                                   | 5432                           |
+| `MG_AUTH_DB_USER`                | Database user                                                                        | magistrala                     |
+| `MG_AUTH_DB_PASSWORD`            | Database password                                                                    | magistrala                     |
+| `MG_AUTH_DB_NAME`                | Name of the database used by the service                                             | auth                           |
+| `MG_AUTH_DB_SSL_MODE`            | Database connection SSL mode (disable, require, verify-ca, verify-full)              | disable                        |
+| `MG_AUTH_DB_SSL_CERT`            | Path to the PEM encoded certificate file                                             | ""                             |
+| `MG_AUTH_DB_SSL_KEY`             | Path to the PEM encoded key file                                                     | ""                             |
+| `MG_AUTH_DB_SSL_ROOT_CERT`       | Path to the PEM encoded root certificate file                                        | ""                             |
+| `MG_AUTH_HTTP_HOST`              | Auth service HTTP host                                                               | ""                             |
+| `MG_AUTH_HTTP_PORT`              | Auth service HTTP port                                                               | 8189                           |
+| `MG_AUTH_HTTP_SERVER_CERT`       | Path to the PEM encoded HTTP server certificate file                                 | ""                             |
+| `MG_AUTH_HTTP_SERVER_KEY`        | Path to the PEM encoded HTTP server key file                                         | ""                             |
+| `MG_AUTH_GRPC_HOST`              | Auth service gRPC host                                                               | ""                             |
+| `MG_AUTH_GRPC_PORT`              | Auth service gRPC port                                                               | 8181                           |
+| `MG_AUTH_GRPC_SERVER_CERT`       | Path to the PEM encoded gRPC server certificate file                                 | ""                             |
+| `MG_AUTH_GRPC_SERVER_KEY`        | Path to the PEM encoded gRPC server key file                                         | ""                             |
+| `MG_AUTH_GRPC_SERVER_CA_CERTS`   | Path to the PEM encoded gRPC server CA certificate file                              | ""                             |
+| `MG_AUTH_GRPC_CLIENT_CA_CERTS`   | Path to the PEM encoded gRPC client CA certificate file                              | ""                             |
+| `MG_AUTH_SECRET_KEY`             | String used for signing tokens                                                       | secret                         |
+| `MG_AUTH_ACCESS_TOKEN_DURATION`  | The access token expiration period                                                   | 1h                             |
+| `MG_AUTH_REFRESH_TOKEN_DURATION` | The refresh token expiration period                                                  | 24h                            |
+| `MG_AUTH_INVITATION_DURATION`    | The invitation token expiration period                                               | 168h                           |
+| `MG_AUTH_CACHE_URL`              | Redis URL for caching PAT scopes                                                     | redis://localhost:6379/0       |
+| `MG_AUTH_CACHE_KEY_DURATION`     | Duration for which PAT scope cache keys are valid                                    | 10m                            |
+| `MG_SPICEDB_HOST`                | SpiceDB host address                                                                 | localhost                      |
+| `MG_SPICEDB_PORT`                | SpiceDB host port                                                                    | 50051                          |
+| `MG_SPICEDB_PRE_SHARED_KEY`      | SpiceDB pre-shared key                                                               | 12345678                       |
+| `MG_SPICEDB_SCHEMA_FILE`         | Path to SpiceDB schema file                                                          | ./docker/spicedb/schema.zed    |
+| `MG_JAEGER_URL`                  | Jaeger server URL                                                                    | <http://jaeger:4318/v1/traces> |
+| `MG_JAEGER_TRACE_RATIO`          | Jaeger sampling ratio                                                                | 1.0                            |
+| `MG_SEND_TELEMETRY`              | Send telemetry to magistrala call home server                                        | true                           |
+| `MG_ADAPTER_INSTANCE_ID`         | Adapter instance ID                                                                  | ""                             |
+| `MG_CALLOUT_URLS`                | Comma-separated list of callout URLs                                                 | ""                             |
+| `MG_CALLOUT_METHOD`              | Callout method                                                                       | POST                           |
+| `MG_CALLOUT_TLS_VERIFICATION`    | Enable TLS verification for callouts                                                 | true                           |
+| `MG_CALLOUT_TIMEOUT`             | Callout timeout                                                                      | 10s                            |
+| `MG_CALLOUT_CA_CERT`             | Path to CA certificate file                                                          | ""                             |
+| `MG_CALLOUT_CERT`                | Path to client certificate file                                                      | ""                             |
+| `MG_CALLOUT_KEY`                 | Path to client key file                                                              | ""                             |
+| `MG_CALLOUT_OPERATIONS`          | Invoke callout if the authorization permission matches any of the given permissions. | ""                             |

 ## Deployment

-The service itself is distributed as Docker container. Check the [`auth`](https://github.com/absmach/supermq/blob/main/docker/docker-compose.yaml) service section in docker-compose file to see how service is deployed.
+The service itself is distributed as Docker container. Check the [`auth`](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) service section in docker-compose file to see how service is deployed.

 Running this service outside of container requires working instance of the postgres database, SpiceDB, and Jaeger server.
 To start the service outside of the container, execute the following shell script:

 ```bash
 # download the latest version of the service
-git clone https://github.com/absmach/supermq
+git clone https://github.com/absmach/magistrala

-cd supermq
+cd magistrala

 # compile the service
 make auth
@@ -124,54 +124,54 @@ make auth
 make install

 # set the environment variables and run the service
-SMQ_AUTH_LOG_LEVEL=info \
-SMQ_AUTH_DB_HOST=localhost \
-SMQ_AUTH_DB_PORT=5432 \
-SMQ_AUTH_DB_USER=supermq \
-SMQ_AUTH_DB_PASSWORD=supermq \
-SMQ_AUTH_DB_NAME=auth \
-SMQ_AUTH_DB_SSL_MODE=disable \
-SMQ_AUTH_DB_SSL_CERT="" \
-SMQ_AUTH_DB_SSL_KEY="" \
-SMQ_AUTH_DB_SSL_ROOT_CERT="" \
-SMQ_AUTH_HTTP_HOST=localhost \
-SMQ_AUTH_HTTP_PORT=8189 \
-SMQ_AUTH_HTTP_SERVER_CERT="" \
-SMQ_AUTH_HTTP_SERVER_KEY="" \
-SMQ_AUTH_GRPC_HOST=localhost \
-SMQ_AUTH_GRPC_PORT=8181 \
-SMQ_AUTH_GRPC_SERVER_CERT="" \
-SMQ_AUTH_GRPC_SERVER_KEY="" \
-SMQ_AUTH_GRPC_SERVER_CA_CERTS="" \
-SMQ_AUTH_GRPC_CLIENT_CA_CERTS="" \
-SMQ_AUTH_SECRET_KEY=secret \
-SMQ_AUTH_ACCESS_TOKEN_DURATION=1h \
-SMQ_AUTH_REFRESH_TOKEN_DURATION=24h \
-SMQ_AUTH_INVITATION_DURATION=168h \
-SMQ_SPICEDB_HOST=localhost \
-SMQ_SPICEDB_PORT=50051 \
-SMQ_SPICEDB_PRE_SHARED_KEY=12345678 \
-SMQ_SPICEDB_SCHEMA_FILE=./docker/spicedb/schema.zed \
-SMQ_JAEGER_URL=http://localhost:14268/api/traces \
-SMQ_JAEGER_TRACE_RATIO=1.0 \
-SMQ_SEND_TELEMETRY=true \
-SMQ_AUTH_ADAPTER_INSTANCE_ID="" \
-SMQ_CALLOUT_URLS="" \
-SMQ_CALLOUT_METHOD="POST" \
-SMQ_CALLOUT_TLS_VERIFICATION=true \
-$GOBIN/supermq-auth
+MG_AUTH_LOG_LEVEL=info \
+MG_AUTH_DB_HOST=localhost \
+MG_AUTH_DB_PORT=5432 \
+MG_AUTH_DB_USER=magistrala \
+MG_AUTH_DB_PASSWORD=magistrala \
+MG_AUTH_DB_NAME=auth \
+MG_AUTH_DB_SSL_MODE=disable \
+MG_AUTH_DB_SSL_CERT="" \
+MG_AUTH_DB_SSL_KEY="" \
+MG_AUTH_DB_SSL_ROOT_CERT="" \
+MG_AUTH_HTTP_HOST=localhost \
+MG_AUTH_HTTP_PORT=8189 \
+MG_AUTH_HTTP_SERVER_CERT="" \
+MG_AUTH_HTTP_SERVER_KEY="" \
+MG_AUTH_GRPC_HOST=localhost \
+MG_AUTH_GRPC_PORT=8181 \
+MG_AUTH_GRPC_SERVER_CERT="" \
+MG_AUTH_GRPC_SERVER_KEY="" \
+MG_AUTH_GRPC_SERVER_CA_CERTS="" \
+MG_AUTH_GRPC_CLIENT_CA_CERTS="" \
+MG_AUTH_SECRET_KEY=secret \
+MG_AUTH_ACCESS_TOKEN_DURATION=1h \
+MG_AUTH_REFRESH_TOKEN_DURATION=24h \
+MG_AUTH_INVITATION_DURATION=168h \
+MG_SPICEDB_HOST=localhost \
+MG_SPICEDB_PORT=50051 \
+MG_SPICEDB_PRE_SHARED_KEY=12345678 \
+MG_SPICEDB_SCHEMA_FILE=./docker/spicedb/schema.zed \
+MG_JAEGER_URL=http://localhost:14268/api/traces \
+MG_JAEGER_TRACE_RATIO=1.0 \
+MG_SEND_TELEMETRY=true \
+MG_AUTH_ADAPTER_INSTANCE_ID="" \
+MG_CALLOUT_URLS="" \
+MG_CALLOUT_METHOD="POST" \
+MG_CALLOUT_TLS_VERIFICATION=true \
+$GOBIN/magistrala-auth
 ```

-Setting `SMQ_AUTH_HTTP_SERVER_CERT` and `SMQ_AUTH_HTTP_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key.
-Setting `SMQ_AUTH_GRPC_SERVER_CERT` and `SMQ_AUTH_GRPC_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key. Setting `SMQ_AUTH_GRPC_SERVER_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs. Setting `SMQ_AUTH_GRPC_CLIENT_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs.
+Setting `MG_AUTH_HTTP_SERVER_CERT` and `MG_AUTH_HTTP_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key.
+Setting `MG_AUTH_GRPC_SERVER_CERT` and `MG_AUTH_GRPC_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key. Setting `MG_AUTH_GRPC_SERVER_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs. Setting `MG_AUTH_GRPC_CLIENT_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs.

 ## Personal Access Tokens (PATs)

-Personal Access Tokens (PATs) provide a secure way to authenticate with SuperMQ APIs without using your primary credentials. They are particularly useful for automation, CI/CD pipelines, and integrating with third-party services.
+Personal Access Tokens (PATs) provide a secure way to authenticate with Magistrala APIs without using your primary credentials. They are particularly useful for automation, CI/CD pipelines, and integrating with third-party services.

 ### Overview

-PATs in SuperMQ are designed with the following features:
+PATs in Magistrala are designed with the following features:

 - **Scoped Access**: Each token can be limited to specific operations on specific resources
 - **Expiration Control**: Set custom expiration times for tokens
@@ -183,7 +183,7 @@ PATs in SuperMQ are designed with the following features:

 A PAT consists of three parts separated by underscores:

-```
+```bash
 pat_<encoded-user-and-pat-id>_<random-string>
 ```

@@ -195,7 +195,7 @@ Where:

 ### PAT Operations

-SuperMQ supports the following operations for PATs:
+Magistrala supports the following operations for PATs:

 | Operation   | Description                          |
 | ----------- | ------------------------------------ |
@@ -318,7 +318,7 @@ curl --location --request PATCH 'http://localhost:9001/pats/a2500226-95dc-4285-8

 When making API requests, include the PAT in the Authorization header:

-```
+```bash
 Authorization: Bearer pat_<encoded-user-and-pat-id>_<random-string>
 ```

@@ -444,6 +444,6 @@ When a PAT is used for authentication:

 ## Usage

-For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.supermq.abstractmachines.fr/?urls.primaryName=auth.yaml).
+For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.magistrala.absmach.eu/?urls.primaryName=auth.yaml).

-[doc]: https://docs.supermq.abstractmachines.fr
+[doc]: https://magistrala.absmach.eu/docs/
@@ -7,9 +7,9 @@ import (
 	"context"
 	"time"

-	grpcAuthV1 "github.com/absmach/supermq/api/grpc/auth/v1"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc"
+	grpcAuthV1 "github.com/absmach/magistrala/api/grpc/auth/v1"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc"
 	"github.com/go-kit/kit/endpoint"
 	kitgrpc "github.com/go-kit/kit/transport/grpc"
 	"google.golang.org/grpc"
@@ -18,11 +18,9 @@ import (
 const authSvcName = "auth.v1.AuthService"

 type authGrpcClient struct {
-	authenticate    endpoint.Endpoint
-	authenticatePAT endpoint.Endpoint
-	authorize       endpoint.Endpoint
-	authorizePAT    endpoint.Endpoint
-	timeout         time.Duration
+	authenticate endpoint.Endpoint
+	authorize    endpoint.Endpoint
+	timeout      time.Duration
 }

 var _ grpcAuthV1.AuthServiceClient = (*authGrpcClient)(nil)
@@ -38,14 +36,6 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
 			decodeIdentifyResponse,
 			grpcAuthV1.AuthNRes{},
 		).Endpoint(),
-		authenticatePAT: kitgrpc.NewClient(
-			conn,
-			authSvcName,
-			"AuthenticatePAT",
-			encodeIdentifyRequest,
-			decodeIdentifyPATResponse,
-			grpcAuthV1.AuthNRes{},
-		).Endpoint(),
 		authorize: kitgrpc.NewClient(
 			conn,
 			authSvcName,
@@ -54,14 +44,6 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
 			decodeAuthorizeResponse,
 			grpcAuthV1.AuthZRes{},
 		).Endpoint(),
-		authorizePAT: kitgrpc.NewClient(
-			conn,
-			authSvcName,
-			"AuthorizePAT",
-			encodeAuthorizePATRequest,
-			decodeAuthorizeResponse,
-			grpcAuthV1.AuthZRes{},
-		).Endpoint(),
 		timeout: timeout,
 	}
 }
@@ -75,7 +57,7 @@ func (client authGrpcClient) Authenticate(ctx context.Context, token *grpcAuthV1
 		return &grpcAuthV1.AuthNRes{}, grpcapi.DecodeError(err)
 	}
 	ir := res.(authenticateRes)
-	return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole), Verified: ir.verified}, nil
+	return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole), Verified: ir.verified, TokenType: uint32(ir.tokenType)}, nil
 }

 func encodeIdentifyRequest(_ context.Context, grpcReq any) (any, error) {
@@ -85,40 +67,45 @@ func encodeIdentifyRequest(_ context.Context, grpcReq any) (any, error) {

 func decodeIdentifyResponse(_ context.Context, grpcRes any) (any, error) {
 	res := grpcRes.(*grpcAuthV1.AuthNRes)
-	return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole), verified: res.GetVerified()}, nil
-}
-
-func (client authGrpcClient) AuthenticatePAT(ctx context.Context, token *grpcAuthV1.AuthNReq, _ ...grpc.CallOption) (*grpcAuthV1.AuthNRes, error) {
-	ctx, cancel := context.WithTimeout(ctx, client.timeout)
-	defer cancel()
-
-	res, err := client.authenticatePAT(ctx, authenticateReq{token: token.GetToken()})
-	if err != nil {
-		return &grpcAuthV1.AuthNRes{}, grpcapi.DecodeError(err)
-	}
-	ir := res.(authenticateRes)
-	return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole)}, nil
-}
-
-func decodeIdentifyPATResponse(_ context.Context, grpcRes any) (any, error) {
-	res := grpcRes.(*grpcAuthV1.AuthNRes)
-	return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole)}, nil
+	return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole), verified: res.GetVerified(), tokenType: auth.KeyType(res.GetTokenType())}, nil
 }

 func (client authGrpcClient) Authorize(ctx context.Context, req *grpcAuthV1.AuthZReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
 	ctx, cancel := context.WithTimeout(ctx, client.timeout)
 	defer cancel()

-	res, err := client.authorize(ctx, authReq{
-		Domain:      req.GetDomain(),
-		SubjectType: req.GetSubjectType(),
-		Subject:     req.GetSubject(),
-		SubjectKind: req.GetSubjectKind(),
-		Relation:    req.GetRelation(),
-		Permission:  req.GetPermission(),
-		ObjectType:  req.GetObjectType(),
-		Object:      req.GetObject(),
-	})
+	var authReqData authReq
+
+	if req != nil {
+		policyReq := req.GetPolicyReq()
+		patReq := req.GetPatReq()
+
+		if policyReq != nil {
+			authReqData = authReq{
+				Domain:      policyReq.GetDomain(),
+				SubjectType: policyReq.GetSubjectType(),
+				Subject:     policyReq.GetSubject(),
+				SubjectKind: policyReq.GetSubjectKind(),
+				Relation:    policyReq.GetRelation(),
+				Permission:  policyReq.GetPermission(),
+				ObjectType:  policyReq.GetObjectType(),
+				Object:      policyReq.GetObject(),
+			}
+		}
+
+		if patReq != nil {
+			if patReq.GetDomain() != "" {
+				authReqData.Domain = patReq.GetDomain()
+			}
+			authReqData.UserID = patReq.GetUserId()
+			authReqData.PatID = patReq.GetPatId()
+			authReqData.EntityType = patReq.GetEntityType()
+			authReqData.Operation = patReq.GetOperation()
+			authReqData.EntityID = patReq.GetEntityId()
+		}
+	}
+
+	res, err := client.authorize(ctx, authReqData)
 	if err != nil {
 		return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
 	}
@@ -134,46 +121,30 @@ func decodeAuthorizeResponse(_ context.Context, grpcRes any) (any, error) {

 func encodeAuthorizeRequest(_ context.Context, grpcReq any) (any, error) {
 	req := grpcReq.(authReq)
-	return &grpcAuthV1.AuthZReq{
-		Domain:      req.Domain,
-		SubjectType: req.SubjectType,
-		Subject:     req.Subject,
-		SubjectKind: req.SubjectKind,
-		Relation:    req.Relation,
-		Permission:  req.Permission,
-		ObjectType:  req.ObjectType,
-		Object:      req.Object,
-	}, nil
-}

-func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZPatReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
-	ctx, cancel := context.WithTimeout(ctx, client.timeout)
-	defer cancel()
-
-	res, err := client.authorizePAT(ctx, authPATReq{
-		userID:           req.GetUserId(),
-		patID:            req.GetPatId(),
-		entityType:       auth.EntityType(req.GetEntityType()),
-		optionalDomainID: req.GetOptionalDomainId(),
-		operation:        auth.Operation(req.GetOperation()),
-		entityID:         req.GetEntityId(),
-	})
-	if err != nil {
-		return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
+	authZReq := &grpcAuthV1.AuthZReq{
+		PolicyReq: &grpcAuthV1.PolicyReq{
+			Domain:      req.Domain,
+			SubjectType: req.SubjectType,
+			Subject:     req.Subject,
+			SubjectKind: req.SubjectKind,
+			Relation:    req.Relation,
+			Permission:  req.Permission,
+			ObjectType:  req.ObjectType,
+			Object:      req.Object,
+		},
 	}

-	ar := res.(authorizeRes)
-	return &grpcAuthV1.AuthZRes{Authorized: ar.authorized, Id: ar.id}, nil
-}
+	if req.PatID != "" {
+		authZReq.PatReq = &grpcAuthV1.PATReq{
+			PatId:      req.PatID,
+			Domain:     req.Domain,
+			Operation:  req.Operation,
+			UserId:     req.UserID,
+			EntityId:   req.EntityID,
+			EntityType: req.EntityType,
+		}
+	}

-func encodeAuthorizePATRequest(_ context.Context, grpcReq any) (any, error) {
-	req := grpcReq.(authPATReq)
-	return &grpcAuthV1.AuthZPatReq{
-		UserId:           req.userID,
-		PatId:            req.patID,
-		EntityType:       uint32(req.entityType),
-		OptionalDomainId: req.optionalDomainID,
-		Operation:        uint32(req.operation),
-		EntityId:         req.entityID,
-	}, nil
+	return authZReq, nil
 }
@@ -6,8 +6,8 @@ package auth
 import (
 	"context"

-	"github.com/absmach/supermq/auth"
-	"github.com/absmach/supermq/pkg/policies"
+	"github.com/absmach/magistrala/auth"
+	"github.com/absmach/magistrala/pkg/policies"
 	"github.com/go-kit/kit/endpoint"
 )

@@ -23,23 +23,7 @@ func authenticateEndpoint(svc auth.Service) endpoint.Endpoint {
 			return authenticateRes{}, err
 		}

-		return authenticateRes{userID: key.Subject, userRole: key.Role, verified: key.Verified}, nil
-	}
-}
-
-func authenticatePATEndpoint(svc auth.Service) endpoint.Endpoint {
-	return func(ctx context.Context, request any) (any, error) {
-		req := request.(authenticateReq)
-		if err := req.validate(); err != nil {
-			return authenticateRes{}, err
-		}
-
-		pat, err := svc.IdentifyPAT(ctx, req.token)
-		if err != nil {
-			return authenticateRes{}, err
-		}
-
-		return authenticateRes{id: pat.ID, userID: pat.User, userRole: pat.Role}, nil
+		return authenticateRes{id: key.ID, userID: key.Subject, userRole: key.Role, verified: key.Verified, tokenType: key.Type}, nil
 	}
 }

@@ -50,6 +34,23 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
 		if err := req.validate(); err != nil {
 			return authorizeRes{}, err
 		}
+
+		var pat *auth.PATAuthz
+		if req.PatID != "" {
+			entityType, err := auth.ParseEntityType(req.EntityType)
+			if err != nil {
+				return authorizeRes{authorized: false}, err
+			}
+			pat = &auth.PATAuthz{
+				PatID:      req.PatID,
+				UserID:     req.UserID,
+				EntityType: entityType,
+				EntityID:   req.EntityID,
+				Operation:  req.Operation,
+				Domain:     req.Domain,
+			}
+		}
+
 		err := svc.Authorize(ctx, policies.Policy{
 			Domain:      req.Domain,
 			SubjectType: req.SubjectType,
@@ -59,22 +60,7 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
 			Permission:  req.Permission,
 			ObjectType:  req.ObjectType,
 			Object:      req.Object,
-		})
-		if err != nil {
-			return authorizeRes{authorized: false}, err
-		}
-		return authorizeRes{authorized: true}, nil
-	}
-}
-
-func authorizePATEndpoint(svc auth.Service) endpoint.Endpoint {
-	return func(ctx context.Context, request any) (any, error) {
-		req := request.(authPATReq)
-
-		if err := req.validate(); err != nil {
-			return authorizeRes{}, err
-		}
-		err := svc.AuthorizePAT(ctx, req.userID, req.patID, req.entityType, req.optionalDomainID, req.operation, req.entityID)
+		}, pat)
 		if err != nil {
 			return authorizeRes{authorized: false}, err
 		}
@@ -10,13 +10,14 @@ import (
 	"testing"
 	"time"

-	grpcAuthV1 "github.com/absmach/supermq/api/grpc/auth/v1"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc/auth"
-	"github.com/absmach/supermq/internal/testsutil"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	grpcAuthV1 "github.com/absmach/magistrala/api/grpc/auth/v1"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc/auth"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/absmach/magistrala/pkg/policies"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"google.golang.org/grpc"
@@ -25,25 +26,14 @@ import (

 const (
 	port            = 8081
-	secret          = "secret"
-	email           = "test@example.com"
 	id              = "testID"
-	clientsType     = "clients"
 	usersType       = "users"
-	description     = "Description"
-	groupName       = "smqx"
 	adminPermission = "admin"
-
 	authoritiesObj  = "authorities"
 	memberRelation  = "member"
-	loginDuration   = 30 * time.Minute
-	refreshDuration = 24 * time.Hour
-	invalidDuration = 7 * 24 * time.Hour
 	validToken      = "valid"
 	inValidToken    = "invalid"
 	validPATToken   = "valid"
-	inValidPATToken = "invalid"
-	validPolicy     = "valid"
 )

 var (
@@ -73,6 +63,7 @@ func TestIdentify(t *testing.T) {
 	cases := []struct {
 		desc   string
 		token  string
+		key    auth.Key
 		idt    *grpcAuthV1.AuthNRes
 		svcErr error
 		err    error
@@ -80,12 +71,14 @@ func TestIdentify(t *testing.T) {
 		{
 			desc:  "authenticate user with valid user token",
 			token: validToken,
+			key:   auth.Key{ID: "", Subject: id, Role: auth.UserRole},
 			idt:   &grpcAuthV1.AuthNRes{UserId: id, UserRole: uint32(auth.UserRole)},
 			err:   nil,
 		},
 		{
 			desc:   "authenticate user with invalid user token",
 			token:  "invalid",
+			key:    auth.Key{},
 			idt:    &grpcAuthV1.AuthNRes{},
 			svcErr: svcerr.ErrAuthentication,
 			err:    svcerr.ErrAuthentication,
@@ -96,11 +89,26 @@ func TestIdentify(t *testing.T) {
 			idt:   &grpcAuthV1.AuthNRes{},
 			err:   apiutil.ErrBearerToken,
 		},
+		{
+			desc:  "authenticate user with valid PAT token",
+			token: "pat_" + validPATToken,
+			key:   auth.Key{ID: id, Type: auth.PersonalAccessToken, Subject: clientID, Role: auth.UserRole},
+			idt:   &grpcAuthV1.AuthNRes{Id: id, UserId: clientID, UserRole: uint32(auth.UserRole), TokenType: uint32(auth.PersonalAccessToken)},
+			err:   nil,
+		},
+		{
+			desc:   "authenticate user with invalid PAT token",
+			token:  "pat_invalid",
+			key:    auth.Key{},
+			idt:    &grpcAuthV1.AuthNRes{},
+			svcErr: svcerr.ErrAuthentication,
+			err:    svcerr.ErrAuthentication,
+		},
 	}

 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			svcCall := svc.On("Identify", mock.Anything, mock.Anything).Return(auth.Key{Subject: id, Role: auth.UserRole}, tc.svcErr)
+			svcCall := svc.On("Identify", mock.Anything, tc.token).Return(tc.key, tc.svcErr)
 			idt, err := grpcClient.Authenticate(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
 			if idt != nil {
 				assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
@@ -123,18 +131,22 @@ func TestAuthorize(t *testing.T) {
 		token        string
 		authRequest  *grpcAuthV1.AuthZReq
 		authResponse *grpcAuthV1.AuthZRes
+		expectedReq  *policies.Policy
+		expectedPAT  *auth.PATAuthz
 		err          error
 	}{
 		{
 			desc:  "authorize user with authorized token",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: usersType,
-				Object:      authoritiesObj,
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
 			err:          nil,
@@ -143,12 +155,14 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with unauthorized token",
 			token: inValidToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: usersType,
-				Object:      authoritiesObj,
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          svcerr.ErrAuthorization,
@@ -157,12 +171,14 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty subject",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     "",
-				SubjectType: usersType,
-				Object:      authoritiesObj,
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     "",
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          apiutil.ErrMissingPolicySub,
@@ -171,12 +187,14 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty subject type",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: "",
-				Object:      authoritiesObj,
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: "",
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          apiutil.ErrMissingPolicySub,
@@ -185,12 +203,14 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty object",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: usersType,
-				Object:      "",
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      "",
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          apiutil.ErrMissingPolicyObj,
@@ -199,12 +219,14 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty object type",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: usersType,
-				Object:      authoritiesObj,
-				ObjectType:  "",
-				Relation:    memberRelation,
-				Permission:  adminPermission,
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  "",
+					Relation:    memberRelation,
+					Permission:  adminPermission,
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          apiutil.ErrMissingPolicyObj,
@@ -213,20 +235,161 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty permission",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				Subject:     id,
-				SubjectType: usersType,
-				Object:      authoritiesObj,
-				ObjectType:  usersType,
-				Relation:    memberRelation,
-				Permission:  "",
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  "",
+				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
 			err:          apiutil.ErrMalformedPolicyPer,
 		},
+		{
+			desc:  "authorize user with valid PAT token",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
+			err:          nil,
+		},
+		{
+			desc:  "authorize bootstrap PAT keeps PAT domain when policy domain is empty",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.MembershipPermission,
+					ObjectType:  policies.DomainType,
+					Object:      domainID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "create",
+					UserId:     id,
+					EntityId:   auth.AnyIDs,
+					EntityType: auth.BootstrapStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
+			expectedReq: &policies.Policy{
+				Domain:      domainID,
+				SubjectType: policies.UserType,
+				SubjectKind: policies.UsersKind,
+				Subject:     id,
+				Permission:  policies.MembershipPermission,
+				ObjectType:  policies.DomainType,
+				Object:      domainID,
+			},
+			expectedPAT: &auth.PATAuthz{
+				PatID:      id,
+				UserID:     id,
+				EntityType: auth.BootstrapType,
+				EntityID:   auth.AnyIDs,
+				Operation:  "create",
+				Domain:     domainID,
+			},
+			err: nil,
+		},
+		{
+			desc:  "authorize user with unauthorized PAT token",
+			token: inValidToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          svcerr.ErrAuthorization,
+		},
+		{
+			desc:  "authorize PAT with missing user id",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          apiutil.ErrMissingUserID,
+		},
+		{
+			desc:  "authorize PAT with missing entity id",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityType: auth.ClientsScopeStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          apiutil.ErrMissingID,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			svcCall := svc.On("Authorize", mock.Anything, mock.Anything).Return(tc.err)
+			svcCall := svc.On("Authorize", mock.Anything, mock.Anything, mock.Anything).Return(tc.err)
 			ar, err := grpcClient.Authorize(context.Background(), tc.authRequest)
 			if ar != nil {
 				assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
@@ -236,139 +399,3 @@ func TestAuthorize(t *testing.T) {
 		})
 	}
 }
-
-func TestIdentifyPAT(t *testing.T) {
-	conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
-	defer conn.Close()
-	grpcClient := grpcapi.NewAuthClient(conn, time.Second)
-
-	cases := []struct {
-		desc   string
-		token  string
-		idt    *grpcAuthV1.AuthNRes
-		svcErr error
-		err    error
-	}{
-		{
-			desc:  "authenticate user with valid user token",
-			token: validToken,
-			idt:   &grpcAuthV1.AuthNRes{Id: id, UserId: clientID},
-			err:   nil,
-		},
-		{
-			desc:   "authenticate user with invalid user token",
-			token:  "invalid",
-			idt:    &grpcAuthV1.AuthNRes{},
-			svcErr: svcerr.ErrAuthentication,
-			err:    svcerr.ErrAuthentication,
-		},
-		{
-			desc:  "authenticate user with empty token",
-			token: "",
-			idt:   &grpcAuthV1.AuthNRes{},
-			err:   apiutil.ErrBearerToken,
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.desc, func(t *testing.T) {
-			svcCall := svc.On("IdentifyPAT", mock.Anything, tc.token).Return(auth.PAT{ID: id, User: clientID, IssuedAt: time.Now()}, tc.svcErr)
-			idt, err := grpcClient.AuthenticatePAT(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
-			if idt != nil {
-				assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
-			}
-			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
-			svcCall.Unset()
-		})
-	}
-}
-
-func TestAuthorizePAT(t *testing.T) {
-	conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
-	defer conn.Close()
-
-	grpcClient := grpcapi.NewAuthClient(conn, time.Second)
-	cases := []struct {
-		desc         string
-		token        string
-		authRequest  *grpcAuthV1.AuthZPatReq
-		authResponse *grpcAuthV1.AuthZRes
-		err          error
-	}{
-		{
-			desc:  "authorize user with authorized token",
-			token: validPATToken,
-			authRequest: &grpcAuthV1.AuthZPatReq{
-				UserId:           id,
-				PatId:            id,
-				EntityType:       uint32(auth.ClientsType),
-				OptionalDomainId: domainID,
-				Operation:        uint32(auth.CreateOp),
-				EntityId:         clientID,
-			},
-			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
-			err:          nil,
-		},
-		{
-			desc:  "authorize user with unauthorized token",
-			token: inValidPATToken,
-			authRequest: &grpcAuthV1.AuthZPatReq{
-				UserId:           id,
-				PatId:            id,
-				EntityType:       uint32(auth.ClientsType),
-				OptionalDomainId: domainID,
-				Operation:        uint32(auth.CreateOp),
-				EntityId:         clientID,
-			},
-			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
-			err:          svcerr.ErrAuthorization,
-		},
-		{
-			desc:  "authorize user with missing user id",
-			token: validPATToken,
-			authRequest: &grpcAuthV1.AuthZPatReq{
-				PatId:            id,
-				EntityType:       uint32(auth.ClientsType),
-				OptionalDomainId: domainID,
-				Operation:        uint32(auth.CreateOp),
-				EntityId:         clientID,
-			},
-			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
-			err:          apiutil.ErrMissingUserID,
-		},
-		{
-			desc:  "authorize user with missing pat id",
-			token: validPATToken,
-			authRequest: &grpcAuthV1.AuthZPatReq{
-				UserId:           id,
-				EntityType:       uint32(auth.ClientsType),
-				OptionalDomainId: domainID,
-				Operation:        uint32(auth.CreateOp),
-				EntityId:         clientID,
-			},
-			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
-			err:          apiutil.ErrMissingPATID,
-		},
-	}
-	for _, tc := range cases {
-		t.Run(tc.desc, func(t *testing.T) {
-			svcCall := svc.On("AuthorizePAT",
-				mock.Anything,
-				tc.authRequest.UserId,
-				tc.authRequest.PatId,
-				mock.Anything,
-				tc.authRequest.OptionalDomainId,
-				mock.Anything,
-				mock.Anything,
-				mock.Anything).Return(tc.err)
-			ar, err := grpcClient.AuthorizePAT(context.Background(), tc.authRequest)
-			if ar != nil {
-				assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
-			}
-			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
-			svcCall.Unset()
-		})
-	}
-}
@@ -4,8 +4,7 @@
 package auth

 import (
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/auth"
+	apiutil "github.com/absmach/magistrala/api/http/util"
 )

 type authenticateReq struct {
@@ -33,9 +32,28 @@ type authReq struct {
 	Permission  string
 	ObjectType  string
 	Object      string
+
+	// PAT authorization fields
+	UserID     string
+	PatID      string
+	EntityType string
+	Operation  string
+	EntityID   string
 }

 func (req authReq) validate() error {
+	if req.PatID != "" {
+		if req.UserID == "" {
+			return apiutil.ErrMissingUserID
+		}
+		if req.EntityID == "" {
+			return apiutil.ErrMissingID
+		}
+		if req.EntityType == "" {
+			return apiutil.ErrMissingPolicyObj
+		}
+	}
+
 	if req.Subject == "" || req.SubjectType == "" {
 		return apiutil.ErrMissingPolicySub
 	}
@@ -50,22 +68,3 @@ func (req authReq) validate() error {

 	return nil
 }
-
-type authPATReq struct {
-	userID           string
-	patID            string
-	entityType       auth.EntityType
-	optionalDomainID string
-	operation        auth.Operation
-	entityID         string
-}
-
-func (req authPATReq) validate() error {
-	if req.userID == "" {
-		return apiutil.ErrMissingUserID
-	}
-	if req.patID == "" {
-		return apiutil.ErrMissingPATID
-	}
-	return nil
-}
@@ -3,13 +3,14 @@

 package auth

-import smqauth "github.com/absmach/supermq/auth"
+import "github.com/absmach/magistrala/auth"

 type authenticateRes struct {
-	id       string
-	userID   string
-	userRole smqauth.Role
-	verified bool
+	id        string
+	userID    string
+	userRole  auth.Role
+	verified  bool
+	tokenType auth.KeyType
 }

 type authorizeRes struct {
--- a/Show More
+++ b/Show More