NOISSUE - Bump the go-dependency group across 1 directory with 3 updates (#3531 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump actions/checkout from 6 to 7 in /.github/workflows in the gh-dependency group across 1 directory (#3530 )
2026-06-23 04:10:28 +00:00 · 2026-06-19 17:13:43 +02:00 · 2026-06-19 17:08:11 +02:00 · 2026-06-19 16:52:13 +02:00 · 2026-06-16 16:23:06 +02:00 · 2026-06-12 13:43:21 +02:00
1122 changed files with 117132 additions and 19111 deletions
@@ -1 +1 @@
-*   @absmach/supermq
+*   @absmach/magistrala
@@ -5,7 +5,7 @@ blank_issues_enabled: false
 contact_links:
  - name: Google group
    url: https://groups.google.com/forum/#!forum/mainflux
-    about: Join the SuperMQ community on Google group.
+    about: Join the Magistrala community on Google group.
  - name: Gitter
    url: https://gitter.im/mainflux/mainflux
-    about: Join the SuperMQ community on Gitter.
+    about: Join the Magistrala community on Gitter.
@@ -3,8 +3,8 @@ SPDX-License-Identifier: Apache-2.0 -->

 <!--

-Pull request title should be `SMQ-XXX - description` or `NOISSUE - description` where XXX is ID of the issue that this PR relate to.
-Please review the [CONTRIBUTING.md](https://github.com/absmach/supermq/blob/main/CONTRIBUTING.md) file for detailed contributing guidelines.
+Pull request title should be `MG-XXX - description` or `NOISSUE - description` where XXX is ID of the issue that this PR relate to.
+Please review the [CONTRIBUTING.md](https://github.com/absmach/magistrala/blob/main/CONTRIBUTING.md) file for detailed contributing guidelines.

 For Work In Progress Pull Requests, please use the Draft PR feature, see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for further details.

@@ -5,9 +5,11 @@ version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "./.github/workflows"
+    target-branch: "main"
    schedule:
-      interval: "monthly"
+      interval: "weekly"
      day: "monday"
+      time: "06:00"
      timezone: "Europe/Paris"
    groups:
      gh-dependency:
@@ -16,16 +18,24 @@ updates:

  - package-ecosystem: "gomod"
    directory: "/"
+    target-branch: "main"
    schedule:
      interval: "weekly"
      day: "monday"
+      time: "06:15"
      timezone: "Europe/Paris"
+    groups:
+      go-dependency:
+        patterns:
+          - "*"

  - package-ecosystem: "docker"
-    directory: "./docker"
+    directory: "/docker"
+    target-branch: "main"
    schedule:
-      interval: "monthly"
+      interval: "weekly"
      day: "monday"
+      time: "06:30"
      timezone: "Europe/Paris"
    groups:
      docker-dependency:
@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>SuperMQ API Documentation</title>
+    <title>Magistrala API Documentation</title>
    <link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui.css">
    <style>
        body {
@@ -101,7 +101,7 @@ SPDX-License-Identifier: Apache-2.0
 </head>
 <body>
    <div class="service-selector">
-        <h1>SuperMQ API Documentation</h1>
+        <h1>Magistrala API Documentation</h1>
        <div class="service-dropdown-container">
            <label for="serviceDropdown">Select Service:</label>
            <select id="serviceDropdown" class="service-dropdown"></select>
@@ -15,9 +15,14 @@ on:
      - "clients/api/http/**"
      - "domains/api/http/**"
      - "groups/api/http/**"
-      - "http/api/**"
      - "journal/api/**"
      - "users/api/**"
+      - "bootstrap/api/**"
+      - "certs/api/http/**"
+      - "readers/api/http/**"
+      - "re/api/**"
+      - "alarms/api/**"
+      - "reports/api/**"
      - "apidocs/openapi/**"
  pull_request:
    branches:
@@ -30,9 +35,14 @@ on:
      - "clients/api/http/**"
      - "domains/api/http/**"
      - "groups/api/http/**"
-      - "http/api/**"
      - "journal/api/**"
      - "users/api/**"
+      - "bootstrap/api/**"
+      - "certs/api/http/**"
+      - "readers/api/http/**"
+      - "re/api/**"
+      - "alarms/api/**"
+      - "reports/api/**"
      - "apidocs/openapi/**"

 concurrency:
@@ -50,31 +60,32 @@ env:
  CLIENTS_URL: http://localhost:9006
  CHANNELS_URL: http://localhost:9005
  GROUPS_URL: http://localhost:9004
-  HTTP_ADAPTER_URL: http://localhost:8008
  AUTH_URL: http://localhost:9001
  JOURNAL_URL: http://localhost:9021
+  BOOTSTRAP_URL: http://localhost:9013
+  CERTS_URL: http://localhost:9019
+  READERS_URL: http://localhost:9011
+  RE_URL: http://localhost:9008
+  ALARMS_URL: http://localhost:8050
+  REPORTS_URL: http://localhost:9017

 jobs:
  api-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0

-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
-
      - name: Install Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
          filters: |
@@ -93,10 +104,6 @@ jobs:
              - "apidocs/openapi/domains.yaml"
              - "domains/api/http/**"

-            http:
-              - "apidocs/openapi/http.yaml"
-              - "http/api/**"
-
            clients:
              - "apidocs/openapi/clients.yaml"
              - "clients/api/http/**"
@@ -113,6 +120,30 @@ jobs:
              - "apidocs/openapi/users.yaml"
              - "users/api/**"

+            bootstrap:
+              - "apidocs/openapi/bootstrap.yaml"
+              - "bootstrap/api/**"
+
+            certs:
+              - "apidocs/openapi/certs.yaml"
+              - "certs/api/http/**"
+
+            readers:
+              - "apidocs/openapi/readers.yaml"
+              - "readers/api/http/**"
+
+            re:
+              - "apidocs/openapi/rules.yaml"
+              - "re/api/**"
+
+            alarms:
+              - "apidocs/openapi/alarms.yaml"
+              - "alarms/api/**"
+
+            reports:
+              - "apidocs/openapi/reports.yaml"
+              - "reports/api/**"
+
      - name: Build images
        run: make all -j $(nproc) && make dockers_dev -j $(nproc)

@@ -139,12 +170,12 @@ jobs:
          export USER_TOKEN=$(curl -sSX POST $TOKENS_URL -H "Content-Type: application/json" -d "{\"identity\": \"$USER_IDENTITY\",\"secret\": \"$USER_SECRET\"}" | jq -r .access_token)
          export DOMAIN_ID=$(curl -sSX POST $CREATE_DOMAINS_URL -H "Content-Type: application/json" -H "Authorization: Bearer $USER_TOKEN" -d "{\"name\":\"$DOMAIN_NAME\",\"route\":\"$DOMAIN_NAME\"}" | jq -r .id)
          echo "USER_TOKEN=$USER_TOKEN" >> $GITHUB_ENV
-          export CLIENT_SECRET=$(supermq-cli provision test | /usr/bin/grep -Eo '"secret": "[^"]+"' | awk 'NR % 2 == 0' | sed 's/"secret": "\(.*\)"/\1/')
+          export CLIENT_SECRET=$(magistrala-cli provision test | /usr/bin/grep -Eo '"secret": "[^"]+"' | awk 'NR % 2 == 0' | sed 's/"secret": "\(.*\)"/\1/')
          echo "CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV

      - name: Run Users API tests
        if: steps.changes.outputs.users == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/users.yaml
          base-url: ${{ env.USERS_URL }}
@@ -153,7 +184,7 @@ jobs:

      - name: Run Groups API tests
        if: steps.changes.outputs.groups == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/groups.yaml
          base-url: ${{ env.GROUPS_URL }}
@@ -162,7 +193,7 @@ jobs:

      - name: Run Clients API tests
        if: steps.changes.outputs.clients == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/clients.yaml
          base-url: ${{ env.CLIENTS_URL }}
@@ -171,25 +202,16 @@ jobs:

      - name: Run Channels API tests
        if: steps.changes.outputs.channels == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/channels.yaml
          base-url: ${{ env.CHANNELS_URL }}
          checks: all
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

-      - name: Run HTTP Adapter API tests
-        if: steps.changes.outputs.http == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
-        with:
-          schema: apidocs/openapi/http.yaml
-          base-url: ${{ env.HTTP_ADAPTER_URL }}
-          checks: all
-          args: '--header "Authorization: Client ${{ env.CLIENT_SECRET }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
-
      - name: Run Auth API tests
        if: steps.changes.outputs.auth == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/auth.yaml
          base-url: ${{ env.AUTH_URL }}
@@ -198,7 +220,7 @@ jobs:

      - name: Run Domains API tests
        if: steps.changes.outputs.domains == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/domains.yaml
          base-url: ${{ env.DOMAIN_URL }}
@@ -207,13 +229,67 @@ jobs:

      - name: Run Journal API tests
        if: steps.changes.outputs.journal == 'true' || steps.changes.outputs.workflow == 'true'
-        uses: schemathesis/action@v2.1.0
+        uses: schemathesis/action@v3.0.0
        with:
          schema: apidocs/openapi/journal.yaml
          base-url: ${{ env.JOURNAL_URL }}
          checks: all
          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'

+      - name: Run Bootstrap API tests
+        if: steps.changes.outputs.bootstrap == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/bootstrap.yaml
+          base-url: ${{ env.BOOTSTRAP_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Certs API tests
+        if: steps.changes.outputs.certs == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/certs.yaml
+          base-url: ${{ env.CERTS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Readers API tests
+        if: steps.changes.outputs.readers == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/readers.yaml
+          base-url: ${{ env.READERS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Rules Engine API tests
+        if: steps.changes.outputs.re == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/rules.yaml
+          base-url: ${{ env.RE_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Alarms API tests
+        if: steps.changes.outputs.alarms == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/alarms.yaml
+          base-url: ${{ env.ALARMS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
+      - name: Run Reports API tests
+        if: steps.changes.outputs.reports == 'true' || steps.changes.outputs.workflow == 'true'
+        uses: schemathesis/action@v3.0.0
+        with:
+          schema: apidocs/openapi/reports.yaml
+          base-url: ${{ env.REPORTS_URL }}
+          checks: all
+          args: '--header "Authorization: Bearer ${{ env.USER_TOKEN }}" --suppress-health-check=filter_too_much --exclude-checks=positive_data_acceptance --phases=examples'
+
      - name: Stop containers
        if: always()
        run: make run_latest down args="-v" && make run_addons down args="-v"
@@ -8,12 +8,12 @@ on:
    branches:
      - main
    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - '.github/workflows/**'
-      - 'LICENSE'
-      - 'MAINTAINERS'
-      - 'CODEOWNERS'
+      - "**/*.md"
+      - "docs/**"
+      - ".github/workflows/**"
+      - "LICENSE"
+      - "MAINTAINERS"
+      - "CODEOWNERS"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,35 +29,31 @@ jobs:
    needs: [lint-and-build]
    permissions:
      contents: read
+      packages: write

    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0
          fetch-tags: true

-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
-
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Set up Docker Build
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

-      - name: Login to DockerHub
-        uses: docker/login-action@v3
+      - name: Login to GHCR
+        uses: docker/login-action@v4
        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker images
        run: |
          make latest -j $(nproc)
-
@@ -13,20 +13,16 @@ jobs:
    runs-on: ubuntu-latest
    env:
      PROTOC_VERSION: "33.0"
-      PROTOC_GEN_GO_VERSION: "v1.36.10"
-      PROTOC_GEN_GO_GRPC_VERSION: "v1.5.1"
+      PROTOC_GEN_GO_VERSION: "v1.36.11"
+      PROTOC_GEN_GO_GRPC_VERSION: "v1.6.0"
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Install Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Set GOBIN
@@ -41,7 +37,7 @@ jobs:
          git diff --exit-code

      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
          base: main
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Check License Header
        run: |
@@ -12,22 +12,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Run linters
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@v9.2.1
        with:
-          version: v2.7.2
+          version: v2.10.1
          args: --config ./tools/config/.golangci.yaml

  build:
@@ -36,16 +32,12 @@ jobs:
    needs: lint
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Build all binaries
@@ -60,25 +52,18 @@ jobs:
      fail-fast: true
      matrix:
        variant:
-          - name: rabbitmq
-            env: SMQ_MESSAGE_BROKER_TYPE=msg_rabbitmq
-            target: mqtt
          - name: redis
-            env: SMQ_ES_TYPE=es_redis
-            target: mqtt
+            env: MG_ES_TYPE=es_redis
+            target: fluxmq

    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Compile check for ${{ matrix.variant.name }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Build Swagger UI
        run: |
@@ -42,4 +42,4 @@ jobs:
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./swagger-ui
-          cname: docs.api.supermq.absmach.eu
+          cname: docs.api.magistrala.absmach.eu
@@ -8,7 +8,7 @@ on:
    branches:
      - main
    paths-ignore:
-      - '**.md'
+      - '**/*.md'
      - 'docs/**'
      - 'LICENSE'
      - 'MAINTAINERS'
@@ -22,39 +22,17 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  check-certs:
-    name: Check Certs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v6
-
-      - name: Fetch Certs
-        run: |
-          make fetch_certs
-          if [[ -n $(git status --porcelain docker/addons/certs) ]]; then
-            echo "Certs docker file is not up to date. Please update it"
-            git diff docker/addons/certs
-            exit 1
-          else
-            exit 0
-          fi
-
  lint-proto:
    name: Lint Proto
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Install protolint
@@ -66,25 +44,22 @@ jobs:
          protolint .

  lint-and-build:
-    needs: [check-certs, lint-proto]
+    needs: [lint-proto]
    uses: ./.github/workflows/lint-and-build.yaml

-
-
  detect-changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    outputs:
      modules: ${{ steps.set-matrix.outputs.modules }}
-      workflow_changed: ${{ steps.changes.outputs.workflow }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
        with:
          fetch-depth: 0

      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
          filters: |
@@ -100,6 +75,13 @@ jobs:
              - "pkg/ulid/**"
              - "pkg/uuid/**"

+            bootstrap:
+              - "bootstrap/**"
+              - "cmd/bootstrap/**"
+              - "pkg/bootstrap/**"
+              - "provision/**"
+              - "pkg/sdk/**"
+
            channels:
              - "channels/**"
              - "cmd/channels/**"
@@ -131,14 +113,6 @@ jobs:
              - "domains/api/grpc/**"
              - "internal/grpc/**"

-            coap:
-              - "coap/**"
-              - "cmd/coap/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-
            domains:
              - "domains/**"
              - "cmd/domains/**"
@@ -160,15 +134,6 @@ jobs:
              - "domains/api/grpc/**"
              - "internal/grpc/**"

-            http:
-              - "http/**"
-              - "cmd/http/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-              - "logger/**"
-
            internal:
              - "internal/**"

@@ -183,16 +148,6 @@ jobs:
            logger:
              - "logger/**"

-            mqtt:
-              - "mqtt/**"
-              - "cmd/mqtt/**"
-              - "auth.pb.go"
-              - "auth_grpc.pb.go"
-              - "clients/**"
-              - "pkg/messaging/**"
-              - "logger/**"
-              - "pkg/events/**"
-
            pkg-errors:
              - "pkg/errors/**"

@@ -211,7 +166,6 @@ jobs:
              - "pkg/errors/**"
              - "pkg/groups/**"
              - "auth/**"
-              - "http/**"
              - "internal/*"
              - "clients/**"
              - "users/**"
@@ -220,6 +174,9 @@ jobs:
              - "groups/**"
              - "journal/**"
              - "api/http/**"
+              - "re/**"
+              - "alarms/**"
+              - "reports/**"

            pkg-transformers:
              - "pkg/transformers/**"
@@ -253,9 +210,28 @@ jobs:

            consumers:
              - "consumers/**"
+              - "cmd/postgres-writer/**"
+              - "cmd/timescale-writer/**"
+              - "cmd/smpp-notifier/**"
+              - "cmd/smtp-notifier/**"

            readers:
              - "readers/**"
+              - "cmd/postgres-reader/**"
+              - "cmd/timescale-reader/**"
+
+            re:
+              - "re/**"
+              - "cmd/re/**"
+              - "re/api/**"
+
+            alarms:
+              - "alarms/**"
+              - "cmd/alarms/**"
+
+            reports:
+              - "reports/**"
+              - "cmd/reports/**"

      - name: Set matrix for changed modules
        id: set-matrix
@@ -264,21 +240,19 @@ jobs:

          if [[ "${{ steps.changes.outputs.workflow }}" == "true" || "${{ steps.changes.outputs.pkg-errors }}" == "true" ]]; then
            # If workflow or pkg/errors changed, test everything
-            modules=("auth" "channels" "cli" "clients" "coap" "domains" "groups" "http" "internal" "journal" "logger" "mqtt" "pkg-errors" "pkg-events" "pkg-grpcclient" "pkg-messaging" "pkg-sdk" "pkg-transformers" "pkg-ulid" "pkg-uuid" "users" "notifications" "api" "consumers" "readers")
+            modules=("auth" "bootstrap" "channels" "cli" "clients" "domains" "groups" "internal" "journal" "logger" "pkg-errors" "pkg-events" "pkg-grpcclient" "pkg-messaging" "pkg-sdk" "pkg-transformers" "pkg-ulid" "pkg-uuid" "users" "notifications" "api" "consumers" "readers" "re" "alarms" "reports")
          else
            # Add only changed modules
            [[ "${{ steps.changes.outputs.auth }}" == "true" ]] && modules+=("auth")
+            [[ "${{ steps.changes.outputs.bootstrap }}" == "true" ]] && modules+=("bootstrap")
            [[ "${{ steps.changes.outputs.channels }}" == "true" ]] && modules+=("channels")
            [[ "${{ steps.changes.outputs.cli }}" == "true" ]] && modules+=("cli")
            [[ "${{ steps.changes.outputs.clients }}" == "true" ]] && modules+=("clients")
-            [[ "${{ steps.changes.outputs.coap }}" == "true" ]] && modules+=("coap")
            [[ "${{ steps.changes.outputs.domains }}" == "true" ]] && modules+=("domains")
            [[ "${{ steps.changes.outputs.groups }}" == "true" ]] && modules+=("groups")
-            [[ "${{ steps.changes.outputs.http }}" == "true" ]] && modules+=("http")
            [[ "${{ steps.changes.outputs.internal }}" == "true" ]] && modules+=("internal")
            [[ "${{ steps.changes.outputs.journal }}" == "true" ]] && modules+=("journal")
            [[ "${{ steps.changes.outputs.logger }}" == "true" ]] && modules+=("logger")
-            [[ "${{ steps.changes.outputs.mqtt }}" == "true" ]] && modules+=("mqtt")
            [[ "${{ steps.changes.outputs.pkg-errors }}" == "true" ]] && modules+=("pkg-errors")
            [[ "${{ steps.changes.outputs.pkg-events }}" == "true" ]] && modules+=("pkg-events")
            [[ "${{ steps.changes.outputs.pkg-grpcclient }}" == "true" ]] && modules+=("pkg-grpcclient")
@@ -292,6 +266,9 @@ jobs:
            [[ "${{ steps.changes.outputs.api }}" == "true" ]] && modules+=("api")
            [[ "${{ steps.changes.outputs.consumers }}" == "true" ]] && modules+=("consumers")
            [[ "${{ steps.changes.outputs.readers }}" == "true" ]] && modules+=("readers")
+            [[ "${{ steps.changes.outputs.re }}" == "true" ]] && modules+=("re")
+            [[ "${{ steps.changes.outputs.alarms }}" == "true" ]] && modules+=("alarms")
+            [[ "${{ steps.changes.outputs.reports }}" == "true" ]] && modules+=("reports")
          fi

          # Convert to JSON array
@@ -312,16 +289,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+        uses: actions/checkout@v7

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ steps.go-version.outputs.version }}
+          go-version-file: go.mod
          cache-dependency-path: "go.sum"

      - name: Verify dependencies
@@ -347,7 +320,7 @@ jobs:
          go test -mod=readonly --race -v -count=1 -failfast -coverprofile=coverage-${{ matrix.module }}.out ./$dir/...

      - name: Upload coverage
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: coverage-${{ matrix.module }}
          path: coverage-${{ matrix.module }}.out
@@ -360,17 +333,17 @@ jobs:
    if: always() && needs.run-tests.result != 'cancelled'
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Download all coverage artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
        with:
          pattern: coverage-*
          path: coverage
          merge-multiple: true

      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v7
        with:
          token: ${{ secrets.CODECOV }}
          directory: ./coverage
@@ -18,3 +18,6 @@ coverage

 # Ignore Openbao data directory as it contains runtime-generated data
 docker/addons/certs/openbao/
+
+# Ignore SeaweedFS data directory as it contains runtime-generated data
+docker/data/*
@@ -1,12 +1,12 @@
 # Adopters

-As SuperMQ Community grows, we'd like to keep track of SuperMQ adopters to grow the community, contact other users, share experiences and best practices.
+As Magistrala Community grows, we'd like to keep track of Magistrala adopters to grow the community, contact other users, share experiences and best practices.

-To accomplish this, we created a public ledger. The list of organizations and users who consider themselves as SuperMQ adopters and that **publicly/officially** shared information and/or details of their adoption journey(optional).
+To accomplish this, we created a public ledger. The list of organizations and users who consider themselves as Magistrala adopters and that **publicly/officially** shared information and/or details of their adoption journey(optional).
 Where users themselves directly maintain the list.

 ## Adding yourself as an adopter
-If you are using SuperMQ, please consider adding yourself as an adopter with a brief description of your use case by opening a pull request to this file and adding a section describing your adoption of SuperMQ technology.
+If you are using Magistrala, please consider adding yourself as an adopter with a brief description of your use case by opening a pull request to this file and adding a section describing your adoption of Magistrala technology.

 **Please send PRs to add or remove organizations/users**

@@ -25,12 +25,12 @@ Pull request commit must be [signed](https://docs.github.com/en/github/authentic
 * There is no minimum requirement or adaptation size, but we request to list permanent deployments only, i.e., no demo or trial deployments. Commercial or production use is not required. A well-done home lab setup can be equally impressive as a large-scale commercial deployment.


-**The list of organizations/users that have publicly shared the usage of SuperMQ:**
+**The list of organizations/users that have publicly shared the usage of Magistrala:**

-**Note**: Several other organizations/users couldn't publicly share their usage details but are active project contributors and SuperMQ Community members.
+**Note**: Several other organizations/users couldn't publicly share their usage details but are active project contributors and Magistrala Community members.


 ## Adopters list (alphabetical)


-**Note:** The list is maintained by the users themselves. If you find yourself on this list, and you think it's inappropriate. Please contact [project maintainers](https://github.com/absmach/supermq/blob/main/MAINTAINERS) and you will be permanently removed from the list.
+**Note:** The list is maintained by the users themselves. If you find yourself on this list, and you think it's inappropriate. Please contact [project maintainers](https://github.com/absmach/magistrala/blob/main/MAINTAINERS) and you will be permanently removed from the list.
@@ -1,6 +1,6 @@
-# Contributing to SuperMQ
+# Contributing to Magistrala

-The following is a set of guidelines to contribute to SuperMQ and its libraries, which are
+The following is a set of guidelines to contribute to Magistrala and its libraries, which are
 hosted on the [Abstract Machines Organization](https://github.com/absmach) on GitHub.

 This project adheres to the [Contributor Covenant 1.2](http://contributor-covenant.org/version/1/2/0).
@@ -13,7 +13,7 @@ Reporting issues are a great way to contribute to the project. We are perpetuall
 thorough bug report.

 Before raising a new issue, check [our issue
-list](https://github.com/absmach/supermq/issues) to determine if it already contains the
+list](https://github.com/absmach/magistrala/issues) to determine if it already contains the
 problem that you are facing.

 A good bug report shouldn't leave others needing to chase you for more information. Please be as detailed as possible. The following questions might serve as a template for writing a detailed
@@ -41,9 +41,9 @@ To contribute to the project, [fork](https://help.github.com/articles/fork-a-rep
 clone your fork repository, and configure the remotes:

 ```
-git clone https://github.com/<your-username>/supermq.git
-cd supermq
-git remote add upstream https://github.com/absmach/supermq.git
+git clone https://github.com/<your-username>/magistrala.git
+cd magistrala
+git remote add upstream https://github.com/absmach/magistrala.git
 ```

 If your cloned repository is behind the upstream commits, then get the latest changes from upstream:
@@ -53,11 +53,11 @@ git checkout main
 git pull --rebase upstream main
 ```

-Create a new topic branch from `main` using the naming convention `SMQ-[issue-number]`
+Create a new topic branch from `main` using the naming convention `MG-[issue-number]`
 to help us keep track of your contribution scope:

 ```
-git checkout -b SMQ-[issue-number]
+git checkout -b MG-[issue-number]
 ```

 Commit your changes in logical chunks. When you are ready to commit, make sure
@@ -80,7 +80,7 @@ git pull --rebase upstream main
 Push your topic branch up to your fork:

 ```
-git push origin SMQ-[issue-number]
+git push origin MG-[issue-number]
 ```

 [Open a Pull Request](https://help.github.com/articles/using-pull-requests/) with a clear title
@@ -176,7 +176,7 @@

   END OF TERMS AND CONDITIONS

-   Copyright 2015-2026 SuperMQ
+   Copyright 2015-2026 Magistrala

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -1,6 +1,6 @@
-# SuperMQ Maintainers
+# Magistrala Maintainers

-SuperMQ follows a BDFL model for dead-lock situations; day-to-day decisions happen through discussion and pull requests.
+Magistrala follows a BDFL model for dead-lock situations; day-to-day decisions happen through discussion and pull requests.

 ## BDFL

@@ -1,16 +1,18 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-SMQ_DOCKER_IMAGE_NAME_PREFIX ?= supermq
+override MG_DOCKER_IMAGE_NAME_PREFIX := ghcr.io/absmach/magistrala
+MG_DOCKER_VOLUME_NAME_PREFIX ?= magistrala
 BUILD_DIR ?= build
-SERVICES = auth users clients groups channels domains http coap cli mqtt journal notifications
-TEST_API_SERVICES = journal auth certs http clients users channels groups domains
+SERVICES = auth users clients groups channels domains notifications certs re postgres-writer postgres-reader timescale-writer timescale-reader cli alarms reports bootstrap provision journal fluxmq
+TEST_API_SERVICES = journal auth certs clients users channels groups domains
 TEST_API = $(addprefix test_api_,$(TEST_API_SERVICES))
 DOCKERS = $(addprefix docker_,$(SERVICES))
 DOCKERS_DEV = $(addprefix docker_dev_,$(SERVICES))
 CGO_ENABLED ?= 0
 GOARCH ?= amd64
 GOOS ?= linux
+DETECTED_ARCH := $(shell uname -m)
 VERSION ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo 'unknown')
 COMMIT ?= $(shell git rev-parse HEAD)
 TIME ?= $(shell date +%F_%T)
@@ -23,29 +25,31 @@ DOCKER_COMPOSE_COMMANDS_SUPPORTED := up down config restart
 DEFAULT_DOCKER_COMPOSE_COMMAND  := up
 GRPC_MTLS_CERT_FILES_EXISTS = 0
 MOCKERY = $(GOBIN)/mockery
-MOCKERY_VERSION=3.5.5
+MOCKERY_VERSION=3.6.4
 PKG_PROTO_GEN_OUT_DIR=api/grpc
 INTERNAL_PROTO_DIR=internal/proto
 INTERNAL_PROTO_FILES := $(shell find $(INTERNAL_PROTO_DIR) -name "*.proto" | sed 's|$(INTERNAL_PROTO_DIR)/||')

-ifneq ($(SMQ_MESSAGE_BROKER_TYPE),)
-	SMQ_MESSAGE_BROKER_TYPE := $(SMQ_MESSAGE_BROKER_TYPE)
+ifneq ($(MG_MESSAGE_BROKER_TYPE),)
+	MG_MESSAGE_BROKER_TYPE := $(MG_MESSAGE_BROKER_TYPE)
 else
-	SMQ_MESSAGE_BROKER_TYPE=msg_nats
+	MG_MESSAGE_BROKER_TYPE=msg_fluxmq
 endif

-ifneq ($(SMQ_ES_TYPE),)
-	SMQ_ES_TYPE := $(SMQ_ES_TYPE)
+ifneq ($(MG_ES_TYPE),)
+	MG_ES_TYPE := $(MG_ES_TYPE)
 else
-	SMQ_ES_TYPE=es_nats
+	MG_ES_TYPE=es_fluxmq
 endif

+BUILD_TAGS := $(strip $(MG_MESSAGE_BROKER_TYPE) $(MG_ES_TYPE))
+
 define compile_service
 	CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM) \
-	go build -tags $(SMQ_MESSAGE_BROKER_TYPE) -tags $(SMQ_ES_TYPE) -ldflags "-s -w \
-	-X 'github.com/absmach/supermq.BuildTime=$(TIME)' \
-	-X 'github.com/absmach/supermq.Version=$(VERSION)' \
-	-X 'github.com/absmach/supermq.Commit=$(COMMIT)'" \
+	go build -tags "$(BUILD_TAGS)" -ldflags "-s -w \
+	-X 'github.com/absmach/magistrala.BuildTime=$(TIME)' \
+	-X 'github.com/absmach/magistrala.Version=$(VERSION)' \
+	-X 'github.com/absmach/magistrala.Commit=$(COMMIT)'" \
 	-o ${BUILD_DIR}/$(1) cmd/$(1)/main.go
 endef

@@ -60,7 +64,8 @@ define make_docker
 		--build-arg VERSION=$(VERSION) \
 		--build-arg COMMIT=$(COMMIT) \
 		--build-arg TIME=$(TIME) \
-		--tag=$(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
+		--build-arg BUILD_TAGS="$(BUILD_TAGS)" \
+		--tag=$(MG_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
 		-f docker/Dockerfile .
 endef

@@ -70,14 +75,53 @@ define make_docker_dev
 	docker build \
 		--no-cache \
 		--build-arg SVC=$(svc) \
-		--tag=$(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
+		--tag=$(MG_DOCKER_IMAGE_NAME_PREFIX)/$(svc) \
 		-f docker/Dockerfile.dev ./build
 endef

-ADDON_SERVICES = journal certs
+define run_with_arch_detection
+	@echo "Detecting architecture..."
+	@if [ "$(DETECTED_ARCH)" = "arm64" ] || [ "$(DETECTED_ARCH)" = "aarch64" ]; then \
+		echo "ARM64 architecture detected."; \
+		git checkout $(1); \
+		GOARCH=arm64 $(MAKE) dockers; \
+		for svc in $(SERVICES); do \
+				docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest; \
+		done; \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=latest/' docker/.env && rm -f docker/.env.bak; \
+		docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	else \
+		echo "x86_64 architecture detected."; \
+		git checkout $(1); \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$(2)/' docker/.env && rm -f docker/.env.bak; \
+		docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	fi
+endef
+
+ADDON_SERVICES = bootstrap provision postgres-writer postgres-reader

 EXTERNAL_SERVICES = prometheus

+# Detect OS and architecture for cross-platform compatibility
+UNAME_S := $(shell uname -s)
+UNAME_M := $(shell uname -m)
+
+# macOS BSD sed vs GNU sed compatibility
+ifeq ($(UNAME_S),Darwin)
+	SED_INPLACE := sed -i ''
+else
+	SED_INPLACE := sed -i
+endif
+
+# Apple Silicon (arm64) Docker platform compatibility
+# Pre-built images are amd64 only, so we need to use emulation on Apple Silicon
+ifeq ($(UNAME_S),Darwin)
+ifeq ($(UNAME_M),arm64)
+	DOCKER_PLATFORM := DOCKER_DEFAULT_PLATFORM=linux/amd64
+endif
+endif
+DOCKER_PLATFORM ?=
+
 ifneq ($(filter run%,$(firstword $(MAKECMDGOALS))),)
  temp_args := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
  DOCKER_COMPOSE_COMMAND := $(if $(filter $(DOCKER_COMPOSE_COMMANDS_SUPPORTED),$(temp_args)), $(filter $(DOCKER_COMPOSE_COMMANDS_SUPPORTED),$(temp_args)), $(DEFAULT_DOCKER_COMPOSE_COMMAND))
@@ -100,7 +144,7 @@ FILTERED_SERVICES = $(filter-out $(RUN_ADDON_ARGS), $(SERVICES))

 all: $(SERVICES)

-.PHONY: all $(SERVICES) dockers dockers_dev latest release run_latest run_stable run_addons grpc_mtls_certs check_mtls check_certs test_api mocks
+.PHONY: all $(SERVICES) dockers dockers_dev latest release run_latest run_tls run_stable run_addons grpc_mtls_certs check_mtls check_certs test_api mocks

 clean:
 	rm -rf ${BUILD_DIR}
@@ -111,12 +155,12 @@ cleandocker:

 ifdef pv
 	# Remove unused volumes
-	docker volume ls -f name=$(SMQ_DOCKER_IMAGE_NAME_PREFIX) -f dangling=true -q | xargs -r docker volume rm
+	docker volume ls -f name=$(MG_DOCKER_VOLUME_NAME_PREFIX) -f dangling=true -q | xargs -r docker volume rm
 endif

 install:
 	for file in $(BUILD_DIR)/*; do \
-		cp $$file $(GOBIN)/supermq-`basename $$file`; \
+		cp $$file $(GOBIN)/magistrala-`basename $$file`; \
 	done

 mocks: $(MOCKERY)
@@ -124,11 +168,8 @@ mocks: $(MOCKERY)

 $(MOCKERY):
 	@mkdir -p $(GOBIN)
-	@mkdir -p mockery
-	@echo ">> downloading mockery $(MOCKERY_VERSION)..."
-	@curl -sL https://github.com/vektra/mockery/releases/download/v$(MOCKERY_VERSION)/mockery_$(MOCKERY_VERSION)_Linux_x86_64.tar.gz | tar -xz -C mockery
-	@mv mockery/mockery $(GOBIN)
-	@rm -r mockery
+	@echo ">> installing mockery $(MOCKERY_VERSION)..."
+	@go install github.com/vektra/mockery/v3@v$(MOCKERY_VERSION)

 DIRS = consumers readers postgres internal
 test: mocks
@@ -144,34 +185,18 @@ define test_api_service

 	@if [ -z "$(USER_TOKEN)" ]; then \
 		echo "USER_TOKEN is not set"; \
-		echo "Please set it to a valid token"; \
-		exit 1; \
+			echo "Please set it to a valid token"; \
+			exit 1; \
 	fi

-	@if [ "$(svc)" = "http" ] && [ -z "$(CLIENT_SECRET)" ]; then \
-		echo "CLIENT_SECRET is not set"; \
-		echo "Please set it to a valid secret"; \
-		exit 1; \
-	fi
-
-	@if [ "$(svc)" = "http" ]; then \
-		uvx schemathesis run apidocs/openapi/$(svc).yaml \
-		--checks all \
-		--url $(2) \
-		--header "Authorization: Client $(CLIENT_SECRET)" \
-		--suppress-health-check=filter_too_much \
-		--exclude-checks=positive_data_acceptance \
-		--phases=examples,stateful; \
-	else \
-		uvx schemathesis run apidocs/openapi/$(svc).yaml \
-		--checks all \
-		--url $(2) \
-		--header "Authorization: Bearer $(USER_TOKEN)" \
-		--suppress-health-check=filter_too_much \
-		--exclude-checks=positive_data_acceptance \
-		--exclude-operation-id=requestPasswordReset \
-		--phases=examples,stateful; \
-	fi
+	@uvx schemathesis run apidocs/openapi/$(svc).yaml \
+	--checks all \
+	--url $(2) \
+	--header "Authorization: Bearer $(USER_TOKEN)" \
+	--suppress-health-check=filter_too_much \
+	--exclude-checks=positive_data_acceptance \
+	--exclude-operation-id=requestPasswordReset \
+	--phases=examples,stateful
 endef

 test_api_users: TEST_API_URL := http://localhost:9002
@@ -179,7 +204,6 @@ test_api_clients: TEST_API_URL := http://localhost:9006
 test_api_domains: TEST_API_URL := http://localhost:9003
 test_api_channels: TEST_API_URL := http://localhost:9005
 test_api_groups: TEST_API_URL := http://localhost:9004
-test_api_http: TEST_API_URL := http://localhost:8008
 test_api_auth: TEST_API_URL := http://localhost:9001
 test_api_certs: TEST_API_URL := http://localhost:9019
 test_api_journal: TEST_API_URL := http://localhost:9021
@@ -206,7 +230,7 @@ dockers_dev: $(DOCKERS_DEV)

 define docker_push
 	for svc in $(SERVICES); do \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(1); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(1); \
 	done
 endef

@@ -219,10 +243,10 @@ latest: dockers
 publish_arch:
 	$(MAKE) dockers GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM)
 	for svc in $(SERVICES); do \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
-		docker push $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(VERSION)-$(GOARCH); \
+		docker push $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:latest-$(GOARCH); \
 	done

 release:
@@ -230,7 +254,7 @@ release:
 	git checkout $(version)
 	$(MAKE) dockers
 	for svc in $(SERVICES); do \
-		docker tag $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(SMQ_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(version); \
+		docker tag $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc $(MG_DOCKER_IMAGE_NAME_PREFIX)/$$svc:$(version); \
 	done
 	$(call docker_push,$(version))

@@ -265,30 +289,33 @@ endif
 endif
 endif

-fetch_certs:
-	@./scripts/certs.sh
-
 run_latest: check_certs
-	git checkout main
-	sed -i 's/^SMQ_RELEASE_TAG=.*/SMQ_RELEASE_TAG=latest/' docker/.env
-	docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+	$(SED_INPLACE) 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=latest/' docker/.env
+	$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+
+run_tls:
+	@test -n "$(host)" || (echo "Usage: make run_tls host=example.com [email=admin@example.com] [letsencrypt=false] [staging=true] [force=true]" && exit 2)
+	@if [ "$(or $(letsencrypt),true)" != "false" ] && [ -z "$(email)" ]; then echo "Usage: make run_tls host=example.com email=admin@example.com [letsencrypt=false] [staging=true] [force=true]"; exit 2; fi
+	MG_PUBLIC_HOST="$(host)" \
+	MG_LETSENCRYPT_ENABLED="$(or $(letsencrypt),true)" \
+	MG_LETSENCRYPT_EMAIL="$(email)" \
+	MG_LETSENCRYPT_STAGING="$(or $(staging),false)" \
+	MG_LETSENCRYPT_FORCE_RENEWAL="$(or $(force),false)" \
+	DOCKER_PROJECT="$(DOCKER_PROJECT)" \
+	./docker/setup-tls.sh

 run_stable: check_certs
 	$(eval version = $(shell git describe --abbrev=0 --tags))
 	git checkout $(version)
-	sed -i 's/^SMQ_RELEASE_TAG=.*/SMQ_RELEASE_TAG=$(version)/' docker/.env
-	docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+	$(SED_INPLACE) 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$(version)/' docker/.env
+	$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)

 run_addons: check_certs
 	$(foreach SVC,$(RUN_ADDON_ARGS),$(if $(filter $(SVC),$(ADDON_SERVICES) $(EXTERNAL_SERVICES)),,$(error Invalid Service $(SVC))))
-	@docker compose -f docker/docker-compose.yaml --env-file ./docker/.env -p $(DOCKER_PROJECT) up -d auth domains jaeger
+	@$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file ./docker/.env -p $(DOCKER_PROJECT) up -d auth domains jaeger
 	@for SVC in $(RUN_ADDON_ARGS); do \
-		if [ "$$SVC" = "certs" ]; then \
-			docker compose -f docker/addons/$$SVC/docker-compose.yaml -f docker/certs-docker-compose-override.yaml --env-file ./docker/.env --env-file ./docker/addons/$$SVC/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args) & \
-		else \
-			SMQ_ADDONS_CERTS_PATH_PREFIX="../."  docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
-		fi; \
+		MG_ADDONS_CERTS_PATH_PREFIX="../" $(DOCKER_PLATFORM) docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
 	done

 run_live: check_certs
-	GOPATH=$(go env GOPATH) docker compose  -f docker/docker-compose.yaml -f docker/docker-compose-live.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+	GOPATH=$(go env GOPATH) $(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml -f docker/docker-compose-live.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
@@ -1,139 +1,213 @@
 <div align="center">

-# SuperMQ
-  
-### Planetary event-driven infrastructure
-  
-**Made with ❤️ by [Abstract Machines](https://absmach.eu/)**
+# Magistrala

-[![Build Status](https://github.com/absmach/supermq/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/build.yaml)
-[![Go Report Card](https://goreportcard.com/badge/github.com/absmach/supermq)](https://goreportcard.com/report/github.com/absmach/supermq)
-[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/absmach/supermq)
-[![Check License Header](https://github.com/absmach/supermq/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/check-license.yaml)
-[![Check Generated Files](https://github.com/absmach/supermq/actions/workflows/check-generated-files.yaml/badge.svg?branch=main)](https://github.com/absmach/supermq/actions/workflows/check-generated-files.yaml)
-[![Coverage](https://codecov.io/gh/absmach/supermq/graph/badge.svg?token=nPCEr5nW8S)](https://codecov.io/gh/absmach/supermq)
+### A Modern IoT Platform Framework for Scalable IoT
+
+**Made with ❤ by [Abstract Machines](https://absmach.eu/)**
+
+[![Build Status](https://github.com/absmach/magistrala/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/build.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/absmach/magistrala)](https://goreportcard.com/report/github.com/absmach/magistrala)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/absmach/magistrala)
+[![Check License Header](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml)
+[![Check Generated Files](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml)
+[![Coverage](https://codecov.io/gh/absmach/magistrala/graph/badge.svg?token=nPCEr5nW8S)](https://codecov.io/gh/absmach/magistrala)
 [![License](https://img.shields.io/badge/license-Apache%20v2.0-blue.svg)](LICENSE)
 [![Matrix](https://img.shields.io/matrix/supermq%3Amatrix.org?label=Chat&style=flat&logo=matrix&logoColor=white)](https://matrix.to/#/#supermq:matrix.org)
-  
-### [Guide](https://docs.supermq.absmach.eu) | [Contributing](CONTRIBUTING.md) | [Website](https://absmach.eu/) | [Chat](https://matrix.to/#/#supermq:matrix.org)

+[Guide](https://magistrala.absmach.eu/docs/) | [Contributing](CONTRIBUTING.md) | [Website](https://absmach.eu/) | [Chat](https://matrix.to/#/#supermq:matrix.org)
 </div>

-## Introduction 📖
+## Introduction 🌍

-SuperMQ is a distributed, highly scalable, and secure open-source cloud platform for messaging and event-driven architecture (EDA). It is a planetarily distributed, highly scalable, and secure platform that serves as a robust foundation for building advanced real-time and reactive systems.
+Magistrala is an open-source IoT platform built for engineers who need full control over their messaging, device management, and data pipelines.

-## Why SuperMQ Stands Out 🚀
+It is built on top of [FluxMQ](https://github.com/absmach/fluxmq), a modern message broker designed for both messaging and event streams. Magistrala provides everything around it: identity, access control, device provisioning, data processing, and observability.

-SuperMQ bridges the gap between various network protocols (HTTP, MQTT, WebSocket, CoAP, and more) to provide a seamless messaging experience. Whether you're working on IoT solutions, real-time data pipelines, or event-driven systems, SuperMQ has you covered. 🌐✨
+IoT systems usually involve brokers, databases, rule engines, and custom services. Magistrala does not pretend those pieces disappear. It provides a coherent framework for integrating them into a single system with a consistent model for identity, access control, messaging, and observability.

-## Key Features 🌟
+**What it is:**
+- An event-driven IoT middleware platform
+- A unified control plane for devices, users, and data
+- A foundation for building scalable IoT systems

- **Multi-Protocol Connectivity**: HTTP, MQTT, WebSocket, CoAP, and more! 🌉
- **Secure by Design**: Mutual TLS (mTLS) with X.509 Certificates, JWT support, and multi-protocol authorization. 🔒
- **Fine-Grained Access Control**: Support for ABAC and RBAC policies. 📜
- **Multi-Tenant**: Manage multiple domains seamlessly. 🏢
- **Multi-User**: Unlimited organizational hierarchies for user management. 👥
- **Application Management**: Group and share messaging clients for streamlined operations. 📱
- **Ease of Use**: Simple and powerful communication channel management, grouping, and sharing. ✨
- **Personal Access Tokens (PATs)**: Scoped and revocable tokens for enhanced security. 🔑
- **Observability**: Integrated logging and instrumentation with Prometheus and OpenTelemetry. 📈
- **Event Sourcing**: Build robust and scalable architectures. ⚡
- **Edge and IoT Ready**: Supports MQTT and CoAP protocols for seamless IoT gateway and sensor communication and management. 🌍
- **Developer-Friendly**: SDKs, CLI tools, and comprehensive documentation to get you started. 👩‍💻👨‍💻
- **Production-Ready**: Container-based deployment using Docker and Kubernetes. 🐳☸️
+**What it is not:**
+- Not just an MQTT broker
+- Not a black-box SaaS
+- Not tied to a single cloud or vendor

-## Installation 🛠️
+---

-There are multiple ways to run SuperMQ.
-First, clone the repository and position to it:
+## 🧩 IoT Platform Framework
+
+We call Magistrala a **framework**, not just a platform.
+
+It is extremely flexible and lets you build systems the way you want — from simple prototypes to complex, large-scale deployments — without forcing you into rigid patterns.
+
+At the same time, it avoids the typical complexity of many IoT platforms, where you need to learn an entirely new set of concepts before you can even get started.
+
+Magistrala is built around a small number of core concepts:
+- users
+- clients (devices)
+- channels
+- messages
+- policies
+
+Most engineers are already familiar with these ideas, so you can start building immediately.
+
+You can keep things simple:
+- connect devices
+- send messages
+- store data
+
+Or you can go deeper:
+- define complex access control policies
+- build event-driven pipelines
+- integrate custom processing and automation
+
+Magistrala scales with your needs — simple when you want it, powerful when you need it.
+
+---
+
+## 🚀 Key Benefits
+
+- **A Coherent System, Not a Mess of Integrations**
+  Build IoT systems from multiple components without ending up with fragmented security, messaging, and operations.
+
+- **Event-Driven at the Core**
+  Everything is built around events — enabling real-time processing, streaming, and scalable data flows.
+
+- **Protocol-Native, Not Forced Abstractions**
+  MQTT, HTTP, WebSocket, and CoAP are treated as first-class citizens, each with their own semantics.
+
+- **Security Built Into the Model**
+  Identity, authentication, and authorization are part of the system design — not bolted on later.
+
+- **Flexible by Design**
+  Start simple or build complex systems — without changing platforms or rewriting your architecture.
+
+- **Runs Where You Need It**
+  Cloud, edge, or hybrid — no vendor lock-in, no hidden dependencies.
+---
+## ✨ Features
+
+Magistrala provides a complete set of building blocks for IoT systems — from device connectivity to data processing and observability — without forcing a rigid architecture.
+
+### 🔐 Identity & Access
+
+- Multi-tenant domains for isolating environments
+- Users, roles, and organizational hierarchies
+- Fine-grained access control (ABAC + RBAC)
+- Mutual TLS (X.509) and JWT-based authentication
+- Personal Access Tokens (PATs) with scoping and revocation
+
+### 🔌 Connectivity
+
+- Native support for MQTT, HTTP, WebSocket, and CoAP
+- Consistent authentication and authorization across protocols
+- Designed for both cloud services and constrained devices
+
+### 📦 Device & Application Model
+
+- Device (client) provisioning and lifecycle management
+- Channels for grouping and controlling message flow
+- Application-level grouping and sharing of clients
+- Simple but flexible communication model
+
+### ⚙️ Processing & Automation
+
+- Rules engine for message processing and routing
+- Alarms and triggers for reacting to events
+- Scheduled actions for time-based workflows
+- Event-driven architecture as the foundation
+
+### 📊 Observability
+
+- Audit logs for tracking system activity
+- Metrics and tracing via Prometheus and OpenTelemetry
+- Built-in visibility into system behavior and data flows
+
+### 🚀 Deployment & Operations
+
+- Container-native (Docker, Kubernetes)
+- Designed for cloud, edge, and hybrid deployments
+- Works with external storage and processing systems
+- Scales from small setups to production environments
+
+### 🧑‍💻 Developer Experience
+
+- CLI and SDKs for fast integration
+- Straightforward APIs and concepts
+- Documentation focused on getting you running quickly
+---
+
+## Installation

 ```bash
-git clone https://github.com/absmach/supermq.git
-cd supermq
-```
-
-To run the latest stable (tagged) version, use:
-
-```bash
-# Run with latest stable tagged version
-make run_stable
-```
-
-To run the latest version, use:
-
-```bash
-# Run with latest development version (from main branch)
+git clone https://github.com/absmach/magistrala.git
+cd magistrala
 make run_latest
 ```

-The `make run_stable` command will:
- Checkout the repository to the latest git tag
- Update the version in the environment configuration
- Start the services with the stable release
+---

-**Note:** After running `make run_stable`, you'll be on a detached HEAD state. To return to your working branch:
+## Upgrade from v0.19.0 to v0.20.0
+
+Before upgrading, back up the Domains, Rules Engine, Reports, Alarms, Auth, and SpiceDB databases.
+
+v0.20.0 adds new domain admin actions for alarms and reports, and it requires existing rules and reports to have their built-in admin roles backfilled. The service database migrations run when the v0.20.0 services start, then the role backfill scripts must be run once.
+
+For the default Docker Compose setup:

 ```bash
-git checkout main
+cd docker
+
+docker compose up -d \
+  spicedb-db spicedb-migrate spicedb \
+  auth-db auth \
+  domains-db domains \
+  re-db re \
+  reports-db reports \
+  alarms-db alarms
 ```

-To manually run SuperMQ, clone the repository and start all core services:
+Wait until the services are running. The `auth` service must start successfully because it loads the SpiceDB schema.
+
+From the repository root, run the backfills:

 ```bash
-docker compose -f docker/docker-compose.yaml --env-file docker/.env up
+go run ./scripts/re-backfill-roles/
+go run ./scripts/reports-backfill-roles/
 ```

-### Usage 📤📥
+The scripts are idempotent. If they are interrupted, fix the issue and run them again.

-**Using the CLI :**
+Expected successful summaries:
+
+```text
+backfill finished processed=<number> skipped=<number> failed=0
+```
+
+After the backfills finish, verify that the services are still running:
+
+```bash
+cd docker
+docker compose ps re reports alarms domains auth spicedb
+```
+
+For non-default deployments, make sure the database and SpiceDB connection settings used by the backfill scripts match your environment before running them.
+
+---
+
+## Usage

 ```bash
 make cli
-./build/supermq-cli status
+./build/cli health <service>
 ```

-This command retrieves the status of the SuperMQ server and outputs it to the console.
+---

-**Using HTTP with Curl :**
+## License

-```bash
-curl -X GET http://localhost:8080/status
-```
-
-This request fetches the server status over HTTP and provides a JSON response.
-
-See our [CLI documentation](https://docs.supermq.absmach.eu/cli) for more details.
-
-## Documentation 📚
-
-The official documentation is hosted at [SuperMQ docs page](https://docs.supermq.absmach.eu/).
-
-Documentation is auto-generated, check out the instructions in the [docs repository](https://github.com/absmach/supermq-docs).
-If you spot an error or a need for corrections, please let us know - or even better: send us a PR! 💌
-
-## Community and Contributing 🤝
-
-Thank you for your interest in SuperMQ and the desire to contribute!
-
-1. Take a look at our [open issues](https://github.com/absmach/supermq/issues). The [good-first-issue](https://github.com/absmach/supermq/labels/good-first-issue) label is specifically for issues that are great for getting started.
-2. Checkout the [contribution guide](CONTRIBUTING.md) to learn more about our style and conventions.
-3. Make your changes compatible to our workflow.
-
-Join our community:
-
- [Matrix Room](https://matrix.to/#/#supermq\:matrix.org)
-
-## Professional Support 💼
-
-Need help deploying SuperMQ or integrating it into your system? Reach out to **[Abstract Machines](https://absmach.eu/)** for professional support and guidance.
-
-## License 📜
-
-SuperMQ is open-source software licensed under the [Apache License 2.0](LICENSE). Contributions are welcome!
-
-## Acknowledgments 🙌
-
-Special thanks to the amazing contributors who make SuperMQ possible. Check out the [MAINTAINERS](MAINTAINERS) file to see the team behind the magic.
-
-Ready to build the future of messaging and event-driven systems? Let's get started! 🚀
+Apache-2.0
@@ -0,0 +1,197 @@
+# Alarms
+
+The Alarms service stores, manages and exposes alarms raised by rules and device activity. It consumes alarm events from the message broker, persists them to PostgreSQL, and provides an HTTP API for listing, viewing, updating, and deleting alarms with full authn/authz, metrics, and tracing support.
+
+## Configuration
+
+The service is configured using the following environment variables (values shown are from [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) as consumed by [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml)):
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_ALARMS_LOG_LEVEL` | Log level for the service | `debug` |
+| `MG_ALARMS_HTTP_HOST` | HTTP host to bind | `alarms` |
+| `MG_ALARMS_HTTP_PORT` | HTTP port to bind | `8050` |
+| `MG_ALARMS_HTTP_SERVER_CERT` | Path to PEM-encoded HTTPS server certificate | "" |
+| `MG_ALARMS_HTTP_SERVER_KEY` | Path to PEM-encoded HTTPS server key | "" |
+| `MG_ALARMS_DB_HOST` | PostgreSQL host | `alarms-db` |
+| `MG_ALARMS_DB_PORT` | PostgreSQL port | `5432` |
+| `MG_ALARMS_DB_USER` | PostgreSQL user | `magistrala` |
+| `MG_ALARMS_DB_PASS` | PostgreSQL password | `magistrala` |
+| `MG_ALARMS_DB_NAME` | PostgreSQL database name | `alarms` |
+| `MG_ALARMS_DB_SSL_MODE` | PostgreSQL SSL mode | `disable` |
+| `MG_ALARMS_DB_SSL_CERT` | PostgreSQL SSL client cert | "" |
+| `MG_ALARMS_DB_SSL_KEY` | PostgreSQL SSL client key | "" |
+| `MG_ALARMS_DB_SSL_ROOT_CERT` | PostgreSQL SSL root cert | "" |
+| `MG_ALARMS_INSTANCE_ID` | Instance ID for tracing/health | "" |
+| `MG_MESSAGE_BROKER_URL` | Message broker URL for alarm ingestion | `nats://nats:4222` |
+| `MG_JAEGER_URL` | Jaeger collector endpoint | `http://jaeger:4318/v1/traces` |
+| `MG_JAEGER_TRACE_RATIO` | Trace sampling ratio | `1.0` |
+| `MG_AUTH_GRPC_URL` | Auth gRPC endpoint | `auth:7001` |
+| `MG_AUTH_GRPC_TIMEOUT` | Auth gRPC timeout | `300s` |
+| `MG_AUTH_GRPC_CLIENT_CERT` | Auth gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}` |
+| `MG_AUTH_GRPC_CLIENT_KEY` | Auth gRPC client key path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}` |
+| `MG_AUTH_GRPC_SERVER_CA_CERTS` | Auth gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `MG_DOMAINS_GRPC_URL` | Domains gRPC endpoint | `domains:7003` |
+| `MG_DOMAINS_GRPC_TIMEOUT` | Domains gRPC timeout | `300s` |
+| `MG_DOMAINS_GRPC_CLIENT_CERT` | Domains gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}` |
+| `MG_DOMAINS_GRPC_CLIENT_KEY` | Domains gRPC client key path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}` |
+| `MG_DOMAINS_GRPC_SERVER_CA_CERTS` | Domains gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `MG_ALLOW_UNVERIFIED_USER` | Allow unverified users to access | `true` |
+
+## Features
+
+- **Alarm ingestion**: Consumes alarms from the message broker and persists them to PostgreSQL.
+- **Stateful updates**: Updates assignee, acknowledgment, resolution, and metadata fields.
+- **Filtering and paging**: Lists alarms by domain, rule, channel, client, subtopic, status, severity, and time range.
+- **Observability**: `/metrics` Prometheus endpoint and Jaeger tracing support.
+- **Auth and authorization**: Authn/authz enforced via gRPC auth and domains services.
+
+## Architecture
+
+### Runtime flow
+
+1. The message broker publishes alarm events under the `alarms.>` subject.
+2. The Alarms consumer decodes the event payload, enriches it with message metadata, validates it, and calls `CreateAlarm`.
+3. The repository writes to PostgreSQL while deduplicating repeated active alarms with the same severity.
+4. The HTTP API exposes list/view/update/delete operations with authn/authz, metrics, and tracing middleware.
+
+### Components
+
+- **HTTP API**: `alarms/api` exposes REST endpoints and health/metrics handlers.
+- **Service layer**: `alarms/service.go` validates requests and coordinates repository operations.
+- **Repository**: `alarms/postgres/alarms.go` implements persistence and filtering.
+- **Consumer**: `alarms/consumer` processes broker messages and creates alarms.
+- **Message broker**: `alarms/brokers` uses NATS JetStream with stream `alarms` and subject `alarms.>`.
+- **Migrations**: `alarms/postgres/init.go` defines the alarms schema and indexes.
+
+### Alarms table
+
+Defined in `alarms/postgres/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `id` | `VARCHAR(36)` | Alarm UUID (primary key) |
+| `rule_id` | `VARCHAR(36)` | Rule ID that triggered the alarm |
+| `domain_id` | `VARCHAR(36)` | Domain ID |
+| `channel_id` | `VARCHAR(36)` | Channel ID |
+| `subtopic` | `TEXT` | Subtopic associated with the alarm |
+| `client_id` | `VARCHAR(36)` | Client ID |
+| `measurement` | `TEXT` | Measurement name |
+| `value` | `TEXT` | Measured value |
+| `unit` | `TEXT` | Measurement unit |
+| `threshold` | `TEXT` | Threshold value |
+| `cause` | `TEXT` | Cause/description |
+| `status` | `SMALLINT` | 0 = active, 1 = cleared |
+| `severity` | `SMALLINT` | Severity (0-100) |
+| `assignee_id` | `VARCHAR(36)` | Assignee ID |
+| `created_at` | `TIMESTAMPTZ` | Creation timestamp |
+| `updated_at` | `TIMESTAMPTZ` | Last update timestamp |
+| `updated_by` | `VARCHAR(36)` | User who updated |
+| `assigned_at` | `TIMESTAMPTZ` | When assigned |
+| `assigned_by` | `VARCHAR(36)` | Who assigned |
+| `acknowledged_at` | `TIMESTAMPTZ` | When acknowledged |
+| `acknowledged_by` | `VARCHAR(36)` | Who acknowledged |
+| `resolved_at` | `TIMESTAMPTZ` | When resolved |
+| `resolved_by` | `VARCHAR(36)` | Who resolved |
+| `metadata` | `JSONB` | Custom metadata |
+
+Index: `idx_alarms_state (domain_id, rule_id, channel_id, subtopic, client_id, measurement, created_at DESC)`
+
+## Deployment
+
+### Build and run locally
+
+```bash
+make alarms
+
+MG_ALARMS_LOG_LEVEL=debug \
+MG_ALARMS_HTTP_PORT=8050 \
+MG_ALARMS_DB_HOST=localhost \
+MG_ALARMS_DB_PORT=5432 \
+MG_ALARMS_DB_USER=magistrala \
+MG_ALARMS_DB_PASS=magistrala \
+MG_ALARMS_DB_NAME=alarms \
+MG_MESSAGE_BROKER_URL=nats://localhost:4222 \
+MG_AUTH_GRPC_URL=localhost:7001 \
+MG_AUTH_GRPC_TIMEOUT=300s \
+MG_DOMAINS_GRPC_URL=localhost:7003 \
+MG_DOMAINS_GRPC_TIMEOUT=300s \
+./build/alarms
+```
+
+### Docker Compose
+
+The service is available as a Docker container. Refer to [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) for the `alarms` and `alarms-db` services and their environment variables. For a full local stack, make sure the auth, domains, and message broker services are also running.
+
+```bash
+docker compose -f docker/docker-compose.yaml up alarms alarms-db
+```
+
+### Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
+
+## Testing
+
+```bash
+go test ./alarms/...
+```
+
+## Usage
+
+The Alarms service supports the following operations:
+
+| Operation | Method & Path | Description |
+| --- | --- | --- |
+| `listAlarms` | `GET /{domainID}/alarms` | List alarms with filters |
+| `viewAlarm` | `GET /{domainID}/alarms/{alarmID}` | Retrieve a single alarm |
+| `updateAlarm` | `PUT /{domainID}/alarms/{alarmID}` | Update alarm status/assignee/metadata |
+| `deleteAlarm` | `DELETE /{domainID}/alarms/{alarmID}` | Delete an alarm |
+| `health` | `GET /health` | Service health check |
+
+Alarm creation is driven by message broker events and is not exposed as an HTTP endpoint.
+
+### Example: List alarms
+
+```bash
+curl -X GET "http://localhost:8050/<domainID>/alarms?limit=10&offset=0&status=active&severity=50" \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: View an alarm
+
+```bash
+curl -X GET http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Update an alarm
+
+```bash
+curl -X PUT http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "status": "cleared",
+    "assignee_id": "<userID>",
+    "severity": 40,
+    "metadata": { "note": "cleared after inspection" }
+  }'
+```
+
+### Example: Delete an alarm
+
+```bash
+curl -X DELETE http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
@@ -0,0 +1,123 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/authn"
+)
+
+const SeverityMax uint8 = 100
+
+var ErrInvalidSeverity = errors.New("invalid severity. Must be between 0 and 100")
+
+type Metadata map[string]any
+
+// Alarm represents an alarm instance.
+type Alarm struct {
+	ID             string    `json:"id"`
+	RuleID         string    `json:"rule_id"`
+	DomainID       string    `json:"domain_id"`
+	ChannelID      string    `json:"channel_id"`
+	ClientID       string    `json:"client_id"`
+	Subtopic       string    `json:"subtopic"`
+	Status         Status    `json:"status"`
+	Measurement    string    `json:"measurement"`
+	Value          string    `json:"value"`
+	Unit           string    `json:"unit"`
+	Threshold      string    `json:"threshold"`
+	Cause          string    `json:"cause"`
+	Severity       uint8     `json:"severity"`
+	AssigneeID     string    `json:"assignee_id"`
+	CreatedAt      time.Time `json:"created_at"`
+	UpdatedAt      time.Time `json:"updated_at"`
+	UpdatedBy      string    `json:"updated_by"`
+	AssignedAt     time.Time `json:"assigned_at,omitempty"`
+	AssignedBy     string    `json:"assigned_by,omitempty"`
+	AcknowledgedAt time.Time `json:"acknowledged_at,omitempty"`
+	AcknowledgedBy string    `json:"acknowledged_by,omitempty"`
+	ResolvedAt     time.Time `json:"resolved_at,omitempty"`
+	ResolvedBy     string    `json:"resolved_by,omitempty"`
+	Metadata       Metadata  `json:"metadata,omitempty"`
+}
+
+type AlarmsPage struct {
+	Offset uint64  `json:"offset"`
+	Limit  uint64  `json:"limit"`
+	Total  uint64  `json:"total"`
+	Alarms []Alarm `json:"alarms"`
+}
+
+type PageMetadata struct {
+	Offset         uint64    `json:"offset"          db:"offset"`
+	Limit          uint64    `json:"limit"           db:"limit"`
+	DomainID       string    `json:"domain_id"       db:"domain_id"`
+	RuleID         string    `json:"rule_id"         db:"rule_id"`
+	ChannelID      string    `json:"channel_id"      db:"channel_id"`
+	ClientID       string    `json:"client_id"       db:"client_id"`
+	Subtopic       string    `json:"subtopic"        db:"subtopic"`
+	Measurement    string    `json:"measurement"     db:"measurement"`
+	Dir            string    `json:"dir"             db:"dir"`
+	Order          string    `json:"order"           db:"order"`
+	Status         Status    `json:"status"          db:"status"`
+	CreatedFrom    time.Time `json:"created_from"    db:"created_from"`
+	CreatedTo      time.Time `json:"created_to"      db:"created_to"`
+	AssigneeID     string    `json:"assignee_id"     db:"assignee_id"`
+	Severity       uint8     `json:"severity"        db:"severity"`
+	UpdatedBy      string    `json:"updated_by"      db:"updated_by"`
+	AssignedBy     string    `json:"assigned_by"     db:"assigned_by"`
+	AcknowledgedBy string    `json:"acknowledged_by" db:"acknowledged_by"`
+	ResolvedBy     string    `json:"resolved_by"     db:"resolved_by"`
+	UserID         string    `json:"user_id"         db:"user_id"`
+}
+
+func (a Alarm) Validate() error {
+	if a.RuleID == "" {
+		return errors.New("rule_id is required")
+	}
+	if a.DomainID == "" {
+		return errors.New("domain_id is required")
+	}
+	if a.ChannelID == "" {
+		return errors.New("channel_id is required")
+	}
+	if a.ClientID == "" {
+		return errors.New("client_id is required")
+	}
+	if a.Measurement == "" {
+		return errors.New("measurement is required")
+	}
+	if a.Value == "" {
+		return errors.New("value is required")
+	}
+	if a.Cause == "" {
+		return errors.New("cause is required")
+	}
+	if a.Severity > SeverityMax {
+		return ErrInvalidSeverity
+	}
+
+	return nil
+}
+
+// Service specifies an API that must be fulfilled by the domain service.
+type Service interface {
+	CreateAlarm(ctx context.Context, alarm Alarm) error
+	UpdateAlarm(ctx context.Context, session authn.Session, alarm Alarm) (Alarm, error)
+	ViewAlarm(ctx context.Context, session authn.Session, id string) (Alarm, error)
+	ListAlarms(ctx context.Context, session authn.Session, pm PageMetadata) (AlarmsPage, error)
+	DeleteAlarm(ctx context.Context, session authn.Session, id string) error
+}
+
+type Repository interface {
+	CreateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
+	UpdateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
+	ViewAlarm(ctx context.Context, alarmID, domainID string) (Alarm, error)
+	ListAllAlarms(ctx context.Context, pm PageMetadata) (AlarmsPage, error)
+	ListUserAlarms(ctx context.Context, userID string, pm PageMetadata) (AlarmsPage, error)
+	DeleteAlarm(ctx context.Context, id string) error
+}
@@ -0,0 +1,173 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateAlarms(t *testing.T) {
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: nil,
+		},
+		{
+			desc: "missing rule_id",
+			alarm: alarms.Alarm{
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("rule_id is required"),
+		},
+		{
+			desc: "missing domain_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("domain_id is required"),
+		},
+		{
+			desc: "missing channel_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("channel_id is required"),
+		},
+		{
+			desc: "missing client_id",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("client_id is required"),
+		},
+		{
+			desc: "missing measurement",
+			alarm: alarms.Alarm{
+				RuleID:    testsutil.GenerateUUID(t),
+				DomainID:  testsutil.GenerateUUID(t),
+				ChannelID: testsutil.GenerateUUID(t),
+				ClientID:  testsutil.GenerateUUID(t),
+				Subtopic:  "subtopic",
+				Value:     "value",
+				Unit:      "unit",
+				Cause:     "cause",
+				Severity:  100,
+			},
+			err: errors.New("measurement is required"),
+		},
+		{
+			desc: "missing value",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: errors.New("value is required"),
+		},
+		{
+			desc: "missing cause",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Severity:    100,
+			},
+			err: errors.New("cause is required"),
+		},
+		{
+			desc: "higher severity",
+			alarm: alarms.Alarm{
+				RuleID:      testsutil.GenerateUUID(t),
+				DomainID:    testsutil.GenerateUUID(t),
+				ChannelID:   testsutil.GenerateUUID(t),
+				ClientID:    testsutil.GenerateUUID(t),
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    alarms.SeverityMax + 1,
+			},
+			err: alarms.ErrInvalidSeverity,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			err := tc.alarm.Validate()
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		})
+	}
+}
@@ -0,0 +1,104 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/go-kit/kit/endpoint"
+)
+
+func updateAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(updateAlarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		alarm, err := svc.UpdateAlarm(ctx, session, req.Alarm)
+		if err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{
+			Alarm: alarm,
+		}, nil
+	}
+}
+
+func viewAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(alarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		alarm, err := svc.ViewAlarm(ctx, session, req.ID)
+		if err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{
+			Alarm: alarm,
+		}, nil
+	}
+}
+
+func listAlarmsEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(listAlarmsReq)
+		if err := req.validate(); err != nil {
+			return alarmsPageRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmsPageRes{}, svcerr.ErrAuthorization
+		}
+
+		alarms, err := svc.ListAlarms(ctx, session, req.PageMetadata)
+		if err != nil {
+			return alarmsPageRes{}, err
+		}
+
+		return alarmsPageRes{
+			AlarmsPage: alarms,
+		}, nil
+	}
+}
+
+func deleteAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request any) (any, error) {
+		req := request.(alarmReq)
+		if err := req.validate(); err != nil {
+			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+
+		session, ok := ctx.Value(authn.SessionKey).(authn.Session)
+		if !ok {
+			return alarmRes{}, svcerr.ErrAuthorization
+		}
+
+		if err := svc.DeleteAlarm(ctx, session, req.ID); err != nil {
+			return alarmRes{}, err
+		}
+
+		return alarmRes{deleted: true}, nil
+	}
+}
@@ -0,0 +1,59 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"errors"
+
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+)
+
+type alarmReq struct {
+	alarms.Alarm `json:",inline"`
+}
+
+func (req alarmReq) validate() error {
+	if req.Alarm.ID == "" {
+		return errors.New("missing alarm id")
+	}
+
+	return nil
+}
+
+type updateAlarmReq struct {
+	alarms.Alarm `json:",inline"`
+}
+
+func (req updateAlarmReq) validate() error {
+	if req.Alarm.ID == "" {
+		return errors.New("missing alarm id")
+	}
+	if req.Alarm.AssigneeID == "" && req.Alarm.AcknowledgedBy == "" && req.Alarm.ResolvedBy == "" && len(req.Alarm.Metadata) == 0 {
+		return errors.New("at least one of assignee_id, acknowledged_by, resolved_by, or metadata must be set")
+	}
+
+	return nil
+}
+
+type listAlarmsReq struct {
+	alarms.PageMetadata
+}
+
+func (req listAlarmsReq) validate() error {
+	if req.Limit > api.MaxLimitSize || req.Limit < 1 {
+		return apiutil.ErrLimitSize
+	}
+
+	if req.Order != "" && req.Order != api.UpdatedAtOrder && req.Order != api.CreatedAtOrder {
+		return apiutil.ErrInvalidOrder
+	}
+
+	if req.Dir != api.AscDir && req.Dir != api.DescDir {
+		return apiutil.ErrInvalidDirection
+	}
+
+	return nil
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/alarms"
+)
+
+var (
+	_ magistrala.Response = (*alarmRes)(nil)
+	_ magistrala.Response = (*alarmsPageRes)(nil)
+)
+
+type alarmRes struct {
+	alarms.Alarm `json:",inline"`
+	created      bool
+	deleted      bool
+}
+
+func (res alarmRes) Headers() map[string]string {
+	switch {
+	case res.created:
+		return map[string]string{
+			"Location": fmt.Sprintf("/%s/alarms/%s", res.DomainID, res.ID),
+		}
+	default:
+		return map[string]string{}
+	}
+}
+
+func (res alarmRes) Code() int {
+	switch {
+	case res.created:
+		return http.StatusCreated
+	case res.deleted:
+		return http.StatusNoContent
+	default:
+		return http.StatusOK
+	}
+}
+
+func (res alarmRes) Empty() bool {
+	switch {
+	case res.deleted:
+		return true
+	default:
+		return false
+	}
+}
+
+type alarmsPageRes struct {
+	alarms.AlarmsPage `json:",inline"`
+}
+
+func (res alarmsPageRes) Headers() map[string]string {
+	return map[string]string{}
+}
+
+func (res alarmsPageRes) Code() int {
+	return http.StatusOK
+}
+
+func (res alarmsPageRes) Empty() bool {
+	return false
+}
@@ -0,0 +1,209 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"math"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	smqauthn "github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/go-chi/chi/v5"
+	kithttp "github.com/go-kit/kit/transport/http"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+)
+
+func MakeHandler(svc alarms.Service, logger *slog.Logger, idp magistrala.IDProvider, instanceID string, authn smqauthn.AuthNMiddleware) http.Handler {
+	opts := []kithttp.ServerOption{
+		kithttp.ServerErrorEncoder(apiutil.LoggingErrorEncoder(logger, api.EncodeError)),
+	}
+
+	mux := chi.NewRouter()
+
+	mux.Route("/{domainID}/alarms", func(r chi.Router) {
+		r.Group(func(r chi.Router) {
+			r.Use(authn.WithOptions(smqauthn.WithDomainCheck(true)).Middleware())
+			r.Use(api.RequestIDMiddleware(idp))
+
+			r.Get("/", otelhttp.NewHandler(kithttp.NewServer(
+				listAlarmsEndpoint(svc),
+				decodeListAlarmsReq,
+				api.EncodeResponse,
+				opts...,
+			), "list_alarms").ServeHTTP)
+			r.Route("/{alarmID}", func(r chi.Router) {
+				r.Get("/", otelhttp.NewHandler(kithttp.NewServer(
+					viewAlarmEndpoint(svc),
+					decodeAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "get_alarm").ServeHTTP)
+				r.Put("/", otelhttp.NewHandler(kithttp.NewServer(
+					updateAlarmEndpoint(svc),
+					decodeUpdateAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "update_alarm").ServeHTTP)
+				r.Delete("/", otelhttp.NewHandler(kithttp.NewServer(
+					deleteAlarmEndpoint(svc),
+					decodeAlarmReq,
+					api.EncodeResponse,
+					opts...,
+				), "delete_alarm").ServeHTTP)
+			})
+		})
+	})
+
+	mux.Get("/health", magistrala.Health("alarms", instanceID))
+	mux.Handle("/metrics", promhttp.Handler())
+
+	return mux
+}
+
+func decodeListAlarmsReq(_ context.Context, r *http.Request) (any, error) {
+	offset, err := apiutil.ReadNumQuery[uint64](r, api.OffsetKey, api.DefOffset)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	limit, err := apiutil.ReadNumQuery[uint64](r, api.LimitKey, api.DefLimit)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	domainID, err := apiutil.ReadStringQuery(r, "domain_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	channelID, err := apiutil.ReadStringQuery(r, "channel_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	clientID, err := apiutil.ReadStringQuery(r, "client_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	subtopic, err := apiutil.ReadStringQuery(r, "subtopic", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	ruleID, err := apiutil.ReadStringQuery(r, "rule_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	s, err := apiutil.ReadStringQuery(r, api.StatusKey, alarms.All)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	status, err := alarms.ToStatus(s)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	assigneeID, err := apiutil.ReadStringQuery(r, "assignee_id", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	serverity, err := apiutil.ReadNumQuery(r, "severity", uint64(math.MaxUint8))
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	updatedBy, err := apiutil.ReadStringQuery(r, "updated_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	assignedBy, err := apiutil.ReadStringQuery(r, "assigned_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	acknowledgedBy, err := apiutil.ReadStringQuery(r, "acknowledged_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	resolvedBy, err := apiutil.ReadStringQuery(r, "resolved_by", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	cfrom, err := apiutil.ReadStringQuery(r, "created_from", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	cto, err := apiutil.ReadStringQuery(r, "created_to", "")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	order, err := apiutil.ReadStringQuery(r, api.OrderKey, api.DefOrder)
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+	dir, err := apiutil.ReadStringQuery(r, api.DirKey, "desc")
+	if err != nil {
+		return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+	}
+
+	var createdFrom, createdTo time.Time
+	if cfrom != "" {
+		if createdFrom, err = time.Parse(time.RFC3339, cfrom); err != nil {
+			return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+	}
+	if cto != "" {
+		if createdTo, err = time.Parse(time.RFC3339, cto); err != nil {
+			return listAlarmsReq{}, errors.Wrap(apiutil.ErrValidation, err)
+		}
+	}
+
+	return listAlarmsReq{
+		PageMetadata: alarms.PageMetadata{
+			Offset:         offset,
+			Limit:          limit,
+			DomainID:       domainID,
+			ChannelID:      channelID,
+			ClientID:       clientID,
+			Subtopic:       subtopic,
+			RuleID:         ruleID,
+			Status:         status,
+			AssigneeID:     assigneeID,
+			ResolvedBy:     resolvedBy,
+			Severity:       uint8(serverity),
+			UpdatedBy:      updatedBy,
+			AcknowledgedBy: acknowledgedBy,
+			AssignedBy:     assignedBy,
+			CreatedFrom:    createdFrom,
+			CreatedTo:      createdTo,
+			Dir:            dir,
+			Order:          order,
+		},
+	}, nil
+}
+
+func decodeAlarmReq(_ context.Context, r *http.Request) (any, error) {
+	return alarmReq{
+		Alarm: alarms.Alarm{
+			ID: chi.URLParam(r, "alarmID"),
+		},
+	}, nil
+}
+
+func decodeUpdateAlarmReq(_ context.Context, r *http.Request) (any, error) {
+	if !strings.Contains(r.Header.Get("Content-Type"), api.ContentType) {
+		return updateAlarmReq{}, apiutil.ErrUnsupportedContentType
+	}
+
+	req := updateAlarmReq{}
+	if err := json.NewDecoder(r.Body).Decode(&req.Alarm); err != nil {
+		return updateAlarmReq{}, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
+	}
+
+	req.Alarm.ID = chi.URLParam(r, "alarmID")
+
+	return req, nil
+}
@@ -0,0 +1,53 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build msg_fluxmq
+// +build msg_fluxmq
+
+package brokers
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/messaging"
+	broker "github.com/absmach/magistrala/pkg/messaging/fluxmq"
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+const (
+	AllTopic = "alarms/#"
+
+	prefix = "alarms"
+)
+
+var cfg = jetstream.StreamConfig{
+	Name:              "alarms",
+	Description:       "Magistrala stream alarms",
+	Subjects:          []string{"alarms/#"},
+	Retention:         jetstream.LimitsPolicy,
+	MaxMsgsPerSubject: 1e6,
+	MaxAge:            time.Hour * 24,
+	MaxMsgSize:        1024 * 1024,
+	Discard:           jetstream.DiscardOld,
+	Storage:           jetstream.FileStorage,
+}
+
+func NewPubSub(ctx context.Context, url string, logger *slog.Logger) (messaging.PubSub, error) {
+	pb, err := broker.NewPubSub(ctx, url, logger, broker.Prefix(prefix), broker.JSStreamConfig(cfg), broker.ConnectionName("alarms-msg-pubsub"))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
+
+func NewPublisher(ctx context.Context, url string) (messaging.Publisher, error) {
+	pb, err := broker.NewPublisher(ctx, url, broker.Prefix(prefix), broker.JSStreamConfig(cfg), broker.ConnectionName("alarms-msg-pub"))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
@@ -0,0 +1,53 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !msg_fluxmq && !msg_rabbitmq && !rabbitmq
+// +build !msg_fluxmq,!msg_rabbitmq,!rabbitmq
+
+package brokers
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/pkg/messaging"
+	broker "github.com/absmach/magistrala/pkg/messaging/nats"
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+const (
+	AllTopic = "alarms/#"
+
+	prefix = "alarms"
+)
+
+var cfg = jetstream.StreamConfig{
+	Name:              "alarms",
+	Description:       "Magistrala stream alarms",
+	Subjects:          []string{"alarms.>"},
+	Retention:         jetstream.LimitsPolicy,
+	MaxMsgsPerSubject: 1e6,
+	MaxAge:            time.Hour * 24,
+	MaxMsgSize:        1024 * 1024,
+	Discard:           jetstream.DiscardOld,
+	Storage:           jetstream.FileStorage,
+}
+
+func NewPubSub(ctx context.Context, url string, logger *slog.Logger) (messaging.PubSub, error) {
+	pb, err := broker.NewPubSub(ctx, url, logger, broker.Prefix(prefix), broker.JSStreamConfig(cfg))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
+
+func NewPublisher(ctx context.Context, url string) (messaging.Publisher, error) {
+	pb, err := broker.NewPublisher(ctx, url, broker.Prefix(prefix), broker.JSStreamConfig(cfg))
+	if err != nil {
+		return nil, err
+	}
+
+	return pb, nil
+}
@@ -0,0 +1,56 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package consumer
+
+import (
+	"bytes"
+	"context"
+	"encoding/gob"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/magistrala/pkg/messaging"
+)
+
+var errFailedToDecode = errors.New("failed to decode alarm")
+
+type handler struct {
+	svc    alarms.Service
+	logger *slog.Logger
+}
+
+func NewHandler(svc alarms.Service, logger *slog.Logger) messaging.MessageHandler {
+	return &handler{svc: svc, logger: logger}
+}
+
+func (h handler) Handle(msg *messaging.Message) (err error) {
+	if msg == nil {
+		return errors.New("message is empty")
+	}
+	if msg.GetPayload() == nil {
+		return errors.New("message payload is empty")
+	}
+
+	var alarm alarms.Alarm
+	if err := gob.NewDecoder(bytes.NewReader(msg.GetPayload())).Decode(&alarm); err != nil {
+		return messaging.NewError(errors.Wrap(errFailedToDecode, err), messaging.Term)
+	}
+	alarm.DomainID = msg.GetDomain()
+	alarm.ChannelID = msg.GetChannel()
+	alarm.ClientID = msg.ClientIdentity()
+	alarm.Subtopic = msg.GetSubtopic()
+	alarm.CreatedAt = time.Unix(0, int64(msg.GetCreated()))
+
+	if err := alarm.Validate(); err != nil {
+		return err
+	}
+
+	return h.svc.CreateAlarm(context.Background(), alarm)
+}
+
+func (h handler) Cancel() error {
+	return nil
+}
@@ -0,0 +1,6 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Package alarms contains domain concept definitions needed to support
+// Alarms service feature, i.e. create, read, update, and delete alarms.
+package alarms
@@ -0,0 +1,172 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/operations"
+	"github.com/absmach/magistrala/auth"
+	"github.com/absmach/magistrala/pkg/authn"
+	smqauthz "github.com/absmach/magistrala/pkg/authz"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/absmach/magistrala/pkg/permissions"
+	"github.com/absmach/magistrala/pkg/policies"
+)
+
+var (
+	errDomainUpdateAlarms = errors.New("not authorized to update alarms in domain")
+	errDomainDeleteAlarms = errors.New("not authorized to delete alarms in domain")
+	errDomainViewAlarms   = errors.New("not authorized to view alarms in domain")
+)
+
+type authorizationMiddleware struct {
+	svc         alarms.Service
+	authz       smqauthz.Authorization
+	entitiesOps permissions.EntitiesOperations[permissions.Operation]
+}
+
+var _ alarms.Service = (*authorizationMiddleware)(nil)
+
+func NewAuthorizationMiddleware(svc alarms.Service, authz smqauthz.Authorization, entitiesOps permissions.EntitiesOperations[permissions.Operation]) (alarms.Service, error) {
+	if err := entitiesOps.Validate(); err != nil {
+		return nil, err
+	}
+
+	return &authorizationMiddleware{
+		svc:         svc,
+		authz:       authz,
+		entitiesOps: entitiesOps,
+	}, nil
+}
+
+func (am *authorizationMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	return am.svc.CreateAlarm(ctx, alarm)
+}
+
+func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	if len(alarm.Metadata) > 0 {
+		if err := am.authorize(ctx, operations.OpUpdateAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	if alarm.AssigneeID != "" {
+		if err := am.authorize(ctx, operations.OpAssignAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+		domainUserID := auth.EncodeDomainUserID(session.DomainID, alarm.AssigneeID)
+		if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
+			Domain:      session.DomainID,
+			SubjectType: policies.UserType,
+			SubjectKind: policies.UsersKind,
+			Subject:     domainUserID,
+			Permission:  policies.MembershipPermission,
+			ObjectType:  policies.DomainType,
+			Object:      session.DomainID,
+		}, nil); err != nil {
+			return alarms.Alarm{}, err
+		}
+	}
+
+	if alarm.AcknowledgedBy != "" {
+		if err := am.authorize(ctx, operations.OpAcknowledgeAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	if alarm.ResolvedBy != "" {
+		if err := am.authorize(ctx, operations.OpResolveAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	return am.svc.UpdateAlarm(ctx, session, alarm)
+}
+
+func (am *authorizationMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	if err := am.authorize(ctx, operations.OpDeleteAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return errors.Wrap(errDomainDeleteAlarms, err)
+	}
+
+	return am.svc.DeleteAlarm(ctx, session, id)
+}
+
+func (am *authorizationMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	if pm.DomainID == "" {
+		pm.DomainID = session.DomainID
+	}
+
+	switch err := am.checkSuperAdmin(ctx, session); {
+	case err == nil:
+		session.SuperAdmin = true
+	case errors.Contains(err, svcerr.ErrSuperAdminAction):
+	default:
+		return alarms.AlarmsPage{}, err
+	}
+
+	return am.svc.ListAlarms(ctx, session, pm)
+}
+
+func (am *authorizationMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	if err := am.authorize(ctx, operations.OpViewAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return alarms.Alarm{}, errors.Wrap(errDomainViewAlarms, err)
+	}
+
+	return am.svc.ViewAlarm(ctx, session, id)
+}
+
+func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions.Operation, session authn.Session, objType, obj string) error {
+	perm, err := am.entitiesOps.GetPermission(operations.EntityType, op)
+	if err != nil {
+		return err
+	}
+
+	pr := smqauthz.PolicyReq{
+		Domain:      session.DomainID,
+		SubjectType: policies.UserType,
+		SubjectKind: policies.UsersKind,
+		Subject:     session.DomainUserID,
+		Object:      obj,
+		ObjectType:  objType,
+		Permission:  perm.String(),
+	}
+
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := am.entitiesOps.OperationName(operations.EntityType, op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   auth.AnyIDs,
+			EntityType: auth.RulesType.String(),
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
+	if session.Role != authn.SuperAdminRole {
+		return svcerr.ErrSuperAdminAction
+	}
+	if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
+		SubjectType: policies.UserType,
+		Subject:     session.UserID,
+		Permission:  policies.AdminPermission,
+		ObjectType:  policies.PlatformType,
+		Object:      policies.MagistralaObject,
+	}, nil); err != nil {
+		return err
+	}
+	return nil
+}
@@ -0,0 +1,6 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Package middleware provides middleware for the alarms service.
+// This is logging, metrics, and tracing middleware.
+package middleware
@@ -0,0 +1,155 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/go-chi/chi/v5/middleware"
+)
+
+type loggingMiddleware struct {
+	logger  *slog.Logger
+	service alarms.Service
+}
+
+var _ alarms.Service = (*loggingMiddleware)(nil)
+
+func NewLoggingMiddleware(logger *slog.Logger, service alarms.Service) alarms.Service {
+	return &loggingMiddleware{
+		logger:  logger,
+		service: service,
+	}
+}
+
+func (lm *loggingMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Group("alarm",
+				slog.String("rule_id", alarm.RuleID),
+				slog.String("domain_id", alarm.DomainID),
+				slog.String("channel_id", alarm.ChannelID),
+				slog.String("client_id", alarm.ClientID),
+				slog.String("subtopic", alarm.Subtopic),
+				slog.String("measurement", alarm.Measurement),
+				slog.String("value", alarm.Value),
+				slog.String("unit", alarm.Unit),
+				slog.Uint64("status", uint64(alarm.Status)),
+				slog.Uint64("severity", uint64(alarm.Severity)),
+				slog.String("threshold", alarm.Threshold),
+				slog.String("cause", alarm.Cause),
+			),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Create alarm failed", args...)
+			return
+		}
+		if alarm.ID != "" {
+			lm.logger.Info("Create alarm completed successfully", args...)
+		}
+	}(time.Now())
+
+	return lm.service.CreateAlarm(ctx, alarm)
+}
+
+func (lm *loggingMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (dba alarms.Alarm, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Group("alarm",
+				slog.String("id", dba.ID),
+				slog.String("rule_id", dba.RuleID),
+				slog.String("domain_id", dba.DomainID),
+				slog.String("channel_id", dba.ChannelID),
+				slog.String("client_id", dba.ClientID),
+				slog.String("subtopic", dba.Subtopic),
+				slog.String("measurement", dba.Measurement),
+				slog.String("value", dba.Value),
+				slog.String("unit", dba.Unit),
+				slog.String("status", dba.Status.String()),
+				slog.Uint64("severity", uint64(dba.Severity)),
+				slog.String("threshold", dba.Threshold),
+				slog.String("cause", dba.Cause),
+			),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Update alarm failed", args...)
+			return
+		}
+		lm.logger.Info("Update alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.UpdateAlarm(ctx, session, alarm)
+}
+
+func (lm *loggingMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (dba alarms.Alarm, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.String("id", id),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("View alarm failed", args...)
+			return
+		}
+		lm.logger.Info("View alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.ViewAlarm(ctx, session, id)
+}
+
+func (lm *loggingMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (dbp alarms.AlarmsPage, err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.Int("offset", int(pm.Offset)),
+			slog.Int("limit", int(pm.Limit)),
+			slog.String("rule_id", pm.RuleID),
+			slog.String("domain_id", pm.DomainID),
+			slog.String("channel_id", pm.ChannelID),
+			slog.String("client_id", pm.ClientID),
+			slog.String("subtopic", pm.Subtopic),
+			slog.String("status", pm.Status.String()),
+			slog.Uint64("severity", uint64(pm.Severity)),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("List alarms failed", args...)
+			return
+		}
+		lm.logger.Info("List alarms completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.ListAlarms(ctx, session, pm)
+}
+
+func (lm *loggingMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) (err error) {
+	defer func(begin time.Time) {
+		args := []any{
+			slog.String("duration", time.Since(begin).String()),
+			slog.String("request_id", middleware.GetReqID(ctx)),
+			slog.String("id", id),
+		}
+		if err != nil {
+			args = append(args, slog.Any("error", err))
+			lm.logger.Warn("Delete alarm failed", args...)
+			return
+		}
+		lm.logger.Info("Delete alarm completed successfully", args...)
+	}(time.Now())
+
+	return lm.service.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,74 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/go-kit/kit/metrics"
+)
+
+type metricsMiddleware struct {
+	counter metrics.Counter
+	latency metrics.Histogram
+	service alarms.Service
+}
+
+var _ alarms.Service = (*metricsMiddleware)(nil)
+
+func NewMetricsMiddleware(counter metrics.Counter, latency metrics.Histogram, service alarms.Service) alarms.Service {
+	return &metricsMiddleware{
+		counter: counter,
+		latency: latency,
+		service: service,
+	}
+}
+
+func (mm *metricsMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "create_alarm").Add(1)
+		mm.latency.With("method", "create_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.CreateAlarm(ctx, alarm)
+}
+
+func (mm *metricsMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "update_alarm").Add(1)
+		mm.latency.With("method", "update_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.UpdateAlarm(ctx, session, alarm)
+}
+
+func (mm *metricsMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "get_alarm").Add(1)
+		mm.latency.With("method", "get_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.ViewAlarm(ctx, session, id)
+}
+
+func (mm *metricsMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "list_alarms").Add(1)
+		mm.latency.With("method", "list_alarms").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.ListAlarms(ctx, session, pm)
+}
+
+func (mm *metricsMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	defer func(begin time.Time) {
+		mm.counter.With("method", "delete_alarm").Add(1)
+		mm.latency.With("method", "delete_alarm").Observe(time.Since(begin).Seconds())
+	}(time.Now())
+
+	return mm.service.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,84 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	smqTracing "github.com/absmach/magistrala/pkg/tracing"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+)
+
+type tracingMiddleware struct {
+	tracer trace.Tracer
+	svc    alarms.Service
+}
+
+var _ alarms.Service = (*tracingMiddleware)(nil)
+
+func NewTracingMiddleware(tracer trace.Tracer, svc alarms.Service) alarms.Service {
+	return &tracingMiddleware{
+		tracer: tracer,
+		svc:    svc,
+	}
+}
+
+func (tm *tracingMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "create_alarm", trace.WithAttributes(
+		attribute.String("rule_id", alarm.RuleID),
+		attribute.String("measurement", alarm.Measurement),
+		attribute.String("value", alarm.Value),
+		attribute.String("unit", alarm.Unit),
+		attribute.String("cause", alarm.Cause),
+		attribute.String("status", alarm.Status.String()),
+	))
+	defer span.End()
+
+	return tm.svc.CreateAlarm(ctx, alarm)
+}
+
+func (tm *tracingMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "update_alarm", trace.WithAttributes(
+		attribute.String("rule_id", alarm.RuleID),
+		attribute.String("measurement", alarm.Measurement),
+		attribute.String("value", alarm.Value),
+		attribute.String("unit", alarm.Unit),
+		attribute.String("cause", alarm.Cause),
+		attribute.String("status", alarm.Status.String()),
+	))
+	defer span.End()
+
+	return tm.svc.UpdateAlarm(ctx, session, alarm)
+}
+
+func (tm *tracingMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "get_alarm", trace.WithAttributes(
+		attribute.String("id", id),
+	))
+	defer span.End()
+
+	return tm.svc.ViewAlarm(ctx, session, id)
+}
+
+func (tm *tracingMiddleware) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "list_alarms", trace.WithAttributes(
+		attribute.Int("offset", int(pm.Offset)),
+		attribute.Int("limit", int(pm.Limit)),
+	))
+	defer span.End()
+
+	return tm.svc.ListAlarms(ctx, session, pm)
+}
+
+func (tm *tracingMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	ctx, span := smqTracing.StartSpan(ctx, tm.tracer, "delete_alarm", trace.WithAttributes(
+		attribute.String("id", id),
+	))
+	defer span.End()
+
+	return tm.svc.DeleteAlarm(ctx, session, id)
+}
@@ -0,0 +1,442 @@
+// Copyright (c) Abstract Machines
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewRepository creates a new instance of Repository. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewRepository(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Repository {
+	mock := &Repository{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// Repository is an autogenerated mock type for the Repository type
+type Repository struct {
+	mock.Mock
+}
+
+type Repository_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Repository) EXPECT() *Repository_Expecter {
+	return &Repository_Expecter{mock: &_m.Mock}
+}
+
+// CreateAlarm provides a mock function for the type Repository
+func (_mock *Repository) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_CreateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateAlarm'
+type Repository_CreateAlarm_Call struct {
+	*mock.Call
+}
+
+// CreateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Repository_Expecter) CreateAlarm(ctx interface{}, alarm interface{}) *Repository_CreateAlarm_Call {
+	return &Repository_CreateAlarm_Call{Call: _e.mock.On("CreateAlarm", ctx, alarm)}
+}
+
+func (_c *Repository_CreateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Repository_CreateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_CreateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Repository_CreateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Repository_CreateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error)) *Repository_CreateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteAlarm provides a mock function for the type Repository
+func (_mock *Repository) DeleteAlarm(ctx context.Context, id string) error {
+	ret := _mock.Called(ctx, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) error); ok {
+		r0 = returnFunc(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Repository_DeleteAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAlarm'
+type Repository_DeleteAlarm_Call struct {
+	*mock.Call
+}
+
+// DeleteAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - id string
+func (_e *Repository_Expecter) DeleteAlarm(ctx interface{}, id interface{}) *Repository_DeleteAlarm_Call {
+	return &Repository_DeleteAlarm_Call{Call: _e.mock.On("DeleteAlarm", ctx, id)}
+}
+
+func (_c *Repository_DeleteAlarm_Call) Run(run func(ctx context.Context, id string)) *Repository_DeleteAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_DeleteAlarm_Call) Return(err error) *Repository_DeleteAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Repository_DeleteAlarm_Call) RunAndReturn(run func(ctx context.Context, id string) error) *Repository_DeleteAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListAllAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListAllAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ListAllAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAllAlarms'
+type Repository_ListAllAlarms_Call struct {
+	*mock.Call
+}
+
+// ListAllAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pm alarms.PageMetadata
+func (_e *Repository_Expecter) ListAllAlarms(ctx interface{}, pm interface{}) *Repository_ListAllAlarms_Call {
+	return &Repository_ListAllAlarms_Call{Call: _e.mock.On("ListAllAlarms", ctx, pm)}
+}
+
+func (_c *Repository_ListAllAlarms_Call) Run(run func(ctx context.Context, pm alarms.PageMetadata)) *Repository_ListAllAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.PageMetadata
+		if args[1] != nil {
+			arg1 = args[1].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ListAllAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListAllAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Repository_ListAllAlarms_Call) RunAndReturn(run func(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListAllAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListUserAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, userID, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListUserAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, userID, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, userID, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, userID, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ListUserAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListUserAlarms'
+type Repository_ListUserAlarms_Call struct {
+	*mock.Call
+}
+
+// ListUserAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - userID string
+//   - pm alarms.PageMetadata
+func (_e *Repository_Expecter) ListUserAlarms(ctx interface{}, userID interface{}, pm interface{}) *Repository_ListUserAlarms_Call {
+	return &Repository_ListUserAlarms_Call{Call: _e.mock.On("ListUserAlarms", ctx, userID, pm)}
+}
+
+func (_c *Repository_ListUserAlarms_Call) Run(run func(ctx context.Context, userID string, pm alarms.PageMetadata)) *Repository_ListUserAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 alarms.PageMetadata
+		if args[2] != nil {
+			arg2 = args[2].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListUserAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) RunAndReturn(run func(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListUserAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAlarm provides a mock function for the type Repository
+func (_mock *Repository) UpdateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_UpdateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAlarm'
+type Repository_UpdateAlarm_Call struct {
+	*mock.Call
+}
+
+// UpdateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Repository_Expecter) UpdateAlarm(ctx interface{}, alarm interface{}) *Repository_UpdateAlarm_Call {
+	return &Repository_UpdateAlarm_Call{Call: _e.mock.On("UpdateAlarm", ctx, alarm)}
+}
+
+func (_c *Repository_UpdateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Repository_UpdateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_UpdateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Repository_UpdateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Repository_UpdateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error)) *Repository_UpdateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ViewAlarm provides a mock function for the type Repository
+func (_mock *Repository) ViewAlarm(ctx context.Context, alarmID string, domainID string) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, alarmID, domainID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ViewAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, alarmID, domainID)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, alarmID, domainID)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = returnFunc(ctx, alarmID, domainID)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ViewAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ViewAlarm'
+type Repository_ViewAlarm_Call struct {
+	*mock.Call
+}
+
+// ViewAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarmID string
+//   - domainID string
+func (_e *Repository_Expecter) ViewAlarm(ctx interface{}, alarmID interface{}, domainID interface{}) *Repository_ViewAlarm_Call {
+	return &Repository_ViewAlarm_Call{Call: _e.mock.On("ViewAlarm", ctx, alarmID, domainID)}
+}
+
+func (_c *Repository_ViewAlarm_Call) Run(run func(ctx context.Context, alarmID string, domainID string)) *Repository_ViewAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ViewAlarm_Call) Return(alarm alarms.Alarm, err error) *Repository_ViewAlarm_Call {
+	_c.Call.Return(alarm, err)
+	return _c
+}
+
+func (_c *Repository_ViewAlarm_Call) RunAndReturn(run func(ctx context.Context, alarmID string, domainID string) (alarms.Alarm, error)) *Repository_ViewAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
@@ -0,0 +1,380 @@
+// Copyright (c) Abstract Machines
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/pkg/authn"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewService creates a new instance of Service. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Service {
+	mock := &Service{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// Service is an autogenerated mock type for the Service type
+type Service struct {
+	mock.Mock
+}
+
+type Service_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Service) EXPECT() *Service_Expecter {
+	return &Service_Expecter{mock: &_m.Mock}
+}
+
+// CreateAlarm provides a mock function for the type Service
+func (_mock *Service) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
+	ret := _mock.Called(ctx, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, alarms.Alarm) error); ok {
+		r0 = returnFunc(ctx, alarm)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Service_CreateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateAlarm'
+type Service_CreateAlarm_Call struct {
+	*mock.Call
+}
+
+// CreateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - alarm alarms.Alarm
+func (_e *Service_Expecter) CreateAlarm(ctx interface{}, alarm interface{}) *Service_CreateAlarm_Call {
+	return &Service_CreateAlarm_Call{Call: _e.mock.On("CreateAlarm", ctx, alarm)}
+}
+
+func (_c *Service_CreateAlarm_Call) Run(run func(ctx context.Context, alarm alarms.Alarm)) *Service_CreateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 alarms.Alarm
+		if args[1] != nil {
+			arg1 = args[1].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_CreateAlarm_Call) Return(err error) *Service_CreateAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Service_CreateAlarm_Call) RunAndReturn(run func(ctx context.Context, alarm alarms.Alarm) error) *Service_CreateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteAlarm provides a mock function for the type Service
+func (_mock *Service) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
+	ret := _mock.Called(ctx, session, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAlarm")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) error); ok {
+		r0 = returnFunc(ctx, session, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// Service_DeleteAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAlarm'
+type Service_DeleteAlarm_Call struct {
+	*mock.Call
+}
+
+// DeleteAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - id string
+func (_e *Service_Expecter) DeleteAlarm(ctx interface{}, session interface{}, id interface{}) *Service_DeleteAlarm_Call {
+	return &Service_DeleteAlarm_Call{Call: _e.mock.On("DeleteAlarm", ctx, session, id)}
+}
+
+func (_c *Service_DeleteAlarm_Call) Run(run func(ctx context.Context, session authn.Session, id string)) *Service_DeleteAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_DeleteAlarm_Call) Return(err error) *Service_DeleteAlarm_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *Service_DeleteAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, id string) error) *Service_DeleteAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListAlarms provides a mock function for the type Service
+func (_mock *Service) ListAlarms(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, session, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, session, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, session, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, session, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_ListAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAlarms'
+type Service_ListAlarms_Call struct {
+	*mock.Call
+}
+
+// ListAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - pm alarms.PageMetadata
+func (_e *Service_Expecter) ListAlarms(ctx interface{}, session interface{}, pm interface{}) *Service_ListAlarms_Call {
+	return &Service_ListAlarms_Call{Call: _e.mock.On("ListAlarms", ctx, session, pm)}
+}
+
+func (_c *Service_ListAlarms_Call) Run(run func(ctx context.Context, session authn.Session, pm alarms.PageMetadata)) *Service_ListAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 alarms.PageMetadata
+		if args[2] != nil {
+			arg2 = args[2].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_ListAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Service_ListAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Service_ListAlarms_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Service_ListAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAlarm provides a mock function for the type Service
+func (_mock *Service) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, session, alarm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.Alarm) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, session, alarm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, alarms.Alarm) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, session, alarm)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, alarms.Alarm) error); ok {
+		r1 = returnFunc(ctx, session, alarm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_UpdateAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAlarm'
+type Service_UpdateAlarm_Call struct {
+	*mock.Call
+}
+
+// UpdateAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - alarm alarms.Alarm
+func (_e *Service_Expecter) UpdateAlarm(ctx interface{}, session interface{}, alarm interface{}) *Service_UpdateAlarm_Call {
+	return &Service_UpdateAlarm_Call{Call: _e.mock.On("UpdateAlarm", ctx, session, alarm)}
+}
+
+func (_c *Service_UpdateAlarm_Call) Run(run func(ctx context.Context, session authn.Session, alarm alarms.Alarm)) *Service_UpdateAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 alarms.Alarm
+		if args[2] != nil {
+			arg2 = args[2].(alarms.Alarm)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_UpdateAlarm_Call) Return(alarm1 alarms.Alarm, err error) *Service_UpdateAlarm_Call {
+	_c.Call.Return(alarm1, err)
+	return _c
+}
+
+func (_c *Service_UpdateAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error)) *Service_UpdateAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ViewAlarm provides a mock function for the type Service
+func (_mock *Service) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
+	ret := _mock.Called(ctx, session, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ViewAlarm")
+	}
+
+	var r0 alarms.Alarm
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) (alarms.Alarm, error)); ok {
+		return returnFunc(ctx, session, id)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authn.Session, string) alarms.Alarm); ok {
+		r0 = returnFunc(ctx, session, id)
+	} else {
+		r0 = ret.Get(0).(alarms.Alarm)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authn.Session, string) error); ok {
+		r1 = returnFunc(ctx, session, id)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Service_ViewAlarm_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ViewAlarm'
+type Service_ViewAlarm_Call struct {
+	*mock.Call
+}
+
+// ViewAlarm is a helper method to define mock.On call
+//   - ctx context.Context
+//   - session authn.Session
+//   - id string
+func (_e *Service_Expecter) ViewAlarm(ctx interface{}, session interface{}, id interface{}) *Service_ViewAlarm_Call {
+	return &Service_ViewAlarm_Call{Call: _e.mock.On("ViewAlarm", ctx, session, id)}
+}
+
+func (_c *Service_ViewAlarm_Call) Run(run func(ctx context.Context, session authn.Session, id string)) *Service_ViewAlarm_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authn.Session
+		if args[1] != nil {
+			arg1 = args[1].(authn.Session)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Service_ViewAlarm_Call) Return(alarm alarms.Alarm, err error) *Service_ViewAlarm_Call {
+	_c.Call.Return(alarm, err)
+	return _c
+}
+
+func (_c *Service_ViewAlarm_Call) RunAndReturn(run func(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error)) *Service_ViewAlarm_Call {
+	_c.Call.Return(run)
+	return _c
+}
@@ -0,0 +1,52 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package operations
+
+import "github.com/absmach/magistrala/pkg/permissions"
+
+const EntityType = "alarm"
+
+// Alarm Operations.
+const (
+	OpViewAlarm permissions.Operation = iota
+	OpDeleteAlarm
+	OpListAlarms
+	OpAssignAlarm
+	OpAcknowledgeAlarm
+	OpResolveAlarm
+	OpUpdateAlarm
+)
+
+func OperationDetails() map[permissions.Operation]permissions.OperationDetails {
+	return map[permissions.Operation]permissions.OperationDetails{
+		OpViewAlarm: {
+			Name:               "view",
+			PermissionRequired: true,
+		},
+		OpDeleteAlarm: {
+			Name:               "delete",
+			PermissionRequired: true,
+		},
+		OpListAlarms: {
+			Name:               "list",
+			PermissionRequired: true,
+		},
+		OpAssignAlarm: {
+			Name:               "alarm_assign",
+			PermissionRequired: true,
+		},
+		OpAcknowledgeAlarm: {
+			Name:               "alarm_acknowledge",
+			PermissionRequired: true,
+		},
+		OpResolveAlarm: {
+			Name:               "alarm_resolve",
+			PermissionRequired: true,
+		},
+		OpUpdateAlarm: {
+			Name:               "update",
+			PermissionRequired: true,
+		},
+	}
+}
@@ -0,0 +1,536 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"math"
+	"strings"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	api "github.com/absmach/magistrala/api/http"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/postgres"
+	"github.com/jmoiron/sqlx"
+)
+
+const alarmColumns = `alarms.id, alarms.rule_id, alarms.domain_id, alarms.channel_id, alarms.client_id, alarms.subtopic, alarms.measurement, alarms.value, alarms.unit,
+alarms.threshold, alarms.cause, alarms.status, alarms.severity, alarms.assignee_id, alarms.created_at, alarms.updated_at, alarms.updated_by, alarms.assigned_at,
+alarms.assigned_by, alarms.acknowledged_at, alarms.acknowledged_by, alarms.resolved_at, alarms.resolved_by, alarms.metadata`
+
+type repository struct {
+	db *sqlx.DB
+}
+
+var _ alarms.Repository = (*repository)(nil)
+
+func NewAlarmsRepo(db *sqlx.DB) alarms.Repository {
+	return &repository{db: db}
+}
+
+func (r *repository) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	query := `
+	WITH existing AS (
+		SELECT status, severity
+		FROM alarms
+		WHERE domain_id = :domain_id
+			AND rule_id = :rule_id
+			AND channel_id = :channel_id
+			AND client_id = :client_id
+			AND subtopic = :subtopic
+			AND measurement = :measurement
+			AND created_at <= :created_at
+		ORDER BY created_at DESC
+		LIMIT 1
+	)
+	INSERT INTO alarms (
+		id, rule_id, domain_id, channel_id, client_id, subtopic, measurement,
+		value, unit, threshold, cause, status, severity, assignee_id,
+		created_at, updated_at, updated_by, assigned_at, assigned_by,
+		acknowledged_at, acknowledged_by, resolved_at, resolved_by, metadata
+	)
+	SELECT
+		:id, :rule_id, :domain_id, :channel_id, :client_id, :subtopic, :measurement,
+		:value, :unit, :threshold, :cause, :status, :severity, :assignee_id,
+		:created_at, :updated_at, :updated_by, :assigned_at, :assigned_by,
+		:acknowledged_at, :acknowledged_by, :resolved_at, :resolved_by, :metadata
+	WHERE (
+		EXISTS (
+			SELECT 1 FROM existing
+			WHERE existing.status IS DISTINCT FROM :status
+			OR (:status = 0 AND existing.status = 0 AND existing.severity IS DISTINCT FROM :severity)
+		)
+		OR (
+			NOT EXISTS (SELECT 1 FROM existing) AND :status = 0
+		)
+	)
+	RETURNING
+		id, rule_id, domain_id, channel_id, client_id, subtopic, measurement,
+		value, unit, threshold, cause, status, severity, created_at,
+		assignee_id, updated_at, updated_by, assigned_at, assigned_by,
+		acknowledged_at, acknowledged_by, resolved_at, resolved_by, metadata
+	;
+	`
+	dba, err := toDBAlarm(alarm)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrCreateEntity, err)
+	}
+	row, err := r.db.NamedQueryContext(ctx, query, dba)
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrCreateEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba = dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrCreateEntity, err)
+	}
+
+	return toAlarm(dba)
+}
+
+func (r *repository) UpdateAlarm(ctx context.Context, alarm alarms.Alarm) (alarms.Alarm, error) {
+	var query []string
+	var upq string
+	if alarm.Status != 0 {
+		query = append(query, "status = :status,")
+	}
+	if alarm.AssigneeID != "" {
+		query = append(query, "assignee_id = :assignee_id,")
+	}
+	if !alarm.AssignedAt.IsZero() {
+		query = append(query, "assigned_at = :assigned_at,")
+	}
+	if alarm.AssignedBy != "" {
+		query = append(query, "assigned_by = :assigned_by,")
+	}
+	if alarm.AcknowledgedBy != "" {
+		query = append(query, "acknowledged_by = :acknowledged_by,")
+	}
+	if !alarm.AcknowledgedAt.IsZero() {
+		query = append(query, "acknowledged_at = :acknowledged_at,")
+	}
+	if alarm.ResolvedBy != "" {
+		query = append(query, "resolved_by = :resolved_by,")
+	}
+	if !alarm.ResolvedAt.IsZero() {
+		query = append(query, "resolved_at = :resolved_at,")
+	}
+	if alarm.Metadata != nil {
+		query = append(query, "metadata = :metadata,")
+	}
+	if len(query) > 0 {
+		upq = strings.Join(query, " ")
+	}
+
+	q := fmt.Sprintf(`UPDATE alarms SET %s updated_by = :updated_by, updated_at = :updated_at WHERE id = :id
+		RETURNING id, rule_id, domain_id, channel_id, client_id, subtopic, measurement, value, unit, threshold,
+		cause, status, severity, assignee_id, assigned_at, assigned_by, acknowledged_at, acknowledged_by,
+		resolved_by, resolved_at, metadata, created_at, updated_by, updated_at;`, upq)
+
+	dba, err := toDBAlarm(alarm)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrUpdateEntity, err)
+	}
+	row, err := r.db.NamedQueryContext(ctx, q, dba)
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrUpdateEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba = dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrUpdateEntity, err)
+	}
+
+	return toAlarm(dba)
+}
+
+func (r *repository) ViewAlarm(ctx context.Context, alarmID, domainID string) (alarms.Alarm, error) {
+	query := `SELECT * FROM alarms WHERE id = :id AND domain_id = :domain_id;`
+	row, err := r.db.NamedQueryContext(ctx, query, map[string]any{
+		"id": alarmID, "domain_id": domainID,
+	})
+	if err != nil {
+		return alarms.Alarm{}, postgres.HandleError(repoerr.ErrViewEntity, err)
+	}
+	defer row.Close()
+
+	if !row.Next() {
+		return alarms.Alarm{}, repoerr.ErrNotFound
+	}
+
+	dba := dbAlarm{}
+	if err := row.StructScan(&dba); err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	alarm, err := toAlarm(dba)
+	if err != nil {
+		return alarms.Alarm{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	return alarm, nil
+}
+
+func (r *repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	query, err := pageQuery(pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	comQuery := fmt.Sprintf(`SELECT %s FROM alarms %s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	clauses := []string{
+		`(
+			EXISTS (
+				SELECT 1
+				FROM rules_roles rr
+				JOIN rules_role_members rrm ON rrm.role_id = rr.id
+				WHERE rr.entity_id = alarms.rule_id AND rrm.member_id = :user_id
+			)
+			OR EXISTS (
+				SELECT 1
+				FROM domains_roles dr
+				JOIN domains_role_members drm ON drm.role_id = dr.id
+				JOIN domains_role_actions dra ON dra.role_id = dr.id
+				WHERE dr.entity_id = alarms.domain_id
+					AND drm.member_id = :user_id
+					AND dra.action LIKE 'alarm%'
+			)
+		)`,
+	}
+
+	clauses = append(clauses, pageQueryConditions(pm)...)
+	query := fmt.Sprintf("WHERE %s", strings.Join(clauses, " AND "))
+	pm.UserID = userID
+	comQuery := fmt.Sprintf(`SELECT DISTINCT %s FROM alarms %s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) alarmsPage(ctx context.Context, comQuery string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	dir := api.DescDir
+	if pm.Dir == api.AscDir {
+		dir = api.AscDir
+	}
+
+	var orderClause string
+	switch pm.Order {
+	case api.CreatedAtOrder:
+		orderClause = fmt.Sprintf("ORDER BY created_at %s, id %s", dir, dir)
+	default:
+		orderClause = fmt.Sprintf("ORDER BY COALESCE(updated_at, created_at) %s, id %s", dir, dir)
+	}
+
+	q := fmt.Sprintf(`SELECT * FROM (%s) AS sub_query %s LIMIT :limit OFFSET :offset;`, comQuery, orderClause)
+	cq := fmt.Sprintf(`SELECT COUNT(*) AS total_count FROM (%s) AS sub_query;`, comQuery)
+
+	rows, err := r.db.NamedQueryContext(ctx, q, pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+	defer rows.Close()
+
+	var items []alarms.Alarm
+	for rows.Next() {
+		dba := dbAlarm{}
+		if err := rows.StructScan(&dba); err != nil {
+			return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+		}
+
+		a, err := toAlarm(dba)
+		if err != nil {
+			return alarms.AlarmsPage{}, err
+		}
+
+		items = append(items, a)
+	}
+
+	total, err := postgres.Total(ctx, r.db, cq, pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	return alarms.AlarmsPage{
+		Total:  total,
+		Offset: pm.Offset,
+		Limit:  pm.Limit,
+		Alarms: items,
+	}, nil
+}
+
+func (r *repository) DeleteAlarm(ctx context.Context, id string) error {
+	query := `DELETE FROM alarms WHERE id = :id;`
+	result, err := r.db.NamedExecContext(ctx, query, map[string]any{"id": id})
+	if err != nil {
+		return errors.Wrap(repoerr.ErrRemoveEntity, err)
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return errors.Wrap(repoerr.ErrRemoveEntity, err)
+	}
+
+	if rowsAffected == 0 {
+		return repoerr.ErrNotFound
+	}
+
+	return nil
+}
+
+type dbAlarm struct {
+	ID             string        `db:"id"`
+	RuleID         string        `db:"rule_id"`
+	DomainID       string        `db:"domain_id"`
+	ChannelID      string        `db:"channel_id"`
+	ClientID       string        `db:"client_id"`
+	Subtopic       string        `db:"subtopic"`
+	Measurement    string        `db:"measurement"`
+	Value          string        `db:"value"`
+	Unit           string        `db:"unit"`
+	Cause          string        `db:"cause"`
+	Threshold      string        `db:"threshold"`
+	Status         alarms.Status `db:"status"`
+	Severity       uint8         `db:"severity"`
+	AssigneeID     string        `db:"assignee_id"`
+	CreatedAt      time.Time     `db:"created_at"`
+	UpdatedAt      sql.NullTime  `db:"updated_at,omitempty"`
+	UpdatedBy      *string       `db:"updated_by,omitempty"`
+	AssignedAt     sql.NullTime  `db:"assigned_at,omitempty"`
+	AssignedBy     *string       `db:"assigned_by,omitempty"`
+	AcknowledgedAt sql.NullTime  `db:"acknowledged_at,omitempty"`
+	AcknowledgedBy *string       `db:"acknowledged_by,omitempty"`
+	ResolvedAt     sql.NullTime  `db:"resolved_at,omitempty"`
+	ResolvedBy     *string       `db:"resolved_by,omitempty"`
+	Metadata       []byte        `db:"metadata,omitempty"`
+}
+
+func toDBAlarm(a alarms.Alarm) (dbAlarm, error) {
+	if a.CreatedAt.IsZero() {
+		a.CreatedAt = time.Now()
+	}
+	var updatedBy *string
+	if a.UpdatedBy != "" {
+		updatedBy = &a.UpdatedBy
+	}
+	var updatedAt sql.NullTime
+	if a.UpdatedAt != (time.Time{}) {
+		updatedAt = sql.NullTime{Time: a.UpdatedAt, Valid: true}
+	}
+
+	var acknowledgedBy *string
+	if a.AcknowledgedBy != "" {
+		acknowledgedBy = &a.AcknowledgedBy
+	}
+	var acknowledgedAt sql.NullTime
+	if a.AcknowledgedAt != (time.Time{}) {
+		acknowledgedAt = sql.NullTime{Time: a.AcknowledgedAt, Valid: true}
+	}
+
+	var resolvedBy *string
+	if a.ResolvedBy != "" {
+		resolvedBy = &a.ResolvedBy
+	}
+	var resolvedAt sql.NullTime
+	if a.ResolvedAt != (time.Time{}) {
+		resolvedAt = sql.NullTime{Time: a.ResolvedAt, Valid: true}
+	}
+
+	var assignedBy *string
+	if a.AssignedBy != "" {
+		assignedBy = &a.AssignedBy
+	}
+	var assignedAt sql.NullTime
+	if a.AssignedAt != (time.Time{}) {
+		assignedAt = sql.NullTime{Time: a.AssignedAt, Valid: true}
+	}
+
+	metadata := []byte("{}")
+	if len(a.Metadata) > 0 {
+		b, err := json.Marshal(a.Metadata)
+		if err != nil {
+			return dbAlarm{}, errors.Wrap(repoerr.ErrMalformedEntity, err)
+		}
+		metadata = b
+	}
+
+	return dbAlarm{
+		ID:             a.ID,
+		RuleID:         a.RuleID,
+		DomainID:       a.DomainID,
+		ChannelID:      a.ChannelID,
+		ClientID:       a.ClientID,
+		Subtopic:       a.Subtopic,
+		Measurement:    a.Measurement,
+		Value:          a.Value,
+		Unit:           a.Unit,
+		Cause:          a.Cause,
+		Threshold:      a.Threshold,
+		Status:         a.Status,
+		Severity:       a.Severity,
+		AssigneeID:     a.AssigneeID,
+		CreatedAt:      a.CreatedAt,
+		UpdatedAt:      updatedAt,
+		UpdatedBy:      updatedBy,
+		AssignedAt:     assignedAt,
+		AssignedBy:     assignedBy,
+		AcknowledgedAt: acknowledgedAt,
+		AcknowledgedBy: acknowledgedBy,
+		ResolvedAt:     resolvedAt,
+		ResolvedBy:     resolvedBy,
+		Metadata:       metadata,
+	}, nil
+}
+
+func toAlarm(dbr dbAlarm) (alarms.Alarm, error) {
+	var updatedBy string
+	if dbr.UpdatedBy != nil {
+		updatedBy = *dbr.UpdatedBy
+	}
+	var updatedAt time.Time
+	if dbr.UpdatedAt.Valid {
+		updatedAt = dbr.UpdatedAt.Time
+	}
+
+	var assignedBy string
+	if dbr.AssignedBy != nil {
+		assignedBy = *dbr.AssignedBy
+	}
+	var assignedAt time.Time
+	if dbr.AssignedAt.Valid {
+		assignedAt = dbr.AssignedAt.Time
+	}
+
+	var acknowledgedBy string
+	if dbr.AcknowledgedBy != nil {
+		acknowledgedBy = *dbr.AcknowledgedBy
+	}
+	var acknowledgedAt time.Time
+	if dbr.AcknowledgedAt.Valid {
+		acknowledgedAt = dbr.AcknowledgedAt.Time
+	}
+
+	var resolvedBy string
+	if dbr.ResolvedBy != nil {
+		resolvedBy = *dbr.ResolvedBy
+	}
+	var resolvedAt time.Time
+	if dbr.ResolvedAt.Valid {
+		resolvedAt = dbr.ResolvedAt.Time
+	}
+
+	var metadata map[string]any
+	if len(dbr.Metadata) > 0 {
+		err := json.Unmarshal(dbr.Metadata, &metadata)
+		if err != nil {
+			return alarms.Alarm{}, errors.Wrap(repoerr.ErrMalformedEntity, err)
+		}
+	}
+
+	return alarms.Alarm{
+		ID:             dbr.ID,
+		RuleID:         dbr.RuleID,
+		DomainID:       dbr.DomainID,
+		ChannelID:      dbr.ChannelID,
+		ClientID:       dbr.ClientID,
+		Subtopic:       dbr.Subtopic,
+		Measurement:    dbr.Measurement,
+		Value:          dbr.Value,
+		Unit:           dbr.Unit,
+		Threshold:      dbr.Threshold,
+		Cause:          dbr.Cause,
+		Status:         dbr.Status,
+		Severity:       dbr.Severity,
+		AssigneeID:     dbr.AssigneeID,
+		CreatedAt:      dbr.CreatedAt,
+		UpdatedAt:      updatedAt,
+		UpdatedBy:      updatedBy,
+		AssignedAt:     assignedAt,
+		AssignedBy:     assignedBy,
+		AcknowledgedAt: acknowledgedAt,
+		AcknowledgedBy: acknowledgedBy,
+		ResolvedAt:     resolvedAt,
+		ResolvedBy:     resolvedBy,
+		Metadata:       metadata,
+	}, nil
+}
+
+func pageQuery(pm alarms.PageMetadata) (string, error) {
+	query := pageQueryConditions(pm)
+
+	var emq string
+	if len(query) > 0 {
+		emq = fmt.Sprintf("WHERE %s", strings.Join(query, " AND "))
+	}
+
+	return emq, nil
+}
+
+func pageQueryConditions(pm alarms.PageMetadata) []string {
+	var query []string
+	if pm.DomainID != "" {
+		query = append(query, "alarms.domain_id = :domain_id")
+	}
+	if pm.RuleID != "" {
+		query = append(query, "alarms.rule_id = :rule_id")
+	}
+	if pm.ChannelID != "" {
+		query = append(query, "alarms.channel_id = :channel_id")
+	}
+	if pm.Subtopic != "" {
+		query = append(query, "alarms.subtopic = :subtopic")
+	}
+	if pm.ClientID != "" {
+		query = append(query, "alarms.client_id = :client_id")
+	}
+	if pm.Measurement != "" {
+		query = append(query, "alarms.measurement = :measurement")
+	}
+	if pm.Status != alarms.AllStatus {
+		query = append(query, "alarms.status = :status")
+	}
+	if pm.Severity != math.MaxUint8 {
+		query = append(query, "alarms.severity = :severity")
+	}
+	if pm.AssigneeID != "" {
+		query = append(query, "alarms.assignee_id = :assignee_id")
+	}
+	if pm.UpdatedBy != "" {
+		query = append(query, "alarms.updated_by = :updated_by")
+	}
+	if pm.ResolvedBy != "" {
+		query = append(query, "alarms.resolved_by = :resolved_by")
+	}
+	if pm.AcknowledgedBy != "" {
+		query = append(query, "alarms.acknowledged_by = :acknowledged_by")
+	}
+	if pm.AssignedBy != "" {
+		query = append(query, "alarms.assigned_by = :assigned_by")
+	}
+	if !pm.CreatedFrom.IsZero() {
+		query = append(query, "alarms.created_at >= :created_from")
+	}
+	if !pm.CreatedTo.IsZero() {
+		query = append(query, "alarms.created_at <= :created_to")
+	}
+	return query
+}
@@ -0,0 +1,690 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres_test
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/0x6flab/namegenerator"
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/postgres"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	namegen    = namegenerator.NewGenerator()
+	idProvider = uuid.New()
+)
+
+func TestCreateAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Subtopic:    namegen.Generate(),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc:  "valid alarm",
+			alarm: alarm,
+			err:   nil,
+		},
+		{
+			desc:  "duplicate alarm",
+			alarm: alarm,
+			err:   repoerr.ErrNotFound,
+		},
+		{
+			desc: "missing rule id",
+			alarm: alarms.Alarm{
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
+				Subtopic:    namegen.Generate(),
+				Measurement: namegen.Generate(),
+				Value:       namegen.Generate(),
+				Unit:        namegen.Generate(),
+				Threshold:   namegen.Generate(),
+				Cause:       namegen.Generate(),
+				Status:      0,
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),
+
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: repoerr.ErrCreateEntity,
+		},
+		{
+			desc: "invalid alarm",
+			alarm: alarms.Alarm{
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
+				Subtopic:    namegen.Generate(),
+				Measurement: namegen.Generate(),
+				Value:       namegen.Generate(),
+				Unit:        namegen.Generate(),
+				Threshold:   namegen.Generate(),
+				Cause:       namegen.Generate(),
+				Status:      0,
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),
+
+				Metadata: map[string]any{
+					"key": make(chan int),
+				},
+			},
+			err: repoerr.ErrCreateEntity,
+		},
+		{
+			desc:  "empty alarm",
+			alarm: alarms.Alarm{},
+			err:   repoerr.ErrCreateEntity,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.CreateAlarm(context.Background(), tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.RuleID, alarm.RuleID)
+			assert.Equal(t, tc.alarm.Measurement, alarm.Measurement)
+			assert.Equal(t, tc.alarm.Value, alarm.Value)
+			assert.Equal(t, tc.alarm.Unit, alarm.Unit)
+			assert.Equal(t, tc.alarm.Cause, alarm.Cause)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+		})
+	}
+}
+
+func TestUpdateAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				ID:             alarm.ID,
+				Status:         alarms.ClearedStatus,
+				DomainID:       alarm.DomainID,
+				AssigneeID:     generateUUID(t),
+				AssignedBy:     generateUUID(t),
+				AssignedAt:     time.Now().UTC(),
+				AcknowledgedBy: generateUUID(t),
+				AcknowledgedAt: time.Now().UTC(),
+				CreatedAt:      alarm.CreatedAt,
+				UpdatedAt:      time.Now().UTC(),
+				UpdatedBy:      generateUUID(t),
+				ResolvedAt:     time.Now().UTC(),
+				ResolvedBy:     generateUUID(t),
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: nil,
+		},
+		{
+			desc: "non existing alarm",
+			alarm: alarms.Alarm{
+				ID: generateUUID(t),
+			},
+			err: repoerr.ErrNotFound,
+		},
+		{
+			desc: "invalid alarm",
+			alarm: alarms.Alarm{
+				ID:         alarm.ID,
+				RuleID:     generateUUID(t),
+				Status:     0,
+				DomainID:   generateUUID(t),
+				AssigneeID: strings.Repeat("a", 40),
+				CreatedAt:  time.Now().UTC(),
+				Metadata: map[string]any{
+					"key": "value",
+				},
+			},
+			err: repoerr.ErrMalformedEntity,
+		},
+		{
+			desc:  "empty alarm",
+			alarm: alarms.Alarm{},
+			err:   repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.UpdateAlarm(context.Background(), tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.UpdatedBy, alarm.UpdatedBy)
+			assert.Equal(t, tc.alarm.ResolvedBy, alarm.ResolvedBy)
+			assert.Equal(t, tc.alarm.AcknowledgedBy, alarm.AcknowledgedBy)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+		})
+	}
+}
+
+func TestViewAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc     string
+		id       string
+		domainID string
+		err      error
+	}{
+		{
+			desc:     "valid alarm",
+			id:       alarm.ID,
+			domainID: alarm.DomainID,
+			err:      nil,
+		},
+		{
+			desc:     "non existing alarm id",
+			id:       generateUUID(t),
+			domainID: alarm.DomainID,
+			err:      repoerr.ErrNotFound,
+		},
+		{
+			desc:     "non existing domain id",
+			id:       alarm.ID,
+			domainID: generateUUID(t),
+			err:      repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarm, err := repo.ViewAlarm(context.Background(), tc.id, tc.domainID)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.id, alarm.ID)
+		})
+	}
+}
+
+func TestListAlarms(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+	repo := postgres.NewAlarmsRepo(db)
+	items := make([]alarms.Alarm, 1000)
+	for i := range 1000 {
+		items[i] = alarms.Alarm{
+			ID:          generateUUID(t),
+			RuleID:      generateUUID(t),
+			DomainID:    generateUUID(t),
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
+			Measurement: namegen.Generate(),
+			Value:       namegen.Generate(),
+			Unit:        namegen.Generate(),
+			Threshold:   namegen.Generate(),
+			Cause:       namegen.Generate(),
+			Status:      0,
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC(),
+			Metadata: map[string]any{
+				"key": "value",
+			},
+		}
+		alarm, err := repo.CreateAlarm(context.Background(), items[i])
+		require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		items[i].ID = alarm.ID
+	}
+
+	cases := []struct {
+		desc     string
+		pm       alarms.PageMetadata
+		response []alarms.Alarm
+		err      error
+	}{
+		{
+			desc: "valid page",
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  10,
+			},
+			response: items[:10],
+			err:      nil,
+		},
+		{
+			desc: "offset and limit",
+			pm: alarms.PageMetadata{
+				Offset: 10,
+				Limit:  50,
+			},
+			response: items[10:60],
+			err:      nil,
+		},
+		{
+			desc:     "empty page",
+			pm:       alarms.PageMetadata{},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+		{
+			desc: "invalid page",
+			pm: alarms.PageMetadata{
+				Offset: 1000,
+				Limit:  10,
+			},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+		{
+			desc: "invalid assignee id",
+			pm: alarms.PageMetadata{
+				Offset:     0,
+				Limit:      10,
+				AssigneeID: generateUUID(t),
+			},
+			response: []alarms.Alarm{},
+			err:      nil,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			alarms, err := repo.ListAllAlarms(context.Background(), tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Equal(t, len(tc.response), len(alarms.Alarms))
+		})
+	}
+}
+
+func TestListUserAlarms(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM domains_role_actions")
+		require.Nil(t, err, fmt.Sprintf("clean domains_role_actions unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains_role_members")
+		require.Nil(t, err, fmt.Sprintf("clean domains_role_members unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains_roles")
+		require.Nil(t, err, fmt.Sprintf("clean domains_roles unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM domains")
+		require.Nil(t, err, fmt.Sprintf("clean domains unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM rules")
+		require.Nil(t, err, fmt.Sprintf("clean rules unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	domainID := generateUUID(t)
+	domainRoute := generateUUID(t)
+	userID := generateUUID(t)
+	otherUserID := generateUUID(t)
+	adminUserID := generateUUID(t)
+	domainUserID := generateUUID(t)
+
+	_, err := db.Exec(`INSERT INTO domains (id, name, route, status) VALUES ($1, $2, $3, $4)`, domainID, namegen.Generate(), domainRoute, 0)
+	require.Nil(t, err, fmt.Sprintf("insert domains unexpected error: %s", err))
+
+	// Create 10 rules and 10 alarms referencing them.
+	// Assign userID to the first 6 rules via role membership.
+	var ruleIDs []string
+	var createdAlarms []alarms.Alarm
+	for i := range 10 {
+		ruleID := generateUUID(t)
+		_, err := db.Exec(`INSERT INTO rules (id, name, domain_id, status, logic_type, logic_value) VALUES ($1, $2, $3, 0, 0, '')`,
+			ruleID, fmt.Sprintf("rule-%d", i), domainID)
+		require.Nil(t, err, fmt.Sprintf("insert rule unexpected error: %s", err))
+		ruleIDs = append(ruleIDs, ruleID)
+
+		alarm := alarms.Alarm{
+			ID:          generateUUID(t),
+			RuleID:      ruleID,
+			DomainID:    domainID,
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
+			Measurement: namegen.Generate(),
+			Value:       namegen.Generate(),
+			Unit:        namegen.Generate(),
+			Threshold:   namegen.Generate(),
+			Cause:       namegen.Generate(),
+			Status:      0,
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC().Add(time.Duration(i) * time.Minute),
+		}
+		alarm, err = repo.CreateAlarm(context.Background(), alarm)
+		require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		createdAlarms = append(createdAlarms, alarm)
+	}
+
+	// Assign userID to the first 6 rules via rules_roles + rules_role_members.
+	userRoleIDs := make([]string, 6)
+	for i := range 6 {
+		roleID := generateUUID(t)
+		userRoleIDs[i] = roleID
+		_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		_, err = db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, userID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	for i := range 10 {
+		var roleID string
+		if i < 6 {
+			roleID = userRoleIDs[i]
+		} else {
+			roleID = generateUUID(t)
+			_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+			require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		}
+		_, err := db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, adminUserID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	domainRoleID := generateUUID(t)
+	_, err = db.Exec(`INSERT INTO domains_roles (id, name, entity_id) VALUES ($1, $2, $3)`, domainRoleID, "admin", domainID)
+	require.Nil(t, err, fmt.Sprintf("insert domains_roles unexpected error: %s", err))
+	_, err = db.Exec(`INSERT INTO domains_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, domainRoleID, domainUserID, domainID)
+	require.Nil(t, err, fmt.Sprintf("insert domains_role_members unexpected error: %s", err))
+	_, err = db.Exec(`INSERT INTO domains_role_actions (role_id, action) VALUES ($1, $2)`, domainRoleID, "alarm_read")
+	require.Nil(t, err, fmt.Sprintf("insert domains_role_actions unexpected error: %s", err))
+
+	_ = createdAlarms
+
+	cases := []struct {
+		desc   string
+		userID string
+		pm     alarms.PageMetadata
+		count  int
+		err    error
+	}{
+		{
+			desc:   "list user alarms returns only accessible alarms",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with limit",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  3,
+			},
+			count: 3,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with offset",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 4,
+				Limit:  100,
+			},
+			count: 2,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with domain filter",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: domainID,
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with non-existing domain returns 0",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: generateUUID(t),
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for user with no role assignments returns 0",
+			userID: otherUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for admin user with role on all rules returns all alarms",
+			userID: adminUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 10,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for user with domain-level rule access returns all alarms",
+			userID: domainUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 10,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms ordered by created_at ascending",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+				Order:  "created_at",
+				Dir:    "asc",
+			},
+			count: 6,
+			err:   nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			page, err := repo.ListUserAlarms(context.Background(), tc.userID, tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+				return
+			}
+			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Equal(t, tc.count, len(page.Alarms), fmt.Sprintf("%s: expected %d alarms, got %d", tc.desc, tc.count, len(page.Alarms)))
+		})
+	}
+}
+
+func TestDeleteAlarm(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	alarm := alarms.Alarm{
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
+		Measurement: namegen.Generate(),
+		Value:       namegen.Generate(),
+		Unit:        namegen.Generate(),
+		Threshold:   namegen.Generate(),
+		Cause:       namegen.Generate(),
+		Status:      0,
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
+		Metadata: map[string]any{
+			"key": "value",
+		},
+	}
+	alarm, err := repo.CreateAlarm(context.Background(), alarm)
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+
+	cases := []struct {
+		desc string
+		id   string
+		err  error
+	}{
+		{
+			desc: "valid alarm",
+			id:   alarm.ID,
+			err:  nil,
+		},
+		{
+			desc: "non existing alarm",
+			id:   generateUUID(t),
+			err:  repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			err := repo.DeleteAlarm(context.Background(), tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		})
+	}
+}
+
+func generateUUID(t *testing.T) string {
+	ulid, err := idProvider.ID()
+	require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+	return ulid
+}
@@ -0,0 +1,65 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres
+
+import (
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	rpostgres "github.com/absmach/magistrala/re/postgres"
+	_ "github.com/jackc/pgx/v5/stdlib" // required for SQL access
+	migrate "github.com/rubenv/sql-migrate"
+)
+
+// Migration of Alarms service.
+func Migration() (*migrate.MemoryMigrationSource, error) {
+	alarmsMigration := &migrate.MemoryMigrationSource{
+		Migrations: []*migrate.Migration{
+			{
+				Id: "alarms_01",
+				// VARCHAR(36) for columns with IDs as UUIDS have a maximum of 36 characters
+				Up: []string{
+					`CREATE TABLE IF NOT EXISTS alarms (
+						id         	    VARCHAR(36) PRIMARY KEY,
+						rule_id		    VARCHAR(36) NOT NULL CHECK (length(rule_id) > 0),
+						domain_id	    VARCHAR(36) NOT NULL,
+						channel_id	    VARCHAR(36) NOT NULL,
+						subtopic        TEXT NOT NULL,
+						client_id	    VARCHAR(36) NOT NULL,
+						measurement	    TEXT NOT NULL,
+						value		    TEXT NOT NULL,
+						unit		    TEXT NOT NULL,
+						threshold	    TEXT NOT NULL,
+						cause	    	TEXT NOT NULL,
+						status          SMALLINT NOT NULL DEFAULT 0 CHECK (status >= 0),
+						severity        SMALLINT NOT NULL DEFAULT 0 CHECK (severity >= 0),
+						assignee_id	    VARCHAR(36),
+						created_at	    TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
+						updated_at	    TIMESTAMPTZ NULL,
+						updated_by	    VARCHAR(36) NULL,
+						assigned_at	    TIMESTAMPTZ NULL,
+						assigned_by	    VARCHAR(36) NULL,
+						acknowledged_at	TIMESTAMPTZ NULL,
+						acknowledged_by	VARCHAR(36) NULL,
+						resolved_at	    TIMESTAMPTZ NULL,
+						resolved_by	    VARCHAR(36) NULL,
+						metadata	    JSONB
+					);`,
+					"CREATE INDEX IF NOT EXISTS idx_alarms_state ON alarms (domain_id, rule_id, channel_id, subtopic, client_id, measurement, created_at DESC);",
+				},
+				Down: []string{
+					`DROP TABLE IF EXISTS alarms`,
+				},
+			},
+		},
+	}
+
+	rulesMigration, err := rpostgres.Migration()
+	if err != nil {
+		return &migrate.MemoryMigrationSource{}, errors.Wrap(repoerr.ErrRoleMigration, err)
+	}
+
+	alarmsMigration.Migrations = append(alarmsMigration.Migrations, rulesMigration.Migrations...)
+
+	return alarmsMigration, nil
+}
@@ -0,0 +1,97 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package postgres_test
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+	"testing"
+	"time"
+
+	apostgres "github.com/absmach/magistrala/alarms/postgres"
+	"github.com/absmach/magistrala/pkg/postgres"
+	"github.com/jmoiron/sqlx"
+	dockertest "github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"go.opentelemetry.io/otel"
+)
+
+var (
+	db       *sqlx.DB
+	database postgres.Database
+	tracer   = otel.Tracer("repo_tests")
+)
+
+func TestMain(m *testing.M) {
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		log.Fatalf("Could not connect to docker: %s", err)
+	}
+
+	container, err := pool.RunWithOptions(&dockertest.RunOptions{
+		Repository: "postgres",
+		Tag:        "16.2-alpine",
+		Env: []string{
+			"POSTGRES_USER=test",
+			"POSTGRES_PASSWORD=test",
+			"POSTGRES_DB=test",
+			"listen_addresses = '*'",
+		},
+	}, func(config *docker.HostConfig) {
+		config.AutoRemove = true
+		config.RestartPolicy = docker.RestartPolicy{Name: "no"}
+	})
+	if err != nil {
+		log.Fatalf("Could not start container: %s", err)
+	}
+
+	port := container.GetPort("5432/tcp")
+
+	// exponential backoff-retry, because the application in the container might not be ready to accept connections yet
+	pool.MaxWait = 120 * time.Second
+	if err := pool.Retry(func() error {
+		url := fmt.Sprintf("host=localhost port=%s user=test dbname=test password=test sslmode=disable", port)
+		db, err := sql.Open("pgx", url)
+		if err != nil {
+			return err
+		}
+		return db.Ping()
+	}); err != nil {
+		log.Fatalf("Could not connect to docker: %s", err)
+	}
+
+	dbConfig := postgres.Config{
+		Host:        "localhost",
+		Port:        port,
+		User:        "test",
+		Pass:        "test",
+		Name:        "test",
+		SSLMode:     "disable",
+		SSLCert:     "",
+		SSLKey:      "",
+		SSLRootCert: "",
+	}
+
+	migration, err := apostgres.Migration()
+	if err != nil {
+		log.Fatalf("Could not get migration: %s", err)
+	}
+	if db, err = postgres.Setup(dbConfig, *migration); err != nil {
+		log.Fatalf("Could not setup test DB connection: %s", err)
+	}
+
+	database = postgres.NewDatabase(db, dbConfig, tracer)
+
+	code := m.Run()
+
+	// Defers will not be run when using os.Exit
+	db.Close()
+	if err := pool.Purge(container); err != nil {
+		log.Fatalf("Could not purge container: %s", err)
+	}
+
+	os.Exit(code)
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"context"
+	"time"
+
+	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/pkg/authn"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+)
+
+type service struct {
+	idp  magistrala.IDProvider
+	repo Repository
+}
+
+var _ Service = (*service)(nil)
+
+func NewService(idp magistrala.IDProvider, repo Repository) Service {
+	return &service{
+		idp:  idp,
+		repo: repo,
+	}
+}
+
+func (s *service) CreateAlarm(ctx context.Context, alarm Alarm) error {
+	id, err := s.idp.ID()
+	if err != nil {
+		return err
+	}
+	alarm.ID = id
+	if alarm.CreatedAt.IsZero() {
+		alarm.CreatedAt = time.Now()
+	}
+
+	if err := alarm.Validate(); err != nil {
+		return err
+	}
+
+	if _, err = s.repo.CreateAlarm(ctx, alarm); err != nil && err != repoerr.ErrNotFound {
+		return err
+	}
+
+	return nil
+}
+
+func (s *service) ViewAlarm(ctx context.Context, session authn.Session, alarmID string) (Alarm, error) {
+	return s.repo.ViewAlarm(ctx, alarmID, session.DomainID)
+}
+
+func (s *service) ListAlarms(ctx context.Context, session authn.Session, pm PageMetadata) (AlarmsPage, error) {
+	if session.SuperAdmin {
+		return s.repo.ListAllAlarms(ctx, pm)
+	}
+	return s.repo.ListUserAlarms(ctx, session.UserID, pm)
+}
+
+func (s *service) DeleteAlarm(ctx context.Context, session authn.Session, alarmID string) error {
+	return s.repo.DeleteAlarm(ctx, alarmID)
+}
+
+func (s *service) UpdateAlarm(ctx context.Context, session authn.Session, alarm Alarm) (Alarm, error) {
+	alarm.UpdatedAt = time.Now()
+	alarm.UpdatedBy = session.UserID
+
+	return s.repo.UpdateAlarm(ctx, alarm)
+}
@@ -0,0 +1,254 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/mocks"
+	"github.com/absmach/magistrala/pkg/authn"
+	"github.com/absmach/magistrala/pkg/errors"
+	repoerr "github.com/absmach/magistrala/pkg/errors/repository"
+	"github.com/absmach/magistrala/pkg/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+var idp = uuid.New()
+
+func newService(t *testing.T, repo *mocks.Repository) alarms.Service {
+	return alarms.NewService(idp, repo)
+}
+
+func TestCreateAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+	ts := time.Now()
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+				CreatedAt:   ts,
+			},
+			err: nil,
+		},
+		{
+			desc: "missing rule_id",
+			alarm: alarms.Alarm{
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+				CreatedAt:   ts,
+			},
+			err: errors.New("rule_id is required"),
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			repoCall := repo.On("CreateAlarm", context.Background(), mock.Anything).Return(tc.alarm, tc.err)
+			err := svc.CreateAlarm(context.Background(), tc.alarm)
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestViewAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc     string
+		id       string
+		domainID string
+		err      error
+	}{
+		{
+			desc:     "valid alarm",
+			id:       "alarm-id",
+			domainID: "domain-id",
+			err:      nil,
+		},
+		{
+			desc:     "non existing alarm id",
+			id:       "alarm-id",
+			domainID: "domain-id",
+			err:      repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.domainID}
+			repoCall := repo.On("ViewAlarm", context.Background(), tc.id, tc.domainID).Return(alarms.Alarm{}, tc.err)
+			_, err := svc.ViewAlarm(context.Background(), s, tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestUpdateAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc  string
+		alarm alarms.Alarm
+		err   error
+	}{
+		{
+			desc: "valid alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: nil,
+		},
+		{
+			desc: "non existing alarm",
+			alarm: alarms.Alarm{
+				RuleID:      "rule-id",
+				DomainID:    "domain-id",
+				ChannelID:   "channel-id",
+				ClientID:    "client-id",
+				Subtopic:    "subtopic",
+				Measurement: "measurement",
+				Value:       "value",
+				Unit:        "unit",
+				Cause:       "cause",
+				Severity:    100,
+			},
+			err: repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.alarm.DomainID}
+			repoCall := repo.On("UpdateAlarm", context.Background(), mock.Anything).Return(tc.alarm, tc.err)
+			_, err := svc.UpdateAlarm(context.Background(), s, tc.alarm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestListAlarms(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc string
+		pm   alarms.PageMetadata
+		page alarms.AlarmsPage
+		err  error
+	}{
+		{
+			desc: "valid page",
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  10,
+			},
+			page: alarms.AlarmsPage{
+				Offset: 0,
+				Limit:  10,
+				Total:  10,
+				Alarms: []alarms.Alarm{},
+			},
+			err: nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.pm.DomainID}
+			repoCall := repo.On("ListUserAlarms", context.Background(), s.UserID, tc.pm).Return(tc.page, tc.err)
+			_, err := svc.ListAlarms(context.Background(), s, tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
+
+func TestDeleteAlarm(t *testing.T) {
+	repo := new(mocks.Repository)
+	svc := newService(t, repo)
+
+	cases := []struct {
+		desc string
+		id   string
+		err  error
+	}{
+		{
+			desc: "valid alarm",
+			id:   "alarm-id",
+			err:  nil,
+		},
+		{
+			desc: "non existing alarm",
+			id:   "alarm-id",
+			err:  repoerr.ErrNotFound,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			s := authn.Session{DomainID: tc.id}
+			repoCall := repo.On("DeleteAlarm", context.Background(), tc.id).Return(tc.err)
+			err := svc.DeleteAlarm(context.Background(), s, tc.id)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+
+				return
+			}
+			repoCall.Unset()
+		})
+	}
+}
@@ -0,0 +1,70 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package alarms
+
+import (
+	"encoding/json"
+	"strings"
+
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+)
+
+type Status uint8
+
+const (
+	ActiveStatus Status = iota
+	ClearedStatus
+
+	// AllStatus is used for querying purposes to list alarms irrespective
+	// of their status. It is never stored in the database as the actual
+	// Alarm status and should always be the largest value in this enumeration.
+	AllStatus
+)
+
+const (
+	Active  = "active"
+	Cleared = "cleared"
+	Unknown = "unknown"
+	All     = "all"
+)
+
+// String converts alarm status to string literal.
+func (s Status) String() string {
+	switch s {
+	case ActiveStatus:
+		return Active
+	case ClearedStatus:
+		return Cleared
+	default:
+		return Unknown
+	}
+}
+
+// ToStatus converts string value to a valid Alarm status.
+func ToStatus(status string) (Status, error) {
+	switch strings.ToLower(status) {
+	case Active:
+		return ActiveStatus, nil
+	case Cleared:
+		return ClearedStatus, nil
+	case All:
+		return AllStatus, nil
+	default:
+		return Status(0), svcerr.ErrInvalidStatus
+	}
+}
+
+// Custom Marshaller for Alarm.
+func (s Status) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.String())
+}
+
+// Custom Unmarshaler for Alarm.
+func (s *Status) UnmarshalJSON(data []byte) error {
+	str := strings.Trim(string(data), "\"")
+	val, err := ToStatus(str)
+	*s = val
+
+	return err
+}
@@ -1,7 +1,7 @@
 // Copyright (c) Abstract Machines
 // SPDX-License-Identifier: Apache-2.0

-package supermq
+package magistrala

 // Response contains HTTP response specific methods.
 type Response interface {
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: auth/v1/auth.proto

@@ -70,11 +70,11 @@ func (x *AuthNReq) GetToken() string {

 type AuthNRes struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
-	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                                 // token id
-	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`           // user id
-	UserRole      uint32                 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"`    // user role
-	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`                    // verified user
-	TokenType     uint32                 `protobuf:"varint,5,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"` // token type
+	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	UserRole      uint32                 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"`
+	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`
+	TokenType     uint32                 `protobuf:"varint,5,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -146,16 +146,15 @@ func (x *AuthNRes) GetTokenType() uint32 {

 type PolicyReq struct {
 	state           protoimpl.MessageState `protogen:"open.v1"`
-	TokenType       uint32                 `protobuf:"varint,1,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`                  // Token type
-	Domain          string                 `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`                                          // Domain
-	SubjectType     string                 `protobuf:"bytes,3,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"`             // Client or User
-	SubjectKind     string                 `protobuf:"bytes,4,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"`             // ID or Token
-	SubjectRelation string                 `protobuf:"bytes,5,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"` // Subject relation
-	Subject         string                 `protobuf:"bytes,6,opt,name=subject,proto3" json:"subject,omitempty"`                                        // Subject value
-	Relation        string                 `protobuf:"bytes,7,opt,name=relation,proto3" json:"relation,omitempty"`                                      // Relation to filter
-	Permission      string                 `protobuf:"bytes,8,opt,name=permission,proto3" json:"permission,omitempty"`                                  // Action
-	Object          string                 `protobuf:"bytes,9,opt,name=object,proto3" json:"object,omitempty"`                                          // Object ID
-	ObjectType      string                 `protobuf:"bytes,10,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"`               // Client, User, Group
+	Domain          string                 `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	SubjectType     string                 `protobuf:"bytes,2,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"`
+	SubjectKind     string                 `protobuf:"bytes,3,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"`
+	SubjectRelation string                 `protobuf:"bytes,4,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"`
+	Subject         string                 `protobuf:"bytes,5,opt,name=subject,proto3" json:"subject,omitempty"`
+	Relation        string                 `protobuf:"bytes,6,opt,name=relation,proto3" json:"relation,omitempty"`
+	Permission      string                 `protobuf:"bytes,7,opt,name=permission,proto3" json:"permission,omitempty"`
+	Object          string                 `protobuf:"bytes,8,opt,name=object,proto3" json:"object,omitempty"`
+	ObjectType      string                 `protobuf:"bytes,9,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"`
 	unknownFields   protoimpl.UnknownFields
 	sizeCache       protoimpl.SizeCache
 }
@@ -190,13 +189,6 @@ func (*PolicyReq) Descriptor() ([]byte, []int) {
 	return file_auth_v1_auth_proto_rawDescGZIP(), []int{2}
 }

-func (x *PolicyReq) GetTokenType() uint32 {
-	if x != nil {
-		return x.TokenType
-	}
-	return 0
-}
-
 func (x *PolicyReq) GetDomain() string {
 	if x != nil {
 		return x.Domain
@@ -261,15 +253,15 @@ func (x *PolicyReq) GetObjectType() string {
 }

 type PATReq struct {
-	state            protoimpl.MessageState `protogen:"open.v1"`
-	UserId           string                 `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`                                 // User id (PAT)
-	PatId            string                 `protobuf:"bytes,2,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"`                                    // Pat id
-	EntityType       uint32                 `protobuf:"varint,3,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"`                    // Entity type (PAT)
-	OptionalDomainId string                 `protobuf:"bytes,4,opt,name=optional_domain_id,json=optionalDomainId,proto3" json:"optional_domain_id,omitempty"` // Optional domain id (PAT)
-	Operation        uint32                 `protobuf:"varint,5,opt,name=operation,proto3" json:"operation,omitempty"`                                        // Operation (PAT)
-	EntityId         string                 `protobuf:"bytes,6,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`                           // EntityID (PAT)
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	PatId         string                 `protobuf:"bytes,1,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"`
+	Domain        string                 `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+	Operation     string                 `protobuf:"bytes,3,opt,name=operation,proto3" json:"operation,omitempty"`
+	UserId        string                 `protobuf:"bytes,4,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	EntityId      string                 `protobuf:"bytes,5,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	EntityType    string                 `protobuf:"bytes,6,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *PATReq) Reset() {
@@ -302,13 +294,6 @@ func (*PATReq) Descriptor() ([]byte, []int) {
 	return file_auth_v1_auth_proto_rawDescGZIP(), []int{3}
 }

-func (x *PATReq) GetUserId() string {
-	if x != nil {
-		return x.UserId
-	}
-	return ""
-}
-
 func (x *PATReq) GetPatId() string {
 	if x != nil {
 		return x.PatId
@@ -316,25 +301,25 @@ func (x *PATReq) GetPatId() string {
 	return ""
 }

-func (x *PATReq) GetEntityType() uint32 {
+func (x *PATReq) GetDomain() string {
 	if x != nil {
-		return x.EntityType
-	}
-	return 0
-}
-
-func (x *PATReq) GetOptionalDomainId() string {
-	if x != nil {
-		return x.OptionalDomainId
+		return x.Domain
 	}
 	return ""
 }

-func (x *PATReq) GetOperation() uint32 {
+func (x *PATReq) GetOperation() string {
 	if x != nil {
 		return x.Operation
 	}
-	return 0
+	return ""
+}
+
+func (x *PATReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
 }

 func (x *PATReq) GetEntityId() string {
@@ -344,13 +329,17 @@ func (x *PATReq) GetEntityId() string {
 	return ""
 }

+func (x *PATReq) GetEntityType() string {
+	if x != nil {
+		return x.EntityType
+	}
+	return ""
+}
+
 type AuthZReq struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// Types that are valid to be assigned to AuthType:
-	//
-	//	*AuthZReq_Policy
-	//	*AuthZReq_Pat
-	AuthType      isAuthZReq_AuthType `protobuf_oneof:"auth_type"`
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	PolicyReq     *PolicyReq             `protobuf:"bytes,1,opt,name=policy_req,json=policyReq,proto3" json:"policy_req,omitempty"`
+	PatReq        *PATReq                `protobuf:"bytes,2,opt,name=pat_req,json=patReq,proto3,oneof" json:"pat_req,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -385,47 +374,20 @@ func (*AuthZReq) Descriptor() ([]byte, []int) {
 	return file_auth_v1_auth_proto_rawDescGZIP(), []int{4}
 }

-func (x *AuthZReq) GetAuthType() isAuthZReq_AuthType {
+func (x *AuthZReq) GetPolicyReq() *PolicyReq {
 	if x != nil {
-		return x.AuthType
+		return x.PolicyReq
 	}
 	return nil
 }

-func (x *AuthZReq) GetPolicy() *PolicyReq {
+func (x *AuthZReq) GetPatReq() *PATReq {
 	if x != nil {
-		if x, ok := x.AuthType.(*AuthZReq_Policy); ok {
-			return x.Policy
-		}
+		return x.PatReq
 	}
 	return nil
 }

-func (x *AuthZReq) GetPat() *PATReq {
-	if x != nil {
-		if x, ok := x.AuthType.(*AuthZReq_Pat); ok {
-			return x.Pat
-		}
-	}
-	return nil
-}
-
-type isAuthZReq_AuthType interface {
-	isAuthZReq_AuthType()
-}
-
-type AuthZReq_Policy struct {
-	Policy *PolicyReq `protobuf:"bytes,1,opt,name=policy,proto3,oneof"` // Policy-based authorization
-}
-
-type AuthZReq_Pat struct {
-	Pat *PATReq `protobuf:"bytes,2,opt,name=pat,proto3,oneof"` // PAT authorization
-}
-
-func (*AuthZReq_Policy) isAuthZReq_AuthType() {}
-
-func (*AuthZReq_Pat) isAuthZReq_AuthType() {}
-
 type AuthZRes struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Authorized    bool                   `protobuf:"varint,1,opt,name=authorized,proto3" json:"authorized,omitempty"`
@@ -491,35 +453,34 @@ const file_auth_v1_auth_proto_rawDesc = "" +
 	"\tuser_role\x18\x03 \x01(\rR\buserRole\x12\x1a\n" +
 	"\bverified\x18\x04 \x01(\bR\bverified\x12\x1d\n" +
 	"\n" +
-	"token_type\x18\x05 \x01(\rR\ttokenType\"\xc2\x02\n" +
-	"\tPolicyReq\x12\x1d\n" +
+	"token_type\x18\x05 \x01(\rR\ttokenType\"\xa3\x02\n" +
+	"\tPolicyReq\x12\x16\n" +
+	"\x06domain\x18\x01 \x01(\tR\x06domain\x12!\n" +
+	"\fsubject_type\x18\x02 \x01(\tR\vsubjectType\x12!\n" +
+	"\fsubject_kind\x18\x03 \x01(\tR\vsubjectKind\x12)\n" +
+	"\x10subject_relation\x18\x04 \x01(\tR\x0fsubjectRelation\x12\x18\n" +
+	"\asubject\x18\x05 \x01(\tR\asubject\x12\x1a\n" +
+	"\brelation\x18\x06 \x01(\tR\brelation\x12\x1e\n" +
 	"\n" +
-	"token_type\x18\x01 \x01(\rR\ttokenType\x12\x16\n" +
-	"\x06domain\x18\x02 \x01(\tR\x06domain\x12!\n" +
-	"\fsubject_type\x18\x03 \x01(\tR\vsubjectType\x12!\n" +
-	"\fsubject_kind\x18\x04 \x01(\tR\vsubjectKind\x12)\n" +
-	"\x10subject_relation\x18\x05 \x01(\tR\x0fsubjectRelation\x12\x18\n" +
-	"\asubject\x18\x06 \x01(\tR\asubject\x12\x1a\n" +
-	"\brelation\x18\a \x01(\tR\brelation\x12\x1e\n" +
-	"\n" +
-	"permission\x18\b \x01(\tR\n" +
+	"permission\x18\a \x01(\tR\n" +
 	"permission\x12\x16\n" +
-	"\x06object\x18\t \x01(\tR\x06object\x12\x1f\n" +
-	"\vobject_type\x18\n" +
-	" \x01(\tR\n" +
-	"objectType\"\xc2\x01\n" +
-	"\x06PATReq\x12\x17\n" +
-	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x15\n" +
-	"\x06pat_id\x18\x02 \x01(\tR\x05patId\x12\x1f\n" +
-	"\ventity_type\x18\x03 \x01(\rR\n" +
-	"entityType\x12,\n" +
-	"\x12optional_domain_id\x18\x04 \x01(\tR\x10optionalDomainId\x12\x1c\n" +
-	"\toperation\x18\x05 \x01(\rR\toperation\x12\x1b\n" +
-	"\tentity_id\x18\x06 \x01(\tR\bentityId\"j\n" +
-	"\bAuthZReq\x12,\n" +
-	"\x06policy\x18\x01 \x01(\v2\x12.auth.v1.PolicyReqH\x00R\x06policy\x12#\n" +
-	"\x03pat\x18\x02 \x01(\v2\x0f.auth.v1.PATReqH\x00R\x03patB\v\n" +
-	"\tauth_type\":\n" +
+	"\x06object\x18\b \x01(\tR\x06object\x12\x1f\n" +
+	"\vobject_type\x18\t \x01(\tR\n" +
+	"objectType\"\xac\x01\n" +
+	"\x06PATReq\x12\x15\n" +
+	"\x06pat_id\x18\x01 \x01(\tR\x05patId\x12\x16\n" +
+	"\x06domain\x18\x02 \x01(\tR\x06domain\x12\x1c\n" +
+	"\toperation\x18\x03 \x01(\tR\toperation\x12\x17\n" +
+	"\auser_id\x18\x04 \x01(\tR\x06userId\x12\x1b\n" +
+	"\tentity_id\x18\x05 \x01(\tR\bentityId\x12\x1f\n" +
+	"\ventity_type\x18\x06 \x01(\tR\n" +
+	"entityType\"x\n" +
+	"\bAuthZReq\x121\n" +
+	"\n" +
+	"policy_req\x18\x01 \x01(\v2\x12.auth.v1.PolicyReqR\tpolicyReq\x12-\n" +
+	"\apat_req\x18\x02 \x01(\v2\x0f.auth.v1.PATReqH\x00R\x06patReq\x88\x01\x01B\n" +
+	"\n" +
+	"\b_pat_req\":\n" +
 	"\bAuthZRes\x12\x1e\n" +
 	"\n" +
 	"authorized\x18\x01 \x01(\bR\n" +
@@ -527,7 +488,7 @@ const file_auth_v1_auth_proto_rawDesc = "" +
 	"\x02id\x18\x02 \x01(\tR\x02id2z\n" +
 	"\vAuthService\x123\n" +
 	"\tAuthorize\x12\x11.auth.v1.AuthZReq\x1a\x11.auth.v1.AuthZRes\"\x00\x126\n" +
-	"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B-Z+github.com/absmach/supermq/api/grpc/auth/v1b\x06proto3"
+	"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B0Z.github.com/absmach/magistrala/api/grpc/auth/v1b\x06proto3"

 var (
 	file_auth_v1_auth_proto_rawDescOnce sync.Once
@@ -551,8 +512,8 @@ var file_auth_v1_auth_proto_goTypes = []any{
 	(*AuthZRes)(nil),  // 5: auth.v1.AuthZRes
 }
 var file_auth_v1_auth_proto_depIdxs = []int32{
-	2, // 0: auth.v1.AuthZReq.policy:type_name -> auth.v1.PolicyReq
-	3, // 1: auth.v1.AuthZReq.pat:type_name -> auth.v1.PATReq
+	2, // 0: auth.v1.AuthZReq.policy_req:type_name -> auth.v1.PolicyReq
+	3, // 1: auth.v1.AuthZReq.pat_req:type_name -> auth.v1.PATReq
 	4, // 2: auth.v1.AuthService.Authorize:input_type -> auth.v1.AuthZReq
 	0, // 3: auth.v1.AuthService.Authenticate:input_type -> auth.v1.AuthNReq
 	5, // 4: auth.v1.AuthService.Authorize:output_type -> auth.v1.AuthZRes
@@ -569,10 +530,7 @@ func file_auth_v1_auth_proto_init() {
 	if File_auth_v1_auth_proto != nil {
 		return
 	}
-	file_auth_v1_auth_proto_msgTypes[4].OneofWrappers = []any{
-		(*AuthZReq_Policy)(nil),
-		(*AuthZReq_Pat)(nil),
-	}
+	file_auth_v1_auth_proto_msgTypes[4].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: auth/v1/auth.proto

@@ -31,7 +31,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // AuthService is a service that provides authentication
-// and authorization functionalities for SuperMQ services.
+// and authorization functionalities for Magistrala services.
 type AuthServiceClient interface {
 	Authorize(ctx context.Context, in *AuthZReq, opts ...grpc.CallOption) (*AuthZRes, error)
 	Authenticate(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error)
@@ -70,7 +70,7 @@ func (c *authServiceClient) Authenticate(ctx context.Context, in *AuthNReq, opts
 // for forward compatibility.
 //
 // AuthService is a service that provides authentication
-// and authorization functionalities for SuperMQ services.
+// and authorization functionalities for Magistrala services.
 type AuthServiceServer interface {
 	Authorize(context.Context, *AuthZReq) (*AuthZRes, error)
 	Authenticate(context.Context, *AuthNReq) (*AuthNRes, error)
@@ -85,10 +85,10 @@ type AuthServiceServer interface {
 type UnimplementedAuthServiceServer struct{}

 func (UnimplementedAuthServiceServer) Authorize(context.Context, *AuthZReq) (*AuthZRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authorize not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authorize not implemented")
 }
 func (UnimplementedAuthServiceServer) Authenticate(context.Context, *AuthNReq) (*AuthNRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authenticate not implemented")
 }
 func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
 func (UnimplementedAuthServiceServer) testEmbeddedByValue()                     {}
@@ -101,7 +101,7 @@ type UnsafeAuthServiceServer interface {
 }

 func RegisterAuthServiceServer(s grpc.ServiceRegistrar, srv AuthServiceServer) {
-	// If the following call pancis, it indicates UnimplementedAuthServiceServer was
+	// If the following call panics, it indicates UnimplementedAuthServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -0,0 +1,228 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.0
+// source: certs/v1/certs.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type EntityReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SerialNumber  string                 `protobuf:"bytes,1,opt,name=serial_number,json=serialNumber,proto3" json:"serial_number,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *EntityReq) Reset() {
+	*x = EntityReq{}
+	mi := &file_certs_v1_certs_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *EntityReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EntityReq) ProtoMessage() {}
+
+func (x *EntityReq) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EntityReq.ProtoReflect.Descriptor instead.
+func (*EntityReq) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *EntityReq) GetSerialNumber() string {
+	if x != nil {
+		return x.SerialNumber
+	}
+	return ""
+}
+
+type EntityRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	EntityId      string                 `protobuf:"bytes,1,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *EntityRes) Reset() {
+	*x = EntityRes{}
+	mi := &file_certs_v1_certs_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *EntityRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EntityRes) ProtoMessage() {}
+
+func (x *EntityRes) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EntityRes.ProtoReflect.Descriptor instead.
+func (*EntityRes) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *EntityRes) GetEntityId() string {
+	if x != nil {
+		return x.EntityId
+	}
+	return ""
+}
+
+type RevokeReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	EntityId      string                 `protobuf:"bytes,1,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeReq) Reset() {
+	*x = RevokeReq{}
+	mi := &file_certs_v1_certs_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeReq) ProtoMessage() {}
+
+func (x *RevokeReq) ProtoReflect() protoreflect.Message {
+	mi := &file_certs_v1_certs_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeReq.ProtoReflect.Descriptor instead.
+func (*RevokeReq) Descriptor() ([]byte, []int) {
+	return file_certs_v1_certs_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *RevokeReq) GetEntityId() string {
+	if x != nil {
+		return x.EntityId
+	}
+	return ""
+}
+
+var File_certs_v1_certs_proto protoreflect.FileDescriptor
+
+const file_certs_v1_certs_proto_rawDesc = "" +
+	"\n" +
+	"\x14certs/v1/certs.proto\x12\rabsmach.certs\x1a\x1bgoogle/protobuf/empty.proto\"0\n" +
+	"\tEntityReq\x12#\n" +
+	"\rserial_number\x18\x01 \x01(\tR\fserialNumber\"(\n" +
+	"\tEntityRes\x12\x1b\n" +
+	"\tentity_id\x18\x01 \x01(\tR\bentityId\"(\n" +
+	"\tRevokeReq\x12\x1b\n" +
+	"\tentity_id\x18\x01 \x01(\tR\bentityId2\x96\x01\n" +
+	"\fCertsService\x12C\n" +
+	"\vGetEntityID\x12\x18.absmach.certs.EntityReq\x1a\x18.absmach.certs.EntityRes\"\x00\x12A\n" +
+	"\vRevokeCerts\x12\x18.absmach.certs.RevokeReq\x1a\x16.google.protobuf.Empty\"\x00B1Z/github.com/absmach/magistrala/api/grpc/certs/v1b\x06proto3"
+
+var (
+	file_certs_v1_certs_proto_rawDescOnce sync.Once
+	file_certs_v1_certs_proto_rawDescData []byte
+)
+
+func file_certs_v1_certs_proto_rawDescGZIP() []byte {
+	file_certs_v1_certs_proto_rawDescOnce.Do(func() {
+		file_certs_v1_certs_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_certs_v1_certs_proto_rawDesc), len(file_certs_v1_certs_proto_rawDesc)))
+	})
+	return file_certs_v1_certs_proto_rawDescData
+}
+
+var file_certs_v1_certs_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_certs_v1_certs_proto_goTypes = []any{
+	(*EntityReq)(nil),     // 0: absmach.certs.EntityReq
+	(*EntityRes)(nil),     // 1: absmach.certs.EntityRes
+	(*RevokeReq)(nil),     // 2: absmach.certs.RevokeReq
+	(*emptypb.Empty)(nil), // 3: google.protobuf.Empty
+}
+var file_certs_v1_certs_proto_depIdxs = []int32{
+	0, // 0: absmach.certs.CertsService.GetEntityID:input_type -> absmach.certs.EntityReq
+	2, // 1: absmach.certs.CertsService.RevokeCerts:input_type -> absmach.certs.RevokeReq
+	1, // 2: absmach.certs.CertsService.GetEntityID:output_type -> absmach.certs.EntityRes
+	3, // 3: absmach.certs.CertsService.RevokeCerts:output_type -> google.protobuf.Empty
+	2, // [2:4] is the sub-list for method output_type
+	0, // [0:2] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_certs_v1_certs_proto_init() }
+func file_certs_v1_certs_proto_init() {
+	if File_certs_v1_certs_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_certs_v1_certs_proto_rawDesc), len(file_certs_v1_certs_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   3,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_certs_v1_certs_proto_goTypes,
+		DependencyIndexes: file_certs_v1_certs_proto_depIdxs,
+		MessageInfos:      file_certs_v1_certs_proto_msgTypes,
+	}.Build()
+	File_certs_v1_certs_proto = out.File
+	file_certs_v1_certs_proto_goTypes = nil
+	file_certs_v1_certs_proto_depIdxs = nil
+}
@@ -0,0 +1,163 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.0
+// - protoc             v6.33.0
+// source: certs/v1/certs.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	CertsService_GetEntityID_FullMethodName = "/absmach.certs.CertsService/GetEntityID"
+	CertsService_RevokeCerts_FullMethodName = "/absmach.certs.CertsService/RevokeCerts"
+)
+
+// CertsServiceClient is the client API for CertsService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type CertsServiceClient interface {
+	GetEntityID(ctx context.Context, in *EntityReq, opts ...grpc.CallOption) (*EntityRes, error)
+	RevokeCerts(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*emptypb.Empty, error)
+}
+
+type certsServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCertsServiceClient(cc grpc.ClientConnInterface) CertsServiceClient {
+	return &certsServiceClient{cc}
+}
+
+func (c *certsServiceClient) GetEntityID(ctx context.Context, in *EntityReq, opts ...grpc.CallOption) (*EntityRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(EntityRes)
+	err := c.cc.Invoke(ctx, CertsService_GetEntityID_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certsServiceClient) RevokeCerts(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, CertsService_RevokeCerts_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// CertsServiceServer is the server API for CertsService service.
+// All implementations must embed UnimplementedCertsServiceServer
+// for forward compatibility.
+type CertsServiceServer interface {
+	GetEntityID(context.Context, *EntityReq) (*EntityRes, error)
+	RevokeCerts(context.Context, *RevokeReq) (*emptypb.Empty, error)
+	mustEmbedUnimplementedCertsServiceServer()
+}
+
+// UnimplementedCertsServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedCertsServiceServer struct{}
+
+func (UnimplementedCertsServiceServer) GetEntityID(context.Context, *EntityReq) (*EntityRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetEntityID not implemented")
+}
+func (UnimplementedCertsServiceServer) RevokeCerts(context.Context, *RevokeReq) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method RevokeCerts not implemented")
+}
+func (UnimplementedCertsServiceServer) mustEmbedUnimplementedCertsServiceServer() {}
+func (UnimplementedCertsServiceServer) testEmbeddedByValue()                      {}
+
+// UnsafeCertsServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to CertsServiceServer will
+// result in compilation errors.
+type UnsafeCertsServiceServer interface {
+	mustEmbedUnimplementedCertsServiceServer()
+}
+
+func RegisterCertsServiceServer(s grpc.ServiceRegistrar, srv CertsServiceServer) {
+	// If the following call panics, it indicates UnimplementedCertsServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&CertsService_ServiceDesc, srv)
+}
+
+func _CertsService_GetEntityID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EntityReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertsServiceServer).GetEntityID(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: CertsService_GetEntityID_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertsServiceServer).GetEntityID(ctx, req.(*EntityReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertsService_RevokeCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertsServiceServer).RevokeCerts(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: CertsService_RevokeCerts_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertsServiceServer).RevokeCerts(ctx, req.(*RevokeReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// CertsService_ServiceDesc is the grpc.ServiceDesc for CertsService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var CertsService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "absmach.certs.CertsService",
+	HandlerType: (*CertsServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetEntityID",
+			Handler:    _CertsService_GetEntityID_Handler,
+		},
+		{
+			MethodName: "RevokeCerts",
+			Handler:    _CertsService_RevokeCerts_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "certs/v1/certs.proto",
+}
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: channels/v1/channels.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -333,7 +333,7 @@ const file_channels_v1_channels_proto_rawDesc = "" +
 	"\x17RemoveClientConnections\x12'.channels.v1.RemoveClientConnectionsReq\x1a'.channels.v1.RemoveClientConnectionsRes\"\x00\x12|\n" +
 	"\x1cUnsetParentGroupFromChannels\x12,.channels.v1.UnsetParentGroupFromChannelsReq\x1a,.channels.v1.UnsetParentGroupFromChannelsRes\"\x00\x12N\n" +
 	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00\x12T\n" +
-	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B1Z/github.com/absmach/supermq/api/grpc/channels/v1b\x06proto3"
+	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B4Z2github.com/absmach/magistrala/api/grpc/channels/v1b\x06proto3"

 var (
 	file_channels_v1_channels_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: channels/v1/channels.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -119,19 +119,19 @@ type ChannelsServiceServer interface {
 type UnimplementedChannelsServiceServer struct{}

 func (UnimplementedChannelsServiceServer) Authorize(context.Context, *AuthzReq) (*AuthzRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authorize not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authorize not implemented")
 }
 func (UnimplementedChannelsServiceServer) RemoveClientConnections(context.Context, *RemoveClientConnectionsReq) (*RemoveClientConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveClientConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveClientConnections not implemented")
 }
 func (UnimplementedChannelsServiceServer) UnsetParentGroupFromChannels(context.Context, *UnsetParentGroupFromChannelsReq) (*UnsetParentGroupFromChannelsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UnsetParentGroupFromChannels not implemented")
+	return nil, status.Error(codes.Unimplemented, "method UnsetParentGroupFromChannels not implemented")
 }
 func (UnimplementedChannelsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedChannelsServiceServer) RetrieveIDByRoute(context.Context, *v1.RetrieveIDByRouteReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
 }
 func (UnimplementedChannelsServiceServer) mustEmbedUnimplementedChannelsServiceServer() {}
 func (UnimplementedChannelsServiceServer) testEmbeddedByValue()                         {}
@@ -144,7 +144,7 @@ type UnsafeChannelsServiceServer interface {
 }

 func RegisterChannelsServiceServer(s grpc.ServiceRegistrar, srv ChannelsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedChannelsServiceServer was
+	// If the following call panics, it indicates UnimplementedChannelsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: clients/v1/clients.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -306,7 +306,7 @@ const file_clients_v1_clients_proto_rawDesc = "" +
 	"\x0eAddConnections\x12\x1c.common.v1.AddConnectionsReq\x1a\x1c.common.v1.AddConnectionsRes\"\x00\x12W\n" +
 	"\x11RemoveConnections\x12\x1f.common.v1.RemoveConnectionsReq\x1a\x1f.common.v1.RemoveConnectionsRes\"\x00\x12n\n" +
 	"\x18RemoveChannelConnections\x12'.clients.v1.RemoveChannelConnectionsReq\x1a'.clients.v1.RemoveChannelConnectionsRes\"\x00\x12t\n" +
-	"\x1aUnsetParentGroupFromClient\x12).clients.v1.UnsetParentGroupFromClientReq\x1a).clients.v1.UnsetParentGroupFromClientRes\"\x00B0Z.github.com/absmach/supermq/api/grpc/clients/v1b\x06proto3"
+	"\x1aUnsetParentGroupFromClient\x12).clients.v1.UnsetParentGroupFromClientReq\x1a).clients.v1.UnsetParentGroupFromClientRes\"\x00B3Z1github.com/absmach/magistrala/api/grpc/clients/v1b\x06proto3"

 var (
 	file_clients_v1_clients_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: clients/v1/clients.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -37,7 +37,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // ClientsService is a service that provides clients
-// authorization functionalities for SuperMQ services.
+// authorization functionalities for Magistrala services.
 type ClientsServiceClient interface {
 	// Authorize checks if the client is authorized to perform
 	Authenticate(ctx context.Context, in *AuthnReq, opts ...grpc.CallOption) (*AuthnRes, error)
@@ -132,7 +132,7 @@ func (c *clientsServiceClient) UnsetParentGroupFromClient(ctx context.Context, i
 // for forward compatibility.
 //
 // ClientsService is a service that provides clients
-// authorization functionalities for SuperMQ services.
+// authorization functionalities for Magistrala services.
 type ClientsServiceServer interface {
 	// Authorize checks if the client is authorized to perform
 	Authenticate(context.Context, *AuthnReq) (*AuthnRes, error)
@@ -153,25 +153,25 @@ type ClientsServiceServer interface {
 type UnimplementedClientsServiceServer struct{}

 func (UnimplementedClientsServiceServer) Authenticate(context.Context, *AuthnReq) (*AuthnRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Authenticate not implemented")
 }
 func (UnimplementedClientsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedClientsServiceServer) RetrieveEntities(context.Context, *v1.RetrieveEntitiesReq) (*v1.RetrieveEntitiesRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntities not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntities not implemented")
 }
 func (UnimplementedClientsServiceServer) AddConnections(context.Context, *v1.AddConnectionsReq) (*v1.AddConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method AddConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method AddConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) RemoveConnections(context.Context, *v1.RemoveConnectionsReq) (*v1.RemoveConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) RemoveChannelConnections(context.Context, *RemoveChannelConnectionsReq) (*RemoveChannelConnectionsRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RemoveChannelConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RemoveChannelConnections not implemented")
 }
 func (UnimplementedClientsServiceServer) UnsetParentGroupFromClient(context.Context, *UnsetParentGroupFromClientReq) (*UnsetParentGroupFromClientRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UnsetParentGroupFromClient not implemented")
+	return nil, status.Error(codes.Unimplemented, "method UnsetParentGroupFromClient not implemented")
 }
 func (UnimplementedClientsServiceServer) mustEmbedUnimplementedClientsServiceServer() {}
 func (UnimplementedClientsServiceServer) testEmbeddedByValue()                        {}
@@ -184,7 +184,7 @@ type UnsafeClientsServiceServer interface {
 }

 func RegisterClientsServiceServer(s grpc.ServiceRegistrar, srv ClientsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedClientsServiceServer was
+	// If the following call panics, it indicates UnimplementedClientsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: common/v1/common.proto

@@ -626,7 +626,7 @@ const file_common_v1_common_proto_rawDesc = "" +
 	"\x04type\x18\x04 \x01(\rR\x04type\"I\n" +
 	"\x14RetrieveIDByRouteReq\x12\x14\n" +
 	"\x05route\x18\x01 \x01(\tR\x05route\x12\x1b\n" +
-	"\tdomain_id\x18\x02 \x01(\tR\bdomainIdB/Z-github.com/absmach/supermq/api/grpc/common/v1b\x06proto3"
+	"\tdomain_id\x18\x02 \x01(\tR\bdomainIdB2Z0github.com/absmach/magistrala/api/grpc/common/v1b\x06proto3"

 var (
 	file_common_v1_common_proto_rawDescOnce sync.Once
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: domains/v1/domains.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -126,7 +126,7 @@ const file_domains_v1_domains_proto_rawDesc = "" +
 	"\x0eDomainsService\x12O\n" +
 	"\x15DeleteUserFromDomains\x12\x19.domains.v1.DeleteUserReq\x1a\x19.domains.v1.DeleteUserRes\"\x00\x12N\n" +
 	"\x0eRetrieveStatus\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00\x12T\n" +
-	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B5Z3github.com/absmach/supermq/internal/grpc/domains/v1b\x06proto3"
+	"\x11RetrieveIDByRoute\x12\x1f.common.v1.RetrieveIDByRouteReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B8Z6github.com/absmach/magistrala/internal/grpc/domains/v1b\x06proto3"

 var (
 	file_domains_v1_domains_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: domains/v1/domains.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -33,7 +33,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // DomainsService is a service that provides access to
-// domains functionalities for SuperMQ services.
+// domains functionalities for Magistrala services.
 type DomainsServiceClient interface {
 	DeleteUserFromDomains(ctx context.Context, in *DeleteUserReq, opts ...grpc.CallOption) (*DeleteUserRes, error)
 	RetrieveStatus(ctx context.Context, in *v1.RetrieveEntityReq, opts ...grpc.CallOption) (*v1.RetrieveEntityRes, error)
@@ -83,7 +83,7 @@ func (c *domainsServiceClient) RetrieveIDByRoute(ctx context.Context, in *v1.Ret
 // for forward compatibility.
 //
 // DomainsService is a service that provides access to
-// domains functionalities for SuperMQ services.
+// domains functionalities for Magistrala services.
 type DomainsServiceServer interface {
 	DeleteUserFromDomains(context.Context, *DeleteUserReq) (*DeleteUserRes, error)
 	RetrieveStatus(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error)
@@ -99,13 +99,13 @@ type DomainsServiceServer interface {
 type UnimplementedDomainsServiceServer struct{}

 func (UnimplementedDomainsServiceServer) DeleteUserFromDomains(context.Context, *DeleteUserReq) (*DeleteUserRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteUserFromDomains not implemented")
+	return nil, status.Error(codes.Unimplemented, "method DeleteUserFromDomains not implemented")
 }
 func (UnimplementedDomainsServiceServer) RetrieveStatus(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveStatus not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveStatus not implemented")
 }
 func (UnimplementedDomainsServiceServer) RetrieveIDByRoute(context.Context, *v1.RetrieveIDByRouteReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveIDByRoute not implemented")
 }
 func (UnimplementedDomainsServiceServer) mustEmbedUnimplementedDomainsServiceServer() {}
 func (UnimplementedDomainsServiceServer) testEmbeddedByValue()                        {}
@@ -118,7 +118,7 @@ type UnsafeDomainsServiceServer interface {
 }

 func RegisterDomainsServiceServer(s grpc.ServiceRegistrar, srv DomainsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedDomainsServiceServer was
+	// If the following call panics, it indicates UnimplementedDomainsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -3,14 +3,14 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: groups/v1/groups.proto

 package v1

 import (
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -30,7 +30,7 @@ const file_groups_v1_groups_proto_rawDesc = "" +
 	"\n" +
 	"\x16groups/v1/groups.proto\x12\tgroups.v1\x1a\x16common/v1/common.proto2_\n" +
 	"\rGroupsService\x12N\n" +
-	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B/Z-github.com/absmach/supermq/api/grpc/groups/v1b\x06proto3"
+	"\x0eRetrieveEntity\x12\x1c.common.v1.RetrieveEntityReq\x1a\x1c.common.v1.RetrieveEntityRes\"\x00B2Z0github.com/absmach/magistrala/api/grpc/groups/v1b\x06proto3"

 var file_groups_v1_groups_proto_goTypes = []any{
 	(*v1.RetrieveEntityReq)(nil), // 0: common.v1.RetrieveEntityReq
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: groups/v1/groups.proto

@@ -11,7 +11,7 @@ package v1

 import (
 	context "context"
-	v1 "github.com/absmach/supermq/api/grpc/common/v1"
+	v1 "github.com/absmach/magistrala/api/grpc/common/v1"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -31,7 +31,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 //
 // GroupssService is a service that provides groups
-// functionalities for SuperMQ services.
+// functionalities for Magistrala services.
 type GroupsServiceClient interface {
 	RetrieveEntity(ctx context.Context, in *v1.RetrieveEntityReq, opts ...grpc.CallOption) (*v1.RetrieveEntityRes, error)
 }
@@ -59,7 +59,7 @@ func (c *groupsServiceClient) RetrieveEntity(ctx context.Context, in *v1.Retriev
 // for forward compatibility.
 //
 // GroupssService is a service that provides groups
-// functionalities for SuperMQ services.
+// functionalities for Magistrala services.
 type GroupsServiceServer interface {
 	RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error)
 	mustEmbedUnimplementedGroupsServiceServer()
@@ -73,7 +73,7 @@ type GroupsServiceServer interface {
 type UnimplementedGroupsServiceServer struct{}

 func (UnimplementedGroupsServiceServer) RetrieveEntity(context.Context, *v1.RetrieveEntityReq) (*v1.RetrieveEntityRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveEntity not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveEntity not implemented")
 }
 func (UnimplementedGroupsServiceServer) mustEmbedUnimplementedGroupsServiceServer() {}
 func (UnimplementedGroupsServiceServer) testEmbeddedByValue()                       {}
@@ -86,7 +86,7 @@ type UnsafeGroupsServiceServer interface {
 }

 func RegisterGroupsServiceServer(s grpc.ServiceRegistrar, srv GroupsServiceServer) {
-	// If the following call pancis, it indicates UnimplementedGroupsServiceServer was
+	// If the following call panics, it indicates UnimplementedGroupsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -0,0 +1,873 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.0
+// source: readers/v1/readers.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Aggregation defines supported data aggregations.
+type Aggregation int32
+
+const (
+	Aggregation_AGGREGATION_UNSPECIFIED Aggregation = 0
+	Aggregation_AGGREGATION_MAX         Aggregation = 1
+	Aggregation_AGGREGATION_MIN         Aggregation = 2
+	Aggregation_AGGREGATION_SUM         Aggregation = 3
+	Aggregation_AGGREGATION_COUNT       Aggregation = 4
+	Aggregation_AGGREGATION_AVG         Aggregation = 5
+)
+
+// Enum value maps for Aggregation.
+var (
+	Aggregation_name = map[int32]string{
+		0: "AGGREGATION_UNSPECIFIED",
+		1: "AGGREGATION_MAX",
+		2: "AGGREGATION_MIN",
+		3: "AGGREGATION_SUM",
+		4: "AGGREGATION_COUNT",
+		5: "AGGREGATION_AVG",
+	}
+	Aggregation_value = map[string]int32{
+		"AGGREGATION_UNSPECIFIED": 0,
+		"AGGREGATION_MAX":         1,
+		"AGGREGATION_MIN":         2,
+		"AGGREGATION_SUM":         3,
+		"AGGREGATION_COUNT":       4,
+		"AGGREGATION_AVG":         5,
+	}
+)
+
+func (x Aggregation) Enum() *Aggregation {
+	p := new(Aggregation)
+	*p = x
+	return p
+}
+
+func (x Aggregation) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Aggregation) Descriptor() protoreflect.EnumDescriptor {
+	return file_readers_v1_readers_proto_enumTypes[0].Descriptor()
+}
+
+func (Aggregation) Type() protoreflect.EnumType {
+	return &file_readers_v1_readers_proto_enumTypes[0]
+}
+
+func (x Aggregation) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Aggregation.Descriptor instead.
+func (Aggregation) EnumDescriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{0}
+}
+
+type PageMetadata struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Limit         uint64                 `protobuf:"varint,1,opt,name=limit,proto3" json:"limit,omitempty"`
+	Offset        uint64                 `protobuf:"varint,2,opt,name=offset,proto3" json:"offset,omitempty"`
+	Protocol      string                 `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	Name          string                 `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	Value         float64                `protobuf:"fixed64,5,opt,name=value,proto3" json:"value,omitempty"`
+	Publisher     string                 `protobuf:"bytes,6,opt,name=publisher,proto3" json:"publisher,omitempty"`
+	BoolValue     bool                   `protobuf:"varint,7,opt,name=bool_value,json=boolValue,proto3" json:"bool_value,omitempty"`
+	StringValue   string                 `protobuf:"bytes,8,opt,name=string_value,json=stringValue,proto3" json:"string_value,omitempty"`
+	DataValue     string                 `protobuf:"bytes,9,opt,name=data_value,json=dataValue,proto3" json:"data_value,omitempty"`
+	From          float64                `protobuf:"fixed64,10,opt,name=from,proto3" json:"from,omitempty"`
+	To            float64                `protobuf:"fixed64,11,opt,name=to,proto3" json:"to,omitempty"`
+	Subtopic      string                 `protobuf:"bytes,12,opt,name=subtopic,proto3" json:"subtopic,omitempty"`
+	Interval      string                 `protobuf:"bytes,13,opt,name=interval,proto3" json:"interval,omitempty"`
+	Read          bool                   `protobuf:"varint,14,opt,name=read,proto3" json:"read,omitempty"`
+	Aggregation   Aggregation            `protobuf:"varint,15,opt,name=aggregation,proto3,enum=readers.v1.Aggregation" json:"aggregation,omitempty"`
+	Comparator    string                 `protobuf:"bytes,16,opt,name=comparator,proto3" json:"comparator,omitempty"`
+	Format        string                 `protobuf:"bytes,17,opt,name=format,proto3" json:"format,omitempty"`
+	Order         string                 `protobuf:"bytes,18,opt,name=order,proto3" json:"order,omitempty"`
+	Dir           string                 `protobuf:"bytes,19,opt,name=dir,proto3" json:"dir,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PageMetadata) Reset() {
+	*x = PageMetadata{}
+	mi := &file_readers_v1_readers_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PageMetadata) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PageMetadata) ProtoMessage() {}
+
+func (x *PageMetadata) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PageMetadata.ProtoReflect.Descriptor instead.
+func (*PageMetadata) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *PageMetadata) GetLimit() uint64 {
+	if x != nil {
+		return x.Limit
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetOffset() uint64 {
+	if x != nil {
+		return x.Offset
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetValue() float64 {
+	if x != nil {
+		return x.Value
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetPublisher() string {
+	if x != nil {
+		return x.Publisher
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetBoolValue() bool {
+	if x != nil {
+		return x.BoolValue
+	}
+	return false
+}
+
+func (x *PageMetadata) GetStringValue() string {
+	if x != nil {
+		return x.StringValue
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetDataValue() string {
+	if x != nil {
+		return x.DataValue
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetFrom() float64 {
+	if x != nil {
+		return x.From
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetTo() float64 {
+	if x != nil {
+		return x.To
+	}
+	return 0
+}
+
+func (x *PageMetadata) GetSubtopic() string {
+	if x != nil {
+		return x.Subtopic
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetInterval() string {
+	if x != nil {
+		return x.Interval
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetRead() bool {
+	if x != nil {
+		return x.Read
+	}
+	return false
+}
+
+func (x *PageMetadata) GetAggregation() Aggregation {
+	if x != nil {
+		return x.Aggregation
+	}
+	return Aggregation_AGGREGATION_UNSPECIFIED
+}
+
+func (x *PageMetadata) GetComparator() string {
+	if x != nil {
+		return x.Comparator
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetFormat() string {
+	if x != nil {
+		return x.Format
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetOrder() string {
+	if x != nil {
+		return x.Order
+	}
+	return ""
+}
+
+func (x *PageMetadata) GetDir() string {
+	if x != nil {
+		return x.Dir
+	}
+	return ""
+}
+
+type ReadMessagesRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Total         uint64                 `protobuf:"varint,1,opt,name=total,proto3" json:"total,omitempty"`
+	PageMetadata  *PageMetadata          `protobuf:"bytes,2,opt,name=page_metadata,json=pageMetadata,proto3" json:"page_metadata,omitempty"`
+	Messages      []*Message             `protobuf:"bytes,3,rep,name=messages,proto3" json:"messages,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReadMessagesRes) Reset() {
+	*x = ReadMessagesRes{}
+	mi := &file_readers_v1_readers_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReadMessagesRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReadMessagesRes) ProtoMessage() {}
+
+func (x *ReadMessagesRes) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReadMessagesRes.ProtoReflect.Descriptor instead.
+func (*ReadMessagesRes) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *ReadMessagesRes) GetTotal() uint64 {
+	if x != nil {
+		return x.Total
+	}
+	return 0
+}
+
+func (x *ReadMessagesRes) GetPageMetadata() *PageMetadata {
+	if x != nil {
+		return x.PageMetadata
+	}
+	return nil
+}
+
+func (x *ReadMessagesRes) GetMessages() []*Message {
+	if x != nil {
+		return x.Messages
+	}
+	return nil
+}
+
+type Message struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Payload:
+	//
+	//	*Message_Senml
+	//	*Message_Json
+	Payload       isMessage_Payload `protobuf_oneof:"payload"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Message) Reset() {
+	*x = Message{}
+	mi := &file_readers_v1_readers_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Message) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Message) ProtoMessage() {}
+
+func (x *Message) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Message.ProtoReflect.Descriptor instead.
+func (*Message) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *Message) GetPayload() isMessage_Payload {
+	if x != nil {
+		return x.Payload
+	}
+	return nil
+}
+
+func (x *Message) GetSenml() *SenMLMessage {
+	if x != nil {
+		if x, ok := x.Payload.(*Message_Senml); ok {
+			return x.Senml
+		}
+	}
+	return nil
+}
+
+func (x *Message) GetJson() *JsonMessage {
+	if x != nil {
+		if x, ok := x.Payload.(*Message_Json); ok {
+			return x.Json
+		}
+	}
+	return nil
+}
+
+type isMessage_Payload interface {
+	isMessage_Payload()
+}
+
+type Message_Senml struct {
+	Senml *SenMLMessage `protobuf:"bytes,1,opt,name=senml,proto3,oneof"`
+}
+
+type Message_Json struct {
+	Json *JsonMessage `protobuf:"bytes,2,opt,name=json,proto3,oneof"`
+}
+
+func (*Message_Senml) isMessage_Payload() {}
+
+func (*Message_Json) isMessage_Payload() {}
+
+type BaseMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Channel       string                 `protobuf:"bytes,1,opt,name=channel,proto3" json:"channel,omitempty"`
+	Subtopic      string                 `protobuf:"bytes,2,opt,name=subtopic,proto3" json:"subtopic,omitempty"`
+	Publisher     string                 `protobuf:"bytes,3,opt,name=publisher,proto3" json:"publisher,omitempty"`
+	Protocol      string                 `protobuf:"bytes,4,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *BaseMessage) Reset() {
+	*x = BaseMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *BaseMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*BaseMessage) ProtoMessage() {}
+
+func (x *BaseMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use BaseMessage.ProtoReflect.Descriptor instead.
+func (*BaseMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *BaseMessage) GetChannel() string {
+	if x != nil {
+		return x.Channel
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetSubtopic() string {
+	if x != nil {
+		return x.Subtopic
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetPublisher() string {
+	if x != nil {
+		return x.Publisher
+	}
+	return ""
+}
+
+func (x *BaseMessage) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+type SenMLMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Base          *BaseMessage           `protobuf:"bytes,1,opt,name=base,proto3" json:"base,omitempty"`
+	Name          string                 `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Unit          string                 `protobuf:"bytes,3,opt,name=unit,proto3" json:"unit,omitempty"`
+	Time          float64                `protobuf:"fixed64,4,opt,name=time,proto3" json:"time,omitempty"`
+	UpdateTime    float64                `protobuf:"fixed64,5,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	Value         *float64               `protobuf:"fixed64,6,opt,name=value,proto3,oneof" json:"value,omitempty"`
+	StringValue   *string                `protobuf:"bytes,7,opt,name=string_value,json=stringValue,proto3,oneof" json:"string_value,omitempty"`
+	DataValue     *string                `protobuf:"bytes,8,opt,name=data_value,json=dataValue,proto3,oneof" json:"data_value,omitempty"`
+	BoolValue     *bool                  `protobuf:"varint,9,opt,name=bool_value,json=boolValue,proto3,oneof" json:"bool_value,omitempty"`
+	Sum           *float64               `protobuf:"fixed64,10,opt,name=sum,proto3,oneof" json:"sum,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SenMLMessage) Reset() {
+	*x = SenMLMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SenMLMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SenMLMessage) ProtoMessage() {}
+
+func (x *SenMLMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SenMLMessage.ProtoReflect.Descriptor instead.
+func (*SenMLMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SenMLMessage) GetBase() *BaseMessage {
+	if x != nil {
+		return x.Base
+	}
+	return nil
+}
+
+func (x *SenMLMessage) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetUnit() string {
+	if x != nil {
+		return x.Unit
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetTime() float64 {
+	if x != nil {
+		return x.Time
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetUpdateTime() float64 {
+	if x != nil {
+		return x.UpdateTime
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetValue() float64 {
+	if x != nil && x.Value != nil {
+		return *x.Value
+	}
+	return 0
+}
+
+func (x *SenMLMessage) GetStringValue() string {
+	if x != nil && x.StringValue != nil {
+		return *x.StringValue
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetDataValue() string {
+	if x != nil && x.DataValue != nil {
+		return *x.DataValue
+	}
+	return ""
+}
+
+func (x *SenMLMessage) GetBoolValue() bool {
+	if x != nil && x.BoolValue != nil {
+		return *x.BoolValue
+	}
+	return false
+}
+
+func (x *SenMLMessage) GetSum() float64 {
+	if x != nil && x.Sum != nil {
+		return *x.Sum
+	}
+	return 0
+}
+
+type JsonMessage struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Base          *BaseMessage           `protobuf:"bytes,1,opt,name=base,proto3" json:"base,omitempty"`
+	Created       int64                  `protobuf:"varint,2,opt,name=created,proto3" json:"created,omitempty"`
+	Payload       []byte                 `protobuf:"bytes,3,opt,name=payload,proto3" json:"payload,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *JsonMessage) Reset() {
+	*x = JsonMessage{}
+	mi := &file_readers_v1_readers_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *JsonMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*JsonMessage) ProtoMessage() {}
+
+func (x *JsonMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use JsonMessage.ProtoReflect.Descriptor instead.
+func (*JsonMessage) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *JsonMessage) GetBase() *BaseMessage {
+	if x != nil {
+		return x.Base
+	}
+	return nil
+}
+
+func (x *JsonMessage) GetCreated() int64 {
+	if x != nil {
+		return x.Created
+	}
+	return 0
+}
+
+func (x *JsonMessage) GetPayload() []byte {
+	if x != nil {
+		return x.Payload
+	}
+	return nil
+}
+
+type ReadMessagesReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ChannelId     string                 `protobuf:"bytes,1,opt,name=channel_id,json=channelId,proto3" json:"channel_id,omitempty"`
+	DomainId      string                 `protobuf:"bytes,2,opt,name=domain_id,json=domainId,proto3" json:"domain_id,omitempty"`
+	PageMetadata  *PageMetadata          `protobuf:"bytes,3,opt,name=page_metadata,json=pageMetadata,proto3" json:"page_metadata,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReadMessagesReq) Reset() {
+	*x = ReadMessagesReq{}
+	mi := &file_readers_v1_readers_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReadMessagesReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReadMessagesReq) ProtoMessage() {}
+
+func (x *ReadMessagesReq) ProtoReflect() protoreflect.Message {
+	mi := &file_readers_v1_readers_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReadMessagesReq.ProtoReflect.Descriptor instead.
+func (*ReadMessagesReq) Descriptor() ([]byte, []int) {
+	return file_readers_v1_readers_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *ReadMessagesReq) GetChannelId() string {
+	if x != nil {
+		return x.ChannelId
+	}
+	return ""
+}
+
+func (x *ReadMessagesReq) GetDomainId() string {
+	if x != nil {
+		return x.DomainId
+	}
+	return ""
+}
+
+func (x *ReadMessagesReq) GetPageMetadata() *PageMetadata {
+	if x != nil {
+		return x.PageMetadata
+	}
+	return nil
+}
+
+var File_readers_v1_readers_proto protoreflect.FileDescriptor
+
+const file_readers_v1_readers_proto_rawDesc = "" +
+	"\n" +
+	"\x18readers/v1/readers.proto\x12\n" +
+	"readers.v1\"\x8c\x04\n" +
+	"\fPageMetadata\x12\x14\n" +
+	"\x05limit\x18\x01 \x01(\x04R\x05limit\x12\x16\n" +
+	"\x06offset\x18\x02 \x01(\x04R\x06offset\x12\x1a\n" +
+	"\bprotocol\x18\x03 \x01(\tR\bprotocol\x12\x12\n" +
+	"\x04name\x18\x04 \x01(\tR\x04name\x12\x14\n" +
+	"\x05value\x18\x05 \x01(\x01R\x05value\x12\x1c\n" +
+	"\tpublisher\x18\x06 \x01(\tR\tpublisher\x12\x1d\n" +
+	"\n" +
+	"bool_value\x18\a \x01(\bR\tboolValue\x12!\n" +
+	"\fstring_value\x18\b \x01(\tR\vstringValue\x12\x1d\n" +
+	"\n" +
+	"data_value\x18\t \x01(\tR\tdataValue\x12\x12\n" +
+	"\x04from\x18\n" +
+	" \x01(\x01R\x04from\x12\x0e\n" +
+	"\x02to\x18\v \x01(\x01R\x02to\x12\x1a\n" +
+	"\bsubtopic\x18\f \x01(\tR\bsubtopic\x12\x1a\n" +
+	"\binterval\x18\r \x01(\tR\binterval\x12\x12\n" +
+	"\x04read\x18\x0e \x01(\bR\x04read\x129\n" +
+	"\vaggregation\x18\x0f \x01(\x0e2\x17.readers.v1.AggregationR\vaggregation\x12\x1e\n" +
+	"\n" +
+	"comparator\x18\x10 \x01(\tR\n" +
+	"comparator\x12\x16\n" +
+	"\x06format\x18\x11 \x01(\tR\x06format\x12\x14\n" +
+	"\x05order\x18\x12 \x01(\tR\x05order\x12\x10\n" +
+	"\x03dir\x18\x13 \x01(\tR\x03dir\"\x97\x01\n" +
+	"\x0fReadMessagesRes\x12\x14\n" +
+	"\x05total\x18\x01 \x01(\x04R\x05total\x12=\n" +
+	"\rpage_metadata\x18\x02 \x01(\v2\x18.readers.v1.PageMetadataR\fpageMetadata\x12/\n" +
+	"\bmessages\x18\x03 \x03(\v2\x13.readers.v1.MessageR\bmessages\"u\n" +
+	"\aMessage\x120\n" +
+	"\x05senml\x18\x01 \x01(\v2\x18.readers.v1.SenMLMessageH\x00R\x05senml\x12-\n" +
+	"\x04json\x18\x02 \x01(\v2\x17.readers.v1.JsonMessageH\x00R\x04jsonB\t\n" +
+	"\apayload\"}\n" +
+	"\vBaseMessage\x12\x18\n" +
+	"\achannel\x18\x01 \x01(\tR\achannel\x12\x1a\n" +
+	"\bsubtopic\x18\x02 \x01(\tR\bsubtopic\x12\x1c\n" +
+	"\tpublisher\x18\x03 \x01(\tR\tpublisher\x12\x1a\n" +
+	"\bprotocol\x18\x04 \x01(\tR\bprotocol\"\xfb\x02\n" +
+	"\fSenMLMessage\x12+\n" +
+	"\x04base\x18\x01 \x01(\v2\x17.readers.v1.BaseMessageR\x04base\x12\x12\n" +
+	"\x04name\x18\x02 \x01(\tR\x04name\x12\x12\n" +
+	"\x04unit\x18\x03 \x01(\tR\x04unit\x12\x12\n" +
+	"\x04time\x18\x04 \x01(\x01R\x04time\x12\x1f\n" +
+	"\vupdate_time\x18\x05 \x01(\x01R\n" +
+	"updateTime\x12\x19\n" +
+	"\x05value\x18\x06 \x01(\x01H\x00R\x05value\x88\x01\x01\x12&\n" +
+	"\fstring_value\x18\a \x01(\tH\x01R\vstringValue\x88\x01\x01\x12\"\n" +
+	"\n" +
+	"data_value\x18\b \x01(\tH\x02R\tdataValue\x88\x01\x01\x12\"\n" +
+	"\n" +
+	"bool_value\x18\t \x01(\bH\x03R\tboolValue\x88\x01\x01\x12\x15\n" +
+	"\x03sum\x18\n" +
+	" \x01(\x01H\x04R\x03sum\x88\x01\x01B\b\n" +
+	"\x06_valueB\x0f\n" +
+	"\r_string_valueB\r\n" +
+	"\v_data_valueB\r\n" +
+	"\v_bool_valueB\x06\n" +
+	"\x04_sum\"n\n" +
+	"\vJsonMessage\x12+\n" +
+	"\x04base\x18\x01 \x01(\v2\x17.readers.v1.BaseMessageR\x04base\x12\x18\n" +
+	"\acreated\x18\x02 \x01(\x03R\acreated\x12\x18\n" +
+	"\apayload\x18\x03 \x01(\fR\apayload\"\x8c\x01\n" +
+	"\x0fReadMessagesReq\x12\x1d\n" +
+	"\n" +
+	"channel_id\x18\x01 \x01(\tR\tchannelId\x12\x1b\n" +
+	"\tdomain_id\x18\x02 \x01(\tR\bdomainId\x12=\n" +
+	"\rpage_metadata\x18\x03 \x01(\v2\x18.readers.v1.PageMetadataR\fpageMetadata*\x95\x01\n" +
+	"\vAggregation\x12\x1b\n" +
+	"\x17AGGREGATION_UNSPECIFIED\x10\x00\x12\x13\n" +
+	"\x0fAGGREGATION_MAX\x10\x01\x12\x13\n" +
+	"\x0fAGGREGATION_MIN\x10\x02\x12\x13\n" +
+	"\x0fAGGREGATION_SUM\x10\x03\x12\x15\n" +
+	"\x11AGGREGATION_COUNT\x10\x04\x12\x13\n" +
+	"\x0fAGGREGATION_AVG\x10\x052\\\n" +
+	"\x0eReadersService\x12J\n" +
+	"\fReadMessages\x12\x1b.readers.v1.ReadMessagesReq\x1a\x1b.readers.v1.ReadMessagesRes\"\x00B3Z1github.com/absmach/magistrala/api/grpc/readers/v1b\x06proto3"
+
+var (
+	file_readers_v1_readers_proto_rawDescOnce sync.Once
+	file_readers_v1_readers_proto_rawDescData []byte
+)
+
+func file_readers_v1_readers_proto_rawDescGZIP() []byte {
+	file_readers_v1_readers_proto_rawDescOnce.Do(func() {
+		file_readers_v1_readers_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_readers_v1_readers_proto_rawDesc), len(file_readers_v1_readers_proto_rawDesc)))
+	})
+	return file_readers_v1_readers_proto_rawDescData
+}
+
+var file_readers_v1_readers_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_readers_v1_readers_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_readers_v1_readers_proto_goTypes = []any{
+	(Aggregation)(0),        // 0: readers.v1.Aggregation
+	(*PageMetadata)(nil),    // 1: readers.v1.PageMetadata
+	(*ReadMessagesRes)(nil), // 2: readers.v1.ReadMessagesRes
+	(*Message)(nil),         // 3: readers.v1.Message
+	(*BaseMessage)(nil),     // 4: readers.v1.BaseMessage
+	(*SenMLMessage)(nil),    // 5: readers.v1.SenMLMessage
+	(*JsonMessage)(nil),     // 6: readers.v1.JsonMessage
+	(*ReadMessagesReq)(nil), // 7: readers.v1.ReadMessagesReq
+}
+var file_readers_v1_readers_proto_depIdxs = []int32{
+	0, // 0: readers.v1.PageMetadata.aggregation:type_name -> readers.v1.Aggregation
+	1, // 1: readers.v1.ReadMessagesRes.page_metadata:type_name -> readers.v1.PageMetadata
+	3, // 2: readers.v1.ReadMessagesRes.messages:type_name -> readers.v1.Message
+	5, // 3: readers.v1.Message.senml:type_name -> readers.v1.SenMLMessage
+	6, // 4: readers.v1.Message.json:type_name -> readers.v1.JsonMessage
+	4, // 5: readers.v1.SenMLMessage.base:type_name -> readers.v1.BaseMessage
+	4, // 6: readers.v1.JsonMessage.base:type_name -> readers.v1.BaseMessage
+	1, // 7: readers.v1.ReadMessagesReq.page_metadata:type_name -> readers.v1.PageMetadata
+	7, // 8: readers.v1.ReadersService.ReadMessages:input_type -> readers.v1.ReadMessagesReq
+	2, // 9: readers.v1.ReadersService.ReadMessages:output_type -> readers.v1.ReadMessagesRes
+	9, // [9:10] is the sub-list for method output_type
+	8, // [8:9] is the sub-list for method input_type
+	8, // [8:8] is the sub-list for extension type_name
+	8, // [8:8] is the sub-list for extension extendee
+	0, // [0:8] is the sub-list for field type_name
+}
+
+func init() { file_readers_v1_readers_proto_init() }
+func file_readers_v1_readers_proto_init() {
+	if File_readers_v1_readers_proto != nil {
+		return
+	}
+	file_readers_v1_readers_proto_msgTypes[2].OneofWrappers = []any{
+		(*Message_Senml)(nil),
+		(*Message_Json)(nil),
+	}
+	file_readers_v1_readers_proto_msgTypes[4].OneofWrappers = []any{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_readers_v1_readers_proto_rawDesc), len(file_readers_v1_readers_proto_rawDesc)),
+			NumEnums:      1,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_readers_v1_readers_proto_goTypes,
+		DependencyIndexes: file_readers_v1_readers_proto_depIdxs,
+		EnumInfos:         file_readers_v1_readers_proto_enumTypes,
+		MessageInfos:      file_readers_v1_readers_proto_msgTypes,
+	}.Build()
+	File_readers_v1_readers_proto = out.File
+	file_readers_v1_readers_proto_goTypes = nil
+	file_readers_v1_readers_proto_depIdxs = nil
+}
@@ -0,0 +1,130 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.0
+// - protoc             v6.33.0
+// source: readers/v1/readers.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	ReadersService_ReadMessages_FullMethodName = "/readers.v1.ReadersService/ReadMessages"
+)
+
+// ReadersServiceClient is the client API for ReadersService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// ReadersService is a service that provides access to
+// readers functionalities for Magistrala services.
+type ReadersServiceClient interface {
+	ReadMessages(ctx context.Context, in *ReadMessagesReq, opts ...grpc.CallOption) (*ReadMessagesRes, error)
+}
+
+type readersServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewReadersServiceClient(cc grpc.ClientConnInterface) ReadersServiceClient {
+	return &readersServiceClient{cc}
+}
+
+func (c *readersServiceClient) ReadMessages(ctx context.Context, in *ReadMessagesReq, opts ...grpc.CallOption) (*ReadMessagesRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ReadMessagesRes)
+	err := c.cc.Invoke(ctx, ReadersService_ReadMessages_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ReadersServiceServer is the server API for ReadersService service.
+// All implementations must embed UnimplementedReadersServiceServer
+// for forward compatibility.
+//
+// ReadersService is a service that provides access to
+// readers functionalities for Magistrala services.
+type ReadersServiceServer interface {
+	ReadMessages(context.Context, *ReadMessagesReq) (*ReadMessagesRes, error)
+	mustEmbedUnimplementedReadersServiceServer()
+}
+
+// UnimplementedReadersServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedReadersServiceServer struct{}
+
+func (UnimplementedReadersServiceServer) ReadMessages(context.Context, *ReadMessagesReq) (*ReadMessagesRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method ReadMessages not implemented")
+}
+func (UnimplementedReadersServiceServer) mustEmbedUnimplementedReadersServiceServer() {}
+func (UnimplementedReadersServiceServer) testEmbeddedByValue()                        {}
+
+// UnsafeReadersServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ReadersServiceServer will
+// result in compilation errors.
+type UnsafeReadersServiceServer interface {
+	mustEmbedUnimplementedReadersServiceServer()
+}
+
+func RegisterReadersServiceServer(s grpc.ServiceRegistrar, srv ReadersServiceServer) {
+	// If the following call panics, it indicates UnimplementedReadersServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&ReadersService_ServiceDesc, srv)
+}
+
+func _ReadersService_ReadMessages_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReadMessagesReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ReadersServiceServer).ReadMessages(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ReadersService_ReadMessages_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ReadersServiceServer).ReadMessages(ctx, req.(*ReadMessagesReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ReadersService_ServiceDesc is the grpc.ServiceDesc for ReadersService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ReadersService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "readers.v1.ReadersService",
+	HandlerType: (*ReadersServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ReadMessages",
+			Handler:    _ReadersService_ReadMessages_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "readers/v1/readers.proto",
+}
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: token/v1/token.proto

@@ -30,6 +30,7 @@ type IssueReq struct {
 	UserRole      uint32                 `protobuf:"varint,2,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"`
 	Type          uint32                 `protobuf:"varint,3,opt,name=type,proto3" json:"type,omitempty"`
 	Verified      bool                   `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"`
+	Description   string                 `protobuf:"bytes,5,opt,name=description,proto3" json:"description,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -92,6 +93,13 @@ func (x *IssueReq) GetVerified() bool {
 	return false
 }

+func (x *IssueReq) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
 type RefreshReq struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	RefreshToken  string                 `protobuf:"bytes,1,opt,name=refresh_token,json=refreshToken,proto3" json:"refresh_token,omitempty"`
@@ -144,6 +152,58 @@ func (x *RefreshReq) GetVerified() bool {
 	return false
 }

+type RevokeReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	TokenId       string                 `protobuf:"bytes,1,opt,name=token_id,json=tokenId,proto3" json:"token_id,omitempty"`
+	UserId        string                 `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeReq) Reset() {
+	*x = RevokeReq{}
+	mi := &file_token_v1_token_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeReq) ProtoMessage() {}
+
+func (x *RevokeReq) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeReq.ProtoReflect.Descriptor instead.
+func (*RevokeReq) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *RevokeReq) GetTokenId() string {
+	if x != nil {
+		return x.TokenId
+	}
+	return ""
+}
+
+func (x *RevokeReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
 // If a token is not carrying any information itself, the type
 // field can be used to determine how to validate the token.
 // Also, different tokens can be encoded in different ways.
@@ -158,7 +218,7 @@ type Token struct {

 func (x *Token) Reset() {
 	*x = Token{}
-	mi := &file_token_v1_token_proto_msgTypes[2]
+	mi := &file_token_v1_token_proto_msgTypes[3]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -170,7 +230,7 @@ func (x *Token) String() string {
 func (*Token) ProtoMessage() {}

 func (x *Token) ProtoReflect() protoreflect.Message {
-	mi := &file_token_v1_token_proto_msgTypes[2]
+	mi := &file_token_v1_token_proto_msgTypes[3]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -183,7 +243,7 @@ func (x *Token) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Token.ProtoReflect.Descriptor instead.
 func (*Token) Descriptor() ([]byte, []int) {
-	return file_token_v1_token_proto_rawDescGZIP(), []int{2}
+	return file_token_v1_token_proto_rawDescGZIP(), []int{3}
 }

 func (x *Token) GetAccessToken() string {
@@ -207,29 +267,219 @@ func (x *Token) GetAccessType() string {
 	return ""
 }

+type RevokeRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RevokeRes) Reset() {
+	*x = RevokeRes{}
+	mi := &file_token_v1_token_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RevokeRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RevokeRes) ProtoMessage() {}
+
+func (x *RevokeRes) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RevokeRes.ProtoReflect.Descriptor instead.
+func (*RevokeRes) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{4}
+}
+
+type ListUserRefreshTokensReq struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	UserId        string                 `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListUserRefreshTokensReq) Reset() {
+	*x = ListUserRefreshTokensReq{}
+	mi := &file_token_v1_token_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListUserRefreshTokensReq) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListUserRefreshTokensReq) ProtoMessage() {}
+
+func (x *ListUserRefreshTokensReq) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListUserRefreshTokensReq.ProtoReflect.Descriptor instead.
+func (*ListUserRefreshTokensReq) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *ListUserRefreshTokensReq) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
+type ListUserRefreshTokensRes struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	RefreshTokens []*RefreshToken        `protobuf:"bytes,1,rep,name=refresh_tokens,json=refreshTokens,proto3" json:"refresh_tokens,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListUserRefreshTokensRes) Reset() {
+	*x = ListUserRefreshTokensRes{}
+	mi := &file_token_v1_token_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListUserRefreshTokensRes) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListUserRefreshTokensRes) ProtoMessage() {}
+
+func (x *ListUserRefreshTokensRes) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListUserRefreshTokensRes.ProtoReflect.Descriptor instead.
+func (*ListUserRefreshTokensRes) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *ListUserRefreshTokensRes) GetRefreshTokens() []*RefreshToken {
+	if x != nil {
+		return x.RefreshTokens
+	}
+	return nil
+}
+
+type RefreshToken struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Description   string                 `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RefreshToken) Reset() {
+	*x = RefreshToken{}
+	mi := &file_token_v1_token_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RefreshToken) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RefreshToken) ProtoMessage() {}
+
+func (x *RefreshToken) ProtoReflect() protoreflect.Message {
+	mi := &file_token_v1_token_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RefreshToken.ProtoReflect.Descriptor instead.
+func (*RefreshToken) Descriptor() ([]byte, []int) {
+	return file_token_v1_token_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *RefreshToken) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
+func (x *RefreshToken) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
 var File_token_v1_token_proto protoreflect.FileDescriptor

 const file_token_v1_token_proto_rawDesc = "" +
 	"\n" +
-	"\x14token/v1/token.proto\x12\btoken.v1\"p\n" +
+	"\x14token/v1/token.proto\x12\btoken.v1\"\x92\x01\n" +
 	"\bIssueReq\x12\x17\n" +
 	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x1b\n" +
 	"\tuser_role\x18\x02 \x01(\rR\buserRole\x12\x12\n" +
 	"\x04type\x18\x03 \x01(\rR\x04type\x12\x1a\n" +
-	"\bverified\x18\x04 \x01(\bR\bverified\"M\n" +
+	"\bverified\x18\x04 \x01(\bR\bverified\x12 \n" +
+	"\vdescription\x18\x05 \x01(\tR\vdescription\"M\n" +
 	"\n" +
 	"RefreshReq\x12#\n" +
 	"\rrefresh_token\x18\x01 \x01(\tR\frefreshToken\x12\x1a\n" +
-	"\bverified\x18\x02 \x01(\bR\bverified\"\x87\x01\n" +
+	"\bverified\x18\x02 \x01(\bR\bverified\"?\n" +
+	"\tRevokeReq\x12\x19\n" +
+	"\btoken_id\x18\x01 \x01(\tR\atokenId\x12\x17\n" +
+	"\auser_id\x18\x02 \x01(\tR\x06userId\"\x87\x01\n" +
 	"\x05Token\x12!\n" +
 	"\faccess_token\x18\x01 \x01(\tR\vaccessToken\x12(\n" +
 	"\rrefresh_token\x18\x02 \x01(\tH\x00R\frefreshToken\x88\x01\x01\x12\x1f\n" +
 	"\vaccess_type\x18\x03 \x01(\tR\n" +
 	"accessTypeB\x10\n" +
-	"\x0e_refresh_token2r\n" +
+	"\x0e_refresh_token\"\v\n" +
+	"\tRevokeRes\"3\n" +
+	"\x18ListUserRefreshTokensReq\x12\x17\n" +
+	"\auser_id\x18\x01 \x01(\tR\x06userId\"Y\n" +
+	"\x18ListUserRefreshTokensRes\x12=\n" +
+	"\x0erefresh_tokens\x18\x01 \x03(\v2\x16.token.v1.RefreshTokenR\rrefreshTokens\"@\n" +
+	"\fRefreshToken\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\tR\x02id\x12 \n" +
+	"\vdescription\x18\x02 \x01(\tR\vdescription2\x8b\x02\n" +
 	"\fTokenService\x12.\n" +
 	"\x05Issue\x12\x12.token.v1.IssueReq\x1a\x0f.token.v1.Token\"\x00\x122\n" +
-	"\aRefresh\x12\x14.token.v1.RefreshReq\x1a\x0f.token.v1.Token\"\x00B.Z,github.com/absmach/supermq/api/grpc/token/v1b\x06proto3"
+	"\aRefresh\x12\x14.token.v1.RefreshReq\x1a\x0f.token.v1.Token\"\x00\x124\n" +
+	"\x06Revoke\x12\x13.token.v1.RevokeReq\x1a\x13.token.v1.RevokeRes\"\x00\x12a\n" +
+	"\x15ListUserRefreshTokens\x12\".token.v1.ListUserRefreshTokensReq\x1a\".token.v1.ListUserRefreshTokensRes\"\x00B1Z/github.com/absmach/magistrala/api/grpc/token/v1b\x06proto3"

 var (
 	file_token_v1_token_proto_rawDescOnce sync.Once
@@ -243,22 +493,32 @@ func file_token_v1_token_proto_rawDescGZIP() []byte {
 	return file_token_v1_token_proto_rawDescData
 }

-var file_token_v1_token_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_token_v1_token_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_token_v1_token_proto_goTypes = []any{
-	(*IssueReq)(nil),   // 0: token.v1.IssueReq
-	(*RefreshReq)(nil), // 1: token.v1.RefreshReq
-	(*Token)(nil),      // 2: token.v1.Token
+	(*IssueReq)(nil),                 // 0: token.v1.IssueReq
+	(*RefreshReq)(nil),               // 1: token.v1.RefreshReq
+	(*RevokeReq)(nil),                // 2: token.v1.RevokeReq
+	(*Token)(nil),                    // 3: token.v1.Token
+	(*RevokeRes)(nil),                // 4: token.v1.RevokeRes
+	(*ListUserRefreshTokensReq)(nil), // 5: token.v1.ListUserRefreshTokensReq
+	(*ListUserRefreshTokensRes)(nil), // 6: token.v1.ListUserRefreshTokensRes
+	(*RefreshToken)(nil),             // 7: token.v1.RefreshToken
 }
 var file_token_v1_token_proto_depIdxs = []int32{
-	0, // 0: token.v1.TokenService.Issue:input_type -> token.v1.IssueReq
-	1, // 1: token.v1.TokenService.Refresh:input_type -> token.v1.RefreshReq
-	2, // 2: token.v1.TokenService.Issue:output_type -> token.v1.Token
-	2, // 3: token.v1.TokenService.Refresh:output_type -> token.v1.Token
-	2, // [2:4] is the sub-list for method output_type
-	0, // [0:2] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	7, // 0: token.v1.ListUserRefreshTokensRes.refresh_tokens:type_name -> token.v1.RefreshToken
+	0, // 1: token.v1.TokenService.Issue:input_type -> token.v1.IssueReq
+	1, // 2: token.v1.TokenService.Refresh:input_type -> token.v1.RefreshReq
+	2, // 3: token.v1.TokenService.Revoke:input_type -> token.v1.RevokeReq
+	5, // 4: token.v1.TokenService.ListUserRefreshTokens:input_type -> token.v1.ListUserRefreshTokensReq
+	3, // 5: token.v1.TokenService.Issue:output_type -> token.v1.Token
+	3, // 6: token.v1.TokenService.Refresh:output_type -> token.v1.Token
+	4, // 7: token.v1.TokenService.Revoke:output_type -> token.v1.RevokeRes
+	6, // 8: token.v1.TokenService.ListUserRefreshTokens:output_type -> token.v1.ListUserRefreshTokensRes
+	5, // [5:9] is the sub-list for method output_type
+	1, // [1:5] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }

 func init() { file_token_v1_token_proto_init() }
@@ -266,14 +526,14 @@ func file_token_v1_token_proto_init() {
 	if File_token_v1_token_proto != nil {
 		return
 	}
-	file_token_v1_token_proto_msgTypes[2].OneofWrappers = []any{}
+	file_token_v1_token_proto_msgTypes[3].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_token_v1_token_proto_rawDesc), len(file_token_v1_token_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   3,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: token/v1/token.proto

@@ -22,8 +22,10 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	TokenService_Issue_FullMethodName   = "/token.v1.TokenService/Issue"
-	TokenService_Refresh_FullMethodName = "/token.v1.TokenService/Refresh"
+	TokenService_Issue_FullMethodName                 = "/token.v1.TokenService/Issue"
+	TokenService_Refresh_FullMethodName               = "/token.v1.TokenService/Refresh"
+	TokenService_Revoke_FullMethodName                = "/token.v1.TokenService/Revoke"
+	TokenService_ListUserRefreshTokens_FullMethodName = "/token.v1.TokenService/ListUserRefreshTokens"
 )

 // TokenServiceClient is the client API for TokenService service.
@@ -32,6 +34,8 @@ const (
 type TokenServiceClient interface {
 	Issue(ctx context.Context, in *IssueReq, opts ...grpc.CallOption) (*Token, error)
 	Refresh(ctx context.Context, in *RefreshReq, opts ...grpc.CallOption) (*Token, error)
+	Revoke(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*RevokeRes, error)
+	ListUserRefreshTokens(ctx context.Context, in *ListUserRefreshTokensReq, opts ...grpc.CallOption) (*ListUserRefreshTokensRes, error)
 }

 type tokenServiceClient struct {
@@ -62,12 +66,34 @@ func (c *tokenServiceClient) Refresh(ctx context.Context, in *RefreshReq, opts .
 	return out, nil
 }

+func (c *tokenServiceClient) Revoke(ctx context.Context, in *RevokeReq, opts ...grpc.CallOption) (*RevokeRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RevokeRes)
+	err := c.cc.Invoke(ctx, TokenService_Revoke_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *tokenServiceClient) ListUserRefreshTokens(ctx context.Context, in *ListUserRefreshTokensReq, opts ...grpc.CallOption) (*ListUserRefreshTokensRes, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListUserRefreshTokensRes)
+	err := c.cc.Invoke(ctx, TokenService_ListUserRefreshTokens_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // TokenServiceServer is the server API for TokenService service.
 // All implementations must embed UnimplementedTokenServiceServer
 // for forward compatibility.
 type TokenServiceServer interface {
 	Issue(context.Context, *IssueReq) (*Token, error)
 	Refresh(context.Context, *RefreshReq) (*Token, error)
+	Revoke(context.Context, *RevokeReq) (*RevokeRes, error)
+	ListUserRefreshTokens(context.Context, *ListUserRefreshTokensReq) (*ListUserRefreshTokensRes, error)
 	mustEmbedUnimplementedTokenServiceServer()
 }

@@ -79,10 +105,16 @@ type TokenServiceServer interface {
 type UnimplementedTokenServiceServer struct{}

 func (UnimplementedTokenServiceServer) Issue(context.Context, *IssueReq) (*Token, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Issue not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Issue not implemented")
 }
 func (UnimplementedTokenServiceServer) Refresh(context.Context, *RefreshReq) (*Token, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Refresh not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Refresh not implemented")
+}
+func (UnimplementedTokenServiceServer) Revoke(context.Context, *RevokeReq) (*RevokeRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method Revoke not implemented")
+}
+func (UnimplementedTokenServiceServer) ListUserRefreshTokens(context.Context, *ListUserRefreshTokensReq) (*ListUserRefreshTokensRes, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListUserRefreshTokens not implemented")
 }
 func (UnimplementedTokenServiceServer) mustEmbedUnimplementedTokenServiceServer() {}
 func (UnimplementedTokenServiceServer) testEmbeddedByValue()                      {}
@@ -95,7 +127,7 @@ type UnsafeTokenServiceServer interface {
 }

 func RegisterTokenServiceServer(s grpc.ServiceRegistrar, srv TokenServiceServer) {
-	// If the following call pancis, it indicates UnimplementedTokenServiceServer was
+	// If the following call panics, it indicates UnimplementedTokenServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -141,6 +173,42 @@ func _TokenService_Refresh_Handler(srv interface{}, ctx context.Context, dec fun
 	return interceptor(ctx, in, info, handler)
 }

+func _TokenService_Revoke_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TokenServiceServer).Revoke(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TokenService_Revoke_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TokenServiceServer).Revoke(ctx, req.(*RevokeReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _TokenService_ListUserRefreshTokens_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListUserRefreshTokensReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TokenServiceServer).ListUserRefreshTokens(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TokenService_ListUserRefreshTokens_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TokenServiceServer).ListUserRefreshTokens(ctx, req.(*ListUserRefreshTokensReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // TokenService_ServiceDesc is the grpc.ServiceDesc for TokenService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -156,6 +224,14 @@ var TokenService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Refresh",
 			Handler:    _TokenService_Refresh_Handler,
 		},
+		{
+			MethodName: "Revoke",
+			Handler:    _TokenService_Revoke_Handler,
+		},
+		{
+			MethodName: "ListUserRefreshTokens",
+			Handler:    _TokenService_ListUserRefreshTokens_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "token/v1/token.proto",
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.10
+// 	protoc-gen-go v1.36.11
 // 	protoc        v6.33.0
 // source: users/v1/users.proto

@@ -365,7 +365,7 @@ const file_users_v1_users_proto_rawDesc = "" +
 	"\rauth_provider\x18\x10 \x01(\tR\fauthProvider\x12 \n" +
 	"\vpermissions\x18\x11 \x03(\tR\vpermissions2Y\n" +
 	"\fUsersService\x12I\n" +
-	"\rRetrieveUsers\x12\x1a.users.v1.RetrieveUsersReq\x1a\x1a.users.v1.RetrieveUsersRes\"\x00B.Z,github.com/absmach/supermq/api/grpc/users/v1b\x06proto3"
+	"\rRetrieveUsers\x12\x1a.users.v1.RetrieveUsersReq\x1a\x1a.users.v1.RetrieveUsersRes\"\x00B1Z/github.com/absmach/magistrala/api/grpc/users/v1b\x06proto3"

 var (
 	file_users_v1_users_proto_rawDescOnce sync.Once
@@ -3,7 +3,7 @@

 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v6.33.0
 // source: users/v1/users.proto

@@ -72,7 +72,7 @@ type UsersServiceServer interface {
 type UnimplementedUsersServiceServer struct{}

 func (UnimplementedUsersServiceServer) RetrieveUsers(context.Context, *RetrieveUsersReq) (*RetrieveUsersRes, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RetrieveUsers not implemented")
+	return nil, status.Error(codes.Unimplemented, "method RetrieveUsers not implemented")
 }
 func (UnimplementedUsersServiceServer) mustEmbedUnimplementedUsersServiceServer() {}
 func (UnimplementedUsersServiceServer) testEmbeddedByValue()                      {}
@@ -85,7 +85,7 @@ type UnsafeUsersServiceServer interface {
 }

 func RegisterUsersServiceServer(s grpc.ServiceRegistrar, srv UsersServiceServer) {
-	// If the following call pancis, it indicates UnimplementedUsersServiceServer was
+	// If the following call panics, it indicates UnimplementedUsersServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -11,12 +11,12 @@ import (
 	"regexp"
 	"strings"

-	"github.com/absmach/supermq"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/clients"
-	"github.com/absmach/supermq/groups"
-	"github.com/absmach/supermq/pkg/errors"
-	"github.com/absmach/supermq/users"
+	"github.com/absmach/magistrala"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/clients"
+	"github.com/absmach/magistrala/groups"
+	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/magistrala/users"
 	"github.com/gofrs/uuid/v5"
 )

@@ -37,6 +37,7 @@ const (
 	MetadataKey = "metadata"
 	NameKey     = "name"
 	TagKey      = "tag"
+	TagsKey     = "tags"
 	StatusKey   = "status"

 	ClientKey   = "client"
@@ -157,7 +158,7 @@ func ValidateUserName(name string) error {

 // EncodeResponse encodes successful response.
 func EncodeResponse(_ context.Context, w http.ResponseWriter, response any) error {
-	if ar, ok := response.(supermq.Response); ok {
+	if ar, ok := response.(magistrala.Response); ok {
 		for k, v := range ar.Headers() {
 			w.Header().Set(k, v)
 		}
@@ -10,16 +10,16 @@ import (
 	"testing"
 	"time"

-	"github.com/absmach/supermq"
-	api "github.com/absmach/supermq/api/http"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/internal/testsutil"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	"github.com/absmach/magistrala"
+	api "github.com/absmach/magistrala/api/http"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 	"github.com/stretchr/testify/assert"
 )

-var _ supermq.Response = (*response)(nil)
+var _ magistrala.Response = (*response)(nil)

 var validUUID = testsutil.GenerateUUID(&testing.T{})

@@ -7,11 +7,11 @@ import (
 	"context"
 	"net/http"

-	"github.com/absmach/supermq"
+	"github.com/absmach/magistrala"
 	"github.com/go-chi/chi/v5/middleware"
 )

-func RequestIDMiddleware(idp supermq.IDProvider) func(http.Handler) http.Handler {
+func RequestIDMiddleware(idp magistrala.IDProvider) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			requestID, err := idp.ID()
@@ -3,7 +3,7 @@

 package util

-import "github.com/absmach/supermq/pkg/errors"
+import "github.com/absmach/magistrala/pkg/errors"

 // Errors defined in this file are used by the LoggingErrorEncoder decorator
 // to distinguish and log API request validation errors and avoid that service
@@ -7,7 +7,7 @@ import (
 	"net/http"
 	"testing"

-	apiutil "github.com/absmach/supermq/api/http/util"
+	apiutil "github.com/absmach/magistrala/api/http/util"
 	"github.com/stretchr/testify/assert"
 )

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"strconv"

-	"github.com/absmach/supermq/pkg/errors"
+	"github.com/absmach/magistrala/pkg/errors"
 	kithttp "github.com/go-kit/kit/transport/http"
 )

@@ -11,10 +11,10 @@ import (
 	"net/url"
 	"testing"

-	apiutil "github.com/absmach/supermq/api/http/util"
-	smqlog "github.com/absmach/supermq/logger"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	mglog "github.com/absmach/magistrala/logger"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 	"github.com/stretchr/testify/assert"
 )

@@ -355,7 +355,7 @@ func TestLoggingErrorEncoder(t *testing.T) {
 				encCalled = true
 			}

-			errorEncoder := apiutil.LoggingErrorEncoder(smqlog.NewMock(), encFunc)
+			errorEncoder := apiutil.LoggingErrorEncoder(mglog.NewMock(), encFunc)
 			errorEncoder(context.Background(), c.err, httptest.NewRecorder())

 			assert.True(t, encCalled)
@@ -2,13 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0

 asyncapi: '2.6.0'
-id: 'https://github.com/absmach/supermq/blob/main/api/asyncapi/mqtt.yaml'
+id: 'https://github.com/absmach/magistrala/blob/main/api/asyncapi/mqtt.yaml'
 info:
-  title: SuperMQ MQTT Adapter
+  title: Magistrala MQTT Adapter
  version: '0.18.0'
  contact:
-    name: SuperMQ Team
-    url: 'https://github.com/absmach/supermq'
+    name: Magistrala Team
+    url: 'https://github.com/absmach/magistrala'
    email: info@absmach.eu
  description: |
    MQTT adapter provides an MQTT API for sending messages through the platform. MQTT adapter uses [mProxy](https://github.com/absmach/mproxy) for proxying traffic between client and MQTT broker.
@@ -16,7 +16,7 @@ info:

  license:
    name: Apache 2.0
-    url: 'https://github.com/absmach/supermq/blob/main/LICENSE'
+    url: 'https://github.com/absmach/magistrala/blob/main/LICENSE'


 defaultContentType: application/json
@@ -2,18 +2,18 @@
 # SPDX-License-Identifier: Apache-2.0

 asyncapi: 2.6.0
-id: 'https://github.com/absmach/supermq/blob/main/api/asyncapi/websocket.yaml'
+id: 'https://github.com/absmach/magistrala/blob/main/api/asyncapi/websocket.yaml'
 info:
-  title: SuperMQ WebSocket adapter
+  title: Magistrala WebSocket adapter
  description: WebSocket adapter provides a WebSocket API for sending messages through communication channels. WebSocket adapter uses [mProxy](https://github.com/absmach/mproxy) for proxying traffic between client and MQTT broker.
  version: '0.18.0'
  contact:
-    name: SuperMQ Team
-    url: 'https://github.com/absmach/supermq'
+    name: Magistrala Team
+    url: 'https://github.com/absmach/magistrala'
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: 'https://github.com/absmach/supermq/blob/main/LICENSE'
+    url: 'https://github.com/absmach/magistrala/blob/main/LICENSE'
 tags:
  - name: WebSocket
 defaultContentType: application/json
@@ -28,7 +28,7 @@ servers:
        description: Hostname of the WebSocket adapter
        default: localhost
      port:
-        description: SuperMQ WebSocket Adapter port
+        description: Magistrala WebSocket Adapter port
        default: '8008'

 channels:
@@ -74,7 +74,7 @@ channels:
        - bearerAuth: []
  /version:
    subscribe:
-      summary: Get the version of the SuperMQ adapter
+      summary: Get the version of the Magistrala adapter
      operationId: getVersion
      bindings:
        http:
@@ -1,5 +1,5 @@
-# SuperMQ OpenAPI Specification
+# Magistrala OpenAPI Specification

-This folder contains an OpenAPI specifications for SuperMQ API.
+This folder contains an OpenAPI specifications for Magistrala API.

-View specification in Swagger UI at [docs.api.supermq.absmach.eu](https://docs.api.supermq.absmach.eu)
+View specification in Swagger UI at [docs.api.magistrala.absmach.eu](https://docs.api.magistrala.absmach.eu)
@@ -0,0 +1,508 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Alarms API
+  description: |
+    HTTP API for managing alarms service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:8050
+  - url: https://localhost:8050
+
+tags:
+  - name: alarms
+    description: Everything about your Alarms
+    externalDocs:
+      description: Find out more about alarms
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/alarms:
+    get:
+      operationId: listAlarms
+      summary: List Alarms
+      description: |
+        Retrieves a list of alarms with optional filtering
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+        - $ref: '#/components/parameters/Order'
+        - $ref: '#/components/parameters/Dir'
+        - $ref: '#/components/parameters/ChannelID'
+        - $ref: '#/components/parameters/ClientID'
+        - $ref: '#/components/parameters/Subtopic'
+        - $ref: '#/components/parameters/RuleID'
+        - $ref: '#/components/parameters/Status'
+        - $ref: '#/components/parameters/AssigneeID'
+        - $ref: '#/components/parameters/Severity'
+        - $ref: '#/components/parameters/UpdatedBy'
+        - $ref: '#/components/parameters/AssignedBy'
+        - $ref: '#/components/parameters/AcknowledgedBy'
+        - $ref: '#/components/parameters/ResolvedBy'
+        - $ref: '#/components/parameters/CreatedFrom'
+        - $ref: '#/components/parameters/CreatedTo'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmsPageRes'
+        '400':
+          description: Failed due to malformed query parameters
+        '401':
+          description: Missing or invalid access token
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/alarms/{alarmID}:
+    get:
+      operationId: viewAlarm
+      summary: View Alarm
+      description: Retrieves an alarm by ID
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmRes'
+        '400':
+          description: Missing or invalid alarm ID
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    put:
+      operationId: updateAlarm
+      summary: Update Alarm
+      description: Updates an existing alarm
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/AlarmUpdateReq'
+      responses:
+        '200':
+          $ref: '#/components/responses/AlarmRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '415':
+          description: Missing or invalid content type
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    delete:
+      operationId: deleteAlarm
+      summary: Delete Alarm
+      description: Deletes an alarm
+      tags:
+        - alarms
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/AlarmID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Alarm deleted successfully
+        '400':
+          description: Failed due to malformed alarm ID
+        '401':
+          description: Missing or invalid access token
+        '403':
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Alarm does not exist
+        '422':
+          description: Database can't process request
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /health:
+    get:
+      summary: Retrieves service health check info
+      tags:
+        - health
+      security: []
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+components:
+  schemas:
+    Alarm:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Unique alarm identifier
+          readOnly: true
+        rule_id:
+          type: string
+          description: Rule ID that triggered this alarm
+        domain_id:
+          type: string
+          description: Domain ID this alarm belongs to
+        channel_id:
+          type: string
+          description: Channel ID where the alarm was triggered
+        client_id:
+          type: string
+          description: Client ID that triggered the alarm
+        subtopic:
+          type: string
+          description: Subtopic associated with the alarm
+        status:
+          type: string
+          description: Alarm status
+          enum: [active, cleared]
+        measurement:
+          type: string
+          description: Measurement that triggered the alarm
+        value:
+          type: string
+          description: Value that triggered the alarm
+        unit:
+          type: string
+          description: Unit of measurement
+        threshold:
+          type: string
+          description: Threshold value that was exceeded
+        cause:
+          type: string
+          description: Cause or description of the alarm
+        severity:
+          type: integer
+          description: Severity level (0-100)
+          minimum: 0
+          maximum: 100
+        assignee_id:
+          type: string
+          description: ID of the user assigned to this alarm
+        created_at:
+          type: string
+          format: date-time
+          description: Creation timestamp
+          readOnly: true
+        updated_at:
+          type: string
+          format: date-time
+          description: Last update timestamp
+          readOnly: true
+        updated_by:
+          type: string
+          description: User who last updated the alarm
+          readOnly: true
+        assigned_at:
+          type: string
+          format: date-time
+          description: When the alarm was assigned
+          readOnly: true
+        assigned_by:
+          type: string
+          description: User who assigned the alarm
+          readOnly: true
+        acknowledged_at:
+          type: string
+          format: date-time
+          description: When the alarm was acknowledged
+          readOnly: true
+        acknowledged_by:
+          type: string
+          description: User who acknowledged the alarm
+          readOnly: true
+        resolved_at:
+          type: string
+          format: date-time
+          description: When the alarm was resolved
+          readOnly: true
+        resolved_by:
+          type: string
+          description: User who resolved the alarm
+          readOnly: true
+        metadata:
+          type: object
+          description: Custom metadata
+          additionalProperties: true
+
+    AlarmsPage:
+      type: object
+      properties:
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval
+          minimum: 0
+          default: 0
+        limit:
+          type: integer
+          description: Size of the subset to retrieve
+          minimum: 1
+          maximum: 1000
+          default: 10
+        total:
+          type: integer
+          description: Total number of results
+          minimum: 0
+        alarms:
+          type: array
+          minItems: 0
+          items:
+            $ref: '#/components/schemas/Alarm'
+      required:
+        - alarms
+        - total
+        - offset
+        - limit
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Domain ID
+      in: path
+      required: true
+      schema:
+        type: string
+    AlarmID:
+      name: alarmID
+      description: Alarm ID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      description: Number of items to skip
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+        maximum: 1000
+    Order:
+      name: order
+      description: Order by field
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [created_at, updated_at]
+        default: created_at
+    Dir:
+      name: dir
+      description: Sort direction
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [asc, desc]
+        default: desc
+    ChannelID:
+      name: channel_id
+      description: Filter by channel ID
+      in: query
+      required: false
+      schema:
+        type: string
+    ClientID:
+      name: client_id
+      description: Filter by client ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Subtopic:
+      name: subtopic
+      description: Filter by subtopic
+      in: query
+      required: false
+      schema:
+        type: string
+    RuleID:
+      name: rule_id
+      description: Filter by rule ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Status:
+      name: status
+      description: Filter by alarm status
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [active, cleared, all]
+        default: all
+    AssigneeID:
+      name: assignee_id
+      description: Filter by assignee ID
+      in: query
+      required: false
+      schema:
+        type: string
+    Severity:
+      name: severity
+      description: Filter by severity level
+      in: query
+      required: false
+      schema:
+        type: integer
+        minimum: 0
+        maximum: 100
+    UpdatedBy:
+      name: updated_by
+      description: Filter by user who updated
+      in: query
+      required: false
+      schema:
+        type: string
+    AssignedBy:
+      name: assigned_by
+      description: Filter by user who assigned
+      in: query
+      required: false
+      schema:
+        type: string
+    AcknowledgedBy:
+      name: acknowledged_by
+      description: Filter by user who acknowledged
+      in: query
+      required: false
+      schema:
+        type: string
+    ResolvedBy:
+      name: resolved_by
+      description: Filter by user who resolved
+      in: query
+      required: false
+      schema:
+        type: string
+    CreatedFrom:
+      name: created_from
+      description: Filter alarms created after this time (RFC3339 format)
+      in: query
+      required: false
+      schema:
+        type: string
+        format: date-time
+    CreatedTo:
+      name: created_to
+      description: Filter alarms created before this time (RFC3339 format)
+      in: query
+      required: false
+      schema:
+        type: string
+        format: date-time
+
+  requestBodies:
+    AlarmUpdateReq:
+      description: JSON-formatted document describing the alarm update
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              status:
+                type: string
+                description: Alarm status
+                enum: [active, cleared]
+              assignee_id:
+                type: string
+                description: ID of the user assigned to this alarm
+              severity:
+                type: integer
+                description: Severity level (0-100)
+                minimum: 0
+                maximum: 100
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties: true
+
+  responses:
+    AlarmRes:
+      description: Alarm data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Alarm'
+      links:
+        update:
+          operationId: updateAlarm
+          parameters:
+            alarmID: $response.body#/id
+            domainID: $response.body#/domain_id
+        delete:
+          operationId: deleteAlarm
+          parameters:
+            alarmID: $response.body#/id
+            domainID: $response.body#/domain_id
+    AlarmsPageRes:
+      description: Alarms page retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/AlarmsPage'
+    ServiceError:
+      description: Unexpected server-side error occurred
+    HealthRes:
+      description: Service Health Check
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Auth Service
+  title: Magistrala Auth Service
  description: |
    This is the Auth Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform users. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: Everything about your Keys.
    externalDocs:
      description: Find out more about keys
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: PATs
    description: Everything about your Personal Access Tokens.
    externalDocs:
      description: Find out more about Personal Access Tokens
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Service health check endpoint.
    externalDocs:
      description: Find out more about health check
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /keys:
@@ -0,0 +1,722 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.3
+info:
+  title: Certs Service API
+  description: |
+    Certificate management service for issuing, renewing, revoking, and managing X.509 certificates.
+    This service provides PKI functionality including certificate lifecycle management, OCSP responder,
+    and CRL generation.
+  version: 1.0.0
+  contact:
+    name: Abstract Machines
+  license:
+    name: Apache-2.0
+    url: https://www.apache.org/licenses/LICENSE-2.0.html
+
+servers:
+  - url: http://localhost:9019
+    description: Development server
+
+tags:
+  - name: certificates
+    description: Certificate lifecycle management operations
+  - name: pki
+    description: PKI infrastructure operations (OCSP, CRL, CA)
+  - name: health
+    description: Service health and monitoring
+
+security:
+  - BearerAuth: []
+
+paths:
+  /{domainID}/certs/issue/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue a new certificate
+      description: Issues a new X.509 certificate for the specified entity with custom subject options
+      operationId: issueCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueCertRequest'
+      responses:
+        '201':
+          description: Certificate successfully issued
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CertificateResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}/renew:
+    patch:
+      tags:
+        - certificates
+      summary: Renew a certificate
+      description: Renews an existing certificate with extended TTL and new serial number
+      operationId: renewCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '200':
+          description: Certificate successfully renewed
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenewCertResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}/revoke:
+    patch:
+      tags:
+        - certificates
+      summary: Revoke a certificate
+      description: Revokes a certificate by its serial number
+      operationId: revokeCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '204':
+          description: Certificate successfully revoked
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '422':
+          $ref: '#/components/responses/UnprocessableEntity'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{entityID}/delete:
+    delete:
+      tags:
+        - certificates
+      summary: Delete certificates for an entity
+      description: Deletes all certificates associated with the specified entity
+      operationId: deleteCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+      responses:
+        '204':
+          description: Certificates successfully deleted
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '422':
+          $ref: '#/components/responses/UnprocessableEntity'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs:
+    get:
+      tags:
+        - certificates
+      summary: List certificates
+      description: Retrieves a paginated list of certificates with optional filtering by entity ID
+      operationId: listCerts
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+        - $ref: '#/components/parameters/EntityIDFilter'
+      responses:
+        '200':
+          description: Certificates successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CertificateListResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/{id}:
+    get:
+      tags:
+        - certificates
+      summary: View certificate details
+      description: Retrieves detailed information about a specific certificate by serial number
+      operationId: viewCert
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/CertID'
+      responses:
+        '200':
+          description: Certificate details successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ViewCertResponse'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /{domainID}/certs/csrs/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue certificate from CSR
+      description: Issues a certificate from a Certificate Signing Request (CSR)
+      operationId: issueFromCSR
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/EntityID'
+        - $ref: '#/components/parameters/TTL'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueFromCSRRequest'
+      responses:
+        '200':
+          description: Certificate successfully issued from CSR
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IssueFromCSRResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/csrs/{entityID}:
+    post:
+      tags:
+        - certificates
+      summary: Issue certificate from CSR (Internal)
+      description: Issues a certificate from a CSR using internal agent authentication
+      operationId: issueFromCSRInternal
+      security:
+        - AgentAuth: []
+      parameters:
+        - $ref: '#/components/parameters/EntityID'
+        - $ref: '#/components/parameters/TTL'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IssueFromCSRRequest'
+      responses:
+        '200':
+          description: Certificate successfully issued from CSR
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IssueFromCSRResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/ocsp:
+    post:
+      tags:
+        - pki
+      summary: OCSP responder
+      description: |
+        Online Certificate Status Protocol (OCSP) responder endpoint.
+        Accepts both binary OCSP requests and JSON format requests.
+      operationId: ocsp
+      security: []
+      parameters:
+        - name: force_status
+          in: query
+          description: Force a specific OCSP status for testing
+          required: false
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/ocsp-request:
+            schema:
+              type: string
+              format: binary
+              description: DER-encoded OCSP request
+          application/json:
+            schema:
+              $ref: '#/components/schemas/OCSPRequest'
+      responses:
+        '200':
+          description: OCSP response
+          content:
+            application/ocsp-response:
+              schema:
+                type: string
+                format: binary
+                description: DER-encoded OCSP response
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/crl:
+    get:
+      tags:
+        - pki
+      summary: Generate Certificate Revocation List
+      description: Generates and returns the current Certificate Revocation List (CRL)
+      operationId: generateCRL
+      security: []
+      responses:
+        '200':
+          description: CRL successfully generated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CRLResponse'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/view-ca:
+    get:
+      tags:
+        - pki
+      summary: View CA certificate
+      description: Retrieves the CA certificate chain (root and intermediate certificates)
+      operationId: viewCA
+      security: []
+      responses:
+        '200':
+          description: CA certificate successfully retrieved
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ViewCertResponse'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /certs/download-ca:
+    get:
+      tags:
+        - pki
+      summary: Download CA certificate
+      description: Downloads the CA certificate as a ZIP file
+      operationId: downloadCA
+      security: []
+      responses:
+        '200':
+          description: CA certificate ZIP file
+          content:
+            application/zip:
+              schema:
+                type: string
+                format: binary
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+
+  /metrics:
+    get:
+      tags:
+        - health
+      summary: Prometheus metrics
+      description: Returns Prometheus metrics for monitoring
+      operationId: metrics
+      security: []
+      responses:
+        '200':
+          description: Metrics successfully retrieved
+          content:
+            text/plain:
+              schema:
+                type: string
+
+components:
+  securitySchemes:
+    BearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: User authentication token
+    AgentAuth:
+      type: http
+      scheme: bearer
+      description: Agent authentication token for internal operations
+
+  parameters:
+    DomainID:
+      name: domainID
+      in: path
+      required: true
+      description: Domain identifier
+      schema:
+        type: string
+    EntityID:
+      name: entityID
+      in: path
+      required: true
+      description: Entity identifier for the certificate
+      schema:
+        type: string
+    CertID:
+      name: id
+      in: path
+      required: true
+      description: Certificate serial number
+      schema:
+        type: string
+    Offset:
+      name: offset
+      in: query
+      description: Number of items to skip
+      schema:
+        type: integer
+        minimum: 0
+        default: 0
+    Limit:
+      name: limit
+      in: query
+      description: Maximum number of items to return
+      schema:
+        type: integer
+        minimum: 1
+        maximum: 100
+        default: 10
+    EntityIDFilter:
+      name: entity_id
+      in: query
+      description: Filter certificates by entity ID
+      schema:
+        type: string
+    TTL:
+      name: ttl
+      in: query
+      description: Time to live for the certificate (e.g., "8760h", "365d")
+      schema:
+        type: string
+
+  schemas:
+    IssueCertRequest:
+      type: object
+      required:
+        - options
+      properties:
+        ttl:
+          type: string
+          description: Time to live for the certificate (e.g., "8760h" for 1 year)
+          example: "8760h"
+        ip_addresses:
+          type: array
+          items:
+            type: string
+          description: IP addresses to include in the certificate
+          example: ["192.168.1.1", "10.0.0.1"]
+        options:
+          $ref: '#/components/schemas/SubjectOptions'
+
+    SubjectOptions:
+      type: object
+      required:
+        - common_name
+      properties:
+        common_name:
+          type: string
+          description: Common Name (CN) for the certificate subject
+          example: "example.com"
+        organization:
+          type: array
+          items:
+            type: string
+          description: Organization (O)
+          example: ["Abstract Machines"]
+        organizational_unit:
+          type: array
+          items:
+            type: string
+          description: Organizational Unit (OU)
+          example: ["Engineering"]
+        country:
+          type: array
+          items:
+            type: string
+          description: Country (C)
+          example: ["US"]
+        province:
+          type: array
+          items:
+            type: string
+          description: Province or State (ST)
+          example: ["California"]
+        locality:
+          type: array
+          items:
+            type: string
+          description: Locality or City (L)
+          example: ["San Francisco"]
+        street_address:
+          type: array
+          items:
+            type: string
+          description: Street Address
+          example: ["123 Main St"]
+        postal_code:
+          type: array
+          items:
+            type: string
+          description: Postal Code
+          example: ["94105"]
+        dns_names:
+          type: array
+          items:
+            type: string
+          description: DNS names for Subject Alternative Names
+          example: ["example.com", "www.example.com"]
+        ip_addresses:
+          type: array
+          items:
+            type: string
+          description: IP addresses for Subject Alternative Names
+          example: ["192.168.1.1"]
+
+    CertificateResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Unique serial number of the certificate
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        key:
+          type: string
+          description: PEM-encoded private key
+          example: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+        revoked:
+          type: boolean
+          description: Whether the certificate is revoked
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Certificate expiration time
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Entity identifier associated with the certificate
+          example: "entity-123"
+
+    RenewCertResponse:
+      type: object
+      properties:
+        certificate:
+          $ref: '#/components/schemas/ViewCertResponse'
+
+    ViewCertResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Certificate serial number
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        key:
+          type: string
+          description: PEM-encoded private key
+          example: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+        revoked:
+          type: boolean
+          description: Revocation status
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Expiration timestamp
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Associated entity identifier
+          example: "entity-123"
+
+    CertificateListResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+          format: uint64
+          description: Total number of certificates
+          example: 100
+        offset:
+          type: integer
+          format: uint64
+          description: Current offset
+          example: 0
+        limit:
+          type: integer
+          format: uint64
+          description: Current limit
+          example: 10
+        certificates:
+          type: array
+          items:
+            $ref: '#/components/schemas/ViewCertResponse'
+
+    IssueFromCSRRequest:
+      type: object
+      required:
+        - csr
+      properties:
+        csr:
+          type: string
+          format: byte
+          description: PEM-encoded Certificate Signing Request
+          example: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K..."
+
+    IssueFromCSRResponse:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Serial number of the issued certificate
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        revoked:
+          type: boolean
+          description: Revocation status
+          example: false
+        expiry_time:
+          type: string
+          format: date-time
+          description: Expiration timestamp
+          example: "2026-11-05T12:00:00Z"
+        entity_id:
+          type: string
+          description: Associated entity identifier
+          example: "entity-123"
+
+    OCSPRequest:
+      type: object
+      properties:
+        serial_number:
+          type: string
+          description: Certificate serial number to check
+          example: "4a:3f:5e:2c:1b:8d:9e:7f"
+        certificate:
+          type: string
+          description: PEM-encoded certificate to check
+          example: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+        status:
+          type: string
+          description: Force a specific status (for testing)
+          enum: [good, revoked, unknown]
+
+    CRLResponse:
+      type: object
+      properties:
+        crl:
+          type: string
+          format: byte
+          description: DER-encoded Certificate Revocation List
+
+    Error:
+      type: object
+      properties:
+        error:
+          type: string
+          description: Error message
+          example: "invalid request"
+
+  responses:
+    BadRequest:
+      description: Bad request - invalid parameters or malformed request
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    Unauthorized:
+      description: Unauthorized - invalid or missing authentication token
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    NotFound:
+      description: Resource not found
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    UnprocessableEntity:
+      description: Unprocessable entity - request cannot be processed
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    InternalServerError:
+      description: Internal server error
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Error'
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: './schemas/health_info.yaml'
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Channels Service
+  title: Magistrala Channels Service
  description: |
    This is the Channels Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform channels. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your channels
    externalDocs:
      description: Find out more about channels
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Connections
    description: All operations involving channel and client connections
    externalDocs:
      description: Find out more about channel and client connections
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/channels:
@@ -89,6 +89,7 @@ paths:
        - $ref: "#/components/parameters/Offset"
        - $ref: "#/components/parameters/Order"
        - $ref: "#/components/parameters/Direction"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Metadata"
        - $ref: "#/components/parameters/Status"
        - $ref: "#/components/parameters/ChannelName"
@@ -101,6 +102,8 @@ paths:
        - $ref: "#/components/parameters/Client"
        - $ref: "#/components/parameters/Group"
        - $ref: "#/components/parameters/User"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/ChannelPageRes"
@@ -780,16 +783,12 @@ components:

    Tags:
      name: tags
-      description: Client tags.
+      description: Channel tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    ChannelName:
      name: name
@@ -947,6 +946,26 @@ components:
      required: false
      example: bb7edb32-2eac-4aad-aebe-ed96fe073879

+    CreatedFrom:
+      name: created_from
+      description: Filter channels created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter channels created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
  requestBodies:
    ChannelCreateReq:
      description: JSON-formatted document describing the new channel to be registered
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Clients Service
+  title: Magistrala Clients Service
  description: |
    This is the Clients Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform clients. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your clients
    externalDocs:
      description: Find out more about clients
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for clients
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/clients:
@@ -100,6 +100,8 @@ paths:
        - $ref: "#/components/parameters/ConnectionType"
        - $ref: "#/components/parameters/Group"
        - $ref: "#/components/parameters/User"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      security:
        - bearerAuth: []
      responses:
@@ -1282,16 +1284,12 @@ components:

    Tags:
      name: tags
-      description: Client tags.
+      description: Clients tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    Metadata:
      name: metadata
@@ -1422,6 +1420,26 @@ components:
        minLength: 36
      required: false
      example: bb7edb32-2eac-4aad-aebe-ed96fe073879
+    
+    CreatedFrom:
+      name: created_from
+      description: Filter clients created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter clients created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"

  requestBodies:
    ClientCreateReq:
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Domains Service
+  title: Magistrala Domains Service
  description: |
    This is the Domains Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform domains. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,22 +24,22 @@ tags:
    description: CRUD operations for your domains
    externalDocs:
      description: Find out more about domains
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for domains
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Invitations
    description: All operations involving invitations for domains
    externalDocs:
      description: Find out more about Invitations
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Service health check endpoint.
    externalDocs:
      description: Find out more about health check
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /domains:
@@ -76,6 +76,7 @@ paths:
        - $ref: "#/components/parameters/Order"
        - $ref: "#/components/parameters/Direction"
        - $ref: "#/components/parameters/Metadata"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Status"
        - $ref: "#/components/parameters/DomainName"
        - $ref: "./schemas/roles.yaml#/components/parameters/ActionsQuery"
@@ -83,6 +84,8 @@ paths:
        - $ref: "./schemas/roles.yaml#/components/parameters/RoleNameQuery"
        - $ref: "#/components/parameters/AccessType"
        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      tags:
        - Domains
      security:
@@ -1179,6 +1182,14 @@ components:
      schema:
        type: object
        additionalProperties: {}
+    Tags:
+      name: tags
+      description: Domain tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
+      in: query
+      schema:
+        type: string
+      required: false
+      example: "orange,yellow"
    Type:
      name: type
      description: The type of the API Key.
@@ -1282,6 +1293,26 @@ components:
        default: false
      required: false

+    CreatedFrom:
+      name: created_from
+      description: Filter domains created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter domains created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
  requestBodies:
    DomainCreateReq:
      description: JSON-formatted document describing the new domain to be registered
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Groups Service
+  title: Magistrala Groups Service
  description: |
    This is the Groups Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform groups. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,17 +24,17 @@ tags:
    description: CRUD operations for your groups
    externalDocs:
      description: Find out more about users groups
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Roles
    description: All operations involving roles for groups
    externalDocs:
      description: Find out more about roles
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /{domainID}/groups:
@@ -92,6 +92,7 @@ paths:
        - $ref: "#/components/parameters/DirectionOrder"
        - $ref: "#/components/parameters/Level"
        - $ref: "#/components/parameters/Tree"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/Metadata"
        - $ref: "#/components/parameters/GroupName"
        - $ref: "#/components/parameters/RootGroup"
@@ -102,6 +103,8 @@ paths:
        - $ref: "./schemas/roles.yaml#/components/parameters/RoleNameQuery"
        - $ref: "#/components/parameters/AccessType"
        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/GroupPageRes"
@@ -328,6 +331,8 @@ paths:
        - $ref: "#/components/parameters/Level"
        - $ref: "#/components/parameters/Tree"
        - $ref: "#/components/parameters/Direction"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      responses:
        "200":
          $ref: "#/components/responses/GroupsHierarchyPageRes"
@@ -1150,7 +1155,7 @@ components:
          description: User's last name.
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User's email address.
        tags:
          type: array
@@ -1387,16 +1392,12 @@ components:

    Tags:
      name: tags
-      description: User tags.
+      description: Group tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
-        type: array
-        minItems: 0
-        uniqueItems: true
-        items:
-          type: string
+        type: string
      required: false
-      example: ["yello", "orange"]
+      example: "orange,yellow"

    GroupName:
      name: name
@@ -1602,6 +1603,26 @@ components:
        default: false
      required: false

+    CreatedFrom:
+      name: created_from
+      description: Filter groups created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter groups created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
    User:
      name: user
      description: If provided lists groups associated with a user with the provided ID. Only available for admin users.
@@ -3,16 +3,16 @@

 openapi: 3.0.1
 info:
-  title: SuperMQ http adapter
+  title: Magistrala http adapter
  description: |
    HTTP API for sending messages through communication channels.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,7 +24,7 @@ tags:
    description: Everything about your Messages
    externalDocs:
      description: Find out more about messages
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /m/{domainPrefix}/c/{channelPrefix}:
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Journal Log Service
+  title: Magistrala Journal Log Service
  description: |
    This is the Journal Log Server based on the OpenAPI 3.0 specification.  It is the HTTP API for viewing journal log history. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@mainflux.com
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -0,0 +1,292 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Notifiers service
+  description: |
+    HTTP API for Notifiers service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9014
+  - url: https://localhost:9014
+  - url: http://localhost:9015
+  - url: https://localhost:9015
+
+tags:
+  - name: notifiers
+    description: Everything about your Notifiers
+    externalDocs:
+      description: Find out more about notifiers
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /subscriptions:
+    post:
+      operationId: createSubscription
+      summary: Create subscription
+      description: Creates a new subscription give a topic and contact.
+      tags:
+        - notifiers
+      requestBody:
+        $ref: "#/components/requestBodies/Create"
+      responses:
+        "201":
+          $ref: "#/components/responses/Create"
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "409":
+          description: Failed due to using an existing topic and contact.
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    get:
+      operationId: listSubscriptions
+      summary: List subscriptions
+      description: List subscriptions given list parameters.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Topic"
+        - $ref: "#/components/parameters/Contact"
+        - $ref: "#/components/parameters/Offset"
+        - $ref: "#/components/parameters/Limit"
+      responses:
+        "200":
+          $ref: "#/components/responses/Page"
+        "400":
+          description: Failed due to malformed query parameters.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /subscriptions/{id}:
+    get:
+      operationId: viewSubscription
+      summary: Get subscription with the provided id
+      description: Retrieves a subscription with the provided id.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Id"
+      responses:
+        "200":
+          $ref: "#/components/responses/View"
+        "400":
+          description: Failed due to malformed ID.
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    delete:
+      operationId: removeSubscription
+      summary: Delete subscription with the provided id
+      description: Removes a subscription with the provided id.
+      tags:
+        - notifiers
+      parameters:
+        - $ref: "#/components/parameters/Id"
+      responses:
+        "204":
+          description: Subscription removed
+        "401":
+          description: Missing or invalid access token provided.
+        "403":
+          description: Failed to perform authorization over the entity.
+        "404":
+          description: A non-existent entity request.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    Subscription:
+      type: object
+      properties:
+        id:
+          type: string
+          format: ulid
+          example: 01EWDVKBQSG80B6PQRS9PAAY35
+          description: ULID id of the subscription.
+        owner_id:
+          type: string
+          format: uuid
+          example: 18167738-f7a8-4e96-a123-58c3cd14de3a
+          description: An id of the owner who created subscription.
+        topic:
+          type: string
+          example: topic/subtopic
+          description: Topic to which the user subscribes.
+        contact:
+          type: string
+          example: user@example.com
+          description: The contact of the user to which the notification will be sent.
+    CreateSubscription:
+      type: object
+      properties:
+        topic:
+          type: string
+          example: topic/subtopic
+          description: Topic to which the user subscribes.
+        contact:
+          type: string
+          example: user@example.com
+          description: The contact of the user to which the notification will be sent.
+    Page:
+      type: object
+      properties:
+        subscriptions:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            $ref: "#/components/schemas/Subscription"
+        total:
+          type: integer
+          description: Total number of items.
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval.
+        limit:
+          type: integer
+          description: Maximum number of items to return in one page.
+
+  parameters:
+    Id:
+      name: id
+      description: Unique identifier.
+      in: path
+      schema:
+        type: string
+        format: ulid
+      required: true
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve.
+      in: query
+      schema:
+        type: integer
+        default: 10
+        maximum: 100
+        minimum: 1
+      required: false
+    Offset:
+      name: offset
+      description: Number of items to skip during retrieval.
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+      required: false
+    Topic:
+      name: topic
+      description: Topic name.
+      in: query
+      schema:
+        type: string
+      required: false
+    Contact:
+      name: contact
+      description: Subscription contact.
+      in: query
+      schema:
+        type: string
+      required: false
+
+  requestBodies:
+    Create:
+      description: JSON-formatted document describing the new subscription to be created
+      required: true
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/CreateSubscription"
+
+  responses:
+    Create:
+      description: Created a new subscription.
+      headers:
+        Location:
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: Created subscription relative URL
+                example: /subscriptions/{id}
+    View:
+      description: View subscription.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/Subscription"
+      links:
+        delete:
+          operationId: removeSubscription
+          parameters:
+            id: $response.body#/id
+    Page:
+      description: Data retrieved.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/Page"
+    ServiceError:
+      description: Unexpected server-side error occurred.
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
+
+security:
+  - bearerAuth: []
@@ -0,0 +1,312 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala reader service
+  description: |
+    HTTP API for reading messages.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9003
+  - url: https://localhost:9003
+  - url: http://localhost:9005
+  - url: https://localhost:9005
+  - url: http://localhost:9009
+  - url: https://localhost:9009
+  - url: http://localhost:9011
+  - url: https://localhost:9011
+
+tags:
+  - name: readers
+    description: Everything about your Readers
+    externalDocs:
+      description: Find out more about readers
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/channels/{chanId}/messages:
+    get:
+      operationId: getMessages
+      summary: Retrieves messages sent to single channel
+      description: |
+        Retrieves a list of messages sent to specific channel. Due to
+        performance concerns, data is retrieved in subsets. The API readers must
+        ensure that the entire dataset is consumed either by making subsequent
+        requests, or by increasing the subset size of the initial request.
+      tags:
+        - readers
+      parameters:
+        - $ref: "#/components/parameters/DomainID"
+        - $ref: "#/components/parameters/ChanId"
+        - $ref: "#/components/parameters/Limit"
+        - $ref: "#/components/parameters/Offset"
+        - $ref: "#/components/parameters/Publisher"
+        - $ref: "#/components/parameters/Name"
+        - $ref: "#/components/parameters/Value"
+        - $ref: "#/components/parameters/BoolValue"
+        - $ref: "#/components/parameters/StringValue"
+        - $ref: "#/components/parameters/DataValue"
+        - $ref: "#/components/parameters/From"
+        - $ref: "#/components/parameters/To"
+        - $ref: "#/components/parameters/Aggregation"
+        - $ref: "#/components/parameters/Interval"
+      responses:
+        "200":
+          $ref: "#/components/responses/MessagesPageRes"
+        "400":
+          description: Failed due to malformed query parameters.
+        "401":
+          description: Missing or invalid access token provided.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+  /health:
+    get:
+      operationId: health
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    MessagesPage:
+      type: object
+      properties:
+        total:
+          type: number
+          description: Total number of items that are present on the system.
+        offset:
+          type: number
+          description: Number of items that were skipped during retrieval.
+        limit:
+          type: number
+          description: Size of the subset that was retrieved.
+        messages:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            type: object
+            properties:
+              channel:
+                type: integer
+                description: Unique channel id.
+              publisher:
+                type: integer
+                description: Unique publisher id.
+              protocol:
+                type: string
+                description: Protocol name.
+              name:
+                type: string
+                description: Measured parameter name.
+              unit:
+                type: string
+                description: Value unit.
+              value:
+                type: number
+                description: Measured value in number.
+              stringValue:
+                type: string
+                description: Measured value in string format.
+              boolValue:
+                type: boolean
+                description: Measured value in boolean format.
+              dataValue:
+                type: string
+                description: Measured value in binary format.
+              valueSum:
+                type: number
+                description: Sum value.
+              time:
+                type: number
+                description: Time of measurement.
+              updateTime:
+                type: number
+                description: Time of updating measurement.
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Unique domain identifier.
+      in: path
+      schema:
+        type: string
+        format: uuid
+      required: true
+    ChanId:
+      name: chanId
+      description: Unique channel identifier.
+      in: path
+      schema:
+        type: string
+        format: uuid
+      required: true
+    Limit:
+      name: limit
+      description: Size of the subset to retrieve.
+      in: query
+      schema:
+        type: integer
+        default: 10
+        maximum: 100
+        minimum: 1
+      required: false
+    Offset:
+      name: offset
+      description: Number of items to skip during retrieval.
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+      required: false
+    Publisher:
+      name: Publisher
+      description: Unique thing identifier.
+      in: query
+      schema:
+        type: string
+        format: uuid
+      required: false
+    Name:
+      name: name
+      description: SenML message name.
+      in: query
+      schema:
+        type: string
+      required: false
+    Value:
+      name: v
+      description: SenML message value.
+      in: query
+      schema:
+        type: string
+      required: false
+    BoolValue:
+      name: vb
+      description: SenML message bool value.
+      in: query
+      schema:
+        type: boolean
+      required: false
+    StringValue:
+      name: vs
+      description: SenML message string value.
+      in: query
+      schema:
+        type: string
+      required: false
+    DataValue:
+      name: vd
+      description: SenML message data value.
+      in: query
+      schema:
+        type: string
+      required: false
+    Comparator:
+      name: comparator
+      description: Value comparison operator.
+      in: query
+      schema:
+        type: string
+        default: eq
+        enum:
+          - eq
+          - lt
+          - le
+          - gt
+          - ge
+      required: false
+    From:
+      name: from
+      description: SenML message time in nanoseconds (integer part represents seconds).
+      in: query
+      schema:
+        type: number
+      example: 1709218556069
+      required: false
+    To:
+      name: to
+      description: SenML message time in nanoseconds (integer part represents seconds).
+      in: query
+      schema:
+        type: number
+      example: 1709218757503
+      required: false
+    Aggregation:
+      name: aggregation
+      description: Aggregation function.
+      in: query
+      schema:
+        type: string
+        enum:
+          - MAX
+          - AVG
+          - MIN
+          - SUM
+          - COUNT
+          - max
+          - min
+          - sum
+          - avg
+          - count
+      example: MAX
+      required: false
+    Interval:
+      name: interval
+      description: Aggregation interval.
+      in: query
+      schema:
+        type: string
+      example: 10s
+      required: false
+
+  responses:
+    MessagesPageRes:
+      description: Data retrieved.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/MessagesPage"
+    ServiceError:
+      description: Unexpected server-side error occurred.
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
+
+    thingAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: uuid
+      description: |
+        * Things access: "Authorization: Thing <thing_key>"
+
+security:
+  - bearerAuth: []
+  - thingAuth: []
@@ -0,0 +1,553 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Reports Service API
+  description: |
+    HTTP API for managing reports service.
+  version: 0.18.5
+servers:
+  - url: http://localhost:9017
+tags:
+  - name: reports
+    description: Operations related to report configurations and generation
+paths:
+  /{domainID}/reports:
+    post:
+      operationId: generateReport
+      summary: Generate a report
+      description: Generates a report based on the provided configuration or an existing config. The action determines the response format.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/GenerateReportRequest'
+      responses:
+        '200':
+          description: Report generated successfully (content varies by action)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenerateReportResponse'
+            application/octet-stream:
+              schema:
+                type: string
+                format: binary
+        '400':
+          description: Invalid request parameters
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs:
+    post:
+      operationId: addReportConfig
+      summary: Create a report configuration
+      description: Creates a new report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AddReportConfigRequest'
+      responses:
+        '201':
+          description: Report configuration created
+          headers:
+            Location:
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid request body
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    get:
+      operationId: listReportConfigs
+      summary: List report configurations
+      description: Retrieves a paginated list of report configurations.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: List of report configurations
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ListReportsConfigResponse'
+        '400':
+          description: Invalid query parameters
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}:
+    get:
+      operationId: viewReportConfig
+      summary: View a report configuration
+      description: Retrieves details of a specific report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration details
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '404':
+          description: Report configuration not found
+        '401':
+          description: Missing or invalid access token
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    patch:
+      operationId: updateReportConfig
+      summary: Update a report configuration
+      description: Updates specified fields of a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UpdateReportConfigRequest'
+      responses:
+        '200':
+          description: Report configuration updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid request body
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+    delete:
+      operationId: deleteReportConfig
+      summary: Delete a report configuration
+      description: Permanently deletes a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Report configuration deleted
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/schedule:
+    patch:
+      operationId: updateReportSchedule
+      summary: Update report schedule
+      description: Updates the schedule of a report configuration.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Schedule'
+      responses:
+        '200':
+          description: Schedule updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '400':
+          description: Invalid schedule
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/enable:
+    post:
+      operationId: enableReportConfig
+      summary: Enable a report configuration
+      description: Enables a report configuration to generate scheduled reports.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration enabled
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /{domainID}/reports/configs/{reportID}/disable:
+    post:
+      operationId: disableReportConfig
+      summary: Disable a report configuration
+      description: Disables a report configuration, stopping scheduled reports.
+      tags:
+        - reports
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/ReportID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Report configuration disabled
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportConfig'
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Report configuration not found
+        '500':
+          $ref: '#/components/responses/ServiceError'
+
+  /health:
+    get:
+      summary: Service health check
+      tags:
+        - health
+      responses:
+        '200':
+          $ref: '#/components/responses/HealthRes'
+
+components:
+  schemas:
+    ReportConfig:
+      type: object
+      properties:
+        id:
+          type: string
+          readOnly: true
+        name:
+          type: string
+        description:
+          type: string
+        domain_id:
+          type: string
+          readOnly: true
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+        created_at:
+          type: string
+          format: date-time
+          readOnly: true
+        created_by:
+          type: string
+          readOnly: true
+        updated_at:
+          type: string
+          format: date-time
+          readOnly: true
+        updated_by:
+          type: string
+          readOnly: true
+      required:
+        - name
+        - metrics
+        - config
+
+    Schedule:
+      type: object
+      properties:
+        recurring:
+          type: string
+          enum: [None, Daily, Weekly, Monthly]
+        recurring_period:
+          type: integer
+          minimum: 1
+        start_time:
+          type: string
+          format: date-time
+        next_run:
+          type: string
+          format: date-time
+          readOnly: true
+
+    MetricConfig:
+      type: object
+      properties:
+        title:
+          type: string
+          maxLength: 100
+        format:
+          type: string
+          enum: [pdf, csv, html]
+        aggregation:
+          $ref: '#/components/schemas/AggConfig'
+
+    AggConfig:
+      type: object
+      properties:
+        window:
+          type: string
+        function:
+          type: string
+          enum: [sum, average, max, min]
+
+    EmailSetting:
+      type: object
+      properties:
+        recipients:
+          type: array
+          items:
+            type: string
+            format: email
+        subject:
+          type: string
+        body_template:
+          type: string
+      required:
+        - recipients
+        - subject
+
+    ReqMetric:
+      type: object
+      properties:
+        name:
+          type: string
+        type:
+          type: string
+          enum: [gauge, counter, histogram]
+        parameters:
+          type: object
+      required:
+        - name
+        - type
+
+    Status:
+      type: string
+      enum: [enabled, disabled]
+
+    GenerateReportRequest:
+      type: object
+      properties:
+        action:
+          type: string
+          enum: [view, download, email]
+        config_id:
+          type: string
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+      required:
+        - action
+
+    GenerateReportResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+        from:
+          type: string
+          format: date-time
+        to:
+          type: string
+          format: date-time
+        aggregation:
+          $ref: '#/components/schemas/AggConfig'
+        reports:
+          type: array
+          items:
+            $ref: '#/components/schemas/Report'
+
+    Report:
+      type: object
+      properties:
+        timestamp:
+          type: string
+          format: date-time
+        value:
+          type: number
+        metric_name:
+          type: string
+
+    AddReportConfigRequest:
+      type: object
+      properties:
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+      required:
+        - name
+        - metrics
+        - config
+
+    UpdateReportConfigRequest:
+      type: object
+      properties:
+        name:
+          type: string
+        description:
+          type: string
+        schedule:
+          $ref: '#/components/schemas/Schedule'
+        config:
+          $ref: '#/components/schemas/MetricConfig'
+        email:
+          $ref: '#/components/schemas/EmailSetting'
+        metrics:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReqMetric'
+        status:
+          $ref: '#/components/schemas/Status'
+
+    ListReportsConfigResponse:
+      type: object
+      properties:
+        total:
+          type: integer
+        offset:
+          type: integer
+        limit:
+          type: integer
+        report_configs:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReportConfig'
+
+  parameters:
+    DomainID:
+      name: domainID
+      in: path
+      required: true
+      schema:
+        type: string
+    ReportID:
+      name: reportID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      in: query
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      in: query
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+        maximum: 100
+
+  responses:
+    ServiceError:
+      description: Unexpected server error
+    HealthRes:
+      description: Service Health Check.
+      content:
+        application/health+json:
+          schema:
+            $ref: './schemas/health_info.yaml'
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
@@ -0,0 +1,586 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.1
+info:
+  title: Magistrala Rules Engine API
+  description: |
+    HTTP API for managing rules engine service.
+    Some useful links:
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
+  contact:
+    email: info@absmach.eu
+  license:
+    name: Apache 2.0
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
+  version: 0.18.5
+
+servers:
+  - url: http://localhost:9008
+  - url: http://localhost:9008
+
+tags:
+  - name: rules engine
+    description: Everything about your Rules Engine
+    externalDocs:
+      description: Find out more about rules engine
+      url: https://magistrala.absmach.eu/docs/
+
+paths:
+  /{domainID}/rules:
+    post:
+      operationId: createRule
+      summary: Create Rule
+      description: |
+        Creates a new rule for message processing
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/RuleCreateReq'
+      responses:
+        '201':
+          $ref: '#/components/responses/RuleCreateRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '415':
+          description: Missing or invalid content type
+        "500":
+          $ref: "#/components/responses/ServiceError"
+        "503":
+          description: Failed to receive response from the clients service.
+    get:
+      operationId: getRules
+      summary: List Rules
+      description: |
+        Retrieves a list of rules with optional filtering
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/Offset'
+        - $ref: '#/components/parameters/Limit' 
+        - $ref: '#/components/parameters/InputChannel'
+        - $ref: '#/components/parameters/OutputChannel'
+        - $ref: '#/components/parameters/Status'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleListRes'
+        '400':
+          description: Failed due to malformed query parameters
+        '401':
+          description: Missing or invalid access token
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}:
+    get:
+      operationId: getRule
+      summary: View Rule
+      description: Retrieves a rule by ID
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleRes'
+        "400":
+          description: Missing or invalid rule
+        "403":
+          description: Failed to perform authorization over the entity
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    put:
+      operationId: updateRule
+      summary: Update Rule
+      description: Updates an existing rule
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: '#/components/requestBodies/RuleUpdateReq'
+      responses:
+        '200':
+          $ref: '#/components/responses/RuleRes'
+        '400':
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        '404':
+          description: Rule does not exist
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+    delete:
+      operationId: removeRule
+      summary: Delete Rule
+      description: Deletes a rule
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '204':
+          description: Rule deleted successfully
+        "400":
+          description: Failed due to malformed rule ID
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}/enable:
+    put:
+      operationId: enableRule
+      summary: Enable Rule
+      description: Enables a rule for processing
+      tags:
+        - rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Rule enabled successfully
+        "400":
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /{domainID}/rules/{ruleID}/disable:
+    put:
+      operationId: disableRule
+      summary: Disable Rule
+      description: Disables a rule from processing
+      tags:
+        - Rules
+      parameters:
+        - $ref: '#/components/parameters/DomainID'
+        - $ref: '#/components/parameters/RuleID'
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Rule disabled successfully
+        "400":
+          description: Failed due to malformed JSON
+        '401':
+          description: Missing or invalid access token
+        "403":
+          description: Failed to perform authorization over the entity
+        '404':
+          description: Rule does not exist
+        "422":
+          description: Database can't process request
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /health:
+    get:
+      summary: Retrieves service health check info.
+      tags:
+        - health
+      security: []
+      responses:
+        "200":
+          $ref: "#/components/responses/HealthRes"
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+components:
+  schemas:
+    RulesListRes:
+      type: object
+      properties:
+        total:
+          type: integer
+          description: Total number of results
+          minimum: 0
+        offset:
+          type: integer
+          description: Number of items to skip during retrieval
+          minimum: 0
+          default: 0
+        limit:
+          type: integer
+          description: Size of the subset to retrieve
+          maximum: 100
+          default: 10
+        rules:
+          type: array
+          minItems: 0
+          uniqueItems: true
+          items:
+            $ref: '#/components/schemas/Rule'
+      required:
+        - rules
+
+    Rule:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Unique rule identifier
+        name:
+          type: string
+          description: Rule name
+        domain:
+          type: string
+          description: Domain ID this rule belongs to
+        metadata:
+          type: object
+          description: Custom metadata
+          additionalProperties:
+            type: string
+        input_channel:
+          type: string
+          description: Input channel for receiving messages
+        input_topic:
+          type: string
+          description: Input topic for receiving messages
+        logic:
+          type: object
+          description: Rule processing logic script
+          properties:
+            script:
+              type: string
+              description: Script content
+        output_channel:
+          type: string
+          description: Output channel for processed messages
+        output_topic:
+          type: string
+          description: Output topic for processed messages
+        schedule:
+          type: object
+          description: Rule execution schedule
+          properties:
+            start_datetime:
+              type: string
+              format: date-time
+              description: When the schedule becomes active
+            time:
+              type: string
+              format: date-time
+              description: Specific time for the rule to run
+            recurring:
+              type: string
+              description: Schedule recurrence pattern
+              enum: [None, Daily, Weekly, Monthly]
+            recurring_period:
+              type: integer
+              minimum: 1
+              description: Controls how many intervals to skip between executions (1 = every interval, 2 = every second interval, etc.)
+        status:
+          type: string
+          description: Rule status
+          enum: [enabled, disabled]
+        created_at:
+          type: string
+          format: date-time
+          description: Creation timestamp
+          readOnly: true
+        created_by:
+          type: string
+          description: User who created the rule
+        updated_at:
+          type: string
+          format: date-time
+          description: Last update timestamp
+          readOnly: true
+        updated_by:
+          type: string
+          description: User who last updated the rule
+      required:
+        - name
+        - domain
+        - input_channel
+        - input_topic
+        - logic
+        - status
+
+  parameters:
+    DomainID:
+      name: domainID
+      description: Domain ID
+      in: path
+      required: true
+      schema:
+        type: string
+    RuleID:
+      name: ruleID
+      description: Rule ID
+      in: path
+      required: true
+      schema:
+        type: string
+    Offset:
+      name: offset
+      description: Number of items to skip
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 0
+        minimum: 0
+    Limit:
+      name: limit
+      description: Size of the subset
+      in: query
+      required: false
+      schema:
+        type: integer
+        default: 10
+        minimum: 1
+    InputChannel:
+      name: input_channel
+      description: Filter by input channel
+      in: query
+      required: false
+      schema:
+        type: string
+    OutputChannel:
+      name: output_channel
+      description: Filter by output channel
+      in: query
+      required: false
+      schema:
+        type: string
+    Status:
+      name: status
+      description: Filter by rule status
+      in: query
+      required: false
+      schema:
+        type: string
+        enum: [enabled, disabled]
+        default: enabled
+
+  requestBodies:
+    RuleCreateReq:
+      description: JSON-formatted document describing the new rule
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+                description: Rule name
+              domain:
+                type: string
+                description: Domain ID this rule belongs to
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties:
+                  type: string
+              input_channel:
+                type: string
+                description: Input channel for receiving messages
+              input_topic:
+                type: string
+                description: Input topic for receiving messages
+              logic:
+                type: object
+                description: Rule processing logic script
+                properties:
+                  script:
+                    type: string
+                    description: Script content
+              output_channel:
+                type: string
+                description: Output channel for processed messages
+              output_topic:
+                type: string
+                description: Output topic for processed messages
+              schedule:
+                type: object
+                description: Rule execution schedule
+                properties:
+                  start_datetime:
+                    type: string
+                    format: date-time
+                    description: When the schedule becomes active
+                  time:
+                    type: string
+                    format: date-time
+                    description: Specific time for the rule to run
+                  recurring:
+                    type: string
+                    description: Schedule recurrence pattern
+                    enum: [None, Daily, Weekly, Monthly]
+                  recurring_period:
+                    type: integer
+                    minimum: 1
+                    description: Controls how many intervals to skip between executions
+              status:
+                type: string
+                description: Rule status
+                enum: [enabled, disabled]
+            required:
+              - name
+              - domain
+              - input_channel
+              - input_topic
+              - logic
+              - schedule
+    RuleUpdateReq:
+      description: JSON-formatted document describing the rule update
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+                description: Rule name
+              metadata:
+                type: object
+                description: Custom metadata
+                additionalProperties:
+                  type: string
+              input_channel:
+                type: string
+                description: Input channel for receiving messages
+              input_topic:
+                type: string
+                description: Input topic for receiving messages
+              logic:
+                type: object
+                description: Rule processing logic script
+                properties:
+                  script:
+                    type: string
+                    description: Script content
+              output_channel:
+                type: string
+                description: Output channel for processed messages
+              output_topic:
+                type: string
+                description: Output topic for processed messages
+              schedule:
+                type: object
+                description: Rule execution schedule
+                properties:
+                  start_datetime:
+                    type: string
+                    format: date-time
+                    description: When the schedule becomes active
+                  time:
+                    type: string
+                    format: date-time
+                    description: Specific time for the rule to run
+                  recurring:
+                    type: string
+                    description: Schedule recurrence pattern
+                    enum: [None, Daily, Weekly, Monthly]
+                  recurring_period:
+                    type: integer
+                    minimum: 1
+                    description: Controls how many intervals to skip between executions
+              status:
+                type: string
+                description: Rule status
+                enum: [enabled, disabled]
+
+  responses:
+    RuleCreateRes:
+      description: Rule registered
+      headers:
+        Location:
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: Created rule's relative URL (i.e. /rules/{ruleID})
+    RuleListRes:
+      description: Data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/RulesListRes'
+    RuleRes:
+      description: Data retrieved
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/Rule'
+      links:
+        update:
+          operationId: updateRule
+          parameters:
+            ruleID: $response.body#/id
+        enable:
+          operationId: enableRule
+          parameters:
+            ruleID: $response.body#/id
+        disable:
+          operationId: disableRule
+          parameters:
+            ruleID: $response.body#/id
+        delete:
+          operationId: removeRule
+          parameters:
+            ruleID: $response.body#/id
+    ServiceError:
+      description: Unexpected server-side error occurred
+    HealthRes:
+      description: Service Health Check
+      content:
+        application/health+json:
+          schema:
+            $ref: "./schemas/health_info.yaml"
+
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: |
+        * Users access: "Authorization: Bearer <user_token>"
@@ -3,16 +3,16 @@

 openapi: 3.0.3
 info:
-  title: SuperMQ Users Service
+  title: Magistrala Users Service
  description: |
    This is the Users Server based on the OpenAPI 3.0 specification.  It is the HTTP API for managing platform users. You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    Some useful links:
-    - [The SuperMQ repository](https://github.com/absmach/supermq)
+    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
    email: info@absmach.eu
  license:
    name: Apache 2.0
-    url: https://github.com/absmach/supermq/blob/main/LICENSE
+    url: https://github.com/absmach/magistrala/blob/main/LICENSE
  version: 0.18.0

 servers:
@@ -24,12 +24,12 @@ tags:
    description: Everything about your Users
    externalDocs:
      description: Find out more about users
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/
  - name: Health
    description: Health check operations
    externalDocs:
      description: Find out more about health checks
-      url: https://docs.supermq.absmach.eu/
+      url: https://magistrala.absmach.eu/docs/

 paths:
  /users:
@@ -83,8 +83,10 @@ paths:
        - $ref: "#/components/parameters/LastName"
        - $ref: "#/components/parameters/Username"
        - $ref: "#/components/parameters/Email"
-        - $ref: "#/components/parameters/Tag"
+        - $ref: "#/components/parameters/Tags"
        - $ref: "#/components/parameters/OnlyTotal"
+        - $ref: "#/components/parameters/CreatedFrom"
+        - $ref: "#/components/parameters/CreatedTo"
      security:
        - bearerAuth: []
      responses:
@@ -610,6 +612,57 @@ paths:
        "500":
          $ref: "#/components/responses/ServiceError"

+  /users/tokens/revoke:
+    post:
+      operationId: revokeRefreshToken
+      summary: Revoke Refresh Token
+      description: |
+        Revokes a specific refresh token by its ID. This invalidates the
+        refresh token so it can no longer be used to obtain new access tokens.
+      tags:
+        - Users
+      security:
+        - bearerAuth: []
+      requestBody:
+        $ref: "#/components/requestBodies/RevokeRefreshTokenReq"
+      responses:
+        "204":
+          description: Refresh token revoked successfully.
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "404":
+          description: A non-existent entity request.
+        "415":
+          description: Missing or invalid content type.
+        "422":
+          description: Database can't process request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
+  /users/tokens/refresh-tokens:
+    get:
+      operationId: listActiveRefreshTokens
+      summary: List Active Refresh Tokens
+      description: |
+        Lists all active refresh token sessions for the currently authenticated user.
+      tags:
+        - Users
+      security:
+        - bearerAuth: []
+      responses:
+        "200":
+          $ref: "#/components/responses/RefreshTokensPageRes"
+        "400":
+          description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.
+        "404":
+          description: A non-existent entity request.
+        "500":
+          $ref: "#/components/responses/ServiceError"
+
  /users/send-verification:
    post:
      operationId: sendVerification
@@ -762,7 +815,7 @@ components:
          description: User tags.
        email:
          type: string
-          example: "john.doe@supermq.com"
+          example: "john.doe@magistrala.com"
          description: User email for example email address.
        credentials:
          type: object
@@ -819,7 +872,7 @@ components:
          description: User's last name.
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User's email address.
        tags:
          type: array
@@ -934,7 +987,7 @@ components:
      properties:
        email:
          type: string
-          example: user@supermq.com
+          example: user@magistrala.com
          description: User email address.
      required:
        - email
@@ -1042,6 +1095,30 @@ components:
        - username
        - password

+    RefreshToken:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+          example: "bb7edb32-2eac-4aad-aebe-ed96fe073879"
+          description: Unique identifier of the refresh token.
+        description:
+          type: string
+          example: "Chrome browser session"
+          description: Description of the refresh token session.
+
+    RefreshTokensPage:
+      type: object
+      properties:
+        refresh_tokens:
+          type: array
+          items:
+            $ref: "#/components/schemas/RefreshToken"
+          description: List of active refresh tokens.
+      required:
+        - refresh_tokens
+
    Error:
      type: object
      properties:
@@ -1145,14 +1222,14 @@ components:
      required: false
      example: enabled

-    Tag:
-      name: tag
-      description: User tag.
+    Tags:
+      name: tags
+      description: User tags. Multiple tags can be specified separated by comma for OR condition and plus for AND condition.
      in: query
      schema:
        type: string
      required: false
-      example: "orange"
+      example: "orange,yellow"

    GroupName:
      name: name
@@ -1328,6 +1405,26 @@ components:
        default: false
      required: false

+    CreatedFrom:
+      name: created_from
+      description: Filter users created from this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-01-01T00:00:00Z"
+
+    CreatedTo:
+      name: created_to
+      description: Filter users created up to this date (inclusive).
+      in: query
+      schema:
+        type: string
+        format: date-time
+      required: false
+      example: "2023-12-31T23:59:59Z"
+
    VerificationToken:
      name: token
      description: Verification token.
@@ -1463,6 +1560,22 @@ components:
                format: jwt
                description: Reset token generated and sent in email.

+    RevokeRefreshTokenReq:
+      description: JSON-formatted document describing the refresh token to revoke.
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              token_id:
+                type: string
+                format: uuid
+                example: "bb7edb32-2eac-4aad-aebe-ed96fe073879"
+                description: The unique identifier of the refresh token to revoke.
+            required:
+              - token_id
+
    PasswordChange:
      description: Password change data. User can change its password.
      required: true
@@ -1574,6 +1687,13 @@ components:
                example: access
                description: User access token type.

+    RefreshTokensPageRes:
+      description: List of active refresh tokens for the authenticated user.
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/RefreshTokensPage"
+
    HealthRes:
      description: Service Health Check.
      content:
@@ -8,7 +8,7 @@ User service is using Auth service gRPC API to obtain login token or password re

 - ID - key ID
 - Type - one of the three types described below
- IssuerID - an ID of the SuperMQ User who issued the key
+- IssuerID - an ID of the Magistrala User who issued the key
 - Subject - user ID for which the key is issued
 - IssuedAt - the timestamp when the key is issued
 - ExpiresAt - the timestamp after which the key is invalid
@@ -29,7 +29,7 @@ API keys are similar to the User keys. The main difference is that API keys have

 Recovery key is the password recovery key. It's short-lived token used for password recovery process.

-For in-depth explanation of the aforementioned scenarios, as well as thorough understanding of SuperMQ, please check out the [official documentation][doc].
+For in-depth explanation of the aforementioned scenarios, as well as thorough understanding of Magistrala, please check out the [official documentation][doc].

 The following actions are supported:

@@ -59,63 +59,63 @@ Domain consists of the following fields:

 The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

-| Variable | Description | Default |
-| :--- | :--- | :--- |
-| `SMQ_AUTH_LOG_LEVEL` | Log level for the Auth service (debug, info, warn, error) | info |
-| `SMQ_AUTH_DB_HOST` | Database host address | localhost |
-| `SMQ_AUTH_DB_PORT` | Database host port | 5432 |
-| `SMQ_AUTH_DB_USER` | Database user | supermq |
-| `SMQ_AUTH_DB_PASSWORD` | Database password | supermq |
-| `SMQ_AUTH_DB_NAME` | Name of the database used by the service | auth |
-| `SMQ_AUTH_DB_SSL_MODE` | Database connection SSL mode (disable, require, verify-ca, verify-full) | disable |
-| `SMQ_AUTH_DB_SSL_CERT` | Path to the PEM encoded certificate file | "" |
-| `SMQ_AUTH_DB_SSL_KEY` | Path to the PEM encoded key file | "" |
-| `SMQ_AUTH_DB_SSL_ROOT_CERT` | Path to the PEM encoded root certificate file | "" |
-| `SMQ_AUTH_HTTP_HOST` | Auth service HTTP host | "" |
-| `SMQ_AUTH_HTTP_PORT` | Auth service HTTP port | 8189 |
-| `SMQ_AUTH_HTTP_SERVER_CERT` | Path to the PEM encoded HTTP server certificate file | "" |
-| `SMQ_AUTH_HTTP_SERVER_KEY` | Path to the PEM encoded HTTP server key file | "" |
-| `SMQ_AUTH_GRPC_HOST` | Auth service gRPC host | "" |
-| `SMQ_AUTH_GRPC_PORT` | Auth service gRPC port | 8181 |
-| `SMQ_AUTH_GRPC_SERVER_CERT` | Path to the PEM encoded gRPC server certificate file | "" |
-| `SMQ_AUTH_GRPC_SERVER_KEY` | Path to the PEM encoded gRPC server key file | "" |
-| `SMQ_AUTH_GRPC_SERVER_CA_CERTS` | Path to the PEM encoded gRPC server CA certificate file | "" |
-| `SMQ_AUTH_GRPC_CLIENT_CA_CERTS` | Path to the PEM encoded gRPC client CA certificate file | "" |
-| `SMQ_AUTH_SECRET_KEY` | String used for signing tokens | secret |
-| `SMQ_AUTH_ACCESS_TOKEN_DURATION` | The access token expiration period | 1h |
-| `SMQ_AUTH_REFRESH_TOKEN_DURATION` | The refresh token expiration period | 24h |
-| `SMQ_AUTH_INVITATION_DURATION` | The invitation token expiration period | 168h |
-| `SMQ_AUTH_CACHE_URL` | Redis URL for caching PAT scopes | redis://localhost:6379/0 |
-| `SMQ_AUTH_CACHE_KEY_DURATION` | Duration for which PAT scope cache keys are valid | 10m |
-| `SMQ_SPICEDB_HOST` | SpiceDB host address | localhost |
-| `SMQ_SPICEDB_PORT` | SpiceDB host port | 50051 |
-| `SMQ_SPICEDB_PRE_SHARED_KEY` | SpiceDB pre-shared key | 12345678 |
-| `SMQ_SPICEDB_SCHEMA_FILE` | Path to SpiceDB schema file | ./docker/spicedb/schema.zed |
-| `SMQ_JAEGER_URL` | Jaeger server URL | <http://jaeger:4318/v1/traces> |
-| `SMQ_JAEGER_TRACE_RATIO` | Jaeger sampling ratio | 1.0 |
-| `SMQ_SEND_TELEMETRY` | Send telemetry to supermq call home server | true |
-| `SMQ_ADAPTER_INSTANCE_ID` | Adapter instance ID | "" |
-| `SMQ_CALLOUT_URLS` | Comma-separated list of callout URLs | "" |
-| `SMQ_CALLOUT_METHOD` | Callout method | POST |
-| `SMQ_CALLOUT_TLS_VERIFICATION` | Enable TLS verification for callouts | true |
-| `SMQ_CALLOUT_TIMEOUT` | Callout timeout | 10s |
-| `SMQ_CALLOUT_CA_CERT` | Path to CA certificate file | "" |
-| `SMQ_CALLOUT_CERT` | Path to client certificate file | "" |
-| `SMQ_CALLOUT_KEY` | Path to client key file | "" |
-| `SMQ_CALLOUT_OPERATIONS` | Invoke callout if the authorization permission matches any of the given permissions. | "" |
+| Variable                         | Description                                                                          | Default                        |
+| :------------------------------- | :----------------------------------------------------------------------------------- | :----------------------------- |
+| `MG_AUTH_LOG_LEVEL`              | Log level for the Auth service (debug, info, warn, error)                            | info                           |
+| `MG_AUTH_DB_HOST`                | Database host address                                                                | localhost                      |
+| `MG_AUTH_DB_PORT`                | Database host port                                                                   | 5432                           |
+| `MG_AUTH_DB_USER`                | Database user                                                                        | magistrala                     |
+| `MG_AUTH_DB_PASSWORD`            | Database password                                                                    | magistrala                     |
+| `MG_AUTH_DB_NAME`                | Name of the database used by the service                                             | auth                           |
+| `MG_AUTH_DB_SSL_MODE`            | Database connection SSL mode (disable, require, verify-ca, verify-full)              | disable                        |
+| `MG_AUTH_DB_SSL_CERT`            | Path to the PEM encoded certificate file                                             | ""                             |
+| `MG_AUTH_DB_SSL_KEY`             | Path to the PEM encoded key file                                                     | ""                             |
+| `MG_AUTH_DB_SSL_ROOT_CERT`       | Path to the PEM encoded root certificate file                                        | ""                             |
+| `MG_AUTH_HTTP_HOST`              | Auth service HTTP host                                                               | ""                             |
+| `MG_AUTH_HTTP_PORT`              | Auth service HTTP port                                                               | 8189                           |
+| `MG_AUTH_HTTP_SERVER_CERT`       | Path to the PEM encoded HTTP server certificate file                                 | ""                             |
+| `MG_AUTH_HTTP_SERVER_KEY`        | Path to the PEM encoded HTTP server key file                                         | ""                             |
+| `MG_AUTH_GRPC_HOST`              | Auth service gRPC host                                                               | ""                             |
+| `MG_AUTH_GRPC_PORT`              | Auth service gRPC port                                                               | 8181                           |
+| `MG_AUTH_GRPC_SERVER_CERT`       | Path to the PEM encoded gRPC server certificate file                                 | ""                             |
+| `MG_AUTH_GRPC_SERVER_KEY`        | Path to the PEM encoded gRPC server key file                                         | ""                             |
+| `MG_AUTH_GRPC_SERVER_CA_CERTS`   | Path to the PEM encoded gRPC server CA certificate file                              | ""                             |
+| `MG_AUTH_GRPC_CLIENT_CA_CERTS`   | Path to the PEM encoded gRPC client CA certificate file                              | ""                             |
+| `MG_AUTH_SECRET_KEY`             | String used for signing tokens                                                       | secret                         |
+| `MG_AUTH_ACCESS_TOKEN_DURATION`  | The access token expiration period                                                   | 1h                             |
+| `MG_AUTH_REFRESH_TOKEN_DURATION` | The refresh token expiration period                                                  | 24h                            |
+| `MG_AUTH_INVITATION_DURATION`    | The invitation token expiration period                                               | 168h                           |
+| `MG_AUTH_CACHE_URL`              | Redis URL for caching PAT scopes                                                     | redis://localhost:6379/0       |
+| `MG_AUTH_CACHE_KEY_DURATION`     | Duration for which PAT scope cache keys are valid                                    | 10m                            |
+| `MG_SPICEDB_HOST`                | SpiceDB host address                                                                 | localhost                      |
+| `MG_SPICEDB_PORT`                | SpiceDB host port                                                                    | 50051                          |
+| `MG_SPICEDB_PRE_SHARED_KEY`      | SpiceDB pre-shared key                                                               | 12345678                       |
+| `MG_SPICEDB_SCHEMA_FILE`         | Path to SpiceDB schema file                                                          | ./docker/spicedb/schema.zed    |
+| `MG_JAEGER_URL`                  | Jaeger server URL                                                                    | <http://jaeger:4318/v1/traces> |
+| `MG_JAEGER_TRACE_RATIO`          | Jaeger sampling ratio                                                                | 1.0                            |
+| `MG_SEND_TELEMETRY`              | Send telemetry to magistrala call home server                                        | true                           |
+| `MG_ADAPTER_INSTANCE_ID`         | Adapter instance ID                                                                  | ""                             |
+| `MG_CALLOUT_URLS`                | Comma-separated list of callout URLs                                                 | ""                             |
+| `MG_CALLOUT_METHOD`              | Callout method                                                                       | POST                           |
+| `MG_CALLOUT_TLS_VERIFICATION`    | Enable TLS verification for callouts                                                 | true                           |
+| `MG_CALLOUT_TIMEOUT`             | Callout timeout                                                                      | 10s                            |
+| `MG_CALLOUT_CA_CERT`             | Path to CA certificate file                                                          | ""                             |
+| `MG_CALLOUT_CERT`                | Path to client certificate file                                                      | ""                             |
+| `MG_CALLOUT_KEY`                 | Path to client key file                                                              | ""                             |
+| `MG_CALLOUT_OPERATIONS`          | Invoke callout if the authorization permission matches any of the given permissions. | ""                             |

 ## Deployment

-The service itself is distributed as Docker container. Check the [`auth`](https://github.com/absmach/supermq/blob/main/docker/docker-compose.yaml) service section in docker-compose file to see how service is deployed.
+The service itself is distributed as Docker container. Check the [`auth`](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) service section in docker-compose file to see how service is deployed.

 Running this service outside of container requires working instance of the postgres database, SpiceDB, and Jaeger server.
 To start the service outside of the container, execute the following shell script:

 ```bash
 # download the latest version of the service
-git clone https://github.com/absmach/supermq
+git clone https://github.com/absmach/magistrala

-cd supermq
+cd magistrala

 # compile the service
 make auth
@@ -124,54 +124,54 @@ make auth
 make install

 # set the environment variables and run the service
-SMQ_AUTH_LOG_LEVEL=info \
-SMQ_AUTH_DB_HOST=localhost \
-SMQ_AUTH_DB_PORT=5432 \
-SMQ_AUTH_DB_USER=supermq \
-SMQ_AUTH_DB_PASSWORD=supermq \
-SMQ_AUTH_DB_NAME=auth \
-SMQ_AUTH_DB_SSL_MODE=disable \
-SMQ_AUTH_DB_SSL_CERT="" \
-SMQ_AUTH_DB_SSL_KEY="" \
-SMQ_AUTH_DB_SSL_ROOT_CERT="" \
-SMQ_AUTH_HTTP_HOST=localhost \
-SMQ_AUTH_HTTP_PORT=8189 \
-SMQ_AUTH_HTTP_SERVER_CERT="" \
-SMQ_AUTH_HTTP_SERVER_KEY="" \
-SMQ_AUTH_GRPC_HOST=localhost \
-SMQ_AUTH_GRPC_PORT=8181 \
-SMQ_AUTH_GRPC_SERVER_CERT="" \
-SMQ_AUTH_GRPC_SERVER_KEY="" \
-SMQ_AUTH_GRPC_SERVER_CA_CERTS="" \
-SMQ_AUTH_GRPC_CLIENT_CA_CERTS="" \
-SMQ_AUTH_SECRET_KEY=secret \
-SMQ_AUTH_ACCESS_TOKEN_DURATION=1h \
-SMQ_AUTH_REFRESH_TOKEN_DURATION=24h \
-SMQ_AUTH_INVITATION_DURATION=168h \
-SMQ_SPICEDB_HOST=localhost \
-SMQ_SPICEDB_PORT=50051 \
-SMQ_SPICEDB_PRE_SHARED_KEY=12345678 \
-SMQ_SPICEDB_SCHEMA_FILE=./docker/spicedb/schema.zed \
-SMQ_JAEGER_URL=http://localhost:14268/api/traces \
-SMQ_JAEGER_TRACE_RATIO=1.0 \
-SMQ_SEND_TELEMETRY=true \
-SMQ_AUTH_ADAPTER_INSTANCE_ID="" \
-SMQ_CALLOUT_URLS="" \
-SMQ_CALLOUT_METHOD="POST" \
-SMQ_CALLOUT_TLS_VERIFICATION=true \
-$GOBIN/supermq-auth
+MG_AUTH_LOG_LEVEL=info \
+MG_AUTH_DB_HOST=localhost \
+MG_AUTH_DB_PORT=5432 \
+MG_AUTH_DB_USER=magistrala \
+MG_AUTH_DB_PASSWORD=magistrala \
+MG_AUTH_DB_NAME=auth \
+MG_AUTH_DB_SSL_MODE=disable \
+MG_AUTH_DB_SSL_CERT="" \
+MG_AUTH_DB_SSL_KEY="" \
+MG_AUTH_DB_SSL_ROOT_CERT="" \
+MG_AUTH_HTTP_HOST=localhost \
+MG_AUTH_HTTP_PORT=8189 \
+MG_AUTH_HTTP_SERVER_CERT="" \
+MG_AUTH_HTTP_SERVER_KEY="" \
+MG_AUTH_GRPC_HOST=localhost \
+MG_AUTH_GRPC_PORT=8181 \
+MG_AUTH_GRPC_SERVER_CERT="" \
+MG_AUTH_GRPC_SERVER_KEY="" \
+MG_AUTH_GRPC_SERVER_CA_CERTS="" \
+MG_AUTH_GRPC_CLIENT_CA_CERTS="" \
+MG_AUTH_SECRET_KEY=secret \
+MG_AUTH_ACCESS_TOKEN_DURATION=1h \
+MG_AUTH_REFRESH_TOKEN_DURATION=24h \
+MG_AUTH_INVITATION_DURATION=168h \
+MG_SPICEDB_HOST=localhost \
+MG_SPICEDB_PORT=50051 \
+MG_SPICEDB_PRE_SHARED_KEY=12345678 \
+MG_SPICEDB_SCHEMA_FILE=./docker/spicedb/schema.zed \
+MG_JAEGER_URL=http://localhost:14268/api/traces \
+MG_JAEGER_TRACE_RATIO=1.0 \
+MG_SEND_TELEMETRY=true \
+MG_AUTH_ADAPTER_INSTANCE_ID="" \
+MG_CALLOUT_URLS="" \
+MG_CALLOUT_METHOD="POST" \
+MG_CALLOUT_TLS_VERIFICATION=true \
+$GOBIN/magistrala-auth
 ```

-Setting `SMQ_AUTH_HTTP_SERVER_CERT` and `SMQ_AUTH_HTTP_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key.
-Setting `SMQ_AUTH_GRPC_SERVER_CERT` and `SMQ_AUTH_GRPC_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key. Setting `SMQ_AUTH_GRPC_SERVER_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs. Setting `SMQ_AUTH_GRPC_CLIENT_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs.
+Setting `MG_AUTH_HTTP_SERVER_CERT` and `MG_AUTH_HTTP_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key.
+Setting `MG_AUTH_GRPC_SERVER_CERT` and `MG_AUTH_GRPC_SERVER_KEY` will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key. Setting `MG_AUTH_GRPC_SERVER_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs. Setting `MG_AUTH_GRPC_CLIENT_CA_CERTS` will enable TLS against the service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs.

 ## Personal Access Tokens (PATs)

-Personal Access Tokens (PATs) provide a secure way to authenticate with SuperMQ APIs without using your primary credentials. They are particularly useful for automation, CI/CD pipelines, and integrating with third-party services.
+Personal Access Tokens (PATs) provide a secure way to authenticate with Magistrala APIs without using your primary credentials. They are particularly useful for automation, CI/CD pipelines, and integrating with third-party services.

 ### Overview

-PATs in SuperMQ are designed with the following features:
+PATs in Magistrala are designed with the following features:

 - **Scoped Access**: Each token can be limited to specific operations on specific resources
 - **Expiration Control**: Set custom expiration times for tokens
@@ -195,7 +195,7 @@ Where:

 ### PAT Operations

-SuperMQ supports the following operations for PATs:
+Magistrala supports the following operations for PATs:

 | Operation   | Description                          |
 | ----------- | ------------------------------------ |
@@ -444,6 +444,6 @@ When a PAT is used for authentication:

 ## Usage

-For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.supermq.absmach.eu/?urls.primaryName=auth.yaml).
+For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.magistrala.absmach.eu/?urls.primaryName=auth.yaml).

-[doc]: https://docs.supermq.absmach.eu/
+[doc]: https://magistrala.absmach.eu/docs/
@@ -7,9 +7,9 @@ import (
 	"context"
 	"time"

-	grpcAuthV1 "github.com/absmach/supermq/api/grpc/auth/v1"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc"
+	grpcAuthV1 "github.com/absmach/magistrala/api/grpc/auth/v1"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc"
 	"github.com/go-kit/kit/endpoint"
 	kitgrpc "github.com/go-kit/kit/transport/grpc"
 	"google.golang.org/grpc"
@@ -57,7 +57,7 @@ func (client authGrpcClient) Authenticate(ctx context.Context, token *grpcAuthV1
 		return &grpcAuthV1.AuthNRes{}, grpcapi.DecodeError(err)
 	}
 	ir := res.(authenticateRes)
-	return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole), Verified: ir.verified}, nil
+	return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole), Verified: ir.verified, TokenType: uint32(ir.tokenType)}, nil
 }

 func encodeIdentifyRequest(_ context.Context, grpcReq any) (any, error) {
@@ -67,7 +67,7 @@ func encodeIdentifyRequest(_ context.Context, grpcReq any) (any, error) {

 func decodeIdentifyResponse(_ context.Context, grpcRes any) (any, error) {
 	res := grpcRes.(*grpcAuthV1.AuthNRes)
-	return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole), verified: res.GetVerified()}, nil
+	return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole), verified: res.GetVerified(), tokenType: auth.KeyType(res.GetTokenType())}, nil
 }

 func (client authGrpcClient) Authorize(ctx context.Context, req *grpcAuthV1.AuthZReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
@@ -76,26 +76,32 @@ func (client authGrpcClient) Authorize(ctx context.Context, req *grpcAuthV1.Auth

 	var authReqData authReq

-	if policy := req.GetPolicy(); policy != nil {
-		authReqData = authReq{
-			TokenType:   policy.GetTokenType(),
-			Domain:      policy.GetDomain(),
-			SubjectType: policy.GetSubjectType(),
-			Subject:     policy.GetSubject(),
-			SubjectKind: policy.GetSubjectKind(),
-			Relation:    policy.GetRelation(),
-			Permission:  policy.GetPermission(),
-			ObjectType:  policy.GetObjectType(),
-			Object:      policy.GetObject(),
+	if req != nil {
+		policyReq := req.GetPolicyReq()
+		patReq := req.GetPatReq()
+
+		if policyReq != nil {
+			authReqData = authReq{
+				Domain:      policyReq.GetDomain(),
+				SubjectType: policyReq.GetSubjectType(),
+				Subject:     policyReq.GetSubject(),
+				SubjectKind: policyReq.GetSubjectKind(),
+				Relation:    policyReq.GetRelation(),
+				Permission:  policyReq.GetPermission(),
+				ObjectType:  policyReq.GetObjectType(),
+				Object:      policyReq.GetObject(),
+			}
 		}
-	} else if pat := req.GetPat(); pat != nil {
-		authReqData = authReq{
-			UserID:           pat.GetUserId(),
-			PatID:            pat.GetPatId(),
-			EntityType:       auth.EntityType(pat.GetEntityType()),
-			OptionalDomainID: pat.GetOptionalDomainId(),
-			Operation:        auth.Operation(pat.GetOperation()),
-			EntityID:         pat.GetEntityId(),
+
+		if patReq != nil {
+			if patReq.GetDomain() != "" {
+				authReqData.Domain = patReq.GetDomain()
+			}
+			authReqData.UserID = patReq.GetUserId()
+			authReqData.PatID = patReq.GetPatId()
+			authReqData.EntityType = patReq.GetEntityType()
+			authReqData.Operation = patReq.GetOperation()
+			authReqData.EntityID = patReq.GetEntityId()
 		}
 	}

@@ -116,36 +122,29 @@ func decodeAuthorizeResponse(_ context.Context, grpcRes any) (any, error) {
 func encodeAuthorizeRequest(_ context.Context, grpcReq any) (any, error) {
 	req := grpcReq.(authReq)

-	// Check if this is a PAT request (has PatID) or policy request
-	if req.PatID != "" {
-		return &grpcAuthV1.AuthZReq{
-			AuthType: &grpcAuthV1.AuthZReq_Pat{
-				Pat: &grpcAuthV1.PATReq{
-					UserId:           req.UserID,
-					PatId:            req.PatID,
-					EntityType:       uint32(req.EntityType),
-					OptionalDomainId: req.OptionalDomainID,
-					Operation:        uint32(req.Operation),
-					EntityId:         req.EntityID,
-				},
-			},
-		}, nil
+	authZReq := &grpcAuthV1.AuthZReq{
+		PolicyReq: &grpcAuthV1.PolicyReq{
+			Domain:      req.Domain,
+			SubjectType: req.SubjectType,
+			Subject:     req.Subject,
+			SubjectKind: req.SubjectKind,
+			Relation:    req.Relation,
+			Permission:  req.Permission,
+			ObjectType:  req.ObjectType,
+			Object:      req.Object,
+		},
 	}

-	// Otherwise, it's a policy request
-	return &grpcAuthV1.AuthZReq{
-		AuthType: &grpcAuthV1.AuthZReq_Policy{
-			Policy: &grpcAuthV1.PolicyReq{
-				TokenType:   req.TokenType,
-				Domain:      req.Domain,
-				SubjectType: req.SubjectType,
-				Subject:     req.Subject,
-				SubjectKind: req.SubjectKind,
-				Relation:    req.Relation,
-				Permission:  req.Permission,
-				ObjectType:  req.ObjectType,
-				Object:      req.Object,
-			},
-		},
-	}, nil
+	if req.PatID != "" {
+		authZReq.PatReq = &grpcAuthV1.PATReq{
+			PatId:      req.PatID,
+			Domain:     req.Domain,
+			Operation:  req.Operation,
+			UserId:     req.UserID,
+			EntityId:   req.EntityID,
+			EntityType: req.EntityType,
+		}
+	}
+
+	return authZReq, nil
 }
@@ -6,8 +6,8 @@ package auth
 import (
 	"context"

-	"github.com/absmach/supermq/auth"
-	"github.com/absmach/supermq/pkg/policies"
+	"github.com/absmach/magistrala/auth"
+	"github.com/absmach/magistrala/pkg/policies"
 	"github.com/go-kit/kit/endpoint"
 )

@@ -23,7 +23,7 @@ func authenticateEndpoint(svc auth.Service) endpoint.Endpoint {
 			return authenticateRes{}, err
 		}

-		return authenticateRes{id: key.ID, userID: key.Subject, userRole: key.Role, verified: key.Verified}, nil
+		return authenticateRes{id: key.ID, userID: key.Subject, userRole: key.Role, verified: key.Verified, tokenType: key.Type}, nil
 	}
 }

@@ -35,23 +35,32 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
 			return authorizeRes{}, err
 		}

+		var pat *auth.PATAuthz
+		if req.PatID != "" {
+			entityType, err := auth.ParseEntityType(req.EntityType)
+			if err != nil {
+				return authorizeRes{authorized: false}, err
+			}
+			pat = &auth.PATAuthz{
+				PatID:      req.PatID,
+				UserID:     req.UserID,
+				EntityType: entityType,
+				EntityID:   req.EntityID,
+				Operation:  req.Operation,
+				Domain:     req.Domain,
+			}
+		}
+
 		err := svc.Authorize(ctx, policies.Policy{
-			TokenType:        req.TokenType,
-			Domain:           req.Domain,
-			SubjectType:      req.SubjectType,
-			SubjectKind:      req.SubjectKind,
-			Subject:          req.Subject,
-			Relation:         req.Relation,
-			Permission:       req.Permission,
-			ObjectType:       req.ObjectType,
-			Object:           req.Object,
-			UserID:           req.UserID,
-			PatID:            req.PatID,
-			EntityType:       uint32(req.EntityType),
-			OptionalDomainID: req.OptionalDomainID,
-			Operation:        uint32(req.Operation),
-			EntityID:         req.EntityID,
-		})
+			Domain:      req.Domain,
+			SubjectType: req.SubjectType,
+			SubjectKind: req.SubjectKind,
+			Subject:     req.Subject,
+			Relation:    req.Relation,
+			Permission:  req.Permission,
+			ObjectType:  req.ObjectType,
+			Object:      req.Object,
+		}, pat)
 		if err != nil {
 			return authorizeRes{authorized: false}, err
 		}
@@ -10,13 +10,14 @@ import (
 	"testing"
 	"time"

-	grpcAuthV1 "github.com/absmach/supermq/api/grpc/auth/v1"
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc/auth"
-	"github.com/absmach/supermq/internal/testsutil"
-	"github.com/absmach/supermq/pkg/errors"
-	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	grpcAuthV1 "github.com/absmach/magistrala/api/grpc/auth/v1"
+	apiutil "github.com/absmach/magistrala/api/http/util"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc/auth"
+	"github.com/absmach/magistrala/internal/testsutil"
+	"github.com/absmach/magistrala/pkg/errors"
+	svcerr "github.com/absmach/magistrala/pkg/errors/service"
+	"github.com/absmach/magistrala/pkg/policies"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"google.golang.org/grpc"
@@ -92,7 +93,7 @@ func TestIdentify(t *testing.T) {
 			desc:  "authenticate user with valid PAT token",
 			token: "pat_" + validPATToken,
 			key:   auth.Key{ID: id, Type: auth.PersonalAccessToken, Subject: clientID, Role: auth.UserRole},
-			idt:   &grpcAuthV1.AuthNRes{Id: id, UserId: clientID, UserRole: uint32(auth.UserRole)},
+			idt:   &grpcAuthV1.AuthNRes{Id: id, UserId: clientID, UserRole: uint32(auth.UserRole), TokenType: uint32(auth.PersonalAccessToken)},
 			err:   nil,
 		},
 		{
@@ -130,21 +131,21 @@ func TestAuthorize(t *testing.T) {
 		token        string
 		authRequest  *grpcAuthV1.AuthZReq
 		authResponse *grpcAuthV1.AuthZRes
+		expectedReq  *policies.Policy
+		expectedPAT  *auth.PATAuthz
 		err          error
 	}{
 		{
 			desc:  "authorize user with authorized token",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: usersType,
-						Object:      authoritiesObj,
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
@@ -154,15 +155,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with unauthorized token",
 			token: inValidToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: usersType,
-						Object:      authoritiesObj,
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -172,15 +171,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty subject",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     "",
-						SubjectType: usersType,
-						Object:      authoritiesObj,
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     "",
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -190,15 +187,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty subject type",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: "",
-						Object:      authoritiesObj,
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: "",
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -208,15 +203,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty object",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: usersType,
-						Object:      "",
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      "",
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -226,15 +219,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty object type",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: usersType,
-						Object:      authoritiesObj,
-						ObjectType:  "",
-						Relation:    memberRelation,
-						Permission:  adminPermission,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  "",
+					Relation:    memberRelation,
+					Permission:  adminPermission,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -244,15 +235,13 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with empty permission",
 			token: validToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Policy{
-					Policy: &grpcAuthV1.PolicyReq{
-						Subject:     id,
-						SubjectType: usersType,
-						Object:      authoritiesObj,
-						ObjectType:  usersType,
-						Relation:    memberRelation,
-						Permission:  "",
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: usersType,
+					Object:      authoritiesObj,
+					ObjectType:  usersType,
+					Relation:    memberRelation,
+					Permission:  "",
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -262,33 +251,88 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize user with valid PAT token",
 			token: validPATToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Pat{
-					Pat: &grpcAuthV1.PATReq{
-						UserId:           id,
-						PatId:            id,
-						EntityType:       uint32(auth.ClientsType),
-						OptionalDomainId: domainID,
-						Operation:        uint32(auth.CreateOp),
-						EntityId:         clientID,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
 			err:          nil,
 		},
+		{
+			desc:  "authorize bootstrap PAT keeps PAT domain when policy domain is empty",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZReq{
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.MembershipPermission,
+					ObjectType:  policies.DomainType,
+					Object:      domainID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "create",
+					UserId:     id,
+					EntityId:   auth.AnyIDs,
+					EntityType: auth.BootstrapStr,
+				},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
+			expectedReq: &policies.Policy{
+				Domain:      domainID,
+				SubjectType: policies.UserType,
+				SubjectKind: policies.UsersKind,
+				Subject:     id,
+				Permission:  policies.MembershipPermission,
+				ObjectType:  policies.DomainType,
+				Object:      domainID,
+			},
+			expectedPAT: &auth.PATAuthz{
+				PatID:      id,
+				UserID:     id,
+				EntityType: auth.BootstrapType,
+				EntityID:   auth.AnyIDs,
+				Operation:  "create",
+				Domain:     domainID,
+			},
+			err: nil,
+		},
 		{
 			desc:  "authorize user with unauthorized PAT token",
 			token: inValidToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Pat{
-					Pat: &grpcAuthV1.PATReq{
-						UserId:           id,
-						PatId:            id,
-						EntityType:       uint32(auth.ClientsType),
-						OptionalDomainId: domainID,
-						Operation:        uint32(auth.CreateOp),
-						EntityId:         clientID,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -298,14 +342,21 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize PAT with missing user id",
 			token: validPATToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Pat{
-					Pat: &grpcAuthV1.PATReq{
-						PatId:            id,
-						EntityType:       uint32(auth.ClientsType),
-						OptionalDomainId: domainID,
-						Operation:        uint32(auth.CreateOp),
-						EntityId:         clientID,
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					EntityId:   clientID,
+					EntityType: auth.ClientsScopeStr,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -315,14 +366,21 @@ func TestAuthorize(t *testing.T) {
 			desc:  "authorize PAT with missing entity id",
 			token: validPATToken,
 			authRequest: &grpcAuthV1.AuthZReq{
-				AuthType: &grpcAuthV1.AuthZReq_Pat{
-					Pat: &grpcAuthV1.PATReq{
-						UserId:           id,
-						PatId:            id,
-						EntityType:       uint32(auth.ClientsType),
-						OptionalDomainId: domainID,
-						Operation:        uint32(auth.CreateOp),
-					},
+				PolicyReq: &grpcAuthV1.PolicyReq{
+					Subject:     id,
+					SubjectType: policies.UserType,
+					SubjectKind: policies.UsersKind,
+					Permission:  policies.ViewPermission,
+					ObjectType:  policies.ClientType,
+					Domain:      domainID,
+					Object:      clientID,
+				},
+				PatReq: &grpcAuthV1.PATReq{
+					PatId:      id,
+					Domain:     domainID,
+					Operation:  "view",
+					UserId:     id,
+					EntityType: auth.ClientsScopeStr,
 				},
 			},
 			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
@@ -331,7 +389,7 @@ func TestAuthorize(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			svcCall := svc.On("Authorize", mock.Anything, mock.Anything).Return(tc.err)
+			svcCall := svc.On("Authorize", mock.Anything, mock.Anything, mock.Anything).Return(tc.err)
 			ar, err := grpcClient.Authorize(context.Background(), tc.authRequest)
 			if ar != nil {
 				assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
@@ -4,8 +4,7 @@
 package auth

 import (
-	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/auth"
+	apiutil "github.com/absmach/magistrala/api/http/util"
 )

 type authenticateReq struct {
@@ -25,7 +24,6 @@ func (req authenticateReq) validate() error {
 // 2. object - an entity over which action will be executed
 // 3. action - type of action that will be executed (read/write).
 type authReq struct {
-	TokenType   uint32
 	Domain      string
 	SubjectType string
 	SubjectKind string
@@ -36,12 +34,11 @@ type authReq struct {
 	Object      string

 	// PAT authorization fields
-	UserID           string
-	PatID            string
-	EntityType       auth.EntityType
-	OptionalDomainID string
-	Operation        auth.Operation
-	EntityID         string
+	UserID     string
+	PatID      string
+	EntityType string
+	Operation  string
+	EntityID   string
 }

 func (req authReq) validate() error {
@@ -52,7 +49,9 @@ func (req authReq) validate() error {
 		if req.EntityID == "" {
 			return apiutil.ErrMissingID
 		}
-		return nil
+		if req.EntityType == "" {
+			return apiutil.ErrMissingPolicyObj
+		}
 	}

 	if req.Subject == "" || req.SubjectType == "" {
@@ -3,13 +3,14 @@

 package auth

-import smqauth "github.com/absmach/supermq/auth"
+import "github.com/absmach/magistrala/auth"

 type authenticateRes struct {
-	id       string
-	userID   string
-	userRole smqauth.Role
-	verified bool
+	id        string
+	userID    string
+	userRole  auth.Role
+	verified  bool
+	tokenType auth.KeyType
 }

 type authorizeRes struct {
@@ -6,9 +6,9 @@ package auth
 import (
 	"context"

-	grpcAuthV1 "github.com/absmach/supermq/api/grpc/auth/v1"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc"
+	grpcAuthV1 "github.com/absmach/magistrala/api/grpc/auth/v1"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc"
 	kitgrpc "github.com/go-kit/kit/transport/grpc"
 )

@@ -60,36 +60,45 @@ func decodeAuthenticateRequest(_ context.Context, grpcReq any) (any, error) {

 func encodeAuthenticateResponse(_ context.Context, grpcRes any) (any, error) {
 	res := grpcRes.(authenticateRes)
-	return &grpcAuthV1.AuthNRes{Id: res.id, UserId: res.userID, UserRole: uint32(res.userRole), Verified: res.verified}, nil
+	return &grpcAuthV1.AuthNRes{Id: res.id, UserId: res.userID, UserRole: uint32(res.userRole), Verified: res.verified, TokenType: uint32(res.tokenType)}, nil
 }

 func decodeAuthorizeRequest(_ context.Context, grpcReq any) (any, error) {
 	req := grpcReq.(*grpcAuthV1.AuthZReq)
-	if policy := req.GetPolicy(); policy != nil {
-		return authReq{
-			TokenType:   policy.GetTokenType(),
-			Domain:      policy.GetDomain(),
-			SubjectType: policy.GetSubjectType(),
-			SubjectKind: policy.GetSubjectKind(),
-			Subject:     policy.GetSubject(),
-			Relation:    policy.GetRelation(),
-			Permission:  policy.GetPermission(),
-			ObjectType:  policy.GetObjectType(),
-			Object:      policy.GetObject(),
-		}, nil
-	}
-	if pat := req.GetPat(); pat != nil {
-		return authReq{
-			UserID:           pat.GetUserId(),
-			PatID:            pat.GetPatId(),
-			EntityType:       auth.EntityType(pat.GetEntityType()),
-			OptionalDomainID: pat.GetOptionalDomainId(),
-			Operation:        auth.Operation(pat.GetOperation()),
-			EntityID:         pat.GetEntityId(),
-		}, nil
+	if req == nil {
+		return authReq{}, nil
 	}

-	return authReq{}, nil
+	policyReq := req.GetPolicyReq()
+	patReq := req.GetPatReq()
+
+	if policyReq == nil {
+		return authReq{}, nil
+	}
+
+	authRequest := authReq{
+		Domain:      policyReq.GetDomain(),
+		SubjectType: policyReq.GetSubjectType(),
+		SubjectKind: policyReq.GetSubjectKind(),
+		Subject:     policyReq.GetSubject(),
+		Relation:    policyReq.GetRelation(),
+		Permission:  policyReq.GetPermission(),
+		ObjectType:  policyReq.GetObjectType(),
+		Object:      policyReq.GetObject(),
+	}
+
+	if patReq != nil {
+		if patReq.GetDomain() != "" {
+			authRequest.Domain = patReq.GetDomain()
+		}
+		authRequest.UserID = patReq.GetUserId()
+		authRequest.PatID = patReq.GetPatId()
+		authRequest.EntityType = patReq.GetEntityType()
+		authRequest.Operation = patReq.GetOperation()
+		authRequest.EntityID = patReq.GetEntityId()
+	}
+
+	return authRequest, nil
 }

 func encodeAuthorizeResponse(_ context.Context, grpcRes any) (any, error) {
@@ -7,7 +7,7 @@ import (
 	"os"
 	"testing"

-	"github.com/absmach/supermq/auth/mocks"
+	"github.com/absmach/magistrala/auth/mocks"
 )

 var svc *mocks.Service
@@ -7,9 +7,9 @@ import (
 	"context"
 	"time"

-	grpcTokenV1 "github.com/absmach/supermq/api/grpc/token/v1"
-	"github.com/absmach/supermq/auth"
-	grpcapi "github.com/absmach/supermq/auth/api/grpc"
+	grpcTokenV1 "github.com/absmach/magistrala/api/grpc/token/v1"
+	"github.com/absmach/magistrala/auth"
+	grpcapi "github.com/absmach/magistrala/auth/api/grpc"
 	"github.com/go-kit/kit/endpoint"
 	kitgrpc "github.com/go-kit/kit/transport/grpc"
 	"google.golang.org/grpc"
@@ -18,14 +18,16 @@ import (
 const tokenSvcName = "token.v1.TokenService"

 type tokenGrpcClient struct {
-	issue   endpoint.Endpoint
-	refresh endpoint.Endpoint
-	timeout time.Duration
+	issue                 endpoint.Endpoint
+	refresh               endpoint.Endpoint
+	revoke                endpoint.Endpoint
+	listUserRefreshTokens endpoint.Endpoint
+	timeout               time.Duration
 }

 var _ grpcTokenV1.TokenServiceClient = (*tokenGrpcClient)(nil)

-// NewAuthClient returns new auth gRPC client instance.
+// NewTokenClient returns new token gRPC client instance.
 func NewTokenClient(conn *grpc.ClientConn, timeout time.Duration) grpcTokenV1.TokenServiceClient {
 	return &tokenGrpcClient{
 		issue: kitgrpc.NewClient(
@@ -44,6 +46,22 @@ func NewTokenClient(conn *grpc.ClientConn, timeout time.Duration) grpcTokenV1.To
 			decodeRefreshResponse,
 			grpcTokenV1.Token{},
 		).Endpoint(),
+		revoke: kitgrpc.NewClient(
+			conn,
+			tokenSvcName,
+			"Revoke",
+			encodeRevokeRequest,
+			decodeRevokeResponse,
+			grpcTokenV1.RevokeRes{},
+		).Endpoint(),
+		listUserRefreshTokens: kitgrpc.NewClient(
+			conn,
+			tokenSvcName,
+			"ListUserRefreshTokens",
+			encodeListUserRefreshTokensRequest,
+			decodeListUserRefreshTokensResponse,
+			grpcTokenV1.ListUserRefreshTokensRes{},
+		).Endpoint(),
 		timeout: timeout,
 	}
 }
@@ -53,10 +71,11 @@ func (client tokenGrpcClient) Issue(ctx context.Context, req *grpcTokenV1.IssueR
 	defer cancel()

 	res, err := client.issue(ctx, issueReq{
-		userID:   req.GetUserId(),
-		userRole: auth.Role(req.GetUserRole()),
-		keyType:  auth.KeyType(req.GetType()),
-		verified: req.GetVerified(),
+		userID:      req.GetUserId(),
+		userRole:    auth.Role(req.GetUserRole()),
+		keyType:     auth.KeyType(req.GetType()),
+		verified:    req.GetVerified(),
+		description: req.GetDescription(),
 	})
 	if err != nil {
 		return &grpcTokenV1.Token{}, grpcapi.DecodeError(err)
@@ -67,10 +86,11 @@ func (client tokenGrpcClient) Issue(ctx context.Context, req *grpcTokenV1.IssueR
 func encodeIssueRequest(_ context.Context, grpcReq any) (any, error) {
 	req := grpcReq.(issueReq)
 	return &grpcTokenV1.IssueReq{
-		UserId:   req.userID,
-		UserRole: uint32(req.userRole),
-		Type:     uint32(req.keyType),
-		Verified: req.verified,
+		UserId:      req.userID,
+		UserRole:    uint32(req.userRole),
+		Type:        uint32(req.keyType),
+		Verified:    req.verified,
+		Description: req.description,
 	}, nil
 }

@@ -97,3 +117,43 @@ func encodeRefreshRequest(_ context.Context, grpcReq any) (any, error) {
 func decodeRefreshResponse(_ context.Context, grpcRes any) (any, error) {
 	return grpcRes, nil
 }
+
+func (client tokenGrpcClient) Revoke(ctx context.Context, req *grpcTokenV1.RevokeReq, _ ...grpc.CallOption) (*grpcTokenV1.RevokeRes, error) {
+	ctx, cancel := context.WithTimeout(ctx, client.timeout)
+	defer cancel()
+
+	res, err := client.revoke(ctx, revokeReq{userID: req.GetUserId(), tokenID: req.GetTokenId()})
+	if err != nil {
+		return &grpcTokenV1.RevokeRes{}, grpcapi.DecodeError(err)
+	}
+	return res.(*grpcTokenV1.RevokeRes), nil
+}
+
+func encodeRevokeRequest(_ context.Context, grpcReq any) (any, error) {
+	req := grpcReq.(revokeReq)
+	return &grpcTokenV1.RevokeReq{UserId: req.userID, TokenId: req.tokenID}, nil
+}
+
+func decodeRevokeResponse(_ context.Context, grpcRes any) (any, error) {
+	return grpcRes, nil
+}
+
+func (client tokenGrpcClient) ListUserRefreshTokens(ctx context.Context, req *grpcTokenV1.ListUserRefreshTokensReq, _ ...grpc.CallOption) (*grpcTokenV1.ListUserRefreshTokensRes, error) {
+	ctx, cancel := context.WithTimeout(ctx, client.timeout)
+	defer cancel()
+
+	res, err := client.listUserRefreshTokens(ctx, listUserRefreshTokensReq{userID: req.GetUserId()})
+	if err != nil {
+		return &grpcTokenV1.ListUserRefreshTokensRes{}, grpcapi.DecodeError(err)
+	}
+	return res.(*grpcTokenV1.ListUserRefreshTokensRes), nil
+}
+
+func encodeListUserRefreshTokensRequest(_ context.Context, grpcReq any) (any, error) {
+	req := grpcReq.(listUserRefreshTokensReq)
+	return &grpcTokenV1.ListUserRefreshTokensReq{UserId: req.userID}, nil
+}
+
+func decodeListUserRefreshTokensResponse(_ context.Context, grpcRes any) (any, error) {
+	return grpcRes, nil
+}
--- a/Show More
+++ b/Show More