feat: move SidebarTab to Opal, add disabled styling for sidebar variants

- Add [data-disabled] CSS rules for sidebar-heavy and sidebar-light variants (text-02 foreground, transparent background, no opacity) - Move SidebarTab from refresh-components to @opal/components with disabled prop, docstrings, stories, and README - Old file re-exports from Opal for backwards compatibility
docs: update Disabled section in AGENTS.md
2026-04-09 08:52:42 +00:00 · 2026-04-02 10:25:23 -07:00 · 2026-04-02 09:51:22 -07:00 · 2026-04-02 09:51:22 -07:00 · 2026-04-02 09:51:22 -07:00
296 changed files with 6454 additions and 11012 deletions
--- a/.cursor/skills/onyx-cli/SKILL.md
+++ b/.cursor/skills/onyx-cli/SKILL.md
@@ -1 +0,0 @@
-../../../cli/internal/embedded/SKILL.md
--- a/.cursor/skills/onyx-cli/SKILL.md
+++ b/.cursor/skills/onyx-cli/SKILL.md
@@ -0,0 +1,186 @@
+---
+name: onyx-cli
+description: Query the Onyx knowledge base using the onyx-cli command. Use when the user wants to search company documents, ask questions about internal knowledge, query connected data sources, or look up information stored in Onyx.
+---
+
+# Onyx CLI — Agent Tool
+
+Onyx is an enterprise search and Gen-AI platform that connects to company documents, apps, and people. The `onyx-cli` CLI provides non-interactive commands to query the Onyx knowledge base and list available agents.
+
+## Prerequisites
+
+### 1. Check if installed
+
+```bash
+which onyx-cli
+```
+
+### 2. Install (if needed)
+
+**Primary — pip:**
+
+```bash
+pip install onyx-cli
+```
+
+**From source (Go):**
+
+```bash
+cd cli && go build -o onyx-cli . && sudo mv onyx-cli /usr/local/bin/
+```
+
+### 3. Check if configured
+
+```bash
+onyx-cli validate-config
+```
+
+This checks the config file exists, API key is present, and tests the server connection via `/api/me`. Exit code 0 on success, non-zero with a descriptive error on failure.
+
+If unconfigured, you have two options:
+
+**Option A — Interactive setup (requires user input):**
+
+```bash
+onyx-cli configure
+```
+
+This prompts for the Onyx server URL and API key, tests the connection, and saves config.
+
+**Option B — Environment variables (non-interactive, preferred for agents):**
+
+```bash
+export ONYX_SERVER_URL="https://your-onyx-server.com"  # default: https://cloud.onyx.app
+export ONYX_API_KEY="your-api-key"
+```
+
+Environment variables override the config file. If these are set, no config file is needed.
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `ONYX_SERVER_URL` | No | Onyx server base URL (default: `https://cloud.onyx.app`) |
+| `ONYX_API_KEY` | Yes | API key for authentication |
+| `ONYX_PERSONA_ID` | No | Default agent/persona ID |
+
+If neither the config file nor environment variables are set, tell the user that `onyx-cli` needs to be configured and ask them to either:
+- Run `onyx-cli configure` interactively, or
+- Set `ONYX_SERVER_URL` and `ONYX_API_KEY` environment variables
+
+## Commands
+
+### Validate configuration
+
+```bash
+onyx-cli validate-config
+```
+
+Checks config file exists, API key is present, and tests the server connection. Use this before `ask` or `agents` to confirm the CLI is properly set up.
+
+### List available agents
+
+```bash
+onyx-cli agents
+```
+
+Prints a table of agent IDs, names, and descriptions. Use `--json` for structured output:
+
+```bash
+onyx-cli agents --json
+```
+
+Use agent IDs with `ask --agent-id` to query a specific agent.
+
+### Basic query (plain text output)
+
+```bash
+onyx-cli ask "What is our company's PTO policy?"
+```
+
+Streams the answer as plain text to stdout. Exit code 0 on success, non-zero on error.
+
+### JSON output (structured events)
+
+```bash
+onyx-cli ask --json "What authentication methods do we support?"
+```
+
+Outputs JSON-encoded parsed stream events (one object per line). Key event objects include message deltas, stop, errors, search-start, and citation payloads.
+
+Each line is a JSON object with this envelope:
+
+```json
+{"type": "<event_type>", "event": { ... }}
+```
+
+| Event Type | Description |
+|------------|-------------|
+| `message_delta` | Content token — concatenate all `content` fields for the full answer |
+| `stop` | Stream complete |
+| `error` | Error with `error` message field |
+| `search_tool_start` | Onyx started searching documents |
+| `citation_info` | Source citation — see shape below |
+
+`citation_info` event shape:
+
+```json
+{
+  "type": "citation_info",
+  "event": {
+    "citation_number": 1,
+    "document_id": "abc123def456",
+    "placement": {"turn_index": 0, "tab_index": 0, "sub_turn_index": null}
+  }
+}
+```
+
+`placement` is metadata about where in the conversation the citation appeared and can be ignored for most use cases.
+
+### Specify an agent
+
+```bash
+onyx-cli ask --agent-id 5 "Summarize our Q4 roadmap"
+```
+
+Uses a specific Onyx agent/persona instead of the default.
+
+### All flags
+
+| Flag | Type | Description |
+|------|------|-------------|
+| `--agent-id` | int | Agent ID to use (overrides default) |
+| `--json` | bool | Output raw NDJSON events instead of plain text |
+
+## Statelessness
+
+Each `onyx-cli ask` call creates an independent chat session. There is no built-in way to chain context across multiple `ask` invocations — every call starts fresh. If you need multi-turn conversation with memory, use the interactive TUI (`onyx-cli` or `onyx-cli chat`) instead.
+
+## When to Use
+
+Use `onyx-cli ask` when:
+
+- The user asks about company-specific information (policies, docs, processes)
+- You need to search internal knowledge bases or connected data sources
+- The user references Onyx, asks you to "search Onyx", or wants to query their documents
+- You need context from company wikis, Confluence, Google Drive, Slack, or other connected sources
+
+Do NOT use when:
+
+- The question is about general programming knowledge (use your own knowledge)
+- The user is asking about code in the current repository (use grep/read tools)
+- The user hasn't mentioned Onyx and the question doesn't require internal company data
+
+## Examples
+
+```bash
+# Simple question
+onyx-cli ask "What are the steps to deploy to production?"
+
+# Get structured output for parsing
+onyx-cli ask --json "List all active API integrations"
+
+# Use a specialized agent
+onyx-cli ask --agent-id 3 "What were the action items from last week's standup?"
+
+# Pipe the answer into another command
+onyx-cli ask "What is the database schema for users?" | head -20
+```
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -228,7 +228,7 @@ jobs:

      - name: Create GitHub Release
        id: create-release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # ratchet:softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # ratchet:softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.release-tag.outputs.tag }}
          name: ${{ steps.release-tag.outputs.tag }}
--- a/.github/workflows/helm-chart-releases.yml
+++ b/.github/workflows/helm-chart-releases.yml
@@ -21,7 +21,7 @@ jobs:
          persist-credentials: false

      - name: Install Helm CLI
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # ratchet:azure/setup-helm@v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # ratchet:azure/setup-helm@v4
        with:
          version: v3.12.1

--- a/.github/workflows/nightly-close-stale-issues.yml
+++ b/.github/workflows/nightly-close-stale-issues.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # ratchet:actions/stale@v10
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # ratchet:actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 75 days with no activity. Remove stale label or comment or this will be closed in 15 days.'
          stale-pr-message: 'This PR is stale because it has been open 75 days with no activity. Remove stale label or comment or this will be closed in 15 days.'
--- a/.github/workflows/pr-helm-chart-testing.yml
+++ b/.github/workflows/pr-helm-chart-testing.yml
@@ -36,7 +36,7 @@ jobs:
          persist-credentials: false

      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # ratchet:azure/setup-helm@v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # ratchet:azure/setup-helm@v4.3.1
        with:
          version: v3.19.0

--- a/.gitignore
+++ b/.gitignore
@@ -59,6 +59,3 @@ node_modules

 # plans
 plans/
-
-# Added context for LLMs
-onyx-llm-context/
--- a/backend/alembic/env.py
+++ b/backend/alembic/env.py
@@ -1,4 +1,4 @@
-from typing import Any
+from typing import Any, Literal
 from onyx.db.engine.iam_auth import get_iam_auth_token
 from onyx.configs.app_configs import USE_IAM_AUTH
 from onyx.configs.app_configs import POSTGRES_HOST
@@ -19,6 +19,7 @@ from logging.config import fileConfig

 from alembic import context
 from sqlalchemy.ext.asyncio import create_async_engine
+from sqlalchemy.sql.schema import SchemaItem
 from onyx.configs.constants import SSL_CERT_FILE
 from shared_configs.configs import (
    MULTI_TENANT,
@@ -44,6 +45,8 @@ if config.config_file_name is not None and config.attributes.get(

 target_metadata = [Base.metadata, ResultModelBase.metadata]

+EXCLUDE_TABLES = {"kombu_queue", "kombu_message"}
+
 logger = logging.getLogger(__name__)

 ssl_context: ssl.SSLContext | None = None
@@ -53,6 +56,25 @@ if USE_IAM_AUTH:
    ssl_context = ssl.create_default_context(cafile=SSL_CERT_FILE)


+def include_object(
+    object: SchemaItem,  # noqa: ARG001
+    name: str | None,
+    type_: Literal[
+        "schema",
+        "table",
+        "column",
+        "index",
+        "unique_constraint",
+        "foreign_key_constraint",
+    ],
+    reflected: bool,  # noqa: ARG001
+    compare_to: SchemaItem | None,  # noqa: ARG001
+) -> bool:
+    if type_ == "table" and name in EXCLUDE_TABLES:
+        return False
+    return True
+
+
 def filter_tenants_by_range(
    tenant_ids: list[str], start_range: int | None = None, end_range: int | None = None
 ) -> list[str]:
@@ -209,6 +231,7 @@ def do_run_migrations(
    context.configure(
        connection=connection,
        target_metadata=target_metadata,  # type: ignore
+        include_object=include_object,
        version_table_schema=schema_name,
        include_schemas=True,
        compare_type=True,
@@ -382,6 +405,7 @@ def run_migrations_offline() -> None:
                url=url,
                target_metadata=target_metadata,  # type: ignore
                literal_binds=True,
+                include_object=include_object,
                version_table_schema=schema,
                include_schemas=True,
                script_location=config.get_main_option("script_location"),
@@ -423,6 +447,7 @@ def run_migrations_offline() -> None:
                url=url,
                target_metadata=target_metadata,  # type: ignore
                literal_binds=True,
+                include_object=include_object,
                version_table_schema=schema,
                include_schemas=True,
                script_location=config.get_main_option("script_location"),
@@ -465,6 +490,7 @@ def run_migrations_online() -> None:
            context.configure(
                connection=connection,
                target_metadata=target_metadata,  # type: ignore
+                include_object=include_object,
                version_table_schema=schema_name,
                include_schemas=True,
                compare_type=True,
--- a/backend/alembic_tenants/env.py
+++ b/backend/alembic_tenants/env.py
@@ -1,9 +1,11 @@
 import asyncio
 from logging.config import fileConfig
+from typing import Literal

 from sqlalchemy import pool
 from sqlalchemy.engine import Connection
 from sqlalchemy.ext.asyncio import create_async_engine
+from sqlalchemy.schema import SchemaItem

 from alembic import context
 from onyx.db.engine.sql_engine import build_connection_string
@@ -33,6 +35,27 @@ target_metadata = [PublicBase.metadata]
 # my_important_option = config.get_main_option("my_important_option")
 # ... etc.

+EXCLUDE_TABLES = {"kombu_queue", "kombu_message"}
+
+
+def include_object(
+    object: SchemaItem,  # noqa: ARG001
+    name: str | None,
+    type_: Literal[
+        "schema",
+        "table",
+        "column",
+        "index",
+        "unique_constraint",
+        "foreign_key_constraint",
+    ],
+    reflected: bool,  # noqa: ARG001
+    compare_to: SchemaItem | None,  # noqa: ARG001
+) -> bool:
+    if type_ == "table" and name in EXCLUDE_TABLES:
+        return False
+    return True
+

 def run_migrations_offline() -> None:
    """Run migrations in 'offline' mode.
@@ -62,6 +85,7 @@ def do_run_migrations(connection: Connection) -> None:
    context.configure(
        connection=connection,
        target_metadata=target_metadata,  # type: ignore[arg-type]
+        include_object=include_object,
    )

    with context.begin_transaction():
--- a/backend/ee/onyx/auth/users.py
+++ b/backend/ee/onyx/auth/users.py
@@ -10,10 +10,9 @@ from fastapi import status
 from ee.onyx.configs.app_configs import SUPER_CLOUD_API_KEY
 from ee.onyx.configs.app_configs import SUPER_USERS
 from ee.onyx.server.seeding import get_seed_config
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import AUTH_TYPE
 from onyx.configs.app_configs import USER_AUTH_SECRET
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.utils.logger import setup_logger

@@ -40,7 +39,7 @@ def get_default_admin_user_emails_() -> list[str]:

 async def current_cloud_superuser(
    request: Request,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
 ) -> User:
    api_key = request.headers.get("Authorization", "").replace("Bearer ", "")
    if api_key != SUPER_CLOUD_API_KEY:
--- a/backend/ee/onyx/background/celery/tasks/cloud/tasks.py
+++ b/backend/ee/onyx/background/celery/tasks/cloud/tasks.py
@@ -5,7 +5,6 @@ from celery import Task
 from celery.exceptions import SoftTimeLimitExceeded
 from redis.lock import Lock as RedisLock

-from ee.onyx.server.tenants.product_gating import get_gated_tenants
 from onyx.background.celery.apps.app_base import task_logger
 from onyx.background.celery.tasks.beat_schedule import BEAT_EXPIRES_DEFAULT
 from onyx.configs.constants import CELERY_GENERIC_BEAT_LOCK_TIMEOUT
@@ -31,7 +30,6 @@ def cloud_beat_task_generator(
    queue: str = OnyxCeleryTask.DEFAULT,
    priority: int = OnyxCeleryPriority.MEDIUM,
    expires: int = BEAT_EXPIRES_DEFAULT,
-    skip_gated: bool = True,
 ) -> bool | None:
    """a lightweight task used to kick off individual beat tasks per tenant."""
    time_start = time.monotonic()
@@ -50,22 +48,20 @@ def cloud_beat_task_generator(
    last_lock_time = time.monotonic()
    tenant_ids: list[str] = []
    num_processed_tenants = 0
-    num_skipped_gated = 0

    try:
        tenant_ids = get_all_tenant_ids()

-        # Per-task control over whether gated tenants are included. Most periodic tasks
-        # do no useful work on gated tenants and just waste DB connections fanning out
-        # to ~10k+ inactive tenants. A small number of cleanup tasks (connector deletion,
-        # checkpoint/index attempt cleanup) need to run on gated tenants and pass
-        # `skip_gated=False` from the beat schedule.
-        gated_tenants: set[str] = get_gated_tenants() if skip_gated else set()
+        # NOTE: for now, we are running tasks for gated tenants, since we want to allow
+        # connector deletion to run successfully. The new plan is to continously prune
+        # the gated tenants set, so we won't have a build up of old, unused gated tenants.
+        # Keeping this around in case we want to revert to the previous behavior.
+        # gated_tenants = get_gated_tenants()

        for tenant_id in tenant_ids:
-            if tenant_id in gated_tenants:
-                num_skipped_gated += 1
-                continue
+            # Same comment here as the above NOTE
+            # if tenant_id in gated_tenants:
+            #     continue

            current_time = time.monotonic()
            if current_time - last_lock_time >= (CELERY_GENERIC_BEAT_LOCK_TIMEOUT / 4):
@@ -108,7 +104,6 @@ def cloud_beat_task_generator(
        f"cloud_beat_task_generator finished: "
        f"task={task_name} "
        f"num_processed_tenants={num_processed_tenants} "
-        f"num_skipped_gated={num_skipped_gated} "
        f"num_tenants={len(tenant_ids)} "
        f"elapsed={time_elapsed:.2f}"
    )
--- a/backend/ee/onyx/background/celery/tasks/tenant_provisioning/tasks.py
+++ b/backend/ee/onyx/background/celery/tasks/tenant_provisioning/tasks.py
@@ -27,13 +27,13 @@ from shared_configs.configs import MULTI_TENANT
 from shared_configs.configs import TENANT_ID_PREFIX

 # Maximum tenants to provision in a single task run.
-# Each tenant takes ~80s (alembic migrations), so 15 tenants ≈ 20 minutes.
-_MAX_TENANTS_PER_RUN = 15
+# Each tenant takes ~80s (alembic migrations), so 5 tenants ≈ 7 minutes.
+_MAX_TENANTS_PER_RUN = 5

 # Time limits sized for worst-case: provisioning up to _MAX_TENANTS_PER_RUN new tenants
 # (~90s each) plus migrating up to TARGET_AVAILABLE_TENANTS pool tenants (~90s each).
-_TENANT_PROVISIONING_SOFT_TIME_LIMIT = 60 * 40  # 40 minutes
-_TENANT_PROVISIONING_TIME_LIMIT = 60 * 45  # 45 minutes
+_TENANT_PROVISIONING_SOFT_TIME_LIMIT = 60 * 20  # 20 minutes
+_TENANT_PROVISIONING_TIME_LIMIT = 60 * 25  # 25 minutes


@shared_task(
--- a/backend/ee/onyx/background/celery/tasks/ttl_management/tasks.py
+++ b/backend/ee/onyx/background/celery/tasks/ttl_management/tasks.py
@@ -1,14 +1,20 @@
+from datetime import datetime
+from datetime import timezone
 from uuid import UUID

 from celery import shared_task
 from celery import Task

 from ee.onyx.background.celery_utils import should_perform_chat_ttl_check
+from ee.onyx.background.task_name_builders import name_chat_ttl_task
 from onyx.configs.app_configs import JOB_TIMEOUT
 from onyx.configs.constants import OnyxCeleryTask
 from onyx.db.chat import delete_chat_session
 from onyx.db.chat import get_chat_sessions_older_than
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
+from onyx.db.enums import TaskStatus
+from onyx.db.tasks import mark_task_as_finished_with_id
+from onyx.db.tasks import register_task
 from onyx.server.settings.store import load_settings
 from onyx.utils.logger import setup_logger

@@ -23,42 +29,59 @@ logger = setup_logger()
    trail=False,
 )
 def perform_ttl_management_task(
-    self: Task, retention_limit_days: int, *, tenant_id: str  # noqa: ARG001
+    self: Task, retention_limit_days: int, *, tenant_id: str
 ) -> None:
    task_id = self.request.id
    if not task_id:
        raise RuntimeError("No task id defined for this task; cannot identify it")

+    start_time = datetime.now(tz=timezone.utc)
+
    user_id: UUID | None = None
    session_id: UUID | None = None
    try:
        with get_session_with_current_tenant() as db_session:
+            # we generally want to move off this, but keeping for now
+            register_task(
+                db_session=db_session,
+                task_name=name_chat_ttl_task(retention_limit_days, tenant_id),
+                task_id=task_id,
+                status=TaskStatus.STARTED,
+                start_time=start_time,
+            )

            old_chat_sessions = get_chat_sessions_older_than(
                retention_limit_days, db_session
            )

        for user_id, session_id in old_chat_sessions:
-            try:
-                with get_session_with_current_tenant() as db_session:
-                    delete_chat_session(
-                        user_id,
-                        session_id,
-                        db_session,
-                        include_deleted=True,
-                        hard_delete=True,
-                    )
-            except Exception:
-                logger.exception(
-                    "Failed to delete chat session "
-                    f"user_id={user_id} session_id={session_id}, "
-                    "continuing with remaining sessions"
+            # one session per delete so that we don't blow up if a deletion fails.
+            with get_session_with_current_tenant() as db_session:
+                delete_chat_session(
+                    user_id,
+                    session_id,
+                    db_session,
+                    include_deleted=True,
+                    hard_delete=True,
                )

+        with get_session_with_current_tenant() as db_session:
+            mark_task_as_finished_with_id(
+                db_session=db_session,
+                task_id=task_id,
+                success=True,
+            )
+
    except Exception:
        logger.exception(
            f"delete_chat_session exceptioned. user_id={user_id} session_id={session_id}"
        )
+        with get_session_with_current_tenant() as db_session:
+            mark_task_as_finished_with_id(
+                db_session=db_session,
+                task_id=task_id,
+                success=False,
+            )
        raise


--- a/backend/ee/onyx/db/user_group.py
+++ b/backend/ee/onyx/db/user_group.py
@@ -39,7 +39,6 @@ from onyx.db.models import User__UserGroup
 from onyx.db.models import UserGroup
 from onyx.db.models import UserGroup__ConnectorCredentialPair
 from onyx.db.models import UserRole
-from onyx.db.permissions import recompute_permissions_for_group__no_commit
 from onyx.db.permissions import recompute_user_permissions__no_commit
 from onyx.db.users import fetch_user_by_id
 from onyx.utils.logger import setup_logger
@@ -953,46 +952,3 @@ def delete_user_group_cc_pair_relationship__no_commit(
        UserGroup__ConnectorCredentialPair.cc_pair_id == cc_pair_id,
    )
    db_session.execute(delete_stmt)
-
-
-def set_group_permission__no_commit(
-    group_id: int,
-    permission: Permission,
-    enabled: bool,
-    granted_by: UUID,
-    db_session: Session,
-) -> None:
-    """Grant or revoke a single permission for a group using soft-delete.
-
-    Does NOT commit — caller must commit the session.
-    """
-    existing = db_session.execute(
-        select(PermissionGrant)
-        .where(
-            PermissionGrant.group_id == group_id,
-            PermissionGrant.permission == permission,
-        )
-        .with_for_update()
-    ).scalar_one_or_none()
-
-    if enabled:
-        if existing is not None:
-            if existing.is_deleted:
-                existing.is_deleted = False
-                existing.granted_by = granted_by
-                existing.granted_at = func.now()
-        else:
-            db_session.add(
-                PermissionGrant(
-                    group_id=group_id,
-                    permission=permission,
-                    grant_source=GrantSource.USER,
-                    granted_by=granted_by,
-                )
-            )
-    else:
-        if existing is not None and not existing.is_deleted:
-            existing.is_deleted = True
-
-    db_session.flush()
-    recompute_permissions_for_group__no_commit(group_id, db_session)
--- a/backend/ee/onyx/main.py
+++ b/backend/ee/onyx/main.py
@@ -155,7 +155,7 @@ def get_application() -> FastAPI:
    include_router_with_global_prefix_prepended(application, license_router)

    # Unified billing API - always registered in EE.
-    # Each endpoint is protected by admin permission checks.
+    # Each endpoint is protected by the `current_admin_user` dependency (admin auth).
    include_router_with_global_prefix_prepended(application, billing_router)

    if MULTI_TENANT:
--- a/backend/ee/onyx/server/analytics/api.py
+++ b/backend/ee/onyx/server/analytics/api.py
@@ -17,10 +17,10 @@ from ee.onyx.db.analytics import fetch_persona_message_analytics
 from ee.onyx.db.analytics import fetch_persona_unique_users
 from ee.onyx.db.analytics import fetch_query_analytics
 from ee.onyx.db.analytics import user_can_view_assistant_stats
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User

 router = APIRouter(prefix="/analytics", tags=PUBLIC_API_TAGS)
@@ -40,7 +40,7 @@ class QueryAnalyticsResponse(BaseModel):
 def get_query_analytics(
    start: datetime.datetime | None = None,
    end: datetime.datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[QueryAnalyticsResponse]:
    daily_query_usage_info = fetch_query_analytics(
@@ -71,7 +71,7 @@ class UserAnalyticsResponse(BaseModel):
 def get_user_analytics(
    start: datetime.datetime | None = None,
    end: datetime.datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserAnalyticsResponse]:
    daily_query_usage_info_per_user = fetch_per_user_query_analytics(
@@ -105,7 +105,7 @@ class OnyxbotAnalyticsResponse(BaseModel):
 def get_onyxbot_analytics(
    start: datetime.datetime | None = None,
    end: datetime.datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[OnyxbotAnalyticsResponse]:
    daily_onyxbot_info = fetch_onyxbot_analytics(
@@ -141,7 +141,7 @@ def get_persona_messages(
    persona_id: int,
    start: datetime.datetime | None = None,
    end: datetime.datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[PersonaMessageAnalyticsResponse]:
    """Fetch daily message counts for a single persona within the given time range."""
@@ -179,7 +179,7 @@ def get_persona_unique_users(
    persona_id: int,
    start: datetime.datetime,
    end: datetime.datetime,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[PersonaUniqueUsersResponse]:
    """Get unique users per day for a single persona."""
@@ -218,7 +218,7 @@ def get_assistant_stats(
    assistant_id: int,
    start: datetime.datetime | None = None,
    end: datetime.datetime | None = None,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> AssistantStatsResponse:
    """
--- a/backend/ee/onyx/server/billing/api.py
+++ b/backend/ee/onyx/server/billing/api.py
@@ -29,6 +29,7 @@ from fastapi import Depends
 from pydantic import BaseModel
 from sqlalchemy.orm import Session

+from ee.onyx.auth.users import current_admin_user
 from ee.onyx.db.license import get_license
 from ee.onyx.db.license import get_used_seats
 from ee.onyx.server.billing.models import BillingInformationResponse
@@ -50,13 +51,11 @@ from ee.onyx.server.billing.service import (
    get_billing_information as get_billing_service,
 )
 from ee.onyx.server.billing.service import update_seat_count as update_seat_service
-from onyx.auth.permissions import require_permission
 from onyx.auth.users import User
 from onyx.configs.app_configs import STRIPE_PUBLISHABLE_KEY_OVERRIDE
 from onyx.configs.app_configs import STRIPE_PUBLISHABLE_KEY_URL
 from onyx.configs.app_configs import WEB_DOMAIN
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import OnyxError
 from onyx.redis.redis_pool import get_shared_redis_client
@@ -148,7 +147,7 @@ def _get_tenant_id() -> str | None:
@router.post("/create-checkout-session")
 async def create_checkout_session(
    request: CreateCheckoutSessionRequest | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> CreateCheckoutSessionResponse:
    """Create a Stripe checkout session for new subscription or renewal.
@@ -192,7 +191,7 @@ async def create_checkout_session(
@router.post("/create-customer-portal-session")
 async def create_customer_portal_session(
    request: CreateCustomerPortalSessionRequest | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> CreateCustomerPortalSessionResponse:
    """Create a Stripe customer portal session for managing subscription.
@@ -217,7 +216,7 @@ async def create_customer_portal_session(

@router.get("/billing-information")
 async def get_billing_information(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> BillingInformationResponse | SubscriptionStatusResponse:
    """Get billing information for the current subscription.
@@ -259,7 +258,7 @@ async def get_billing_information(
@router.post("/seats/update")
 async def update_seats(
    request: SeatUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> SeatUpdateResponse:
    """Update the seat count for the current subscription.
@@ -365,7 +364,7 @@ class ResetConnectionResponse(BaseModel):

@router.post("/reset-connection")
 async def reset_stripe_connection(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> ResetConnectionResponse:
    """Reset the Stripe connection circuit breaker.

--- a/backend/ee/onyx/server/enterprise_settings/api.py
+++ b/backend/ee/onyx/server/enterprise_settings/api.py
@@ -27,12 +27,11 @@ from ee.onyx.server.scim.auth import generate_scim_token
 from ee.onyx.server.scim.models import ScimTokenCreate
 from ee.onyx.server.scim.models import ScimTokenCreatedResponse
 from ee.onyx.server.scim.models import ScimTokenResponse
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_user_with_expired_token
 from onyx.auth.users import get_user_manager
 from onyx.auth.users import UserManager
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.file_store.file_store import get_default_file_store
 from onyx.server.utils import BasicAuthenticationError
@@ -121,8 +120,7 @@ async def refresh_access_token(

@admin_router.put("")
 def admin_ee_put_settings(
-    settings: EnterpriseSettings,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    settings: EnterpriseSettings, _: User = Depends(current_admin_user)
 ) -> None:
    store_settings(settings)

@@ -141,7 +139,7 @@ def ee_fetch_settings() -> EnterpriseSettings:
 def put_logo(
    file: UploadFile,
    is_logotype: bool = False,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    upload_logo(file=file, is_logotype=is_logotype)

@@ -198,8 +196,7 @@ def fetch_logo(

@admin_router.put("/custom-analytics-script")
 def upload_custom_analytics_script(
-    script_upload: AnalyticsScriptUpload,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    script_upload: AnalyticsScriptUpload, _: User = Depends(current_admin_user)
 ) -> None:
    try:
        store_analytics_script(script_upload)
@@ -223,7 +220,7 @@ def _get_scim_dal(db_session: Session = Depends(get_session)) -> ScimDAL:

@admin_router.get("/scim/token")
 def get_active_scim_token(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    dal: ScimDAL = Depends(_get_scim_dal),
 ) -> ScimTokenResponse:
    """Return the currently active SCIM token's metadata, or 404 if none."""
@@ -253,7 +250,7 @@ def get_active_scim_token(
@admin_router.post("/scim/token", status_code=201)
 def create_scim_token(
    body: ScimTokenCreate,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    dal: ScimDAL = Depends(_get_scim_dal),
 ) -> ScimTokenCreatedResponse:
    """Create a new SCIM bearer token.
--- a/backend/ee/onyx/server/features/hooks/api.py
+++ b/backend/ee/onyx/server/features/hooks/api.py
@@ -4,13 +4,12 @@ from fastapi import Depends
 from fastapi import Query
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import User
 from onyx.db.constants import UNSET
 from onyx.db.constants import UnsetType
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
-from onyx.db.enums import Permission
 from onyx.db.hook import create_hook__no_commit
 from onyx.db.hook import delete_hook__no_commit
 from onyx.db.hook import get_hook_by_id
@@ -179,7 +178,7 @@ router = APIRouter(prefix="/admin/hooks")

@router.get("/specs")
 def get_hook_point_specs(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
 ) -> list[HookPointMetaResponse]:
    return [
@@ -200,7 +199,7 @@ def get_hook_point_specs(

@router.get("")
 def list_hooks(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> list[HookResponse]:
@@ -211,7 +210,7 @@ def list_hooks(
@router.post("")
 def create_hook(
    req: HookCreateRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookResponse:
@@ -247,7 +246,7 @@ def create_hook(
@router.get("/{hook_id}")
 def get_hook(
    hook_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookResponse:
@@ -259,7 +258,7 @@ def get_hook(
 def update_hook(
    hook_id: int,
    req: HookUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookResponse:
@@ -329,7 +328,7 @@ def update_hook(
@router.delete("/{hook_id}")
 def delete_hook(
    hook_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> None:
@@ -340,7 +339,7 @@ def delete_hook(
@router.post("/{hook_id}/activate")
 def activate_hook(
    hook_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookResponse:
@@ -382,7 +381,7 @@ def activate_hook(
@router.post("/{hook_id}/validate")
 def validate_hook(
    hook_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookValidateResponse:
@@ -410,7 +409,7 @@ def validate_hook(
@router.post("/{hook_id}/deactivate")
 def deactivate_hook(
    hook_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> HookResponse:
@@ -433,7 +432,7 @@ def deactivate_hook(
 def list_hook_execution_logs(
    hook_id: int,
    limit: int = Query(default=10, ge=1, le=100),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    _hook_enabled: None = Depends(require_hook_enabled),
    db_session: Session = Depends(get_session),
 ) -> list[HookExecutionRecord]:
--- a/backend/ee/onyx/server/license/api.py
+++ b/backend/ee/onyx/server/license/api.py
@@ -17,6 +17,7 @@ from fastapi import File
 from fastapi import UploadFile
 from sqlalchemy.orm import Session

+from ee.onyx.auth.users import current_admin_user
 from ee.onyx.configs.app_configs import CLOUD_DATA_PLANE_URL
 from ee.onyx.db.license import delete_license as db_delete_license
 from ee.onyx.db.license import get_license
@@ -31,10 +32,8 @@ from ee.onyx.server.license.models import LicenseStatusResponse
 from ee.onyx.server.license.models import LicenseUploadResponse
 from ee.onyx.server.license.models import SeatUsageResponse
 from ee.onyx.utils.license import verify_license_signature
-from onyx.auth.permissions import require_permission
 from onyx.auth.users import User
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
@@ -61,7 +60,7 @@ def _strip_pem_delimiters(content: str) -> str:

@router.get("")
 async def get_license_status(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> LicenseStatusResponse:
    """Get current license status and seat usage."""
@@ -85,7 +84,7 @@ async def get_license_status(

@router.get("/seats")
 async def get_seat_usage(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> SeatUsageResponse:
    """Get detailed seat usage information."""
@@ -108,7 +107,7 @@ async def get_seat_usage(
@router.post("/claim")
 async def claim_license(
    session_id: str | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> LicenseResponse:
    """
@@ -216,7 +215,7 @@ async def claim_license(
@router.post("/upload")
 async def upload_license(
    license_file: UploadFile = File(...),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> LicenseUploadResponse:
    """
@@ -264,7 +263,7 @@ async def upload_license(

@router.post("/refresh")
 async def refresh_license_cache_endpoint(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> LicenseStatusResponse:
    """
@@ -293,7 +292,7 @@ async def refresh_license_cache_endpoint(

@router.delete("")
 async def delete_license(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict[str, bool]:
    """
--- a/backend/ee/onyx/server/manage/standard_answer.py
+++ b/backend/ee/onyx/server/manage/standard_answer.py
@@ -12,9 +12,8 @@ from ee.onyx.db.standard_answer import insert_standard_answer_category
 from ee.onyx.db.standard_answer import remove_standard_answer
 from ee.onyx.db.standard_answer import update_standard_answer
 from ee.onyx.db.standard_answer import update_standard_answer_category
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.manage.models import StandardAnswer
 from onyx.server.manage.models import StandardAnswerCategory
@@ -28,7 +27,7 @@ router = APIRouter(prefix="/manage")
 def create_standard_answer(
    standard_answer_creation_request: StandardAnswerCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> StandardAnswer:
    standard_answer_model = insert_standard_answer(
        keyword=standard_answer_creation_request.keyword,
@@ -44,7 +43,7 @@ def create_standard_answer(
@router.get("/admin/standard-answer")
 def list_standard_answers(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> list[StandardAnswer]:
    standard_answer_models = fetch_standard_answers(db_session=db_session)
    return [
@@ -58,7 +57,7 @@ def patch_standard_answer(
    standard_answer_id: int,
    standard_answer_creation_request: StandardAnswerCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> StandardAnswer:
    existing_standard_answer = fetch_standard_answer(
        standard_answer_id=standard_answer_id,
@@ -84,7 +83,7 @@ def patch_standard_answer(
 def delete_standard_answer(
    standard_answer_id: int,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    return remove_standard_answer(
        standard_answer_id=standard_answer_id,
@@ -96,7 +95,7 @@ def delete_standard_answer(
 def create_standard_answer_category(
    standard_answer_category_creation_request: StandardAnswerCategoryCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> StandardAnswerCategory:
    standard_answer_category_model = insert_standard_answer_category(
        category_name=standard_answer_category_creation_request.name,
@@ -108,7 +107,7 @@ def create_standard_answer_category(
@router.get("/admin/standard-answer/category")
 def list_standard_answer_categories(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> list[StandardAnswerCategory]:
    standard_answer_category_models = fetch_standard_answer_categories(
        db_session=db_session
@@ -124,7 +123,7 @@ def patch_standard_answer_category(
    standard_answer_category_id: int,
    standard_answer_category_creation_request: StandardAnswerCategoryCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> StandardAnswerCategory:
    existing_standard_answer_category = fetch_standard_answer_category(
        standard_answer_category_id=standard_answer_category_id,
--- a/backend/ee/onyx/server/oauth/api.py
+++ b/backend/ee/onyx/server/oauth/api.py
@@ -9,10 +9,9 @@ from ee.onyx.server.oauth.api_router import router
 from ee.onyx.server.oauth.confluence_cloud import ConfluenceCloudOAuth
 from ee.onyx.server.oauth.google_drive import GoogleDriveOAuth
 from ee.onyx.server.oauth.slack import SlackOAuth
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import DEV_MODE
 from onyx.configs.constants import DocumentSource
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.redis.redis_pool import get_redis_client
 from onyx.utils.logger import setup_logger
@@ -25,7 +24,7 @@ logger = setup_logger()
 def prepare_authorization_request(
    connector: DocumentSource,
    redirect_on_success: str | None,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    tenant_id: str | None = Depends(get_current_tenant_id),
 ) -> JSONResponse:
    """Used by the frontend to generate the url for the user's browser during auth request.
--- a/backend/ee/onyx/server/oauth/confluence_cloud.py
+++ b/backend/ee/onyx/server/oauth/confluence_cloud.py
@@ -15,7 +15,7 @@ from pydantic import ValidationError
 from sqlalchemy.orm import Session

 from ee.onyx.server.oauth.api_router import router
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import DEV_MODE
 from onyx.configs.app_configs import OAUTH_CONFLUENCE_CLOUD_CLIENT_ID
 from onyx.configs.app_configs import OAUTH_CONFLUENCE_CLOUD_CLIENT_SECRET
@@ -26,7 +26,6 @@ from onyx.db.credentials import create_credential
 from onyx.db.credentials import fetch_credential_by_id_for_user
 from onyx.db.credentials import update_credential_json
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.redis.redis_pool import get_redis_client
 from onyx.server.documents.models import CredentialBase
@@ -147,7 +146,7 @@ class ConfluenceCloudOAuth:
 def confluence_oauth_callback(
    code: str,
    state: str,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    tenant_id: str | None = Depends(get_current_tenant_id),
 ) -> JSONResponse:
@@ -259,7 +258,7 @@ def confluence_oauth_callback(
@router.get("/connector/confluence/accessible-resources")
 def confluence_oauth_accessible_resources(
    credential_id: int,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    tenant_id: str | None = Depends(get_current_tenant_id),  # noqa: ARG001
 ) -> JSONResponse:
@@ -326,7 +325,7 @@ def confluence_oauth_finalize(
    cloud_id: str,
    cloud_name: str,
    cloud_url: str,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    tenant_id: str | None = Depends(get_current_tenant_id),  # noqa: ARG001
 ) -> JSONResponse:
--- a/backend/ee/onyx/server/oauth/google_drive.py
+++ b/backend/ee/onyx/server/oauth/google_drive.py
@@ -12,7 +12,7 @@ from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from ee.onyx.server.oauth.api_router import router
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import DEV_MODE
 from onyx.configs.app_configs import OAUTH_GOOGLE_DRIVE_CLIENT_ID
 from onyx.configs.app_configs import OAUTH_GOOGLE_DRIVE_CLIENT_SECRET
@@ -34,7 +34,6 @@ from onyx.connectors.google_utils.shared_constants import (
 )
 from onyx.db.credentials import create_credential
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.redis.redis_pool import get_redis_client
 from onyx.server.documents.models import CredentialBase
@@ -115,7 +114,7 @@ class GoogleDriveOAuth:
 def handle_google_drive_oauth_callback(
    code: str,
    state: str,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    tenant_id: str | None = Depends(get_current_tenant_id),
 ) -> JSONResponse:
--- a/backend/ee/onyx/server/oauth/slack.py
+++ b/backend/ee/onyx/server/oauth/slack.py
@@ -10,7 +10,7 @@ from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from ee.onyx.server.oauth.api_router import router
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import DEV_MODE
 from onyx.configs.app_configs import OAUTH_SLACK_CLIENT_ID
 from onyx.configs.app_configs import OAUTH_SLACK_CLIENT_SECRET
@@ -18,7 +18,6 @@ from onyx.configs.app_configs import WEB_DOMAIN
 from onyx.configs.constants import DocumentSource
 from onyx.db.credentials import create_credential
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.redis.redis_pool import get_redis_client
 from onyx.server.documents.models import CredentialBase
@@ -99,7 +98,7 @@ class SlackOAuth:
 def handle_slack_oauth_callback(
    code: str,
    state: str,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    tenant_id: str | None = Depends(get_current_tenant_id),
 ) -> JSONResponse:
--- a/backend/ee/onyx/server/query_and_chat/query_backend.py
+++ b/backend/ee/onyx/server/query_and_chat/query_backend.py
@@ -8,9 +8,8 @@ from ee.onyx.onyxbot.slack.handlers.handle_standard_answers import (
 )
 from ee.onyx.server.query_and_chat.models import StandardAnswerRequest
 from ee.onyx.server.query_and_chat.models import StandardAnswerResponse
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.utils.logger import setup_logger

@@ -23,7 +22,7 @@ basic_router = APIRouter(prefix="/query")
 def get_standard_answer(
    request: StandardAnswerRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> StandardAnswerResponse:
    try:
        standard_answers = oneoff_standard_answers(
--- a/backend/ee/onyx/server/query_and_chat/search_backend.py
+++ b/backend/ee/onyx/server/query_and_chat/search_backend.py
@@ -19,11 +19,10 @@ from ee.onyx.server.query_and_chat.models import SearchHistoryResponse
 from ee.onyx.server.query_and_chat.models import SearchQueryResponse
 from ee.onyx.server.query_and_chat.models import SendSearchQueryRequest
 from ee.onyx.server.query_and_chat.streaming_models import SearchErrorPacket
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import ONYX_SEARCH_UI_USES_OPENSEARCH_KEYWORD_SEARCH
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.llm.factory import get_default_llm
 from onyx.server.usage_limits import check_llm_cost_limit_for_provider
@@ -40,7 +39,7 @@ router = APIRouter(prefix="/search")
@router.post("/search-flow-classification")
 def search_flow_classification(
    request: SearchFlowClassificationRequest,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SearchFlowClassificationResponse:
    query = request.user_query
@@ -80,7 +79,7 @@ def search_flow_classification(
 )
 def handle_send_search_message(
    request: SendSearchQueryRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StreamingResponse | SearchFullResponse:
    """
@@ -130,7 +129,7 @@ def handle_send_search_message(
 def get_search_history(
    limit: int = 100,
    filter_days: int | None = None,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SearchHistoryResponse:
    """
--- a/backend/ee/onyx/server/query_history/api.py
+++ b/backend/ee/onyx/server/query_history/api.py
@@ -20,7 +20,7 @@ from ee.onyx.server.query_history.models import ChatSessionMinimal
 from ee.onyx.server.query_history.models import ChatSessionSnapshot
 from ee.onyx.server.query_history.models import MessageSnapshot
 from ee.onyx.server.query_history.models import QueryHistoryExport
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import get_display_email
 from onyx.background.celery.versioned_apps.client import app as client_app
 from onyx.background.task_utils import construct_query_history_report_name
@@ -39,7 +39,6 @@ from onyx.configs.constants import SessionType
 from onyx.db.chat import get_chat_session_by_id
 from onyx.db.chat import get_chat_sessions_by_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.enums import TaskStatus
 from onyx.db.file_record import get_query_history_export_files
 from onyx.db.models import ChatSession
@@ -154,7 +153,7 @@ def snapshot_from_chat_session(
@router.get("/admin/chat-sessions")
 def admin_get_chat_sessions(
    user_id: UUID,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> ChatSessionsResponse:
    # we specifically don't allow this endpoint if "anonymized" since
@@ -197,7 +196,7 @@ def get_chat_session_history(
    feedback_type: QAFeedbackType | None = None,
    start_time: datetime | None = None,
    end_time: datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> PaginatedReturn[ChatSessionMinimal]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -235,7 +234,7 @@ def get_chat_session_history(
@router.get("/admin/chat-session-history/{chat_session_id}")
 def get_chat_session_admin(
    chat_session_id: UUID,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> ChatSessionSnapshot:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -270,7 +269,7 @@ def get_chat_session_admin(

@router.get("/admin/query-history/list")
 def list_all_query_history_exports(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[QueryHistoryExport]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -298,7 +297,7 @@ def list_all_query_history_exports(

@router.post("/admin/query-history/start-export", tags=PUBLIC_API_TAGS)
 def start_query_history_export(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
    start: datetime | None = None,
    end: datetime | None = None,
@@ -345,7 +344,7 @@ def start_query_history_export(
@router.get("/admin/query-history/export-status", tags=PUBLIC_API_TAGS)
 def get_query_history_export_status(
    request_id: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict[str, str]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -379,7 +378,7 @@ def get_query_history_export_status(
@router.get("/admin/query-history/download", tags=PUBLIC_API_TAGS)
 def download_query_history_csv(
    request_id: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StreamingResponse:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
--- a/backend/ee/onyx/server/reporting/usage_export_api.py
+++ b/backend/ee/onyx/server/reporting/usage_export_api.py
@@ -12,11 +12,10 @@ from sqlalchemy.orm import Session
 from ee.onyx.db.usage_export import get_all_usage_reports
 from ee.onyx.db.usage_export import get_usage_report_data
 from ee.onyx.db.usage_export import UsageReportMetadata
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.background.celery.versioned_apps.client import app as client_app
 from onyx.configs.constants import OnyxCeleryTask
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.file_store.constants import STANDARD_CHUNK_SIZE
 from shared_configs.contextvars import get_current_tenant_id
@@ -32,7 +31,7 @@ class GenerateUsageReportParams(BaseModel):
@router.post("/admin/usage-report", status_code=204)
 def generate_report(
    params: GenerateUsageReportParams,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
 ) -> None:
    # Validate period parameters
    if params.period_from and params.period_to:
@@ -59,7 +58,7 @@ def generate_report(
@router.get("/admin/usage-report/{report_name}")
 def read_usage_report(
    report_name: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),  # noqa: ARG001
 ) -> Response:
    try:
@@ -83,7 +82,7 @@ def read_usage_report(

@router.get("/admin/usage-report")
 def fetch_usage_reports(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[UsageReportMetadata]:
    try:
--- a/backend/ee/onyx/server/tenants/anonymous_users_api.py
+++ b/backend/ee/onyx/server/tenants/anonymous_users_api.py
@@ -12,13 +12,12 @@ from ee.onyx.server.tenants.anonymous_user_path import (
 from ee.onyx.server.tenants.anonymous_user_path import modify_anonymous_user_path
 from ee.onyx.server.tenants.anonymous_user_path import validate_anonymous_user_path
 from ee.onyx.server.tenants.models import AnonymousUserPath
-from onyx.auth.permissions import require_permission
 from onyx.auth.users import anonymous_user_enabled
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import User
 from onyx.configs.constants import ANONYMOUS_USER_COOKIE_NAME
 from onyx.configs.constants import FASTAPI_USERS_AUTH_COOKIE_NAME
 from onyx.db.engine.sql_engine import get_session_with_shared_schema
-from onyx.db.enums import Permission
 from onyx.utils.logger import setup_logger
 from shared_configs.contextvars import get_current_tenant_id

@@ -29,7 +28,7 @@ router = APIRouter(prefix="/tenants")

@router.get("/anonymous-user-path")
 async def get_anonymous_user_path_api(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> AnonymousUserPath:
    tenant_id = get_current_tenant_id()

@@ -45,7 +44,7 @@ async def get_anonymous_user_path_api(
@router.post("/anonymous-user-path")
 async def set_anonymous_user_path_api(
    anonymous_user_path: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    tenant_id = get_current_tenant_id()
    try:
--- a/backend/ee/onyx/server/tenants/billing_api.py
+++ b/backend/ee/onyx/server/tenants/billing_api.py
@@ -22,6 +22,7 @@ import httpx
 from fastapi import APIRouter
 from fastapi import Depends

+from ee.onyx.auth.users import current_admin_user
 from ee.onyx.server.tenants.access import control_plane_dep
 from ee.onyx.server.tenants.billing import fetch_billing_information
 from ee.onyx.server.tenants.billing import fetch_customer_portal_session
@@ -37,12 +38,10 @@ from ee.onyx.server.tenants.models import SubscriptionSessionResponse
 from ee.onyx.server.tenants.models import SubscriptionStatusResponse
 from ee.onyx.server.tenants.product_gating import overwrite_full_gated_set
 from ee.onyx.server.tenants.product_gating import store_product_gating
-from onyx.auth.permissions import require_permission
 from onyx.auth.users import User
 from onyx.configs.app_configs import STRIPE_PUBLISHABLE_KEY_OVERRIDE
 from onyx.configs.app_configs import STRIPE_PUBLISHABLE_KEY_URL
 from onyx.configs.app_configs import WEB_DOMAIN
-from onyx.db.enums import Permission
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
@@ -100,7 +99,7 @@ def gate_product_full_sync(

@router.get("/billing-information")
 async def billing_information(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> BillingInformation | SubscriptionStatusResponse:
    logger.info("Fetching billing information")
    tenant_id = get_current_tenant_id()
@@ -109,7 +108,7 @@ async def billing_information(

@router.post("/create-customer-portal-session")
 async def create_customer_portal_session(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> dict:
    """Create a Stripe customer portal session via the control plane."""
    tenant_id = get_current_tenant_id()
@@ -131,7 +130,7 @@ async def create_customer_portal_session(
@router.post("/create-checkout-session")
 async def create_checkout_session(
    request: CreateCheckoutSessionRequest | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> dict:
    """Create a Stripe checkout session via the control plane."""
    tenant_id = get_current_tenant_id()
@@ -154,7 +153,7 @@ async def create_checkout_session(
@router.post("/create-subscription-session")
 async def create_subscription_session(
    request: CreateSubscriptionSessionRequest | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> SubscriptionSessionResponse:
    try:
        tenant_id = CURRENT_TENANT_ID_CONTEXTVAR.get()
--- a/backend/ee/onyx/server/tenants/team_membership_api.py
+++ b/backend/ee/onyx/server/tenants/team_membership_api.py
@@ -6,11 +6,10 @@ from sqlalchemy.orm import Session
 from ee.onyx.server.tenants.provisioning import delete_user_from_control_plane
 from ee.onyx.server.tenants.user_mapping import remove_all_users_from_tenant
 from ee.onyx.server.tenants.user_mapping import remove_users_from_tenant
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import User
 from onyx.db.auth import get_user_count
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.users import delete_user_from_db
 from onyx.db.users import get_user_by_email
 from onyx.server.manage.models import UserByEmail
@@ -25,9 +24,7 @@ router = APIRouter(prefix="/tenants")
@router.post("/leave-team")
 async def leave_organization(
    user_email: UserByEmail,
-    current_user: User = Depends(
-        require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)
-    ),
+    current_user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    tenant_id = get_current_tenant_id()
--- a/backend/ee/onyx/server/tenants/tenant_management_api.py
+++ b/backend/ee/onyx/server/tenants/tenant_management_api.py
@@ -3,9 +3,8 @@ from fastapi import Depends

 from ee.onyx.server.tenants.models import TenantByDomainResponse
 from ee.onyx.server.tenants.provisioning import get_tenant_by_domain_from_control_plane
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.auth.users import User
-from onyx.db.enums import Permission
 from onyx.utils.logger import setup_logger
 from shared_configs.contextvars import get_current_tenant_id

@@ -27,7 +26,7 @@ FORBIDDEN_COMMON_EMAIL_SUBSTRINGS = [

@router.get("/existing-team-by-domain")
 def get_existing_tenant_by_domain(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> TenantByDomainResponse | None:
    domain = user.email.split("@")[1]
    if any(substring in domain for substring in FORBIDDEN_COMMON_EMAIL_SUBSTRINGS):
--- a/backend/ee/onyx/server/tenants/user_invitations_api.py
+++ b/backend/ee/onyx/server/tenants/user_invitations_api.py
@@ -10,9 +10,9 @@ from ee.onyx.server.tenants.user_mapping import approve_user_invite
 from ee.onyx.server.tenants.user_mapping import deny_user_invite
 from ee.onyx.server.tenants.user_mapping import invite_self_to_tenant
 from onyx.auth.invited_users import get_pending_users
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
+from onyx.auth.users import current_user
 from onyx.auth.users import User
-from onyx.db.enums import Permission
 from onyx.utils.logger import setup_logger
 from shared_configs.contextvars import get_current_tenant_id

@@ -24,7 +24,7 @@ router = APIRouter(prefix="/tenants")
@router.post("/users/invite/request")
 async def request_invite(
    invite_request: RequestInviteRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
 ) -> None:
    try:
        invite_self_to_tenant(user.email, invite_request.tenant_id)
@@ -37,7 +37,7 @@ async def request_invite(

@router.get("/users/pending")
 def list_pending_users(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> list[PendingUserSnapshot]:
    pending_emails = get_pending_users()
    return [PendingUserSnapshot(email=email) for email in pending_emails]
@@ -46,7 +46,7 @@ def list_pending_users(
@router.post("/users/invite/approve")
 async def approve_user(
    approve_user_request: ApproveUserRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    tenant_id = get_current_tenant_id()
    approve_user_invite(approve_user_request.email, tenant_id)
@@ -55,7 +55,7 @@ async def approve_user(
@router.post("/users/invite/accept")
 async def accept_invite(
    invite_request: RequestInviteRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> None:
    """
    Accept an invitation to join a tenant.
@@ -70,7 +70,7 @@ async def accept_invite(
@router.post("/users/invite/deny")
 async def deny_invite(
    invite_request: RequestInviteRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> None:
    """
    Deny an invitation to join a tenant.
--- a/backend/ee/onyx/server/token_rate_limits/api.py
+++ b/backend/ee/onyx/server/token_rate_limits/api.py
@@ -7,11 +7,10 @@ from sqlalchemy.orm import Session
 from ee.onyx.db.token_limit import fetch_all_user_group_token_rate_limits_by_group
 from ee.onyx.db.token_limit import fetch_user_group_token_rate_limits_for_user
 from ee.onyx.db.token_limit import insert_user_group_token_rate_limit
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.token_limit import fetch_all_user_token_rate_limits
 from onyx.db.token_limit import insert_user_token_rate_limit
@@ -29,7 +28,7 @@ Group Token Limit Settings

@router.get("/user-groups")
 def get_all_group_token_limit_settings(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict[str, list[TokenRateLimitDisplay]]:
    user_groups_to_token_rate_limits = fetch_all_user_group_token_rate_limits_by_group(
@@ -65,7 +64,7 @@ def get_group_token_limit_settings(
 def create_group_token_limit_settings(
    group_id: int,
    token_limit_settings: TokenRateLimitArgs,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> TokenRateLimitDisplay:
    rate_limit_display = TokenRateLimitDisplay.from_db(
@@ -87,7 +86,7 @@ User Token Limit Settings

@router.get("/users")
 def get_user_token_limit_settings(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[TokenRateLimitDisplay]:
    return [
@@ -99,7 +98,7 @@ def get_user_token_limit_settings(
@router.post("/users")
 def create_user_token_limit_settings(
    token_limit_settings: TokenRateLimitArgs,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> TokenRateLimitDisplay:
    rate_limit_display = TokenRateLimitDisplay.from_db(
--- a/backend/ee/onyx/server/user_group/api.py
+++ b/backend/ee/onyx/server/user_group/api.py
@@ -13,26 +13,22 @@ from ee.onyx.db.user_group import fetch_user_groups_for_user
 from ee.onyx.db.user_group import insert_user_group
 from ee.onyx.db.user_group import prepare_user_group_for_deletion
 from ee.onyx.db.user_group import rename_user_group
-from ee.onyx.db.user_group import set_group_permission__no_commit
 from ee.onyx.db.user_group import update_user_curator_relationship
 from ee.onyx.db.user_group import update_user_group
 from ee.onyx.server.user_group.models import AddUsersToUserGroupRequest
 from ee.onyx.server.user_group.models import MinimalUserGroupSnapshot
 from ee.onyx.server.user_group.models import SetCuratorRequest
-from ee.onyx.server.user_group.models import SetPermissionRequest
-from ee.onyx.server.user_group.models import SetPermissionResponse
 from ee.onyx.server.user_group.models import UpdateGroupAgentsRequest
 from ee.onyx.server.user_group.models import UserGroup
 from ee.onyx.server.user_group.models import UserGroupCreate
 from ee.onyx.server.user_group.models import UserGroupRename
 from ee.onyx.server.user_group.models import UserGroupUpdate
-from onyx.auth.permissions import NON_TOGGLEABLE_PERMISSIONS
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.models import UserRole
 from onyx.db.persona import get_persona_by_id
@@ -72,7 +68,7 @@ def list_user_groups(
@router.get("/user-groups/minimal")
 def list_minimal_user_groups(
    include_default: bool = False,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[MinimalUserGroupSnapshot]:
    if user.role == UserRole.ADMIN:
@@ -95,50 +91,23 @@ def list_minimal_user_groups(
@router.get("/admin/user-group/{user_group_id}/permissions")
 def get_user_group_permissions(
    user_group_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
-) -> list[Permission]:
+) -> list[str]:
    group = fetch_user_group(db_session, user_group_id)
    if group is None:
        raise OnyxError(OnyxErrorCode.NOT_FOUND, "User group not found")
    return [
-        grant.permission for grant in group.permission_grants if not grant.is_deleted
+        grant.permission.value
+        for grant in group.permission_grants
+        if not grant.is_deleted
    ]


-@router.put("/admin/user-group/{user_group_id}/permissions")
-def set_user_group_permission(
-    user_group_id: int,
-    request: SetPermissionRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-    db_session: Session = Depends(get_session),
-) -> SetPermissionResponse:
-    group = fetch_user_group(db_session, user_group_id)
-    if group is None:
-        raise OnyxError(OnyxErrorCode.NOT_FOUND, "User group not found")
-
-    if request.permission in NON_TOGGLEABLE_PERMISSIONS:
-        raise OnyxError(
-            OnyxErrorCode.INVALID_INPUT,
-            f"Permission '{request.permission}' cannot be toggled via this endpoint",
-        )
-
-    set_group_permission__no_commit(
-        group_id=user_group_id,
-        permission=request.permission,
-        enabled=request.enabled,
-        granted_by=user.id,
-        db_session=db_session,
-    )
-    db_session.commit()
-
-    return SetPermissionResponse(permission=request.permission, enabled=request.enabled)
-
-
@router.post("/admin/user-group")
 def create_user_group(
    user_group: UserGroupCreate,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> UserGroup:
    try:
@@ -155,7 +124,7 @@ def create_user_group(
@router.patch("/admin/user-group/rename")
 def rename_user_group_endpoint(
    rename_request: UserGroupRename,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> UserGroup:
    group = fetch_user_group(db_session, rename_request.id)
@@ -243,7 +212,7 @@ def set_user_curator(
@router.delete("/admin/user-group/{user_group_id}")
 def delete_user_group(
    user_group_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    group = fetch_user_group(db_session, user_group_id)
@@ -264,7 +233,7 @@ def delete_user_group(
 def update_group_agents(
    user_group_id: int,
    request: UpdateGroupAgentsRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    for agent_id in request.added_agent_ids:
--- a/backend/ee/onyx/server/user_group/models.py
+++ b/backend/ee/onyx/server/user_group/models.py
@@ -2,7 +2,6 @@ from uuid import UUID

 from pydantic import BaseModel

-from onyx.auth.permissions import Permission
 from onyx.db.models import UserGroup as UserGroupModel
 from onyx.server.documents.models import ConnectorCredentialPairDescriptor
 from onyx.server.documents.models import ConnectorSnapshot
@@ -122,13 +121,3 @@ class SetCuratorRequest(BaseModel):
 class UpdateGroupAgentsRequest(BaseModel):
    added_agent_ids: list[int]
    removed_agent_ids: list[int]
-
-
-class SetPermissionRequest(BaseModel):
-    permission: Permission
-    enabled: bool
-
-
-class SetPermissionResponse(BaseModel):
-    permission: Permission
-    enabled: bool
--- a/backend/onyx/auth/permissions.py
+++ b/backend/onyx/auth/permissions.py
@@ -47,20 +47,6 @@ IMPLIED_PERMISSIONS: dict[str, set[str]] = {
    },
 }

-# Permissions that cannot be toggled via the group-permission API.
-# BASIC_ACCESS is always granted, FULL_ADMIN_PANEL_ACCESS is too broad,
-# and READ_* permissions are implied (never stored directly).
-NON_TOGGLEABLE_PERMISSIONS: frozenset[Permission] = frozenset(
-    {
-        Permission.BASIC_ACCESS,
-        Permission.FULL_ADMIN_PANEL_ACCESS,
-        Permission.READ_CONNECTORS,
-        Permission.READ_DOCUMENT_SETS,
-        Permission.READ_AGENTS,
-        Permission.READ_USERS,
-    }
-)
-

 def resolve_effective_permissions(granted: set[str]) -> set[str]:
    """Expand granted permissions with their implied permissions.
@@ -121,5 +107,4 @@ def require_permission(

        return user

-    dependency._is_require_permission = True  # type: ignore[attr-defined]  # sentinel for auth_check detection
    return dependency
--- a/backend/onyx/auth/users.py
+++ b/backend/onyx/auth/users.py
@@ -127,7 +127,6 @@ from onyx.db.models import User
 from onyx.db.pat import fetch_user_for_pat
 from onyx.db.users import assign_user_to_default_groups__no_commit
 from onyx.db.users import get_user_by_email
-from onyx.db.users import is_limited_user
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import log_onyx_error
 from onyx.error_handling.exceptions import onyx_error_to_json_response
@@ -1682,9 +1681,9 @@ async def current_user(
 ) -> User:
    user = await double_check_user(user)

-    if is_limited_user(user):
+    if user.role == UserRole.LIMITED:
        raise BasicAuthenticationError(
-            detail="Access denied. User has limited permissions.",
+            detail="Access denied. User role is LIMITED. BASIC or higher permissions are required.",
        )
    return user

@@ -1701,6 +1700,15 @@ async def current_curator_or_admin_user(
    return user


+async def current_admin_user(user: User = Depends(current_user)) -> User:
+    if user.role != UserRole.ADMIN:
+        raise BasicAuthenticationError(
+            detail="Access denied. User must be an admin to perform this action.",
+        )
+
+    return user
+
+
 async def _get_user_from_token_data(token_data: dict) -> User | None:
    """Shared logic: token data dict → User object.

@@ -1809,11 +1817,11 @@ async def current_user_from_websocket(
    # Apply same checks as HTTP auth (verification, OIDC expiry, role)
    user = await double_check_user(user)

-    # Block limited users (same as current_user)
-    if is_limited_user(user):
-        logger.warning(f"WS auth: user {user.email} is limited")
+    # Block LIMITED users (same as current_user)
+    if user.role == UserRole.LIMITED:
+        logger.warning(f"WS auth: user {user.email} has LIMITED role")
        raise BasicAuthenticationError(
-            detail="Access denied. User has limited permissions.",
+            detail="Access denied. User role is LIMITED. BASIC or higher permissions are required.",
        )

    logger.debug(f"WS auth: authenticated {user.email}")
--- a/backend/onyx/background/README.md
+++ b/backend/onyx/background/README.md
@@ -1,7 +1,6 @@
 # Overview of Onyx Background Jobs

 The background jobs take care of:
-
 1. Pulling/Indexing documents (from connectors)
 2. Updating document metadata (from connectors)
 3. Cleaning up checkpoints and logic around indexing work (indexing indexing checkpoints and index attempt metadata)
@@ -10,41 +9,37 @@ The background jobs take care of:

 ## Worker → Queue Mapping

-| Worker                    | File                           | Queues                                                                                                               |
-| ------------------------- | ------------------------------ | -------------------------------------------------------------------------------------------------------------------- |
-| Primary                   | `apps/primary.py`              | `celery`                                                                                                             |
-| Light                     | `apps/light.py`                | `vespa_metadata_sync`, `connector_deletion`, `doc_permissions_upsert`, `checkpoint_cleanup`, `index_attempt_cleanup` |
-| Heavy                     | `apps/heavy.py`                | `connector_pruning`, `connector_doc_permissions_sync`, `connector_external_group_sync`, `csv_generation`, `sandbox`  |
-| Docprocessing             | `apps/docprocessing.py`        | `docprocessing`                                                                                                      |
-| Docfetching               | `apps/docfetching.py`          | `connector_doc_fetching`                                                                                             |
-| User File Processing      | `apps/user_file_processing.py` | `user_file_processing`, `user_file_project_sync`, `user_file_delete`                                                 |
-| Monitoring                | `apps/monitoring.py`           | `monitoring`                                                                                                         |
-| Background (consolidated) | `apps/background.py`           | All queues above except `celery`                                                                                     |
+| Worker | File | Queues |
+|--------|------|--------|
+| Primary | `apps/primary.py` | `celery` |
+| Light | `apps/light.py` | `vespa_metadata_sync`, `connector_deletion`, `doc_permissions_upsert`, `checkpoint_cleanup`, `index_attempt_cleanup` |
+| Heavy | `apps/heavy.py` | `connector_pruning`, `connector_doc_permissions_sync`, `connector_external_group_sync`, `csv_generation`, `sandbox` |
+| Docprocessing | `apps/docprocessing.py` | `docprocessing` |
+| Docfetching | `apps/docfetching.py` | `connector_doc_fetching` |
+| User File Processing | `apps/user_file_processing.py` | `user_file_processing`, `user_file_project_sync`, `user_file_delete` |
+| Monitoring | `apps/monitoring.py` | `monitoring` |
+| Background (consolidated) | `apps/background.py` | All queues above except `celery` |

 ## Non-Worker Apps
-
-| App        | File        | Purpose                                                                                               |
-| ---------- | ----------- | ----------------------------------------------------------------------------------------------------- |
-| **Beat**   | `beat.py`   | Celery beat scheduler with `DynamicTenantScheduler` that generates per-tenant periodic task schedules |
-| **Client** | `client.py` | Minimal app for task submission from non-worker processes (e.g., API server)                          |
+| App | File | Purpose |
+|-----|------|---------|
+| **Beat** | `beat.py` | Celery beat scheduler with `DynamicTenantScheduler` that generates per-tenant periodic task schedules |
+| **Client** | `client.py` | Minimal app for task submission from non-worker processes (e.g., API server) |

 ### Shared Module
-
 `app_base.py` provides:
-
 - `TenantAwareTask` - Base task class that sets tenant context
 - Signal handlers for logging, cleanup, and lifecycle events
 - Readiness probes and health checks

+
 ## Worker Details

 ### Primary (Coordinator and task dispatcher)
-
 It is the single worker which handles tasks from the default celery queue. It is a singleton worker ensured by the `PRIMARY_WORKER` Redis lock
 which it touches every `CELERY_PRIMARY_WORKER_LOCK_TIMEOUT / 8` seconds (using Celery Bootsteps)

 On startup:
-
 - waits for redis, postgres, document index to all be healthy
 - acquires the singleton lock
 - cleans all the redis states associated with background jobs
@@ -52,34 +47,34 @@ On startup:

 Then it cycles through its tasks as scheduled by Celery Beat:

-| Task                              | Frequency | Description                                                                                |
-| --------------------------------- | --------- | ------------------------------------------------------------------------------------------ |
-| `check_for_indexing`              | 15s       | Scans for connectors needing indexing → dispatches to `DOCFETCHING` queue                  |
-| `check_for_vespa_sync_task`       | 20s       | Finds stale documents/document sets → dispatches sync tasks to `VESPA_METADATA_SYNC` queue |
-| `check_for_pruning`               | 20s       | Finds connectors due for pruning → dispatches to `CONNECTOR_PRUNING` queue                 |
-| `check_for_connector_deletion`    | 20s       | Processes deletion requests → dispatches to `CONNECTOR_DELETION` queue                     |
-| `check_for_user_file_processing`  | 20s       | Checks for user uploads → dispatches to `USER_FILE_PROCESSING` queue                       |
-| `check_for_checkpoint_cleanup`    | 1h        | Cleans up old indexing checkpoints                                                         |
-| `check_for_index_attempt_cleanup` | 30m       | Cleans up old index attempts                                                               |
-| `celery_beat_heartbeat`           | 1m        | Heartbeat for Beat watchdog                                                                |
+| Task | Frequency | Description |
+|------|-----------|-------------|
+| `check_for_indexing` | 15s | Scans for connectors needing indexing → dispatches to `DOCFETCHING` queue |
+| `check_for_vespa_sync_task` | 20s | Finds stale documents/document sets → dispatches sync tasks to `VESPA_METADATA_SYNC` queue |
+| `check_for_pruning` | 20s | Finds connectors due for pruning → dispatches to `CONNECTOR_PRUNING` queue |
+| `check_for_connector_deletion` | 20s | Processes deletion requests → dispatches to `CONNECTOR_DELETION` queue |
+| `check_for_user_file_processing` | 20s | Checks for user uploads → dispatches to `USER_FILE_PROCESSING` queue |
+| `check_for_checkpoint_cleanup` | 1h | Cleans up old indexing checkpoints |
+| `check_for_index_attempt_cleanup` | 30m | Cleans up old index attempts |
+| `kombu_message_cleanup_task` | periodic | Cleans orphaned Kombu messages from DB (Kombu being the messaging framework used by Celery) |
+| `celery_beat_heartbeat` | 1m | Heartbeat for Beat watchdog |

 Watchdog is a separate Python process managed by supervisord which runs alongside celery workers. It checks the ONYX_CELERY_BEAT_HEARTBEAT_KEY in
 Redis to ensure Celery Beat is not dead. Beat schedules the celery_beat_heartbeat for Primary to touch the key and share that it's still alive.
 See supervisord.conf for watchdog config.

-### Light

+### Light
 Fast and short living tasks that are not resource intensive. High concurrency:
 Can have 24 concurrent workers, each with a prefetch of 8 for a total of 192 tasks in flight at once.

 Tasks it handles:
-
 - Syncs access/permissions, document sets, boosts, hidden state
 - Deletes documents that are marked for deletion in Postgres
 - Cleanup of checkpoints and index attempts

-### Heavy

+### Heavy
 Long running, resource intensive tasks, handles pruning and sandbox operations. Low concurrency - max concurrency of 4 with 1 prefetch.

 Does not interact with the Document Index, it handles the syncs with external systems. Large volume API calls to handle pruning and fetching permissions, etc.
@@ -88,24 +83,16 @@ Generates CSV exports which may take a long time with significant data in Postgr

 Sandbox (new feature) for running Next.js, Python virtual env, OpenCode AI Agent, and access to knowledge files

+
 ### Docprocessing, Docfetching, User File Processing
-
 Docprocessing and Docfetching are for indexing documents:
-
 - Docfetching runs connectors to pull documents from external APIs (Google Drive, Confluence, etc.), stores batches to file storage, and dispatches docprocessing tasks
- Docprocessing retrieves batches, runs the indexing pipeline (chunking, embedding), and indexes into the Document Index
- User Files come from uploads directly via the input bar
+- Docprocessing retrieves batches, runs the indexing pipeline (chunking, embedding), and indexes into the Document Index 
+User Files come from uploads directly via the input bar
+

 ### Monitoring
-
 Observability and metrics collections:
-
- Queue lengths, connector success/failure, connector latencies
+- Queue lengths, connector success/failure, lconnector latencies
 - Memory of supervisor managed processes (workers, beat, slack)
 - Cloud and multitenant specific monitorings
-
-## Prometheus Metrics
-
-Workers can expose Prometheus metrics via a standalone HTTP server. Currently docfetching and docprocessing have push-based task lifecycle metrics; the monitoring worker runs pull-based collectors for queue depth and connector health.
-
-For the full metric reference, integration guide, and PromQL examples, see [`docs/METRICS.md`](../../../docs/METRICS.md#celery-worker-metrics).
--- a/backend/onyx/background/celery/apps/heavy.py
+++ b/backend/onyx/background/celery/apps/heavy.py
@@ -13,12 +13,6 @@ from celery.signals import worker_shutdown
 import onyx.background.celery.apps.app_base as app_base
 from onyx.configs.constants import POSTGRES_CELERY_WORKER_HEAVY_APP_NAME
 from onyx.db.engine.sql_engine import SqlEngine
-from onyx.server.metrics.celery_task_metrics import on_celery_task_postrun
-from onyx.server.metrics.celery_task_metrics import on_celery_task_prerun
-from onyx.server.metrics.celery_task_metrics import on_celery_task_rejected
-from onyx.server.metrics.celery_task_metrics import on_celery_task_retry
-from onyx.server.metrics.celery_task_metrics import on_celery_task_revoked
-from onyx.server.metrics.metrics_server import start_metrics_server
 from onyx.utils.logger import setup_logger
 from shared_configs.configs import MULTI_TENANT

@@ -40,7 +34,6 @@ def on_task_prerun(
    **kwds: Any,
 ) -> None:
    app_base.on_task_prerun(sender, task_id, task, args, kwargs, **kwds)
-    on_celery_task_prerun(task_id, task)


@signals.task_postrun.connect
@@ -55,31 +48,6 @@ def on_task_postrun(
    **kwds: Any,
 ) -> None:
    app_base.on_task_postrun(sender, task_id, task, args, kwargs, retval, state, **kwds)
-    on_celery_task_postrun(task_id, task, state)
-
-
-@signals.task_retry.connect
-def on_task_retry(sender: Any | None = None, **kwargs: Any) -> None:  # noqa: ARG001
-    task_id = getattr(getattr(sender, "request", None), "id", None)
-    on_celery_task_retry(task_id, sender)
-
-
-@signals.task_revoked.connect
-def on_task_revoked(sender: Any | None = None, **kwargs: Any) -> None:
-    task_name = getattr(sender, "name", None) or str(sender)
-    on_celery_task_revoked(kwargs.get("task_id"), task_name)
-
-
-@signals.task_rejected.connect
-def on_task_rejected(sender: Any | None = None, **kwargs: Any) -> None:  # noqa: ARG001
-    message = kwargs.get("message")
-    task_name: str | None = None
-    if message is not None:
-        headers = getattr(message, "headers", None) or {}
-        task_name = headers.get("task")
-    if task_name is None:
-        task_name = "unknown"
-    on_celery_task_rejected(None, task_name)


@celeryd_init.connect
@@ -108,7 +76,6 @@ def on_worker_init(sender: Worker, **kwargs: Any) -> None:

@worker_ready.connect
 def on_worker_ready(sender: Any, **kwargs: Any) -> None:
-    start_metrics_server("heavy")
    app_base.on_worker_ready(sender, **kwargs)


--- a/backend/onyx/background/celery/apps/primary.py
+++ b/backend/onyx/background/celery/apps/primary.py
@@ -317,6 +317,7 @@ celery_app.autodiscover_tasks(
            "onyx.background.celery.tasks.docprocessing",
            "onyx.background.celery.tasks.evals",
            "onyx.background.celery.tasks.hierarchyfetching",
+            "onyx.background.celery.tasks.periodic",
            "onyx.background.celery.tasks.pruning",
            "onyx.background.celery.tasks.shared",
            "onyx.background.celery.tasks.vespa",
--- a/backend/onyx/background/celery/tasks/beat_schedule.py
+++ b/backend/onyx/background/celery/tasks/beat_schedule.py
@@ -75,8 +75,6 @@ beat_task_templates: list[dict] = [
        "options": {
            "priority": OnyxCeleryPriority.LOW,
            "expires": BEAT_EXPIRES_DEFAULT,
-            # Run on gated tenants too — they may still have stale checkpoints to clean.
-            "skip_gated": False,
        },
    },
    {
@@ -86,8 +84,6 @@ beat_task_templates: list[dict] = [
        "options": {
            "priority": OnyxCeleryPriority.MEDIUM,
            "expires": BEAT_EXPIRES_DEFAULT,
-            # Run on gated tenants too — they may still have stale index attempts.
-            "skip_gated": False,
        },
    },
    {
@@ -97,8 +93,6 @@ beat_task_templates: list[dict] = [
        "options": {
            "priority": OnyxCeleryPriority.MEDIUM,
            "expires": BEAT_EXPIRES_DEFAULT,
-            # Gated tenants may still have connectors awaiting deletion.
-            "skip_gated": False,
        },
    },
    {
@@ -142,14 +136,7 @@ beat_task_templates: list[dict] = [
    {
        "name": "cleanup-idle-sandboxes",
        "task": OnyxCeleryTask.CLEANUP_IDLE_SANDBOXES,
-        # SANDBOX_IDLE_TIMEOUT_SECONDS defaults to 1 hour, so there is no
-        # functional reason to scan more often than every ~15 minutes. In the
-        # cloud this is multiplied by CLOUD_BEAT_MULTIPLIER_DEFAULT (=8) so
-        # the effective cadence becomes ~2 hours, which still meets the
-        # idle-detection SLA. The previous 1-minute base schedule produced
-        # an 8-minute per-tenant fan-out and was the dominant source of
-        # background DB load on the cloud cluster.
-        "schedule": timedelta(minutes=15),
+        "schedule": timedelta(minutes=1),
        "options": {
            "priority": OnyxCeleryPriority.LOW,
            "expires": BEAT_EXPIRES_DEFAULT,
@@ -279,7 +266,7 @@ def make_cloud_generator_task(task: dict[str, Any]) -> dict[str, Any]:
    cloud_task["kwargs"] = {}
    cloud_task["kwargs"]["task_name"] = task["task"]

-    optional_fields = ["queue", "priority", "expires", "skip_gated"]
+    optional_fields = ["queue", "priority", "expires"]
    for field in optional_fields:
        if field in task["options"]:
            cloud_task["kwargs"][field] = task["options"][field]
@@ -315,7 +302,7 @@ beat_cloud_tasks: list[dict] = [
    {
        "name": f"{ONYX_CLOUD_CELERY_TASK_PREFIX}_check-available-tenants",
        "task": OnyxCeleryTask.CLOUD_CHECK_AVAILABLE_TENANTS,
-        "schedule": timedelta(minutes=2),
+        "schedule": timedelta(minutes=10),
        "options": {
            "queue": OnyxCeleryQueues.MONITORING,
            "priority": OnyxCeleryPriority.HIGH,
@@ -372,13 +359,7 @@ if not MULTI_TENANT:
        ]
    )

-    # `skip_gated` is a cloud-only hint consumed by `cloud_beat_task_generator`. Strip
-    # it before extending the self-hosted schedule so it doesn't leak into apply_async
-    # as an unrecognised option on every fired task message.
-    for _template in beat_task_templates:
-        _self_hosted_template = copy.deepcopy(_template)
-        _self_hosted_template["options"].pop("skip_gated", None)
-        tasks_to_schedule.append(_self_hosted_template)
+    tasks_to_schedule.extend(beat_task_templates)


 def generate_cloud_tasks(
--- a/backend/onyx/background/celery/tasks/opensearch_migration/tasks.py
+++ b/backend/onyx/background/celery/tasks/opensearch_migration/tasks.py
@@ -36,7 +36,6 @@ from onyx.configs.constants import OnyxRedisLocks
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
 from onyx.db.opensearch_migration import build_sanitized_to_original_doc_id_mapping
 from onyx.db.opensearch_migration import get_vespa_visit_state
-from onyx.db.opensearch_migration import is_migration_completed
 from onyx.db.opensearch_migration import (
    mark_migration_completed_time_if_not_set_with_commit,
 )
@@ -107,19 +106,14 @@ def migrate_chunks_from_vespa_to_opensearch_task(
            acquired; effectively a no-op. True if the task completed
            successfully. False if the task errored.
    """
-    # 1. Check if we should run the task.
-    # 1.a. If OpenSearch indexing is disabled, we don't run the task.
    if not ENABLE_OPENSEARCH_INDEXING_FOR_ONYX:
        task_logger.warning(
            "OpenSearch migration is not enabled, skipping chunk migration task."
        )
        return None
+
    task_logger.info("Starting chunk-level migration from Vespa to OpenSearch.")
    task_start_time = time.monotonic()
-
-    # 1.b. Only one instance per tenant of this task may run concurrently at
-    # once. If we fail to acquire a lock, we assume it is because another task
-    # has one and we exit.
    r = get_redis_client()
    lock: RedisLock = r.lock(
        name=OnyxRedisLocks.OPENSEARCH_MIGRATION_BEAT_LOCK,
@@ -142,11 +136,10 @@ def migrate_chunks_from_vespa_to_opensearch_task(
            f"Token: {lock.local.token}"
        )

-    # 2. Prepare to migrate.
    total_chunks_migrated_this_task = 0
    total_chunks_errored_this_task = 0
    try:
-        # 2.a. Double-check that tenant info is correct.
+        # Double check that tenant info is correct.
        if tenant_id != get_current_tenant_id():
            err_str = (
                f"Tenant ID mismatch in the OpenSearch migration task: "
@@ -155,62 +148,16 @@ def migrate_chunks_from_vespa_to_opensearch_task(
            task_logger.error(err_str)
            return False

-        # Do as much as we can with a DB session in one spot to not hold a
-        # session during a migration batch.
-        with get_session_with_current_tenant() as db_session:
-            # 2.b. Immediately check to see if this tenant is done, to save
-            # having to do any other work. This function does not require a
-            # migration record to necessarily exist.
-            if is_migration_completed(db_session):
-                return True
-
-            # 2.c. Try to insert the OpenSearchTenantMigrationRecord table if it
-            # does not exist.
+        with (
+            get_session_with_current_tenant() as db_session,
+            get_vespa_http_client(
+                timeout=VESPA_MIGRATION_REQUEST_TIMEOUT_S
+            ) as vespa_client,
+        ):
            try_insert_opensearch_tenant_migration_record_with_commit(db_session)
-
-            # 2.d. Get search settings.
            search_settings = get_current_search_settings(db_session)
-            indexing_setting = IndexingSetting.from_db_model(search_settings)
-
-            # 2.e. Build sanitized to original doc ID mapping to check for
-            # conflicts in the event we sanitize a doc ID to an
-            # already-existing doc ID.
-            # We reconstruct this mapping for every task invocation because
-            # a document may have been added in the time between two tasks.
-            sanitized_doc_start_time = time.monotonic()
-            sanitized_to_original_doc_id_mapping = (
-                build_sanitized_to_original_doc_id_mapping(db_session)
-            )
-            task_logger.debug(
-                f"Built sanitized_to_original_doc_id_mapping with {len(sanitized_to_original_doc_id_mapping)} entries "
-                f"in {time.monotonic() - sanitized_doc_start_time:.3f} seconds."
-            )
-
-            # 2.f. Get the current migration state.
-            continuation_token_map, total_chunks_migrated = get_vespa_visit_state(
-                db_session
-            )
-            # 2.f.1. Double-check that the migration state does not imply
-            # completion. Really we should never have to enter this block as we
-            # would expect is_migration_completed to return True, but in the
-            # strange event that the migration is complete but the migration
-            # completed time was never stamped, we do so here.
-            if is_continuation_token_done_for_all_slices(continuation_token_map):
-                task_logger.info(
-                    f"OpenSearch migration COMPLETED for tenant {tenant_id}. Total chunks migrated: {total_chunks_migrated}."
-                )
-                mark_migration_completed_time_if_not_set_with_commit(db_session)
-                return True
-        task_logger.debug(
-            f"Read the tenant migration record. Total chunks migrated: {total_chunks_migrated}. "
-            f"Continuation token map: {continuation_token_map}"
-        )
-
-        with get_vespa_http_client(
-            timeout=VESPA_MIGRATION_REQUEST_TIMEOUT_S
-        ) as vespa_client:
-            # 2.g. Create the OpenSearch and Vespa document indexes.
            tenant_state = TenantState(tenant_id=tenant_id, multitenant=MULTI_TENANT)
+            indexing_setting = IndexingSetting.from_db_model(search_settings)
            opensearch_document_index = OpenSearchDocumentIndex(
                tenant_state=tenant_state,
                index_name=search_settings.index_name,
@@ -224,14 +171,22 @@ def migrate_chunks_from_vespa_to_opensearch_task(
                httpx_client=vespa_client,
            )

-            # 2.h. Get the approximate chunk count in Vespa as of this time to
-            # update the migration record.
+            sanitized_doc_start_time = time.monotonic()
+            # We reconstruct this mapping for every task invocation because a
+            # document may have been added in the time between two tasks.
+            sanitized_to_original_doc_id_mapping = (
+                build_sanitized_to_original_doc_id_mapping(db_session)
+            )
+            task_logger.debug(
+                f"Built sanitized_to_original_doc_id_mapping with {len(sanitized_to_original_doc_id_mapping)} entries "
+                f"in {time.monotonic() - sanitized_doc_start_time:.3f} seconds."
+            )
+
            approx_chunk_count_in_vespa: int | None = None
            get_chunk_count_start_time = time.monotonic()
            try:
                approx_chunk_count_in_vespa = vespa_document_index.get_chunk_count()
            except Exception:
-                # This failure should not be blocking.
                task_logger.exception(
                    "Error getting approximate chunk count in Vespa. Moving on..."
                )
@@ -240,12 +195,25 @@ def migrate_chunks_from_vespa_to_opensearch_task(
                f"approximate chunk count in Vespa. Got {approx_chunk_count_in_vespa}."
            )

-            # 3. Do the actual migration in batches until we run out of time.
            while (
                time.monotonic() - task_start_time < MIGRATION_TASK_SOFT_TIME_LIMIT_S
                and lock.owned()
            ):
-                # 3.a. Get the next batch of raw chunks from Vespa.
+                (
+                    continuation_token_map,
+                    total_chunks_migrated,
+                ) = get_vespa_visit_state(db_session)
+                if is_continuation_token_done_for_all_slices(continuation_token_map):
+                    task_logger.info(
+                        f"OpenSearch migration COMPLETED for tenant {tenant_id}. Total chunks migrated: {total_chunks_migrated}."
+                    )
+                    mark_migration_completed_time_if_not_set_with_commit(db_session)
+                    break
+                task_logger.debug(
+                    f"Read the tenant migration record. Total chunks migrated: {total_chunks_migrated}. "
+                    f"Continuation token map: {continuation_token_map}"
+                )
+
                get_vespa_chunks_start_time = time.monotonic()
                raw_vespa_chunks, next_continuation_token_map = (
                    vespa_document_index.get_all_raw_document_chunks_paginated(
@@ -258,7 +226,6 @@ def migrate_chunks_from_vespa_to_opensearch_task(
                    f"seconds. Next continuation token map: {next_continuation_token_map}"
                )

-                # 3.b. Transform the raw chunks to OpenSearch chunks in memory.
                opensearch_document_chunks, errored_chunks = (
                    transform_vespa_chunks_to_opensearch_chunks(
                        raw_vespa_chunks,
@@ -273,7 +240,6 @@ def migrate_chunks_from_vespa_to_opensearch_task(
                        "errored."
                    )

-                # 3.c. Index the OpenSearch chunks into OpenSearch.
                index_opensearch_chunks_start_time = time.monotonic()
                opensearch_document_index.index_raw_chunks(
                    chunks=opensearch_document_chunks
@@ -285,38 +251,12 @@ def migrate_chunks_from_vespa_to_opensearch_task(

                total_chunks_migrated_this_task += len(opensearch_document_chunks)
                total_chunks_errored_this_task += len(errored_chunks)
-
-                # Do as much as we can with a DB session in one spot to not hold a
-                # session during a migration batch.
-                with get_session_with_current_tenant() as db_session:
-                    # 3.d. Update the migration state.
-                    update_vespa_visit_progress_with_commit(
-                        db_session,
-                        continuation_token_map=next_continuation_token_map,
-                        chunks_processed=len(opensearch_document_chunks),
-                        chunks_errored=len(errored_chunks),
-                        approx_chunk_count_in_vespa=approx_chunk_count_in_vespa,
-                    )
-
-                    # 3.e. Get the current migration state. Even thought we
-                    # technically have it in-memory since we just wrote it, we
-                    # want to reference the DB as the source of truth at all
-                    # times.
-                    continuation_token_map, total_chunks_migrated = (
-                        get_vespa_visit_state(db_session)
-                    )
-                    # 3.e.1. Check if the migration is done.
-                    if is_continuation_token_done_for_all_slices(
-                        continuation_token_map
-                    ):
-                        task_logger.info(
-                            f"OpenSearch migration COMPLETED for tenant {tenant_id}. Total chunks migrated: {total_chunks_migrated}."
-                        )
-                        mark_migration_completed_time_if_not_set_with_commit(db_session)
-                        return True
-                task_logger.debug(
-                    f"Read the tenant migration record. Total chunks migrated: {total_chunks_migrated}. "
-                    f"Continuation token map: {continuation_token_map}"
+                update_vespa_visit_progress_with_commit(
+                    db_session,
+                    continuation_token_map=next_continuation_token_map,
+                    chunks_processed=len(opensearch_document_chunks),
+                    chunks_errored=len(errored_chunks),
+                    approx_chunk_count_in_vespa=approx_chunk_count_in_vespa,
                )
    except Exception:
        traceback.print_exc()
--- a/backend/onyx/background/celery/tasks/periodic/init.py
+++ b/backend/onyx/background/celery/tasks/periodic/init.py
--- a/backend/onyx/background/celery/tasks/periodic/tasks.py
+++ b/backend/onyx/background/celery/tasks/periodic/tasks.py
@@ -0,0 +1,138 @@
+#####
+# Periodic Tasks
+#####
+import json
+from typing import Any
+
+from celery import shared_task
+from celery.contrib.abortable import AbortableTask  # type: ignore
+from celery.exceptions import TaskRevokedError
+from sqlalchemy import inspect
+from sqlalchemy import text
+from sqlalchemy.orm import Session
+
+from onyx.background.celery.apps.app_base import task_logger
+from onyx.configs.app_configs import JOB_TIMEOUT
+from onyx.configs.constants import OnyxCeleryTask
+from onyx.configs.constants import PostgresAdvisoryLocks
+from onyx.db.engine.sql_engine import get_session_with_current_tenant
+
+
+@shared_task(
+    name=OnyxCeleryTask.KOMBU_MESSAGE_CLEANUP_TASK,
+    soft_time_limit=JOB_TIMEOUT,
+    bind=True,
+    base=AbortableTask,
+)
+def kombu_message_cleanup_task(self: Any, tenant_id: str) -> int:  # noqa: ARG001
+    """Runs periodically to clean up the kombu_message table"""
+
+    # we will select messages older than this amount to clean up
+    KOMBU_MESSAGE_CLEANUP_AGE = 7  # days
+    KOMBU_MESSAGE_CLEANUP_PAGE_LIMIT = 1000
+
+    ctx = {}
+    ctx["last_processed_id"] = 0
+    ctx["deleted"] = 0
+    ctx["cleanup_age"] = KOMBU_MESSAGE_CLEANUP_AGE
+    ctx["page_limit"] = KOMBU_MESSAGE_CLEANUP_PAGE_LIMIT
+    with get_session_with_current_tenant() as db_session:
+        # Exit the task if we can't take the advisory lock
+        result = db_session.execute(
+            text("SELECT pg_try_advisory_lock(:id)"),
+            {"id": PostgresAdvisoryLocks.KOMBU_MESSAGE_CLEANUP_LOCK_ID.value},
+        ).scalar()
+        if not result:
+            return 0
+
+        while True:
+            if self.is_aborted():
+                raise TaskRevokedError("kombu_message_cleanup_task was aborted.")
+
+            b = kombu_message_cleanup_task_helper(ctx, db_session)
+            if not b:
+                break
+
+            db_session.commit()
+
+    if ctx["deleted"] > 0:
+        task_logger.info(
+            f"Deleted {ctx['deleted']} orphaned messages from kombu_message."
+        )
+
+    return ctx["deleted"]
+
+
+def kombu_message_cleanup_task_helper(ctx: dict, db_session: Session) -> bool:
+    """
+    Helper function to clean up old messages from the `kombu_message` table that are no longer relevant.
+
+    This function retrieves messages from the `kombu_message` table that are no longer visible and
+    older than a specified interval. It checks if the corresponding task_id exists in the
+    `celery_taskmeta` table. If the task_id does not exist, the message is deleted.
+
+    Args:
+        ctx (dict): A context dictionary containing configuration parameters such as:
+            - 'cleanup_age' (int): The age in days after which messages are considered old.
+            - 'page_limit' (int): The maximum number of messages to process in one batch.
+            - 'last_processed_id' (int): The ID of the last processed message to handle pagination.
+            - 'deleted' (int): A counter to track the number of deleted messages.
+        db_session (Session): The SQLAlchemy database session for executing queries.
+
+    Returns:
+        bool: Returns True if there are more rows to process, False if not.
+    """
+
+    inspector = inspect(db_session.bind)
+    if not inspector:
+        return False
+
+    # With the move to redis as celery's broker and backend, kombu tables may not even exist.
+    # We can fail silently.
+    if not inspector.has_table("kombu_message"):
+        return False
+
+    query = text(
+        """
+    SELECT id, timestamp, payload
+    FROM kombu_message WHERE visible = 'false'
+    AND timestamp < CURRENT_TIMESTAMP - INTERVAL :interval_days
+    AND id > :last_processed_id
+    ORDER BY id
+    LIMIT :page_limit
+"""
+    )
+    kombu_messages = db_session.execute(
+        query,
+        {
+            "interval_days": f"{ctx['cleanup_age']} days",
+            "page_limit": ctx["page_limit"],
+            "last_processed_id": ctx["last_processed_id"],
+        },
+    ).fetchall()
+
+    if len(kombu_messages) == 0:
+        return False
+
+    for msg in kombu_messages:
+        payload = json.loads(msg[2])
+        task_id = payload["headers"]["id"]
+
+        # Check if task_id exists in celery_taskmeta
+        task_exists = db_session.execute(
+            text("SELECT 1 FROM celery_taskmeta WHERE task_id = :task_id"),
+            {"task_id": task_id},
+        ).fetchone()
+
+        # If task_id does not exist, delete the message
+        if not task_exists:
+            result = db_session.execute(
+                text("DELETE FROM kombu_message WHERE id = :message_id"),
+                {"message_id": msg[0]},
+            )
+            if result.rowcount > 0:  # type: ignore
+                ctx["deleted"] += 1
+
+        ctx["last_processed_id"] = msg[0]
+
+    return True
--- a/backend/onyx/background/celery/tasks/pruning/tasks.py
+++ b/backend/onyx/background/celery/tasks/pruning/tasks.py
@@ -217,7 +217,7 @@ def check_for_pruning(self: Task, *, tenant_id: str) -> bool | None:
    try:
        # the entire task needs to run frequently in order to finalize pruning

-        # but pruning only kicks off once per min
+        # but pruning only kicks off once per hour
        if not r.exists(OnyxRedisSignals.BLOCK_PRUNING):
            task_logger.info("Checking for pruning due")

--- a/backend/onyx/chat/process_message.py
+++ b/backend/onyx/chat/process_message.py
@@ -996,7 +996,6 @@ def _run_models(

    def _run_model(model_idx: int) -> None:
        """Run one LLM loop inside a worker thread, writing packets to ``merged_queue``."""
-
        model_emitter = Emitter(
            model_idx=model_idx,
            merged_queue=merged_queue,
@@ -1103,33 +1102,33 @@ def _run_models(
        finally:
            merged_queue.put((model_idx, _MODEL_DONE))

-    def _save_errored_message(model_idx: int, context: str) -> None:
-        """Save an error message to a reserved ChatMessage that failed during execution."""
+    def _delete_orphaned_message(model_idx: int, context: str) -> None:
+        """Delete a reserved ChatMessage that was never populated due to a model error."""
        try:
-            msg = db_session.get(ChatMessage, setup.reserved_messages[model_idx].id)
-            if msg is not None:
-                error_text = f"Error from {setup.model_display_names[model_idx]}: model encountered an error during generation."
-                msg.message = error_text
-                msg.error = error_text
+            orphaned = db_session.get(
+                ChatMessage, setup.reserved_messages[model_idx].id
+            )
+            if orphaned is not None:
+                db_session.delete(orphaned)
                db_session.commit()
        except Exception:
            logger.exception(
-                "%s error save failed for model %d (%s)",
+                "%s orphan cleanup failed for model %d (%s)",
                context,
                model_idx,
                setup.model_display_names[model_idx],
            )

-    # Each worker thread needs its own Context copy — a single Context object
-    # cannot be entered concurrently by multiple threads (RuntimeError).
+    # Copy contextvars before submitting futures — ThreadPoolExecutor does NOT
+    # auto-propagate contextvars in Python 3.11; threads would inherit a blank context.
+    worker_context = contextvars.copy_context()
    executor = ThreadPoolExecutor(
        max_workers=n_models, thread_name_prefix="multi-model"
    )
    completion_persisted: bool = False
    try:
        for i in range(n_models):
-            ctx = contextvars.copy_context()
-            executor.submit(ctx.run, _run_model, i)
+            executor.submit(worker_context.run, _run_model, i)

        # ── Main thread: merge and yield packets ────────────────────────────
        models_remaining = n_models
@@ -1146,7 +1145,7 @@ def _run_models(
                    #   save "stopped by user" for a model that actually threw an exception.
                    for i in range(n_models):
                        if model_errored[i]:
-                            _save_errored_message(i, "stop-button")
+                            _delete_orphaned_message(i, "stop-button")
                            continue
                        try:
                            succeeded = model_succeeded[i]
@@ -1212,7 +1211,7 @@ def _run_models(
        for i in range(n_models):
            if not model_succeeded[i]:
                # Model errored — delete its orphaned reserved message.
-                _save_errored_message(i, "normal")
+                _delete_orphaned_message(i, "normal")
                continue
            try:
                llm_loop_completion_handle(
@@ -1265,7 +1264,7 @@ def _run_models(
                            setup.model_display_names[i],
                        )
                elif model_errored[i]:
-                    _save_errored_message(i, "disconnect")
+                    _delete_orphaned_message(i, "disconnect")
            # 4. Drain buffered packets from memory — no consumer is running.
            while not merged_queue.empty():
                try:
--- a/backend/onyx/configs/app_configs.py
+++ b/backend/onyx/configs/app_configs.py
@@ -379,14 +379,6 @@ POSTGRES_HOST = os.environ.get("POSTGRES_HOST") or "127.0.0.1"
 POSTGRES_PORT = os.environ.get("POSTGRES_PORT") or "5432"
 POSTGRES_DB = os.environ.get("POSTGRES_DB") or "postgres"
 AWS_REGION_NAME = os.environ.get("AWS_REGION_NAME") or "us-east-2"
-# Comma-separated replica / multi-host list. If unset, defaults to POSTGRES_HOST
-# only.
-_POSTGRES_HOSTS_STR = os.environ.get("POSTGRES_HOSTS", "").strip()
-POSTGRES_HOSTS: list[str] = (
-    [h.strip() for h in _POSTGRES_HOSTS_STR.split(",") if h.strip()]
-    if _POSTGRES_HOSTS_STR
-    else [POSTGRES_HOST]
-)

 POSTGRES_API_SERVER_POOL_SIZE = int(
    os.environ.get("POSTGRES_API_SERVER_POOL_SIZE") or 40
--- a/backend/onyx/configs/constants.py
+++ b/backend/onyx/configs/constants.py
@@ -12,11 +12,6 @@ SLACK_USER_TOKEN_PREFIX = "xoxp-"
 SLACK_BOT_TOKEN_PREFIX = "xoxb-"
 ONYX_EMAILABLE_LOGO_MAX_DIM = 512

-# The mask_string() function in encryption.py uses "•" (U+2022 BULLET) to mask secrets.
-MASK_CREDENTIAL_CHAR = "\u2022"
-# Pattern produced by mask_string for strings >= 14 chars: "abcd...wxyz" (exactly 11 chars)
-MASK_CREDENTIAL_LONG_RE = re.compile(r"^.{4}\.{3}.{4}$")
-
 SOURCE_TYPE = "source_type"
 # stored in the `metadata` of a chunk. Used to signify that this chunk should
 # not be used for QA. For example, Google Drive file types which can't be parsed
@@ -396,6 +391,10 @@ class MilestoneRecordType(str, Enum):
    REQUESTED_CONNECTOR = "requested_connector"


+class PostgresAdvisoryLocks(Enum):
+    KOMBU_MESSAGE_CLEANUP_LOCK_ID = auto()
+
+
 class OnyxCeleryQueues:
    # "celery" is the default queue defined by celery and also the queue
    # we are running in the primary worker to run system tasks
@@ -578,6 +577,7 @@ class OnyxCeleryTask:
    MONITOR_PROCESS_MEMORY = "monitor_process_memory"
    CELERY_BEAT_HEARTBEAT = "celery_beat_heartbeat"

+    KOMBU_MESSAGE_CLEANUP_TASK = "kombu_message_cleanup_task"
    CONNECTOR_PERMISSION_SYNC_GENERATOR_TASK = (
        "connector_permission_sync_generator_task"
    )
--- a/backend/onyx/connectors/notion/connector.py
+++ b/backend/onyx/connectors/notion/connector.py
@@ -44,7 +44,7 @@ _NOTION_CALL_TIMEOUT = 30  # 30 seconds
 _MAX_PAGES = 1000


-# TODO: Pages need to have their metadata ingested
+# TODO: Tables need to be ingested, Pages need to have their metadata ingested


 class NotionPage(BaseModel):
@@ -452,19 +452,6 @@ class NotionConnector(LoadConnector, PollConnector):
            sub_inner_dict: dict[str, Any] | list[Any] | str = inner_dict
            while isinstance(sub_inner_dict, dict) and "type" in sub_inner_dict:
                type_name = sub_inner_dict["type"]
-
-                # Notion user objects (people properties, created_by, etc.) have
-                # "name" at the same level as "type": "person"/"bot". If we drill
-                # into the person/bot sub-dict we lose the name. Capture it here
-                # before descending, but skip "title"-type properties where "name"
-                # is not the display value we want.
-                if (
-                    "name" in sub_inner_dict
-                    and isinstance(sub_inner_dict["name"], str)
-                    and type_name not in ("title",)
-                ):
-                    return sub_inner_dict["name"]
-
                sub_inner_dict = sub_inner_dict[type_name]

                # If the innermost layer is None, the value is not set
@@ -676,19 +663,6 @@ class NotionConnector(LoadConnector, PollConnector):
                            text = rich_text["text"]["content"]
                            cur_result_text_arr.append(text)

-                # table_row blocks store content in "cells" (list of lists
-                # of rich text objects) rather than "rich_text"
-                if "cells" in result_obj:
-                    row_cells: list[str] = []
-                    for cell in result_obj["cells"]:
-                        cell_texts = [
-                            rt.get("plain_text", "")
-                            for rt in cell
-                            if isinstance(rt, dict)
-                        ]
-                        row_cells.append(" ".join(cell_texts))
-                    cur_result_text_arr.append("\t".join(row_cells))
-
                if result["has_children"]:
                    if result_type == "child_page":
                        # Child pages will not be included at this top level, it will be a separate document.
--- a/backend/onyx/db/api_key.py
+++ b/backend/onyx/db/api_key.py
@@ -110,8 +110,8 @@ def insert_api_key(

    # Assign the API key virtual user to the appropriate default group
    # before commit so everything is atomic.
-    # Only ADMIN and BASIC roles get default group membership.
-    if api_key_args.role in (UserRole.ADMIN, UserRole.BASIC):
+    # LIMITED role service accounts should have no group membership.
+    if api_key_args.role != UserRole.LIMITED:
        assign_user_to_default_groups__no_commit(
            db_session,
            api_key_user_row,
@@ -161,8 +161,8 @@ def update_api_key(
        )
        db_session.execute(delete_stmt)

-        # Re-assign to the correct default group (only for ADMIN/BASIC).
-        if api_key_args.role in (UserRole.ADMIN, UserRole.BASIC):
+        # Re-assign to the correct default group (skip for LIMITED).
+        if api_key_args.role != UserRole.LIMITED:
            assign_user_to_default_groups__no_commit(
                db_session,
                api_key_user,
--- a/backend/onyx/db/chat.py
+++ b/backend/onyx/db/chat.py
@@ -190,23 +190,16 @@ def delete_messages_and_files_from_chat_session(
    chat_session_id: UUID, db_session: Session
 ) -> None:
    # Select messages older than cutoff_time with files
-    messages_with_files = (
-        db_session.execute(
-            select(ChatMessage.id, ChatMessage.files).where(
-                ChatMessage.chat_session_id == chat_session_id,
-            )
+    messages_with_files = db_session.execute(
+        select(ChatMessage.id, ChatMessage.files).where(
+            ChatMessage.chat_session_id == chat_session_id,
        )
-        .tuples()
-        .all()
-    )
+    ).fetchall()

-    file_store = get_default_file_store()
    for _, files in messages_with_files:
+        file_store = get_default_file_store()
        for file_info in files or []:
-            if file_info.get("user_file_id"):
-                # user files are managed by the user file lifecycle
-                continue
-            file_store.delete_file(file_id=file_info["id"], error_on_missing=False)
+            file_store.delete_file(file_id=file_info.get("id"))

    # Delete ChatMessage records - CASCADE constraints will automatically handle:
    # - ChatMessage__StandardAnswer relationship records
--- a/backend/onyx/db/federated.py
+++ b/backend/onyx/db/federated.py
@@ -8,8 +8,6 @@ from sqlalchemy.orm import selectinload
 from sqlalchemy.orm import Session

 from onyx.configs.constants import FederatedConnectorSource
-from onyx.configs.constants import MASK_CREDENTIAL_CHAR
-from onyx.configs.constants import MASK_CREDENTIAL_LONG_RE
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
 from onyx.db.models import DocumentSet
 from onyx.db.models import FederatedConnector
@@ -47,23 +45,6 @@ def fetch_all_federated_connectors_parallel() -> list[FederatedConnector]:
        return fetch_all_federated_connectors(db_session)


-def _reject_masked_credentials(credentials: dict[str, Any]) -> None:
-    """Raise if any credential string value contains mask placeholder characters.
-
-    mask_string() has two output formats:
-    - Short strings (< 14 chars): "••••••••••••" (U+2022 BULLET)
-    - Long strings (>= 14 chars): "abcd...wxyz" (first4 + "..." + last4)
-    Both must be rejected.
-    """
-    for key, val in credentials.items():
-        if isinstance(val, str) and (
-            MASK_CREDENTIAL_CHAR in val or MASK_CREDENTIAL_LONG_RE.match(val)
-        ):
-            raise ValueError(
-                f"Credential field '{key}' contains masked placeholder characters. Please provide the actual credential value."
-            )
-
-
 def validate_federated_connector_credentials(
    source: FederatedConnectorSource,
    credentials: dict[str, Any],
@@ -85,8 +66,6 @@ def create_federated_connector(
    config: dict[str, Any] | None = None,
 ) -> FederatedConnector:
    """Create a new federated connector with credential and config validation."""
-    _reject_masked_credentials(credentials)
-
    # Validate credentials before creating
    if not validate_federated_connector_credentials(source, credentials):
        raise ValueError(
@@ -298,8 +277,6 @@ def update_federated_connector(
    )

    if credentials is not None:
-        _reject_masked_credentials(credentials)
-
        # Validate credentials before updating
        if not validate_federated_connector_credentials(
            federated_connector.source, credentials
--- a/backend/onyx/db/llm.py
+++ b/backend/onyx/db/llm.py
@@ -236,15 +236,14 @@ def upsert_llm_provider(
        db_session.add(existing_llm_provider)

    # Filter out empty strings and None values from custom_config to allow
-    # providers like Bedrock to fall back to IAM roles when credentials are not provided.
-    # NOTE: An empty dict ({}) is preserved as-is — it signals that the provider was
-    # created via the custom modal and must be reopened with CustomModal, not a
-    # provider-specific modal. Only None means "no custom config at all".
+    # providers like Bedrock to fall back to IAM roles when credentials are not provided
    custom_config = llm_provider_upsert_request.custom_config
    if custom_config:
        custom_config = {
            k: v for k, v in custom_config.items() if v is not None and v.strip() != ""
        }
+        # Set to None if the dict is empty after filtering
+        custom_config = custom_config or None

    api_base = llm_provider_upsert_request.api_base or None
    existing_llm_provider.provider = llm_provider_upsert_request.provider
@@ -304,7 +303,16 @@ def upsert_llm_provider(
        ).delete(synchronize_session="fetch")
        db_session.flush()

+    # Import here to avoid circular imports
+    from onyx.llm.utils import get_max_input_tokens
+
    for model_config in llm_provider_upsert_request.model_configurations:
+        max_input_tokens = model_config.max_input_tokens
+        if max_input_tokens is None:
+            max_input_tokens = get_max_input_tokens(
+                model_name=model_config.name,
+                model_provider=llm_provider_upsert_request.provider,
+            )

        supported_flows = [LLMModelFlowType.CHAT]
        if model_config.supports_image_input:
@@ -317,7 +325,7 @@ def upsert_llm_provider(
                model_configuration_id=existing.id,
                supported_flows=supported_flows,
                is_visible=model_config.is_visible,
-                max_input_tokens=model_config.max_input_tokens,
+                max_input_tokens=max_input_tokens,
                display_name=model_config.display_name,
            )
        else:
@@ -327,7 +335,7 @@ def upsert_llm_provider(
                model_name=model_config.name,
                supported_flows=supported_flows,
                is_visible=model_config.is_visible,
-                max_input_tokens=model_config.max_input_tokens,
+                max_input_tokens=max_input_tokens,
                display_name=model_config.display_name,
            )

--- a/backend/onyx/db/opensearch_migration.py
+++ b/backend/onyx/db/opensearch_migration.py
@@ -324,15 +324,6 @@ def mark_migration_completed_time_if_not_set_with_commit(
    db_session.commit()


-def is_migration_completed(db_session: Session) -> bool:
-    """Returns True if the migration is completed.
-
-    Can be run even if the migration record does not exist.
-    """
-    record = db_session.query(OpenSearchTenantMigrationRecord).first()
-    return record is not None and record.migration_completed_at is not None
-
-
 def build_sanitized_to_original_doc_id_mapping(
    db_session: Session,
 ) -> dict[str, str]:
--- a/backend/onyx/db/user_preferences.py
+++ b/backend/onyx/db/user_preferences.py
@@ -20,7 +20,6 @@ from onyx.db.models import User__UserGroup
 from onyx.db.models import UserGroup
 from onyx.db.permissions import recompute_user_permissions__no_commit
 from onyx.db.users import assign_user_to_default_groups__no_commit
-from onyx.db.users import is_limited_user
 from onyx.server.manage.models import MemoryItem
 from onyx.server.manage.models import UserSpecificAssistantPreference
 from onyx.utils.logger import setup_logger
@@ -66,11 +65,8 @@ def update_user_role(
            )
        )

-        # Re-assign to the correct default group.
-        # assign_user_to_default_groups__no_commit internally skips
-        # ANONYMOUS, BOT, and EXT_PERM_USER account types.
-        # Also skip limited users (no group assignment).
-        if not is_limited_user(user):
+        # Re-assign to the correct default group (skip for LIMITED).
+        if new_role != UserRole.LIMITED:
            assign_user_to_default_groups__no_commit(
                db_session,
                user,
@@ -102,10 +98,7 @@ def activate_user(
    created while inactive or deactivated before the backfill migration.
    """
    user.is_active = True
-    # assign_user_to_default_groups__no_commit internally skips
-    # ANONYMOUS, BOT, and EXT_PERM_USER account types.
-    # Also skip limited users (no group assignment).
-    if not is_limited_user(user):
+    if user.role != UserRole.LIMITED:
        assign_user_to_default_groups__no_commit(
            db_session, user, is_admin=(user.role == UserRole.ADMIN)
        )
--- a/backend/onyx/db/users.py
+++ b/backend/onyx/db/users.py
@@ -34,27 +34,9 @@ from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
 logger = setup_logger()


-def is_limited_user(user: User) -> bool:
-    """Check if a user is effectively limited — i.e. should be denied
-    access by ``current_user`` and should not receive default-group
-    membership.
-
-    A user is limited when they are:
-    * an anonymous user, or
-    * a service account with no effective permissions (no group membership).
-    """
-    if user.account_type == AccountType.ANONYMOUS:
-        return True
-    if (
-        user.account_type == AccountType.SERVICE_ACCOUNT
-        and not user.effective_permissions
-    ):
-        return True
-    return False
-
-
 def validate_user_role_update(
    requested_role: UserRole,
+    current_role: UserRole,
    current_account_type: AccountType,
    explicit_override: bool = False,
 ) -> None:
@@ -68,7 +50,7 @@ def validate_user_role_update(
    - requested role is a limited user
    - current account type is BOT (slack user)
    - current account type is EXT_PERM_USER
-    - current account type is ANONYMOUS or SERVICE_ACCOUNT
+    - current role is a limited user
    """

    if current_account_type == AccountType.BOT:
@@ -83,10 +65,10 @@ def validate_user_role_update(
            detail="To change an External Permissioned User's role, they must first login to Onyx via the web app.",
        )

-    if current_account_type in (AccountType.ANONYMOUS, AccountType.SERVICE_ACCOUNT):
+    if current_role == UserRole.LIMITED:
        raise HTTPException(
            status_code=400,
-            detail="Cannot change the role of an anonymous or service account user.",
+            detail="To change a Limited User's role, they must first login to Onyx via the web app.",
        )

    if explicit_override:
--- a/backend/onyx/document_index/opensearch/schema.py
+++ b/backend/onyx/document_index/opensearch/schema.py
@@ -1,4 +1,3 @@
-import hashlib
 from datetime import datetime
 from datetime import timezone
 from typing import Any
@@ -21,13 +20,9 @@ from onyx.document_index.opensearch.constants import DEFAULT_MAX_CHUNK_SIZE
 from onyx.document_index.opensearch.constants import EF_CONSTRUCTION
 from onyx.document_index.opensearch.constants import EF_SEARCH
 from onyx.document_index.opensearch.constants import M
-from onyx.document_index.opensearch.string_filtering import DocumentIDTooLongError
 from onyx.document_index.opensearch.string_filtering import (
    filter_and_validate_document_id,
 )
-from onyx.document_index.opensearch.string_filtering import (
-    MAX_DOCUMENT_ID_ENCODED_LENGTH,
-)
 from onyx.utils.tenant import get_tenant_id_short_string
 from shared_configs.configs import MULTI_TENANT
 from shared_configs.contextvars import get_current_tenant_id
@@ -80,50 +75,17 @@ def get_opensearch_doc_chunk_id(

    This will be the string used to identify the chunk in OpenSearch. Any direct
    chunk queries should use this function.
-
-    If the document ID is too long, a hash of the ID is used instead.
    """
-    opensearch_doc_chunk_id_suffix: str = f"__{max_chunk_size}__{chunk_index}"
-    encoded_suffix_length: int = len(opensearch_doc_chunk_id_suffix.encode("utf-8"))
-    max_encoded_permissible_doc_id_length: int = (
-        MAX_DOCUMENT_ID_ENCODED_LENGTH - encoded_suffix_length
+    sanitized_document_id = filter_and_validate_document_id(document_id)
+    opensearch_doc_chunk_id = (
+        f"{sanitized_document_id}__{max_chunk_size}__{chunk_index}"
    )
-    opensearch_doc_chunk_id_tenant_prefix: str = ""
    if tenant_state.multitenant:
-        short_tenant_id: str = get_tenant_id_short_string(tenant_state.tenant_id)
        # Use tenant ID because in multitenant mode each tenant has its own
        # Documents table, so there is a very small chance that doc IDs are not
        # actually unique across all tenants.
-        opensearch_doc_chunk_id_tenant_prefix = f"{short_tenant_id}__"
-        encoded_prefix_length: int = len(
-            opensearch_doc_chunk_id_tenant_prefix.encode("utf-8")
-        )
-        max_encoded_permissible_doc_id_length -= encoded_prefix_length
-
-    try:
-        sanitized_document_id: str = filter_and_validate_document_id(
-            document_id, max_encoded_length=max_encoded_permissible_doc_id_length
-        )
-    except DocumentIDTooLongError:
-        # If the document ID is too long, use a hash instead.
-        # We use blake2b because it is faster and equally secure as SHA256, and
-        # accepts digest_size which controls the number of bytes returned in the
-        # hash.
-        # digest_size is the size of the returned hash in bytes. Since we're
-        # decoding the hash bytes as a hex string, the digest_size should be
-        # half the max target size of the hash string.
-        # Subtract 1 because filter_and_validate_document_id compares on >= on
-        # max_encoded_length.
-        # 64 is the max digest_size blake2b returns.
-        digest_size: int = min((max_encoded_permissible_doc_id_length - 1) // 2, 64)
-        sanitized_document_id = hashlib.blake2b(
-            document_id.encode("utf-8"), digest_size=digest_size
-        ).hexdigest()
-
-    opensearch_doc_chunk_id: str = (
-        f"{opensearch_doc_chunk_id_tenant_prefix}{sanitized_document_id}{opensearch_doc_chunk_id_suffix}"
-    )
-
+        short_tenant_id = get_tenant_id_short_string(tenant_state.tenant_id)
+        opensearch_doc_chunk_id = f"{short_tenant_id}__{opensearch_doc_chunk_id}"
    # Do one more validation to ensure we haven't exceeded the max length.
    opensearch_doc_chunk_id = filter_and_validate_document_id(opensearch_doc_chunk_id)
    return opensearch_doc_chunk_id
--- a/backend/onyx/document_index/opensearch/string_filtering.py
+++ b/backend/onyx/document_index/opensearch/string_filtering.py
@@ -1,15 +1,7 @@
 import re

-MAX_DOCUMENT_ID_ENCODED_LENGTH: int = 512

-
-class DocumentIDTooLongError(ValueError):
-    """Raised when a document ID is too long for OpenSearch after filtering."""
-
-
-def filter_and_validate_document_id(
-    document_id: str, max_encoded_length: int = MAX_DOCUMENT_ID_ENCODED_LENGTH
-) -> str:
+def filter_and_validate_document_id(document_id: str) -> str:
    """
    Filters and validates a document ID such that it can be used as an ID in
    OpenSearch.
@@ -27,13 +19,9 @@ def filter_and_validate_document_id(

    Args:
        document_id: The document ID to filter and validate.
-        max_encoded_length: The maximum length of the document ID after
-            filtering in bytes. Compared with >= for extra resilience, so
-            encoded values of this length will fail.

    Raises:
-        DocumentIDTooLongError: If the document ID is too long after filtering.
-        ValueError: If the document ID is empty after filtering.
+        ValueError: If the document ID is empty or too long after filtering.

    Returns:
        str: The filtered document ID.
@@ -41,8 +29,6 @@ def filter_and_validate_document_id(
    filtered_document_id = re.sub(r"[^A-Za-z0-9_.\-~]", "", document_id)
    if not filtered_document_id:
        raise ValueError(f"Document ID {document_id} is empty after filtering.")
-    if len(filtered_document_id.encode("utf-8")) >= max_encoded_length:
-        raise DocumentIDTooLongError(
-            f"Document ID {document_id} is too long after filtering."
-        )
+    if len(filtered_document_id.encode("utf-8")) >= 512:
+        raise ValueError(f"Document ID {document_id} is too long after filtering.")
    return filtered_document_id
--- a/backend/onyx/file_processing/extract_file_text.py
+++ b/backend/onyx/file_processing/extract_file_text.py
@@ -52,21 +52,9 @@ KNOWN_OPENPYXL_BUGS = [

 def get_markitdown_converter() -> "MarkItDown":
    global _MARKITDOWN_CONVERTER
+    from markitdown import MarkItDown

    if _MARKITDOWN_CONVERTER is None:
-        from markitdown import MarkItDown
-
-        # Patch this function to effectively no-op because we were seeing this
-        # module take an inordinate amount of time to convert charts to markdown,
-        # making some powerpoint files with many or complicated charts nearly
-        # unindexable.
-        from markitdown.converters._pptx_converter import PptxConverter
-
-        setattr(
-            PptxConverter,
-            "_convert_chart_to_markdown",
-            lambda self, chart: "\n\n[chart omitted]\n\n",  # noqa: ARG005
-        )
        _MARKITDOWN_CONVERTER = MarkItDown(enable_plugins=False)
    return _MARKITDOWN_CONVERTER

@@ -217,26 +205,18 @@ def read_pdf_file(
    try:
        pdf_reader = PdfReader(file)

-        if pdf_reader.is_encrypted:
-            # Try the explicit password first, then fall back to an empty
-            # string.  Owner-password-only PDFs (permission restrictions but
-            # no open password) decrypt successfully with "".
-            # See https://github.com/onyx-dot-app/onyx/issues/9754
-            passwords = [p for p in [pdf_pass, ""] if p is not None]
+        if pdf_reader.is_encrypted and pdf_pass is not None:
            decrypt_success = False
-            for pw in passwords:
-                try:
-                    if pdf_reader.decrypt(pw) != 0:
-                        decrypt_success = True
-                        break
-                except Exception:
-                    pass
+            try:
+                decrypt_success = pdf_reader.decrypt(pdf_pass) != 0
+            except Exception:
+                logger.error("Unable to decrypt pdf")

            if not decrypt_success:
-                logger.error(
-                    "Encrypted PDF could not be decrypted, returning empty text."
-                )
                return "", metadata, []
+        elif pdf_reader.is_encrypted:
+            logger.warning("No Password for an encrypted PDF, returning empty text.")
+            return "", metadata, []

        # Basic PDF metadata
        if pdf_reader.metadata is not None:
--- a/backend/onyx/file_processing/password_validation.py
+++ b/backend/onyx/file_processing/password_validation.py
@@ -33,20 +33,8 @@ def is_pdf_protected(file: IO[Any]) -> bool:

    with preserve_position(file):
        reader = PdfReader(file)
-        if not reader.is_encrypted:
-            return False

-        # PDFs with only an owner password (permission restrictions like
-        # print/copy disabled) use an empty user password — any viewer can open
-        # them without prompting.  decrypt("") returns 0 only when a real user
-        # password is required.  See https://github.com/onyx-dot-app/onyx/issues/9754
-        try:
-            return reader.decrypt("") == 0
-        except Exception:
-            logger.exception(
-                "Failed to evaluate PDF encryption; treating as password protected"
-            )
-            return True
+    return bool(reader.is_encrypted)


 def is_docx_protected(file: IO[Any]) -> bool:
--- a/backend/onyx/file_store/file_store.py
+++ b/backend/onyx/file_store/file_store.py
@@ -136,14 +136,12 @@ class FileStore(ABC):
        """

    @abstractmethod
-    def delete_file(self, file_id: str, error_on_missing: bool = True) -> None:
+    def delete_file(self, file_id: str) -> None:
        """
        Delete a file by its ID.

        Parameters:
-        - file_id: ID of file to delete
-        - error_on_missing: If False, silently return when the file record
-          does not exist instead of raising.
+        - file_name: Name of file to delete
        """

    @abstractmethod
@@ -454,23 +452,12 @@ class S3BackedFileStore(FileStore):
            logger.warning(f"Error getting file size for {file_id}: {e}")
            return None

-    def delete_file(
-        self,
-        file_id: str,
-        error_on_missing: bool = True,
-        db_session: Session | None = None,
-    ) -> None:
+    def delete_file(self, file_id: str, db_session: Session | None = None) -> None:
        with get_session_with_current_tenant_if_none(db_session) as db_session:
            try:
-                file_record = get_filerecord_by_file_id_optional(
+                file_record = get_filerecord_by_file_id(
                    file_id=file_id, db_session=db_session
                )
-                if file_record is None:
-                    if error_on_missing:
-                        raise RuntimeError(
-                            f"File by id {file_id} does not exist or was deleted"
-                        )
-                    return
                if not file_record.bucket_name:
                    logger.error(
                        f"File record {file_id} with key {file_record.object_key} "
--- a/backend/onyx/file_store/postgres_file_store.py
+++ b/backend/onyx/file_store/postgres_file_store.py
@@ -222,23 +222,12 @@ class PostgresBackedFileStore(FileStore):
            logger.warning(f"Error getting file size for {file_id}: {e}")
            return None

-    def delete_file(
-        self,
-        file_id: str,
-        error_on_missing: bool = True,
-        db_session: Session | None = None,
-    ) -> None:
+    def delete_file(self, file_id: str, db_session: Session | None = None) -> None:
        with get_session_with_current_tenant_if_none(db_session) as session:
            try:
-                file_content = get_file_content_by_file_id_optional(
+                file_content = get_file_content_by_file_id(
                    file_id=file_id, db_session=session
                )
-                if file_content is None:
-                    if error_on_missing:
-                        raise RuntimeError(
-                            f"File content for file_id {file_id} does not exist or was deleted"
-                        )
-                    return
                raw_conn = _get_raw_connection(session)

                try:
--- a/backend/onyx/llm/constants.py
+++ b/backend/onyx/llm/constants.py
@@ -26,7 +26,6 @@ class LlmProviderNames(str, Enum):
    MISTRAL = "mistral"
    LITELLM_PROXY = "litellm_proxy"
    BIFROST = "bifrost"
-    OPENAI_COMPATIBLE = "openai_compatible"

    def __str__(self) -> str:
        """Needed so things like:
@@ -47,7 +46,6 @@ WELL_KNOWN_PROVIDER_NAMES = [
    LlmProviderNames.LM_STUDIO,
    LlmProviderNames.LITELLM_PROXY,
    LlmProviderNames.BIFROST,
-    LlmProviderNames.OPENAI_COMPATIBLE,
 ]


@@ -66,7 +64,6 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
    LlmProviderNames.LM_STUDIO: "LM Studio",
    LlmProviderNames.LITELLM_PROXY: "LiteLLM Proxy",
    LlmProviderNames.BIFROST: "Bifrost",
-    LlmProviderNames.OPENAI_COMPATIBLE: "OpenAI Compatible",
    "groq": "Groq",
    "anyscale": "Anyscale",
    "deepseek": "DeepSeek",
@@ -119,7 +116,6 @@ AGGREGATOR_PROVIDERS: set[str] = {
    LlmProviderNames.AZURE,
    LlmProviderNames.LITELLM_PROXY,
    LlmProviderNames.BIFROST,
-    LlmProviderNames.OPENAI_COMPATIBLE,
 }

 # Model family name mappings for display name generation
--- a/backend/onyx/llm/multi_llm.py
+++ b/backend/onyx/llm/multi_llm.py
@@ -327,19 +327,12 @@ class LitellmLLM(LLM):
        ):
            model_kwargs[VERTEX_LOCATION_KWARG] = "global"

-        # Bifrost and OpenAI-compatible: OpenAI-compatible proxies that send
-        # model names directly to the endpoint. We route through LiteLLM's
-        # openai provider with the server's base URL, and ensure /v1 is appended.
-        if model_provider in (
-            LlmProviderNames.BIFROST,
-            LlmProviderNames.OPENAI_COMPATIBLE,
-        ):
+        # Bifrost: OpenAI-compatible proxy that expects model names in
+        # provider/model format (e.g. "anthropic/claude-sonnet-4-6").
+        # We route through LiteLLM's openai provider with the Bifrost base URL,
+        # and ensure /v1 is appended.
+        if model_provider == LlmProviderNames.BIFROST:
            self._custom_llm_provider = "openai"
-            # LiteLLM's OpenAI client requires an api_key to be set.
-            # Many OpenAI-compatible servers don't need auth, so supply a
-            # placeholder to prevent LiteLLM from raising AuthenticationError.
-            if not self._api_key:
-                model_kwargs.setdefault("api_key", "not-needed")
            if self._api_base is not None:
                base = self._api_base.rstrip("/")
                self._api_base = base if base.endswith("/v1") else f"{base}/v1"
@@ -456,20 +449,17 @@ class LitellmLLM(LLM):
        optional_kwargs: dict[str, Any] = {}

        # Model name
-        is_openai_compatible_proxy = self._model_provider in (
-            LlmProviderNames.BIFROST,
-            LlmProviderNames.OPENAI_COMPATIBLE,
-        )
+        is_bifrost = self._model_provider == LlmProviderNames.BIFROST
        model_provider = (
            f"{self.config.model_provider}/responses"
            if is_openai_model  # Uses litellm's completions -> responses bridge
            else self.config.model_provider
        )
-        if is_openai_compatible_proxy:
-            # OpenAI-compatible proxies (Bifrost, generic OpenAI-compatible
-            # servers) expect model names sent directly to their endpoint.
-            # We use custom_llm_provider="openai" so LiteLLM doesn't try
-            # to route based on the provider prefix.
+        if is_bifrost:
+            # Bifrost expects model names in provider/model format
+            # (e.g. "anthropic/claude-sonnet-4-6") sent directly to its
+            # OpenAI-compatible endpoint. We use custom_llm_provider="openai"
+            # so LiteLLM doesn't try to route based on the provider prefix.
            model = self.config.deployment_name or self.config.model_name
        else:
            model = f"{model_provider}/{self.config.deployment_name or self.config.model_name}"
@@ -560,10 +550,7 @@ class LitellmLLM(LLM):
        if structured_response_format:
            optional_kwargs["response_format"] = structured_response_format

-        if (
-            not (is_claude_model or is_ollama or is_mistral)
-            or is_openai_compatible_proxy
-        ):
+        if not (is_claude_model or is_ollama or is_mistral) or is_bifrost:
            # Litellm bug: tool_choice is dropped silently if not specified here for OpenAI
            # However, this param breaks Anthropic and Mistral models,
            # so it must be conditionally included unless the request is
--- a/backend/onyx/llm/well_known_providers/constants.py
+++ b/backend/onyx/llm/well_known_providers/constants.py
@@ -15,8 +15,6 @@ LITELLM_PROXY_PROVIDER_NAME = "litellm_proxy"

 BIFROST_PROVIDER_NAME = "bifrost"

-OPENAI_COMPATIBLE_PROVIDER_NAME = "openai_compatible"
-
 # Providers that use optional Bearer auth from custom_config
 PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING: dict[str, str] = {
    LlmProviderNames.OLLAMA_CHAT: OLLAMA_API_KEY_CONFIG_KEY,
--- a/backend/onyx/llm/well_known_providers/llm_provider_options.py
+++ b/backend/onyx/llm/well_known_providers/llm_provider_options.py
@@ -19,7 +19,6 @@ from onyx.llm.well_known_providers.constants import BIFROST_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import LITELLM_PROXY_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import LM_STUDIO_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OLLAMA_PROVIDER_NAME
-from onyx.llm.well_known_providers.constants import OPENAI_COMPATIBLE_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OPENAI_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OPENROUTER_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import VERTEXAI_PROVIDER_NAME
@@ -52,7 +51,6 @@ def _get_provider_to_models_map() -> dict[str, list[str]]:
        OPENROUTER_PROVIDER_NAME: [],  # Dynamic - fetched from OpenRouter API
        LITELLM_PROXY_PROVIDER_NAME: [],  # Dynamic - fetched from LiteLLM proxy API
        BIFROST_PROVIDER_NAME: [],  # Dynamic - fetched from Bifrost API
-        OPENAI_COMPATIBLE_PROVIDER_NAME: [],  # Dynamic - fetched from OpenAI-compatible API
    }


@@ -338,7 +336,6 @@ def get_provider_display_name(provider_name: str) -> str:
        VERTEXAI_PROVIDER_NAME: "Google Vertex AI",
        OPENROUTER_PROVIDER_NAME: "OpenRouter",
        LITELLM_PROXY_PROVIDER_NAME: "LiteLLM Proxy",
-        OPENAI_COMPATIBLE_PROVIDER_NAME: "OpenAI Compatible",
    }

    if provider_name in _ONYX_PROVIDER_DISPLAY_NAMES:
--- a/backend/onyx/mcp_server/tools/search.py
+++ b/backend/onyx/mcp_server/tools/search.py
@@ -3,8 +3,6 @@
 from datetime import datetime
 from typing import Any

-import httpx
-
 from onyx.configs.constants import DocumentSource
 from onyx.mcp_server.api import mcp_server
 from onyx.mcp_server.utils import get_http_client
@@ -17,21 +15,6 @@ from onyx.utils.variable_functionality import global_version
 logger = setup_logger()


-def _extract_error_detail(response: httpx.Response) -> str:
-    """Extract a human-readable error message from a failed backend response.
-
-    The backend returns OnyxError responses as
-    ``{"error_code": "...", "detail": "..."}``.
-    """
-    try:
-        body = response.json()
-        if detail := body.get("detail"):
-            return str(detail)
-    except Exception:
-        pass
-    return f"Request failed with status {response.status_code}"
-
-
@mcp_server.tool()
 async def search_indexed_documents(
    query: str,
@@ -175,14 +158,7 @@ async def search_indexed_documents(
            json=search_request,
            headers=auth_headers,
        )
-        if not response.is_success:
-            error_detail = _extract_error_detail(response)
-            return {
-                "documents": [],
-                "total_results": 0,
-                "query": query,
-                "error": error_detail,
-            }
+        response.raise_for_status()
        result = response.json()

        # Check for error in response
@@ -258,13 +234,7 @@ async def search_web(
            json=request_payload,
            headers={"Authorization": f"Bearer {access_token.token}"},
        )
-        if not response.is_success:
-            error_detail = _extract_error_detail(response)
-            return {
-                "error": error_detail,
-                "results": [],
-                "query": query,
-            }
+        response.raise_for_status()
        response_payload = response.json()
        results = response_payload.get("results", [])
        return {
@@ -310,12 +280,7 @@ async def open_urls(
            json={"urls": urls},
            headers={"Authorization": f"Bearer {access_token.token}"},
        )
-        if not response.is_success:
-            error_detail = _extract_error_detail(response)
-            return {
-                "error": error_detail,
-                "results": [],
-            }
+        response.raise_for_status()
        response_payload = response.json()
        results = response_payload.get("results", [])
        return {
--- a/backend/onyx/mcp_server_main.py
+++ b/backend/onyx/mcp_server_main.py
@@ -6,7 +6,6 @@ from onyx.configs.app_configs import MCP_SERVER_ENABLED
 from onyx.configs.app_configs import MCP_SERVER_HOST
 from onyx.configs.app_configs import MCP_SERVER_PORT
 from onyx.utils.logger import setup_logger
-from onyx.utils.variable_functionality import set_is_ee_based_on_env_variable

 logger = setup_logger()

@@ -17,7 +16,6 @@ def main() -> None:
        logger.info("MCP server is disabled (MCP_SERVER_ENABLED=false)")
        return

-    set_is_ee_based_on_env_variable()
    logger.info(f"Starting MCP server on {MCP_SERVER_HOST}:{MCP_SERVER_PORT}")

    from onyx.mcp_server.api import mcp_app
--- a/backend/onyx/server/api_key/api.py
+++ b/backend/onyx/server/api_key/api.py
@@ -2,7 +2,7 @@ from fastapi import APIRouter
 from fastapi import Depends
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.db.api_key import ApiKeyDescriptor
 from onyx.db.api_key import fetch_api_keys
 from onyx.db.api_key import insert_api_key
@@ -10,7 +10,6 @@ from onyx.db.api_key import regenerate_api_key
 from onyx.db.api_key import remove_api_key
 from onyx.db.api_key import update_api_key
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.api_key.models import APIKeyArgs

@@ -20,7 +19,7 @@ router = APIRouter(prefix="/admin/api-key")

@router.get("")
 def list_api_keys(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[ApiKeyDescriptor]:
    return fetch_api_keys(db_session)
@@ -29,7 +28,7 @@ def list_api_keys(
@router.post("")
 def create_api_key(
    api_key_args: APIKeyArgs,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return insert_api_key(db_session, api_key_args, user.id)
@@ -38,7 +37,7 @@ def create_api_key(
@router.post("/{api_key_id}/regenerate")
 def regenerate_existing_api_key(
    api_key_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return regenerate_api_key(db_session, api_key_id)
@@ -48,7 +47,7 @@ def regenerate_existing_api_key(
 def update_existing_api_key(
    api_key_id: int,
    api_key_args: APIKeyArgs,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return update_api_key(db_session, api_key_id, api_key_args)
@@ -57,7 +56,7 @@ def update_existing_api_key(
@router.delete("/{api_key_id}")
 def delete_api_key(
    api_key_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    remove_api_key(db_session, api_key_id)
--- a/backend/onyx/server/auth_check.py
+++ b/backend/onyx/server/auth_check.py
@@ -4,6 +4,7 @@ from fastapi import FastAPI
 from fastapi.dependencies.models import Dependant
 from starlette.routing import BaseRoute

+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_chat_accessible_user
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.auth.users import current_limited_user
@@ -90,11 +91,6 @@ def is_route_in_spec_list(
    return False


-def _is_require_permission_dependency(fn: object) -> bool:
-    """Detect closures generated by ``require_permission()``."""
-    return bool(getattr(fn, "_is_require_permission", False))
-
-
 def check_router_auth(
    application: FastAPI,
    public_endpoint_specs: list[tuple[str, set[str]]] = PUBLIC_ENDPOINT_SPECS,
@@ -130,6 +126,7 @@ def check_router_auth(
                if (
                    depends_fn == current_limited_user
                    or depends_fn == current_user
+                    or depends_fn == current_admin_user
                    or depends_fn == current_curator_or_admin_user
                    or depends_fn == current_user_with_expired_token
                    or depends_fn == current_chat_accessible_user
@@ -137,7 +134,6 @@ def check_router_auth(
                    or depends_fn == control_plane_dep
                    or depends_fn == current_cloud_superuser
                    or depends_fn == verify_scim_token
-                    or _is_require_permission_dependency(depends_fn)
                ):
                    found_auth = True
                    break
--- a/backend/onyx/server/documents/cc_pair.py
+++ b/backend/onyx/server/documents/cc_pair.py
@@ -10,8 +10,8 @@ from sqlalchemy import select
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.background.celery.tasks.pruning.tasks import (
    try_creating_prune_generator_task,
 )
@@ -38,7 +38,6 @@ from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import IndexingStatus
-from onyx.db.enums import Permission
 from onyx.db.enums import PermissionSyncStatus
 from onyx.db.index_attempt import count_index_attempt_errors_for_cc_pair
 from onyx.db.index_attempt import count_index_attempts_for_cc_pair
@@ -623,7 +622,7 @@ def associate_credential_to_connector(
 def dissociate_credential_from_connector(
    connector_id: int,
    credential_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse[int]:
    return remove_credential_from_connector(
--- a/backend/onyx/server/documents/connector.py
+++ b/backend/onyx/server/documents/connector.py
@@ -22,9 +22,10 @@ from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from onyx.auth.email_utils import send_email
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_chat_accessible_user
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.background.celery.tasks.pruning.tasks import (
    try_creating_prune_generator_task,
 )
@@ -104,7 +105,6 @@ from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import IndexingMode
-from onyx.db.enums import Permission
 from onyx.db.enums import ProcessingMode
 from onyx.db.federated import fetch_all_federated_connectors_parallel
 from onyx.db.index_attempt import get_index_attempts_for_cc_pair
@@ -189,8 +189,7 @@ def check_google_app_gmail_credentials_exist(

@router.put("/admin/connector/gmail/app-credential")
 def upsert_google_app_gmail_credentials(
-    app_credentials: GoogleAppCredentials,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    app_credentials: GoogleAppCredentials, _: User = Depends(current_admin_user)
 ) -> StatusResponse:
    try:
        upsert_google_app_cred(app_credentials, DocumentSource.GMAIL)
@@ -204,7 +203,7 @@ def upsert_google_app_gmail_credentials(

@router.delete("/admin/connector/gmail/app-credential")
 def delete_google_app_gmail_credentials(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    try:
@@ -232,8 +231,7 @@ def check_google_app_credentials_exist(

@router.put("/admin/connector/google-drive/app-credential")
 def upsert_google_app_credentials(
-    app_credentials: GoogleAppCredentials,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    app_credentials: GoogleAppCredentials, _: User = Depends(current_admin_user)
 ) -> StatusResponse:
    try:
        upsert_google_app_cred(app_credentials, DocumentSource.GOOGLE_DRIVE)
@@ -247,7 +245,7 @@ def upsert_google_app_credentials(

@router.delete("/admin/connector/google-drive/app-credential")
 def delete_google_app_credentials(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    try:
@@ -279,8 +277,7 @@ def check_google_service_gmail_account_key_exist(

@router.put("/admin/connector/gmail/service-account-key")
 def upsert_google_service_gmail_account_key(
-    service_account_key: GoogleServiceAccountKey,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    service_account_key: GoogleServiceAccountKey, _: User = Depends(current_admin_user)
 ) -> StatusResponse:
    try:
        upsert_service_account_key(service_account_key, DocumentSource.GMAIL)
@@ -294,7 +291,7 @@ def upsert_google_service_gmail_account_key(

@router.delete("/admin/connector/gmail/service-account-key")
 def delete_google_service_gmail_account_key(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    try:
@@ -326,8 +323,7 @@ def check_google_service_account_key_exist(

@router.put("/admin/connector/google-drive/service-account-key")
 def upsert_google_service_account_key(
-    service_account_key: GoogleServiceAccountKey,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    service_account_key: GoogleServiceAccountKey, _: User = Depends(current_admin_user)
 ) -> StatusResponse:
    try:
        upsert_service_account_key(service_account_key, DocumentSource.GOOGLE_DRIVE)
@@ -341,7 +337,7 @@ def upsert_google_service_account_key(

@router.delete("/admin/connector/google-drive/service-account-key")
 def delete_google_service_account_key(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    try:
@@ -411,7 +407,7 @@ def upsert_gmail_service_account_credential(
@router.get("/admin/connector/google-drive/check-auth/{credential_id}")
 def check_drive_tokens(
    credential_id: int,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> AuthStatus:
    db_credentials = fetch_credential_by_id_for_user(credential_id, user, db_session)
@@ -1798,9 +1794,7 @@ def connector_run_once(

@router.get("/connector/gmail/authorize/{credential_id}")
 def gmail_auth(
-    response: Response,
-    credential_id: str,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    response: Response, credential_id: str, _: User = Depends(current_user)
 ) -> AuthUrl:
    # set a cookie that we can read in the callback (used for `verify_csrf`)
    response.set_cookie(
@@ -1814,9 +1808,7 @@ def gmail_auth(

@router.get("/connector/google-drive/authorize/{credential_id}")
 def google_drive_auth(
-    response: Response,
-    credential_id: str,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    response: Response, credential_id: str, _: User = Depends(current_user)
 ) -> AuthUrl:
    # set a cookie that we can read in the callback (used for `verify_csrf`)
    response.set_cookie(
@@ -1834,7 +1826,7 @@ def google_drive_auth(
 def gmail_callback(
    request: Request,
    callback: GmailCallback = Depends(),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    credential_id_cookie = request.cookies.get(_GMAIL_CREDENTIAL_ID_COOKIE_NAME)
@@ -1864,7 +1856,7 @@ def gmail_callback(
 def google_drive_callback(
    request: Request,
    callback: GDriveCallback = Depends(),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    credential_id_cookie = request.cookies.get(_GOOGLE_DRIVE_CREDENTIAL_ID_COOKIE_NAME)
@@ -1893,7 +1885,7 @@ def google_drive_callback(

@router.get("/connector", tags=PUBLIC_API_TAGS)
 def get_connectors(
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[ConnectorSnapshot]:
    connectors = fetch_connectors(db_session)
@@ -1908,7 +1900,7 @@ def get_connectors(

@router.get("/indexed-sources", tags=PUBLIC_API_TAGS)
 def get_indexed_sources(
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> IndexedSourcesResponse:
    sources = sorted(
@@ -1920,7 +1912,7 @@ def get_indexed_sources(
@router.get("/connector/{connector_id}", tags=PUBLIC_API_TAGS)
 def get_connector_by_id(
    connector_id: int,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ConnectorSnapshot | StatusResponse[int]:
    connector = fetch_connector_by_id(connector_id, db_session)
@@ -1949,7 +1941,7 @@ def get_connector_by_id(
@router.post("/connector-request")
 def submit_connector_request(
    request_data: ConnectorRequestSubmission,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> StatusResponse:
    """
    Submit a connector request for Cloud deployments.
--- a/backend/onyx/server/documents/credential.py
+++ b/backend/onyx/server/documents/credential.py
@@ -9,8 +9,9 @@ from fastapi import Query
 from fastapi import UploadFile
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.connectors.factory import validate_ccpair_for_user
 from onyx.db.credentials import alter_credential
@@ -25,7 +26,6 @@ from onyx.db.credentials import fetch_credentials_for_user
 from onyx.db.credentials import swap_credentials_connector
 from onyx.db.credentials import update_credential
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import DocumentSource
 from onyx.db.models import User
 from onyx.server.documents.models import CredentialBase
@@ -95,7 +95,7 @@ def get_cc_source_full_info(
@router.delete("/admin/credential/{credential_id}")
 def delete_credential_by_id_admin(
    credential_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    """Same as the user endpoint, but can delete any credential (not just the user's own)"""
@@ -108,7 +108,7 @@ def delete_credential_by_id_admin(
@router.put("/admin/credential/swap")
 def swap_credentials_for_connector(
    credential_swap_req: CredentialSwapRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    validate_ccpair_for_user(
@@ -228,7 +228,7 @@ def create_credential_with_private_key(

@router.get("/credential")
 def list_credentials(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[CredentialSnapshot]:
    credentials = fetch_credentials_for_user(db_session=db_session, user=user)
@@ -241,7 +241,7 @@ def list_credentials(
@router.get("/credential/{credential_id}")
 def get_credential_by_id(
    credential_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CredentialSnapshot | StatusResponse[int]:
    credential = fetch_credential_by_id_for_user(
@@ -263,7 +263,7 @@ def get_credential_by_id(
 def update_credential_data(
    credential_id: int,
    credential_update: CredentialDataUpdateRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CredentialBase:
    credential = alter_credential(
@@ -291,7 +291,7 @@ def update_credential_private_key(
    uploaded_file: UploadFile = File(...),
    field_key: str = Form(...),
    type_definition_key: str = Form(...),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CredentialBase:
    try:
@@ -334,7 +334,7 @@ def update_credential_private_key(
 def update_credential_from_model(
    credential_id: int,
    credential_data: CredentialBase,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CredentialSnapshot | StatusResponse[int]:
    updated_credential = update_credential(
@@ -369,7 +369,7 @@ def update_credential_from_model(
@router.delete("/credential/{credential_id}")
 def delete_credential_by_id(
    credential_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    delete_credential_for_user(
@@ -386,7 +386,7 @@ def delete_credential_by_id(
@router.delete("/credential/force/{credential_id}")
 def force_delete_credential_by_id(
    credential_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> StatusResponse:
    delete_credential_for_user(credential_id, user, db_session, True)
--- a/backend/onyx/server/documents/document.py
+++ b/backend/onyx/server/documents/document.py
@@ -4,13 +4,12 @@ from fastapi import HTTPException
 from fastapi import Query
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.context.search.models import IndexFilters
 from onyx.context.search.preprocessing.access_filters import (
    build_access_filters_for_user,
 )
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.search_settings import get_current_search_settings
 from onyx.document_index.factory import get_default_document_index
@@ -30,7 +29,7 @@ router = APIRouter(prefix="/document")
@router.get("/document-size-info", dependencies=[Depends(require_vector_db)])
 def get_document_info(
    document_id: str = Query(...),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DocumentInfo:
    search_settings = get_current_search_settings(db_session)
@@ -75,7 +74,7 @@ def get_document_info(
 def get_chunk_info(
    document_id: str = Query(...),
    chunk_id: int = Query(...),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ChunkInfo:
    search_settings = get_current_search_settings(db_session)
--- a/backend/onyx/server/documents/standard_oauth.py
+++ b/backend/onyx/server/documents/standard_oauth.py
@@ -12,13 +12,12 @@ from pydantic import BaseModel
 from pydantic import ValidationError
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import WEB_DOMAIN
 from onyx.configs.constants import DocumentSource
 from onyx.connectors.interfaces import OAuthConnector
 from onyx.db.credentials import create_credential
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.redis.redis_pool import get_redis_client
 from onyx.server.documents.models import CredentialBase
@@ -90,7 +89,7 @@ def oauth_authorize(
    request: Request,
    source: DocumentSource,
    desired_return_url: Annotated[str | None, Query()] = None,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> AuthorizeResponse:
    """Initiates the OAuth flow by redirecting to the provider's auth page"""

@@ -142,7 +141,7 @@ def oauth_callback(
    code: Annotated[str, Query()],
    state: Annotated[str, Query()],
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> CallbackResponse:
    """Handles the OAuth callback and exchanges the code for tokens"""
    oauth_connectors = _discover_oauth_connectors()
@@ -202,7 +201,7 @@ class OAuthDetails(BaseModel):
@router.get("/details/{source}")
 def oauth_details(
    source: DocumentSource,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> OAuthDetails:
    oauth_connectors = _discover_oauth_connectors()

--- a/backend/onyx/server/features/build/api/api.py
+++ b/backend/onyx/server/features/build/api/api.py
@@ -13,14 +13,13 @@ from fastapi.responses import RedirectResponse
 from fastapi.responses import StreamingResponse
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.auth.users import optional_user
 from onyx.configs.constants import DocumentSource
 from onyx.db.connector_credential_pair import get_connector_credential_pairs_for_user
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import IndexingStatus
-from onyx.db.enums import Permission
 from onyx.db.enums import ProcessingMode
 from onyx.db.enums import SharingScope
 from onyx.db.index_attempt import get_latest_index_attempt_for_cc_pair_id
@@ -46,9 +45,7 @@ _TEMPLATES_DIR = Path(__file__).parent / "templates"
 _WEBAPP_HMR_FIXER_TEMPLATE = (_TEMPLATES_DIR / "webapp_hmr_fixer.js").read_text()


-def require_onyx_craft_enabled(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
-) -> User:
+def require_onyx_craft_enabled(user: User = Depends(current_user)) -> User:
    """
    Dependency that checks if Onyx Craft is enabled for the user.
    Raises HTTP 403 if Onyx Craft is disabled via feature flag.
@@ -76,7 +73,7 @@ router.include_router(user_library_router, tags=["build"])

@router.get("/limit", response_model=RateLimitResponse)
 def get_rate_limit(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> RateLimitResponse:
    """Get rate limit information for the current user."""
@@ -90,7 +87,7 @@ def get_rate_limit(

@router.get("/connectors", response_model=BuildConnectorListResponse)
 def get_build_connectors(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> BuildConnectorListResponse:
    """Get all connectors for the build admin panel.
@@ -521,7 +518,7 @@ def get_webapp(

@router.post("/sandbox/reset", response_model=None)
 def reset_sandbox(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Reset the user's sandbox by terminating it and cleaning up all sessions.
--- a/backend/onyx/server/features/build/api/messages_api.py
+++ b/backend/onyx/server/features/build/api/messages_api.py
@@ -9,11 +9,10 @@ from fastapi import HTTPException
 from fastapi.responses import StreamingResponse
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.features.build.api.models import MessageListResponse
 from onyx.server.features.build.api.models import MessageRequest
@@ -31,7 +30,7 @@ router = APIRouter()


 def check_build_rate_limits(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    """
@@ -54,7 +53,7 @@ def check_build_rate_limits(
@router.get("/sessions/{session_id}/messages", tags=PUBLIC_API_TAGS)
 def list_messages(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> MessageListResponse:
    """Get all messages for a build session."""
@@ -74,7 +73,7 @@ def list_messages(
 def send_message(
    session_id: UUID,
    request: MessageRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    _rate_limit_check: None = Depends(check_build_rate_limits),
 ) -> StreamingResponse:
    """
--- a/backend/onyx/server/features/build/api/sessions_api.py
+++ b/backend/onyx/server/features/build/api/sessions_api.py
@@ -11,10 +11,9 @@ from fastapi import UploadFile
 from sqlalchemy import exists
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import BuildSessionStatus
-from onyx.db.enums import Permission
 from onyx.db.enums import SandboxStatus
 from onyx.db.models import BuildMessage
 from onyx.db.models import User
@@ -66,7 +65,7 @@ router = APIRouter(prefix="/sessions")

@router.get("", response_model=SessionListResponse)
 def list_sessions(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SessionListResponse:
    """List all build sessions for the current user."""
@@ -89,7 +88,7 @@ SESSION_CREATE_LOCK_TIMEOUT_SECONDS = 300
@router.post("", response_model=DetailedSessionResponse)
 def create_session(
    request: SessionCreateRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DetailedSessionResponse:
    """
@@ -158,7 +157,7 @@ def create_session(
@router.get("/{session_id}", response_model=DetailedSessionResponse)
 def get_session_details(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DetailedSessionResponse:
    """
@@ -196,7 +195,7 @@ def get_session_details(
 )
 def check_pre_provisioned_session(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> PreProvisionedCheckResponse:
    """
@@ -229,7 +228,7 @@ def check_pre_provisioned_session(
@router.post("/{session_id}/generate-name", response_model=SessionNameGenerateResponse)
 def generate_session_name(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SessionNameGenerateResponse:
    """Generate a session name using LLM based on the first user message."""
@@ -249,7 +248,7 @@ def generate_session_name(
 def generate_suggestions(
    session_id: UUID,
    request: GenerateSuggestionsRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> GenerateSuggestionsResponse:
    """Generate follow-up suggestions based on the first exchange in a session."""
@@ -282,7 +281,7 @@ def generate_suggestions(
 def update_session_name(
    session_id: UUID,
    request: SessionUpdateRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SessionResponse:
    """Update the name of a build session."""
@@ -302,7 +301,7 @@ def update_session_name(
 def set_session_public(
    session_id: UUID,
    request: SetSessionSharingRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> SetSessionSharingResponse:
    """Set the sharing scope of a build session's webapp."""
@@ -320,7 +319,7 @@ def set_session_public(
@router.delete("/{session_id}", response_model=None)
 def delete_session(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Delete a build session and all associated data.
@@ -357,7 +356,7 @@ RESTORE_LOCK_TIMEOUT_SECONDS = 300
@router.post("/{session_id}/restore", response_model=DetailedSessionResponse)
 def restore_session(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DetailedSessionResponse:
    """Restore sandbox and load session snapshot. Blocks until complete.
@@ -537,7 +536,7 @@ def restore_session(
 )
 def list_artifacts(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[dict]:
    """List artifacts generated in the session."""
@@ -555,7 +554,7 @@ def list_artifacts(
 def list_directory(
    session_id: UUID,
    path: str = "",
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DirectoryListing:
    """
@@ -593,7 +592,7 @@ def list_directory(
 def download_artifact(
    session_id: UUID,
    path: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Download a specific artifact file."""
@@ -644,7 +643,7 @@ def download_artifact(
 def export_docx(
    session_id: UUID,
    path: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Export a markdown file as DOCX."""
@@ -686,7 +685,7 @@ def export_docx(
 def get_pptx_preview(
    session_id: UUID,
    path: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> PptxPreviewResponse:
    """Generate slide image previews for a PPTX file."""
@@ -712,7 +711,7 @@ def get_pptx_preview(
@router.get("/{session_id}/webapp-info", response_model=WebappInfo)
 def get_webapp_info(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> WebappInfo:
    """
@@ -734,7 +733,7 @@ def get_webapp_info(
@router.get("/{session_id}/webapp-download")
 def download_webapp(
    session_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """
@@ -765,7 +764,7 @@ def download_webapp(
 def download_directory(
    session_id: UUID,
    path: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """
@@ -802,7 +801,7 @@ def download_directory(
 def upload_file_endpoint(
    session_id: UUID,
    file: UploadFile = File(...),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UploadResponse:
    """Upload a file to the session's sandbox.
@@ -853,7 +852,7 @@ def upload_file_endpoint(
 def delete_file_endpoint(
    session_id: UUID,
    path: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Delete a file from the session's sandbox.
--- a/backend/onyx/server/features/build/api/user_library.py
+++ b/backend/onyx/server/features/build/api/user_library.py
@@ -38,7 +38,7 @@ from fastapi import UploadFile
 from pydantic import BaseModel
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.background.celery.versioned_apps.client import app as celery_app
 from onyx.configs.constants import DocumentSource
 from onyx.configs.constants import OnyxCeleryQueues
@@ -48,7 +48,6 @@ from onyx.db.document import upsert_document_by_connector_credential_pair
 from onyx.db.document import upsert_documents
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import ConnectorCredentialPairStatus
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.document_index.interfaces import DocumentMetadata
 from onyx.server.features.build.configs import USER_LIBRARY_MAX_FILE_SIZE_BYTES
@@ -282,7 +281,7 @@ def _store_and_track_file(

@router.get("/tree")
 def get_library_tree(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[LibraryEntryResponse]:
    """Get user's uploaded files as a tree structure.
@@ -323,7 +322,7 @@ def get_library_tree(
 async def upload_files(
    files: list[UploadFile] = File(...),
    path: str = Form("/"),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UploadResponse:
    """Upload files directly to S3 and track in PostgreSQL.
@@ -440,7 +439,7 @@ async def upload_files(
 async def upload_zip(
    file: UploadFile = File(...),
    path: str = Form("/"),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UploadResponse:
    """Upload and extract a zip file, storing each extracted file to S3.
@@ -609,7 +608,7 @@ async def upload_zip(
@router.post("/directories")
 def create_directory(
    request: CreateDirectoryRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> LibraryEntryResponse:
    """Create a virtual directory.
@@ -659,7 +658,7 @@ def create_directory(
 def toggle_file_sync(
    document_id: str,
    enabled: bool = Query(...),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ToggleSyncResponse:
    """Enable/disable syncing a file to sandboxes.
@@ -711,7 +710,7 @@ def toggle_file_sync(
@router.delete("/files/{document_id}")
 def delete_file(
    document_id: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> DeleteFileResponse:
    """Delete a file from both S3 and the document table."""
--- a/backend/onyx/server/features/default_assistant/api.py
+++ b/backend/onyx/server/features/default_assistant/api.py
@@ -5,9 +5,8 @@ from fastapi import Depends
 from fastapi import HTTPException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.persona import get_default_assistant
 from onyx.db.persona import update_default_assistant_configuration
@@ -23,7 +22,7 @@ router = APIRouter(prefix="/admin/default-assistant")

@router.get("/configuration")
 def get_default_assistant_configuration(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DefaultAssistantConfiguration:
    """Get the current default assistant configuration.
@@ -48,7 +47,7 @@ def get_default_assistant_configuration(
@router.patch("")
 def update_default_assistant(
    update_request: DefaultAssistantUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DefaultAssistantConfiguration:
    """Update the default assistant configuration.
--- a/backend/onyx/server/features/document_set/api.py
+++ b/backend/onyx/server/features/document_set/api.py
@@ -4,8 +4,8 @@ from fastapi import HTTPException
 from fastapi import Query
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.background.celery.versioned_apps.client import app as client_app
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import OnyxCeleryPriority
@@ -18,7 +18,6 @@ from onyx.db.document_set import insert_document_set
 from onyx.db.document_set import mark_document_set_as_to_be_deleted
 from onyx.db.document_set import update_document_set
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.features.document_set.models import CheckDocSetPublicRequest
 from onyx.server.features.document_set.models import CheckDocSetPublicResponse
@@ -160,7 +159,7 @@ def delete_document_set(

@router.get("/document-set")
 def list_document_sets_for_user(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
    get_editable: bool = Query(
        False, description="If true, return editable document sets"
@@ -175,7 +174,7 @@ def list_document_sets_for_user(
@router.get("/document-set-public")
 def document_set_public(
    check_public_request: CheckDocSetPublicRequest,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CheckDocSetPublicResponse:
    is_public = check_document_sets_are_public(
--- a/backend/onyx/server/features/hierarchy/api.py
+++ b/backend/onyx/server/features/hierarchy/api.py
@@ -4,12 +4,11 @@ from fastapi import HTTPException
 from sqlalchemy.orm import Session

 from onyx.access.hierarchy_access import get_user_external_group_ids
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import ENABLE_OPENSEARCH_INDEXING_FOR_ONYX
 from onyx.configs.constants import DocumentSource
 from onyx.db.document import get_accessible_documents_for_hierarchy_node_paginated
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.hierarchy import get_accessible_hierarchy_nodes_for_source
 from onyx.db.models import User
 from onyx.db.opensearch_migration import get_opensearch_retrieval_state
@@ -59,7 +58,7 @@ def _get_user_access_info(user: User, db_session: Session) -> tuple[str, list[st
@router.get(HIERARCHY_NODES_LIST_PATH)
 def list_accessible_hierarchy_nodes(
    source: DocumentSource,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> HierarchyNodesResponse:
    _require_opensearch(db_session)
@@ -86,7 +85,7 @@ def list_accessible_hierarchy_nodes(
@router.post(HIERARCHY_NODE_DOCUMENTS_PATH)
 def list_accessible_hierarchy_node_documents(
    documents_request: HierarchyNodeDocumentsRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> HierarchyNodeDocumentsResponse:
    _require_opensearch(db_session)
--- a/backend/onyx/server/features/input_prompt/api.py
+++ b/backend/onyx/server/features/input_prompt/api.py
@@ -3,9 +3,9 @@ from fastapi import Depends
 from fastapi import HTTPException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
+from onyx.auth.users import current_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.input_prompt import disable_input_prompt_for_user
 from onyx.db.input_prompt import fetch_input_prompt_by_id
 from onyx.db.input_prompt import fetch_input_prompts_by_user
@@ -28,7 +28,7 @@ admin_router = APIRouter(prefix="/admin/input_prompt")

@basic_router.get("")
 def list_input_prompts(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    include_public: bool = True,
    db_session: Session = Depends(get_session),
 ) -> list[InputPromptSnapshot]:
@@ -43,7 +43,7 @@ def list_input_prompts(
@basic_router.get("/{input_prompt_id}")
 def get_input_prompt(
    input_prompt_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> InputPromptSnapshot:
    input_prompt = fetch_input_prompt_by_id(
@@ -58,7 +58,7 @@ def get_input_prompt(
@basic_router.post("")
 def create_input_prompt(
    create_input_prompt_request: CreateInputPromptRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> InputPromptSnapshot:
    input_prompt = insert_input_prompt(
@@ -82,7 +82,7 @@ def create_input_prompt(
 def patch_input_prompt(
    input_prompt_id: int,
    update_input_prompt_request: UpdateInputPromptRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> InputPromptSnapshot:
    try:
@@ -105,7 +105,7 @@ def patch_input_prompt(
@basic_router.delete("/{input_prompt_id}")
 def delete_input_prompt(
    input_prompt_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
    delete_public: bool = False,
 ) -> None:
@@ -123,7 +123,7 @@ def delete_input_prompt(
@admin_router.delete("/{input_prompt_id}")
 def delete_public_input_prompt(
    input_prompt_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -138,7 +138,7 @@ def delete_public_input_prompt(
@basic_router.post("/{input_prompt_id}/hide")
 def hide_input_prompt_for_user(
    input_prompt_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    """
--- a/backend/onyx/server/features/mcp/api.py
+++ b/backend/onyx/server/features/mcp/api.py
@@ -25,9 +25,9 @@ from pydantic import AnyUrl
 from pydantic import BaseModel
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
 from onyx.auth.schemas import UserRole
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import WEB_DOMAIN
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
@@ -35,7 +35,6 @@ from onyx.db.enums import MCPAuthenticationPerformer
 from onyx.db.enums import MCPAuthenticationType
 from onyx.db.enums import MCPServerStatus
 from onyx.db.enums import MCPTransport
-from onyx.db.enums import Permission
 from onyx.db.mcp import create_connection_config
 from onyx.db.mcp import create_mcp_server__no_commit
 from onyx.db.mcp import delete_all_user_connection_configs_for_server_no_commit
@@ -361,7 +360,7 @@ async def connect_admin_oauth(
 async def connect_user_oauth(
    request: MCPUserOAuthConnectRequest,
    db: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPUserOAuthConnectResponse:
    return await _connect_oauth(request, db, is_admin=False, user=user)

@@ -573,7 +572,7 @@ async def _connect_oauth(
 async def process_oauth_callback(
    request: Request,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPOAuthCallbackResponse:
    """Complete OAuth flow by exchanging code for tokens and storing them.

@@ -656,7 +655,7 @@ async def process_oauth_callback(
 def save_user_credentials(
    request: MCPUserCredentialsRequest,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPApiKeyResponse:
    """Save user credentials for template-based MCP server authentication"""

@@ -984,7 +983,7 @@ def _db_mcp_server_to_api_mcp_server(
 def get_mcp_servers_for_assistant(
    assistant_id: str,
    db: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPServersResponse:
    """Get MCP servers for an assistant"""

@@ -1012,7 +1011,7 @@ def get_mcp_servers_for_assistant(
@router.get("/servers", response_model=MCPServersResponse)
 def get_mcp_servers_for_user(
    db: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPServersResponse:
    """List all MCP servers for use in agent configuration and chat UI.

@@ -1141,7 +1140,7 @@ def get_mcp_server_tools_snapshots(
 def user_list_mcp_tools_by_id(
    server_id: int,
    db: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> MCPToolListResponse:
    return _list_mcp_tools_by_id(server_id, db, False, user)

--- a/backend/onyx/server/features/notifications/api.py
+++ b/backend/onyx/server/features/notifications/api.py
@@ -3,9 +3,8 @@ from fastapi import Depends
 from fastapi import HTTPException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.notification import dismiss_notification
 from onyx.db.notification import get_notification_by_id
@@ -23,7 +22,7 @@ router = APIRouter(prefix="/notifications")

@router.get("")
 def get_notifications_api(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[NotificationModel]:
    """
@@ -59,7 +58,7 @@ def get_notifications_api(
@router.post("/{notification_id}/dismiss")
 def dismiss_notification_endpoint(
    notification_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
--- a/backend/onyx/server/features/oauth_config/api.py
+++ b/backend/onyx/server/features/oauth_config/api.py
@@ -6,11 +6,10 @@ from fastapi import HTTPException
 from sqlalchemy.orm import Session

 from onyx.auth.oauth_token_manager import OAuthTokenManager
-from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import WEB_DOMAIN
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import OAuthConfig
 from onyx.db.models import User
 from onyx.db.oauth_config import create_oauth_config
@@ -156,7 +155,7 @@ def delete_oauth_config_endpoint(
 def initiate_oauth_flow(
    request: OAuthInitiateRequest,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> OAuthInitiateResponse:
    """
    Initiate OAuth flow for the current user.
@@ -193,7 +192,7 @@ def handle_oauth_callback(
    code: str,
    state: str,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> OAuthCallbackResponse:
    """
    Handle OAuth callback after user authorizes the application.
@@ -254,7 +253,7 @@ def handle_oauth_callback(
 def revoke_oauth_token(
    oauth_config_id: int,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> dict[str, str]:
    """
    Revoke (delete) the current user's OAuth token for a specific OAuth config.
--- a/backend/onyx/server/features/password/api.py
+++ b/backend/onyx/server/features/password/api.py
@@ -4,12 +4,12 @@ from fastapi import HTTPException
 from fastapi_users.exceptions import InvalidPasswordException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
+from onyx.auth.users import current_user
 from onyx.auth.users import get_user_manager
 from onyx.auth.users import User
 from onyx.auth.users import UserManager
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.users import get_user_by_email
 from onyx.server.features.password.models import ChangePasswordRequest
 from onyx.server.features.password.models import UserResetRequest
@@ -22,7 +22,7 @@ router = APIRouter(prefix="/password")
 async def change_my_password(
    form_data: ChangePasswordRequest,
    user_manager: UserManager = Depends(get_user_manager),
-    current_user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    current_user: User = Depends(current_user),
 ) -> None:
    """
    Change the password for the current user.
@@ -46,7 +46,7 @@ async def admin_reset_user_password(
    user_reset_request: UserResetRequest,
    user_manager: UserManager = Depends(get_user_manager),
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> UserResetResponse:
    """
    Reset the password for a user (admin only).
--- a/backend/onyx/server/features/persona/api.py
+++ b/backend/onyx/server/features/persona/api.py
@@ -9,16 +9,16 @@ from pydantic import BaseModel
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_chat_accessible_user
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.auth.users import current_limited_user
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import FileOrigin
 from onyx.configs.constants import MilestoneRecordType
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.persona import create_assistant_label
 from onyx.db.persona import create_update_persona
@@ -150,7 +150,7 @@ def patch_persona_visibility(
 def patch_user_persona_public_status(
    persona_id: int,
    is_public_request: IsPublicRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -187,7 +187,7 @@ def patch_persona_featured_status(
@admin_agents_router.patch("/display-priorities")
 def patch_agents_display_priorities(
    display_priority_request: DisplayPriorityRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -265,7 +265,7 @@ def get_agents_admin_paginated(
@admin_router.patch("/{persona_id}/undelete", tags=PUBLIC_API_TAGS)
 def undelete_persona(
    persona_id: int,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    mark_persona_as_not_deleted(
@@ -279,7 +279,7 @@ def undelete_persona(
@admin_router.post("/upload-image")
 def upload_file(
    file: UploadFile,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> dict[str, str]:
    file_store = get_default_file_store()
    file_type = ChatFileType.IMAGE
@@ -298,7 +298,7 @@ def upload_file(
@basic_router.post("", tags=PUBLIC_API_TAGS)
 def create_persona(
    persona_upsert_request: PersonaUpsertRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> PersonaSnapshot:
    tenant_id = get_current_tenant_id()
@@ -328,7 +328,7 @@ def create_persona(
 def update_persona(
    persona_id: int,
    persona_upsert_request: PersonaUpsertRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> PersonaSnapshot:
    _validate_user_knowledge_enabled(persona_upsert_request, "update")
@@ -350,7 +350,7 @@ class PersonaLabelPatchRequest(BaseModel):
@basic_router.get("/labels")
 def get_labels(
    db: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> list[PersonaLabelResponse]:
    return [
        PersonaLabelResponse.from_model(label)
@@ -362,7 +362,7 @@ def get_labels(
 def create_label(
    label: PersonaLabelCreate,
    db: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> PersonaLabelResponse:
    """Create a new assistant label"""
    try:
@@ -379,7 +379,7 @@ def create_label(
 def patch_persona_label(
    label_id: int,
    persona_label_patch_request: PersonaLabelPatchRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_persona_label(
@@ -392,7 +392,7 @@ def patch_persona_label(
@admin_router.delete("/label/{label_id}")
 def delete_label(
    label_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    delete_persona_label(label_id=label_id, db_session=db_session)
@@ -410,7 +410,7 @@ class PersonaShareRequest(BaseModel):
 def share_persona(
    persona_id: int,
    persona_share_request: PersonaShareRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -434,7 +434,7 @@ def share_persona(
@basic_router.delete("/{persona_id}", tags=PUBLIC_API_TAGS)
 def delete_persona(
    persona_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    mark_persona_as_deleted(
--- a/backend/onyx/server/features/projects/api.py
+++ b/backend/onyx/server/features/projects/api.py
@@ -12,7 +12,7 @@ from fastapi import UploadFile
 from pydantic import BaseModel
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import OnyxCeleryPriority
 from onyx.configs.constants import OnyxCeleryQueues
@@ -20,7 +20,6 @@ from onyx.configs.constants import OnyxCeleryTask
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.configs.constants import USER_FILE_PROJECT_SYNC_MAX_QUEUE_DEPTH
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.enums import UserFileStatus
 from onyx.db.models import ChatSession
 from onyx.db.models import Project__UserFile
@@ -99,7 +98,7 @@ def _trigger_user_file_project_sync(

@router.get("", tags=PUBLIC_API_TAGS)
 def get_projects(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserProjectSnapshot]:
    user_id = user.id
@@ -112,7 +111,7 @@ def get_projects(
@router.post("/create", tags=PUBLIC_API_TAGS)
 def create_project(
    name: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserProjectSnapshot:
    if name == "":
@@ -130,7 +129,7 @@ def upload_user_files(
    files: list[UploadFile] = File(...),
    project_id: int | None = Form(None),
    temp_id_map: str | None = Form(None),  # JSON string mapping hashed key -> temp_id
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> CategorizedFilesSnapshot:
    try:
@@ -169,7 +168,7 @@ def upload_user_files(
@router.get("/{project_id}", tags=PUBLIC_API_TAGS)
 def get_project(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserProjectSnapshot:
    user_id = user.id
@@ -186,7 +185,7 @@ def get_project(
@router.get("/files/{project_id}", tags=PUBLIC_API_TAGS)
 def get_files_in_project(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserFileSnapshot]:
    user_id = user.id
@@ -209,7 +208,7 @@ def unlink_user_file_from_project(
    project_id: int,
    file_id: UUID,
    bg_tasks: BackgroundTasks,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    """Unlink an existing user file from a specific project for the current user.
@@ -254,7 +253,7 @@ def link_user_file_to_project(
    project_id: int,
    file_id: UUID,
    bg_tasks: BackgroundTasks,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserFileSnapshot:
    """Link an existing user file to a specific project for the current user.
@@ -301,7 +300,7 @@ class ProjectInstructionsResponse(BaseModel):
 )
 def get_project_instructions(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ProjectInstructionsResponse:
    user_id = user.id
@@ -329,7 +328,7 @@ class UpsertProjectInstructionsRequest(BaseModel):
 def upsert_project_instructions(
    project_id: int,
    body: UpsertProjectInstructionsRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ProjectInstructionsResponse:
    """Create or update this project's instructions stored on the project itself."""
@@ -360,7 +359,7 @@ class ProjectPayload(BaseModel):
 )
 def get_project_details(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> ProjectPayload:
    project = get_project(project_id, user, db_session)
@@ -390,7 +389,7 @@ class UpdateProjectRequest(BaseModel):
 def update_project(
    project_id: int,
    body: UpdateProjectRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserProjectSnapshot:
    user_id = user.id
@@ -415,7 +414,7 @@ def update_project(
@router.delete("/{project_id}", tags=PUBLIC_API_TAGS)
 def delete_project(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    user_id = user.id
@@ -444,7 +443,7 @@ def delete_project(
 def delete_user_file(
    file_id: UUID,
    bg_tasks: BackgroundTasks,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserFileDeleteResult:
    """Delete a user file belonging to the current user.
@@ -502,7 +501,7 @@ def delete_user_file(
@router.get("/file/{file_id}", response_model=UserFileSnapshot, tags=PUBLIC_API_TAGS)
 def get_user_file(
    file_id: UUID,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> UserFileSnapshot:
    """Fetch a single user file by ID for the current user.
@@ -530,7 +529,7 @@ class UserFileIdsRequest(BaseModel):
 )
 def get_user_file_statuses(
    body: UserFileIdsRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserFileSnapshot]:
    """Fetch statuses for a set of user file IDs owned by the current user.
@@ -556,7 +555,7 @@ def get_user_file_statuses(
 def move_chat_session(
    project_id: int,
    body: ChatSessionRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    user_id = user.id
@@ -575,7 +574,7 @@ def move_chat_session(
@router.post("/remove_chat_session")
 def remove_chat_session(
    body: ChatSessionRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> Response:
    user_id = user.id
@@ -594,7 +593,7 @@ def remove_chat_session(
@router.get("/session/{chat_session_id}/token-count", response_model=TokenCountResponse)
 def get_chat_session_project_token_count(
    chat_session_id: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> TokenCountResponse:
    """Return sum of token_count for all user files in the project linked to the given chat session.
@@ -622,7 +621,7 @@ def get_chat_session_project_token_count(
@router.get("/session/{chat_session_id}/files", tags=PUBLIC_API_TAGS)
 def get_chat_session_project_files(
    chat_session_id: str,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserFileSnapshot]:
    """Return user files for the project linked to the given chat session.
@@ -660,7 +659,7 @@ def get_chat_session_project_files(
@router.get("/{project_id}/token-count", response_model=TokenCountResponse)
 def get_project_total_token_count(
    project_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> TokenCountResponse:
    """Return sum of token_count for all user files in the given project for the current user."""
--- a/backend/onyx/server/features/tool/api.py
+++ b/backend/onyx/server/features/tool/api.py
@@ -6,12 +6,11 @@ from fastapi import HTTPException
 from pydantic import BaseModel
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
 from onyx.auth.schemas import UserRole
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import Tool
 from onyx.db.models import User
 from onyx.db.tools import create_tool__no_commit
@@ -220,7 +219,7 @@ def validate_tool(
@router.get("/openapi", tags=PUBLIC_API_TAGS)
 def list_openapi_tools(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> list[ToolSnapshot]:
    tools = get_tools(db_session, only_openapi=True)

@@ -238,7 +237,7 @@ def list_openapi_tools(
 def get_custom_tool(
    tool_id: int,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> ToolSnapshot:
    try:
        tool = get_tool_by_id(tool_id, db_session)
@@ -250,7 +249,7 @@ def get_custom_tool(
@router.get("", tags=PUBLIC_API_TAGS)
 def list_tools(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
 ) -> list[ToolSnapshot]:
    tools = get_tools(db_session, only_enabled=True, only_connected_mcp=True)

--- a/backend/onyx/server/features/user_oauth_token/api.py
+++ b/backend/onyx/server/features/user_oauth_token/api.py
@@ -6,9 +6,8 @@ from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from onyx.auth.oauth_token_manager import OAuthTokenManager
-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.oauth_config import get_all_user_oauth_tokens

@@ -24,7 +23,7 @@ class OAuthTokenStatus(BaseModel):
@router.get("/status")
 def get_user_oauth_token_status(
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
 ) -> list[OAuthTokenStatus]:
    """
    Get the OAuth token status for the current user across all OAuth configs.
--- a/backend/onyx/server/features/web_search/api.py
+++ b/backend/onyx/server/features/web_search/api.py
@@ -1,16 +1,14 @@
 from fastapi import APIRouter
 from fastapi import Depends
+from fastapi import HTTPException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_user
 from onyx.configs.constants import PUBLIC_API_TAGS
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.db.web_search import fetch_active_web_content_provider
 from onyx.db.web_search import fetch_active_web_search_provider
-from onyx.error_handling.error_codes import OnyxErrorCode
-from onyx.error_handling.exceptions import OnyxError
 from onyx.server.features.web_search.models import OpenUrlsToolRequest
 from onyx.server.features.web_search.models import OpenUrlsToolResponse
 from onyx.server.features.web_search.models import WebSearchToolRequest
@@ -63,10 +61,9 @@ def _get_active_search_provider(
 ) -> tuple[WebSearchProviderView, WebSearchProvider]:
    provider_model = fetch_active_web_search_provider(db_session)
    if provider_model is None:
-        raise OnyxError(
-            OnyxErrorCode.INVALID_INPUT,
-            "No web search provider configured. Please configure one in "
-            "Admin > Web Search settings.",
+        raise HTTPException(
+            status_code=400,
+            detail="No web search provider configured.",
        )

    provider_view = WebSearchProviderView(
@@ -79,10 +76,9 @@ def _get_active_search_provider(
    )

    if provider_model.api_key is None:
-        raise OnyxError(
-            OnyxErrorCode.INVALID_INPUT,
-            "Web search provider requires an API key. Please configure one in "
-            "Admin > Web Search settings.",
+        raise HTTPException(
+            status_code=400,
+            detail="Web search provider requires an API key.",
        )

    try:
@@ -92,7 +88,7 @@ def _get_active_search_provider(
            config=provider_model.config or {},
        )
    except ValueError as exc:
-        raise OnyxError(OnyxErrorCode.INVALID_INPUT, str(exc)) from exc
+        raise HTTPException(status_code=400, detail=str(exc)) from exc

    return provider_view, provider

@@ -114,9 +110,9 @@ def _get_active_content_provider(

    if provider_model.api_key is None:
        # TODO - this is not a great error, in fact, this key should not be nullable.
-        raise OnyxError(
-            OnyxErrorCode.INVALID_INPUT,
-            "Web content provider requires an API key.",
+        raise HTTPException(
+            status_code=400,
+            detail="Web content provider requires an API key.",
        )

    try:
@@ -129,12 +125,12 @@ def _get_active_content_provider(
            config=config,
        )
    except ValueError as exc:
-        raise OnyxError(OnyxErrorCode.INVALID_INPUT, str(exc)) from exc
+        raise HTTPException(status_code=400, detail=str(exc)) from exc

    if provider is None:
-        raise OnyxError(
-            OnyxErrorCode.INVALID_INPUT,
-            "Unable to initialize the configured web content provider.",
+        raise HTTPException(
+            status_code=400,
+            detail="Unable to initialize the configured web content provider.",
        )

    provider_view = WebContentProviderView(
@@ -158,13 +154,12 @@ def _run_web_search(
    for query in request.queries:
        try:
            search_results = provider.search(query)
-        except OnyxError:
+        except HTTPException:
            raise
        except Exception as exc:
            logger.exception("Web search provider failed for query '%s'", query)
-            raise OnyxError(
-                OnyxErrorCode.BAD_GATEWAY,
-                "Web search provider failed to execute query.",
+            raise HTTPException(
+                status_code=502, detail="Web search provider failed to execute query."
            ) from exc

        filtered_results = filter_web_search_results_with_no_title_or_snippet(
@@ -197,13 +192,12 @@ def _open_urls(
        docs = filter_web_contents_with_no_title_or_content(
            list(provider.contents(urls))
        )
-    except OnyxError:
+    except HTTPException:
        raise
    except Exception as exc:
        logger.exception("Web content provider failed to fetch URLs")
-        raise OnyxError(
-            OnyxErrorCode.BAD_GATEWAY,
-            "Web content provider failed to fetch URLs.",
+        raise HTTPException(
+            status_code=502, detail="Web content provider failed to fetch URLs."
        ) from exc

    results: list[LlmOpenUrlResult] = []
@@ -226,7 +220,7 @@ def _open_urls(
@router.post("/search", response_model=WebSearchWithContentResponse)
 def execute_web_search(
    request: WebSearchToolRequest,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> WebSearchWithContentResponse:
    """
@@ -269,7 +263,7 @@ def execute_web_search(
@router.post("/search-lite", response_model=WebSearchToolResponse)
 def execute_web_search_lite(
    request: WebSearchToolRequest,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> WebSearchToolResponse:
    """
@@ -285,7 +279,7 @@ def execute_web_search_lite(
@router.post("/open-urls", response_model=OpenUrlsToolResponse)
 def execute_open_urls(
    request: OpenUrlsToolRequest,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> OpenUrlsToolResponse:
    """
--- a/backend/onyx/server/federated/api.py
+++ b/backend/onyx/server/federated/api.py
@@ -9,11 +9,10 @@ from fastapi import Request
 from fastapi import Response
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_curator_or_admin_user
+from onyx.auth.users import current_user
 from onyx.configs.constants import FederatedConnectorSource
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.federated import (
    create_federated_connector as db_create_federated_connector,
 )
@@ -320,7 +319,7 @@ def validate_entities(
@router.get("/{id}/authorize")
 def get_authorize_url(
    id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> AuthorizeUrlResponse:
    """Get URL to send the user for OAuth"""
@@ -369,7 +368,7 @@ def get_authorize_url(
@router.post("/callback")
 def handle_oauth_callback_generic(
    request: Request,
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> OAuthCallbackResult:
    """Handle callback for any federated connector using state parameter"""
@@ -446,7 +445,7 @@ def handle_oauth_callback_generic(

@router.get("")
 def get_federated_connectors(
-    _: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    _: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[FederatedConnectorStatus]:
    """Get all federated connectors for display in the status table"""
@@ -466,7 +465,7 @@ def get_federated_connectors(

@router.get("/oauth-status")
 def get_user_oauth_status(
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> list[UserOAuthStatus]:
    """Get OAuth status for all federated connectors for the current user"""
@@ -611,7 +610,7 @@ def delete_federated_connector_endpoint(
@router.delete("/{id}/oauth")
 def disconnect_oauth_token(
    id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(current_user),
    db_session: Session = Depends(get_session),
 ) -> bool:
    """Disconnect OAuth token for the current user from a federated connector"""
--- a/backend/onyx/server/kg/api.py
+++ b/backend/onyx/server/kg/api.py
@@ -2,14 +2,13 @@ from fastapi import APIRouter
 from fastapi import Depends
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.constants import TMP_DRALPHA_PERSONA_NAME
 from onyx.configs.kg_configs import KG_BETA_ASSISTANT_DESCRIPTION
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.entities import get_entity_stats_by_grounded_source_name
 from onyx.db.entity_type import get_configured_entity_types
 from onyx.db.entity_type import update_entity_types_and_related_connectors__commit
-from onyx.db.enums import Permission
 from onyx.db.kg_config import disable_kg
 from onyx.db.kg_config import enable_kg
 from onyx.db.kg_config import get_kg_config_settings
@@ -48,9 +47,7 @@ admin_router = APIRouter(prefix="/admin/kg")


@admin_router.get("/exposed")
-def get_kg_exposed(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-) -> bool:
+def get_kg_exposed(_: User = Depends(current_admin_user)) -> bool:
    kg_config_settings = get_kg_config_settings()
    return kg_config_settings.KG_EXPOSED

@@ -60,7 +57,7 @@ def get_kg_exposed(

@admin_router.put("/reset")
 def reset_kg(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> SourceAndEntityTypeView:
    reset_full_kg_index__commit(db_session)
@@ -72,9 +69,7 @@ def reset_kg(


@admin_router.get("/config")
-def get_kg_config(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-) -> KGConfig:
+def get_kg_config(_: User = Depends(current_admin_user)) -> KGConfig:
    config = get_kg_config_settings()
    return KGConfigAPIModel.from_kg_config_settings(config)

@@ -82,7 +77,7 @@ def get_kg_config(
@admin_router.put("/config")
 def enable_or_disable_kg(
    req: EnableKGConfigRequest | DisableKGConfigRequest,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    if isinstance(req, DisableKGConfigRequest):
@@ -168,7 +163,7 @@ def enable_or_disable_kg(

@admin_router.get("/entity-types")
 def get_kg_entity_types(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> SourceAndEntityTypeView:
    # when using for the first time, populate with default entity types
@@ -199,7 +194,7 @@ def get_kg_entity_types(
@admin_router.put("/entity-types")
 def update_kg_entity_types(
    updates: list[EntityType],
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_entity_types_and_related_connectors__commit(
--- a/backend/onyx/server/manage/administrative.py
+++ b/backend/onyx/server/manage/administrative.py
@@ -8,7 +8,7 @@ from fastapi import Depends
 from fastapi import HTTPException
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.background.celery.versioned_apps.client import app as client_app
 from onyx.configs.app_configs import GENERATIVE_MODEL_ACCESS_CHECK_FREQ
@@ -23,7 +23,6 @@ from onyx.db.connector_credential_pair import (
 )
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import ConnectorCredentialPairStatus
-from onyx.db.enums import Permission
 from onyx.db.feedback import fetch_docs_ranked_by_boost_for_user
 from onyx.db.feedback import update_document_boost_for_user
 from onyx.db.feedback import update_document_hidden_for_user
@@ -106,7 +105,7 @@ def document_hidden_update(

@router.get("/admin/genai-api-key/validate")
 def validate_existing_genai_api_key(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    # Only validate every so often
    kv_store = get_kv_store()
--- a/backend/onyx/server/manage/code_interpreter/api.py
+++ b/backend/onyx/server/manage/code_interpreter/api.py
@@ -2,11 +2,10 @@ from fastapi import APIRouter
 from fastapi import Depends
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.db.code_interpreter import fetch_code_interpreter_server
 from onyx.db.code_interpreter import update_code_interpreter_server_enabled
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.manage.code_interpreter.models import CodeInterpreterServer
 from onyx.server.manage.code_interpreter.models import CodeInterpreterServerHealth
@@ -19,7 +18,7 @@ admin_router = APIRouter(prefix="/admin/code-interpreter")

@admin_router.get("/health")
 def get_code_interpreter_health(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> CodeInterpreterServerHealth:
    try:
        client = CodeInterpreterClient()
@@ -30,8 +29,7 @@ def get_code_interpreter_health(

@admin_router.get("")
 def get_code_interpreter(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-    db_session: Session = Depends(get_session),
+    _: User = Depends(current_admin_user), db_session: Session = Depends(get_session)
 ) -> CodeInterpreterServer:
    ci_server = fetch_code_interpreter_server(db_session)
    return CodeInterpreterServer(enabled=ci_server.server_enabled)
@@ -40,7 +38,7 @@ def get_code_interpreter(
@admin_router.put("")
 def update_code_interpreter(
    update: CodeInterpreterServer,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_code_interpreter_server_enabled(
--- a/backend/onyx/server/manage/discord_bot/api.py
+++ b/backend/onyx/server/manage/discord_bot/api.py
@@ -6,7 +6,7 @@ from fastapi import HTTPException
 from fastapi import status
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.configs.app_configs import AUTH_TYPE
 from onyx.configs.app_configs import DISCORD_BOT_TOKEN
 from onyx.configs.constants import AuthType
@@ -23,7 +23,6 @@ from onyx.db.discord_bot import get_guild_configs
 from onyx.db.discord_bot import update_discord_channel_config
 from onyx.db.discord_bot import update_guild_config
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.models import User
 from onyx.server.manage.discord_bot.models import DiscordBotConfigCreateRequest
 from onyx.server.manage.discord_bot.models import DiscordBotConfigResponse
@@ -65,7 +64,7 @@ def _check_bot_config_api_access() -> None:
@router.get("/config", response_model=DiscordBotConfigResponse)
 def get_bot_config(
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordBotConfigResponse:
    """Get Discord bot config. Returns 403 on Cloud or if env vars set."""
@@ -83,7 +82,7 @@ def get_bot_config(
 def create_bot_request(
    request: DiscordBotConfigCreateRequest,
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordBotConfigResponse:
    """Create Discord bot config. Returns 403 on Cloud or if env vars set."""
@@ -109,7 +108,7 @@ def create_bot_request(
@router.delete("/config")
 def delete_bot_config_endpoint(
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete Discord bot config.
@@ -132,7 +131,7 @@ def delete_bot_config_endpoint(

@router.delete("/service-api-key")
 def delete_service_api_key_endpoint(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete the Discord service API key.
@@ -155,7 +154,7 @@ def delete_service_api_key_endpoint(

@router.get("/guilds", response_model=list[DiscordGuildConfigResponse])
 def list_guild_configs(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[DiscordGuildConfigResponse]:
    """List all guild configs (pending and registered)."""
@@ -165,7 +164,7 @@ def list_guild_configs(

@router.post("/guilds", response_model=DiscordGuildConfigCreateResponse)
 def create_guild_request(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigCreateResponse:
    """Create new guild config with registration key. Key shown once."""
@@ -184,7 +183,7 @@ def create_guild_request(
@router.get("/guilds/{config_id}", response_model=DiscordGuildConfigResponse)
 def get_guild_config(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigResponse:
    """Get specific guild config."""
@@ -198,7 +197,7 @@ def get_guild_config(
 def update_guild_request(
    config_id: int,
    request: DiscordGuildConfigUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigResponse:
    """Update guild config."""
@@ -220,7 +219,7 @@ def update_guild_request(
@router.delete("/guilds/{config_id}")
 def delete_guild_request(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete guild config (invalidates registration key).
@@ -249,7 +248,7 @@ def delete_guild_request(
 )
 def list_channel_configs(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[DiscordChannelConfigResponse]:
    """List whitelisted channels for a guild."""
@@ -271,7 +270,7 @@ def update_channel_request(
    guild_config_id: int,
    channel_config_id: int,
    request: DiscordChannelConfigUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> DiscordChannelConfigResponse:
    """Update channel config."""
--- a/backend/onyx/server/manage/embedding/api.py
+++ b/backend/onyx/server/manage/embedding/api.py
@@ -2,9 +2,8 @@ from fastapi import APIRouter
 from fastapi import Depends
 from sqlalchemy.orm import Session

-from onyx.auth.permissions import require_permission
+from onyx.auth.users import current_admin_user
 from onyx.db.engine.sql_engine import get_session
-from onyx.db.enums import Permission
 from onyx.db.llm import fetch_existing_embedding_providers
 from onyx.db.llm import remove_embedding_provider
 from onyx.db.llm import upsert_cloud_embedding_provider
@@ -35,7 +34,7 @@ basic_router = APIRouter(prefix="/embedding")
@admin_router.post("/test-embedding")
 def test_embedding_configuration(
    test_llm_request: TestEmbeddingRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
 ) -> None:
    try:
        test_model = EmbeddingModel(
@@ -66,7 +65,7 @@ def test_embedding_configuration(

@admin_router.get("", response_model=list[EmbeddingModelDetail])
 def list_embedding_models(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[EmbeddingModelDetail]:
    search_settings = get_all_search_settings(db_session)
@@ -75,7 +74,7 @@ def list_embedding_models(

@admin_router.get("/embedding-provider")
 def list_embedding_providers(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> list[CloudEmbeddingProvider]:
    return [
@@ -87,7 +86,7 @@ def list_embedding_providers(
@admin_router.delete("/embedding-provider/{provider_type}")
 def delete_embedding_provider(
    provider_type: EmbeddingProvider,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> None:
    embedding_provider = get_current_db_embedding_provider(db_session=db_session)
@@ -106,7 +105,7 @@ def delete_embedding_provider(
@admin_router.put("/embedding-provider")
 def put_cloud_embedding_provider(
    provider: CloudEmbeddingProviderCreationRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(current_admin_user),
    db_session: Session = Depends(get_session),
 ) -> CloudEmbeddingProvider:
    return upsert_cloud_embedding_provider(db_session, provider)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Raunak Bhagat	22903c9343	feat: move SidebarTab to Opal, add disabled styling for sidebar variants - Add [data-disabled] CSS rules for sidebar-heavy and sidebar-light variants (text-02 foreground, transparent background, no opacity) - Move SidebarTab from refresh-components to @opal/components with disabled prop, docstrings, stories, and README - Old file re-exports from Opal for backwards compatibility	2026-04-02 10:25:23 -07:00
Raunak Bhagat	17b0d19faf	docs: update Disabled section in AGENTS.md	2026-04-02 09:51:22 -07:00
Raunak Bhagat	3b6955468e	docs: update Disabled and Interactive.Simple docstrings Disabled is now a pure CSS wrapper with no React context. Remove "use client" directive, update CLAUDE.md description, and simplify Interactive.Simple's docstring.	2026-04-02 09:51:22 -07:00
Raunak Bhagat	9c091ecd45	refactor: remove Disabled context, add disabled prop to all Interactive primitives - Add `disabled` prop to Interactive.Stateful and Interactive.Simple - Remove useDisabled() from Interactive.Container (derives from aria-disabled) - Add `disabled` prop to OpenButton and SelectButton - Migrate callsites: SharedAppInputBar, AppInputBar, InputBar, LLMPopover - Strip context, useDisabled, and DisabledContextValue from Disabled component - Disabled is now a pure CSS wrapper with no React context	2026-04-02 09:51:22 -07:00