Infisical · saifsmailbox98 · May 22, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/backend/src/db/migrations/20260515000000_relay-resource-auth.ts b/backend/src/db/migrations/20260515000000_relay-resource-auth.ts
@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // 1. Add relayId FK to resource_auth_methods — same nullable-FK-per-resource-type
+  // pattern used for gatewayId (see 20260430143000_resource-auth-methods.ts).
+  if (await knex.schema.hasTable(TableName.ResourceAuthMethod)) {
+    const hasRelayId = await knex.schema.hasColumn(TableName.ResourceAuthMethod, "relayId");
+    if (!hasRelayId) {
+      await knex.schema.alterTable(TableName.ResourceAuthMethod, (t) => {
+        t.uuid("relayId").nullable();
+        t.foreign("relayId").references("id").inTable(TableName.Relay).onDelete("CASCADE");
+      });
+
+      await knex.schema.raw(`
+        CREATE UNIQUE INDEX one_method_per_relay
+        ON ${TableName.ResourceAuthMethod} ("relayId")
+        WHERE "relayId" IS NOT NULL
+      `);
+    }
+  }
+
+  // 2. Add tokenVersion to relays — used for stateless JWT revocation,
+  // same pattern as gateways_v2.tokenVersion.
+  if (await knex.schema.hasTable(TableName.Relay)) {
+    const hasTokenVersion = await knex.schema.hasColumn(TableName.Relay, "tokenVersion");
+    if (!hasTokenVersion) {
+      await knex.schema.alterTable(TableName.Relay, (t) => {
+        t.integer("tokenVersion").notNullable().defaultTo(0);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Relay)) {
+    const hasTokenVersion = await knex.schema.hasColumn(TableName.Relay, "tokenVersion");
+    if (hasTokenVersion) {
+      await knex.schema.alterTable(TableName.Relay, (t) => {
+        t.dropColumn("tokenVersion");
+      });
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.ResourceAuthMethod)) {
+    const hasRelayId = await knex.schema.hasColumn(TableName.ResourceAuthMethod, "relayId");
+    if (hasRelayId) {
+      await knex.schema.raw(`DROP INDEX IF EXISTS one_method_per_relay`);
+      await knex.schema.alterTable(TableName.ResourceAuthMethod, (t) => {
+        t.dropColumn("relayId");
+      });
+    }
+  }
+}
diff --git a/backend/src/db/schemas/relays.ts b/backend/src/db/schemas/relays.ts
@@ -16,7 +16,8 @@ export const RelaysSchema = z.object({
   name: z.string(),
   host: z.string(),
   heartbeat: z.date().nullable().optional(),
-  healthAlertedAt: z.date().nullable().optional()
+  healthAlertedAt: z.date().nullable().optional(),
+  tokenVersion: z.number().default(0)
 });
 
 export type TRelays = z.infer<typeof RelaysSchema>;

diff --git a/backend/src/db/schemas/resource-auth-methods.ts b/backend/src/db/schemas/resource-auth-methods.ts
@@ -12,7 +12,8 @@ export const ResourceAuthMethodsSchema = z.object({
   gatewayId: z.string().uuid().nullable().optional(),
   method: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  relayId: z.string().uuid().nullable().optional()
 });
 
 export type TResourceAuthMethods = z.infer<typeof ResourceAuthMethodsSchema>;

diff --git a/backend/src/ee/routes/v1/relay-router.ts b/backend/src/ee/routes/v1/relay-router.ts
@@ -70,6 +70,7 @@ export const registerRelayRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: true,
       operationId: "registerOrgRelay",
       body: z.object({
         host: z.string(),
@@ -212,6 +213,7 @@ export const registerRelayRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: true,
       operationId: "heartbeatOrgRelay",
       body: z.object({
         name: slugSchema({ min: 1, max: 32, field: "name" })

diff --git a/backend/src/ee/routes/v2/index.ts b/backend/src/ee/routes/v2/index.ts
@@ -10,6 +10,7 @@ import {
 import { registerDeprecatedProjectRoleRouter } from "./deprecated-project-role-router";
 import { registerGatewayV2Router } from "./gateway-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerRelayV2Router } from "./relay-router";
 import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 
@@ -57,4 +58,6 @@ export const registerV2EERoutes = async (server: FastifyZodProvider) => {
   );
 
   await server.register(registerSecretVersionRouter, { prefix: "/secret-versions" });
+
+  await server.register(registerRelayV2Router, { prefix: "/relays" });
 };